Organization Boundary

5 automated security scanners


Purpose: The Indirect Vendor Exposure Scanner is designed to identify potential vulnerabilities arising from secondary business relationships, affiliate connections, and family member businesses that may pose indirect security risks to an organization. This tool helps organizations assess and mitigate the risk associated with these relationships by detecting mentions of related entities in public records, social media profiles, news articles, code repositories, and more.

What It Detects:

  • Secondary Business Relationships: Identifies mentions of secondary vendors or partners in public records and searches for joint ventures or collaborations with other companies.
  • Affiliate Connections: Looks for affiliate programs and partnerships listed on the company’s website, and scans social media profiles and news articles for affiliate relationships.
  • Family Member Businesses: Detects references to family members involved in business operations by searching LinkedIn profiles for connections between family members and the organization.
  • Code Repositories: Analyzes GitHub repositories for mentions of related businesses or vendors and checks for code contributions from affiliated entities.
  • Security Advisories and Breach History: Reviews security advisories on GitHub for any indirect vendor exposure, and queries the HaveIBeenPwned API to find breach history involving related entities.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Identifying potential vulnerabilities from secondary business relationships, affiliate connections, and family member businesses is crucial as these relationships can lead to data breaches or unauthorized access if not properly managed. This tool helps organizations maintain a secure and resilient security posture by proactively detecting and addressing such risks.

Risk Levels:

  • Critical: Findings that directly impact critical infrastructure or systems, leading to immediate attention for remediation.
  • High: Findings that pose significant risk but are less severe than critical issues, requiring high priority actions.
  • Medium: Findings that indicate moderate risk and may require an intermediate level of attention and planning for resolution.
  • Low: Findings that suggest lower risk with minimal impact on security posture, which can be addressed as part of routine maintenance activities.
  • Info: Informational findings that provide context but do not directly affect the core security posture, suitable for awareness or informational purposes.

If specific conditions for these risk levels are not detailed in the README, they have been inferred based on the scanner’s purpose and impact.

Example Findings:

  • A mention of Acme Corporation found in a repository that hosts sensitive code, potentially exposing internal algorithms to unauthorized access.
  • Discovery of a breach mention in news articles related to a company with extensive operations in cloud services, indicating potential exposure through compromised third-party vendors.

Purpose: The Shadow Technology Implementation Scanner is designed to identify unauthorized tools, personal cloud accounts for work, and unofficial integrations within an organization by probing the domain’s DNS, HTTP, TLS, ports, and APIs. This tool aims to safeguard organizational data and ensure compliance with security policies by detecting potential threats hidden in these areas.

What It Detects:

  • Unapproved Tools Detection: Identifies unauthorized software or tools being used based on specific patterns in security headers such as strict-transport-security, content-security-policy, x-frame-options, and x-content-type-options.
  • Personal Cloud Accounts Usage: Detects the use of personal cloud services by analyzing DNS records and HTTP content for known service indicators, including the SPF and DMARC TXT record patterns v=spf1.*[\+\-\~\?]all and v=DMARC1.*p=(none|quarantine|reject).
  • Unofficial Integrations: Identifies unauthorized third-party integrations by examining TLS/SSL certificates and cipher suites, flagging outdated protocols (TLSv1.0, TLSv1.1) and weak cipher suites (those using RC4, DES, or MD5).

Inputs Required:

  • domain (string): The primary domain to analyze, e.g., acme.com. This is the essential input for directing the scanner’s probes towards the correct target.

Business Impact: Ensuring that only approved tools, services, and integrations are used within an organization is crucial for maintaining data security and compliance with regulatory standards. Unauthorized tools can pose significant risks by allowing unauthorized access or data leakage, potentially compromising sensitive information and damaging organizational reputation.

Risk Levels:

  • Critical: Conditions where the scanner identifies patterns that directly compromise security headers critical to HTTPS usage, such as a missing strict-transport-security header.
  • High: Conditions where personal cloud accounts are detected using indicators that bypass corporate policies or use weak encryption methods like outdated TLS versions or weak ciphers.
  • Medium: Conditions where unauthorized third-party integrations are identified through DNS anomalies or suspicious SSL/TLS configurations.
  • Low: Findings of minor deviations in security headers or less critical DNS record configurations that pose no immediate threat but should be monitored for future changes.
  • Info: Routine checks for compliance with basic security practices, such as the presence of required security headers.

Example Findings:

  • A website is detected without the strict-transport-security header, indicating a critical risk that must be addressed to enhance HTTPS usage and prevent downgrade attacks (Critical).
  • Personal cloud accounts are discovered using DNS records with patterns suggesting bypassing corporate policies for data storage (High).
  • Weak ciphers like RC4 or DES in SSL/TLS configurations suggest a high risk of cryptographic weaknesses, potentially allowing eavesdropping or session hijacking (High).
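The header, DNS TXT and TLS checks this scanner describes, worked through as an added Python illustration over already-collected data; this is not the scanner's own code. The function names, the constructed sample host, and the severities not stated above (permissive SPF qualifier and DMARC p=none as Medium, other missing headers as Low, present headers as Info) are assumptions.

```python
import re
# Header names, TXT patterns and weak TLS settings exactly as listed above.
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options")
SPF_RE = re.compile(r"v=spf1.*([\+\-\~\?])all")
DMARC_RE = re.compile(r"v=DMARC1.*p=(none|quarantine|reject)")
OUTDATED_PROTOCOLS = {"TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5")  # matched inside cipher-suite names
RISK_ORDER = ("Info", "Low", "Medium", "High", "Critical")

def assess(headers, txt_records, protocols, ciphers):
    """Return (risk, message) findings for one host from already-collected data.
    headers: header name -> value; txt_records: TXT strings for the domain and
    _dmarc.<domain>; protocols: accepted TLS versions; ciphers: offered suites.
    Missing HSTS is Critical and outdated TLS or a weak cipher is High, as in
    the Risk Levels above; the Medium/Low/Info mapping is this example's own."""
    findings = []
    present = {name.lower() for name in headers}
    for name in SECURITY_HEADERS:
        if name in present:
            findings.append(("Info", f"{name} present"))
        elif name == "strict-transport-security":
            findings.append(("Critical", "strict-transport-security missing"))
        else:
            findings.append(("Low", f"{name} missing"))
    for record in txt_records:
        spf = SPF_RE.search(record)
        if spf and spf.group(1) in "+?":  # "+all"/"?all" let any sender pass SPF
            findings.append(("Medium", f"permissive SPF qualifier {spf.group(1)}all"))
        dmarc = DMARC_RE.search(record)
        if dmarc and dmarc.group(1) == "none":  # monitor-only DMARC policy
            findings.append(("Medium", "DMARC policy p=none"))
    for proto in sorted(OUTDATED_PROTOCOLS & set(protocols)):
        findings.append(("High", f"outdated protocol {proto} accepted"))
    for suite in ciphers:
        if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(("High", f"weak cipher suite {suite}"))
    return findings

def highest_risk(findings):
    """Overall rating for the host: its most severe finding, Info if none."""
    return max((risk for risk, _ in findings), key=RISK_ORDER.index, default="Info")

# Constructed observation for a single host; not real scan output.
SAMPLE = dict(
    headers={"Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY"},
    txt_records=["v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    protocols={"TLSv1.0", "TLSv1.2"},
    ciphers=["TLS_RSA_WITH_RC4_128_SHA", "TLS_AES_128_GCM_SHA256"],
)
```

Running `assess(**SAMPLE)` on the constructed host yields one Critical (no HSTS), two High (TLSv1.0 and the RC4 suite), two Medium (the ?all qualifier and p=none), one Low and two Info findings, so `highest_risk` reports Critical.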

Purpose: The Shared Infrastructure Exposure Scanner is designed to identify and assess potential risks associated with personnel-owned infrastructure and shared hosting environments utilized for company purposes. This tool aims to ensure compliance with organizational policies and standards by detecting unauthorized use of company resources, identifying shared hosting services that may pose security risks, and assessing the overall security posture based on breach history and risk factor disclosures.

What It Detects:

  • Personnel-Owned Infrastructure Usage: Identifies GitHub repositories linked to personal accounts but containing code or configurations related to the company, as well as LinkedIn profiles mentioning personal projects with company technology stacks.
  • Shared Hosting Detection: Discovers subdomains using Certificate Transparency logs that may indicate shared hosting services and analyzes job board postings for mentions of shared hosting solutions used by the company.
  • Security Incident Coverage in News: Scrapes news articles and security incident reports mentioning data breaches or unauthorized access related to the company, checks for breach history on the HaveIBeenPwned API associated with the company domain, parses SEC EDGAR filings for risk factors related to infrastructure usage and potential vulnerabilities, and scans GitHub security advisories for any known vulnerabilities affecting repositories linked to the company.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com)
  • company_name (string): Company name for statement searching (e.g., “Acme Corporation”)

Business Impact: This scanner is crucial for maintaining the security and compliance of a company’s infrastructure, ensuring that all resources are managed according to organizational policies and standards. Unauthorized use of company technology stacks or shared hosting environments can lead to data breaches, intellectual property theft, and significant financial losses. The ability to identify these risks in advance helps mitigate potential threats and safeguard sensitive information.

Risk Levels:

  • Critical: Conditions that directly impact critical security aspects such as unauthorized access to infrastructure, exposure of sensitive data, or immediate compliance failures.
  • High: Conditions that significantly affect the overall security posture but do not meet the criteria for a Critical risk level.
  • Medium: Conditions that may indicate potential issues requiring attention but have limited direct impact on critical security functions.
  • Low: Informative findings that provide general insights into infrastructure usage and are generally of minimal concern unless they escalate in severity.
  • Info: Informational findings that do not pose immediate risks or compliance concerns but can be monitored for trends or future impacts.

If the README does not specify exact risk levels, they have been inferred from the scanner’s purpose and impact.

Example Findings:

  • A GitHub repository named “company_project” owned by a personal account contains sensitive company data.
  • An individual linked to your company’s technology stack through their LinkedIn profile is using a shared hosting service that lacks adequate security measures.

Purpose: The Data Sovereign Boundary Issues Scanner is designed to identify and alert about potential issues related to company data in personal accounts and unauthorized use of company intellectual property (IP) on GitHub. This tool aims to ensure that sensitive information remains within organizational boundaries and prevents misuse by detecting any instances where company IP might be exposed or misused through public repositories.

What It Detects:

  • Company Data in Personal Accounts: Identifies mentions of company-specific data or confidential information in public GitHub repositories, searching for patterns indicative of data leakage such as internal document names, project codes, or sensitive keywords.
  • Unauthorized Use of Company IP: Scans personal projects on GitHub for unauthorized use of company intellectual property (IP), including code snippets, logos, and trademarks. It also detects mentions of proprietary technology stacks or tools used exclusively by the company.
  • Subdomain Discovery: Utilizes Certificate Transparency logs to discover subdomains that may be associated with personal accounts but are linked to the company’s domain, potentially indicating data leakage through unsecured or misconfigured subdomains.
  • Breach History: Checks the HaveIBeenPwned API for any breaches involving the company’s domain, which might suggest data leakage into personal accounts. It analyzes breach descriptions for patterns that indicate misuse of company data.
  • News and Job Board Analysis: Searches news articles and job boards for mentions of company data in personal projects or unauthorized disclosures, identifying potential security incidents where company IP has been exposed through public channels.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com)
  • company_name (string): The company name for statement searching (e.g., “Acme Corporation”)

Business Impact: Ensuring that sensitive information remains within organizational boundaries and preventing misuse of company IP is crucial for maintaining a secure and compliant digital environment. This not only protects the organization’s intellectual property but also adheres to legal and regulatory requirements, minimizing potential risks associated with data breaches or unauthorized disclosures.

Risk Levels:

  • Critical: Findings that directly indicate significant security incidents such as data breaches involving critical company information are considered critical. These include instances of unauthorized access, compromised accounts, or direct mentions of sensitive data in public repositories.
  • High: Issues that suggest potential exposure of company IP through personal accounts or unauthorized use of proprietary technology stacks and tools are classified as high risk. This includes the detection of internal document names, project codes, or mentions of proprietary software and hardware used by the company.
  • Medium: Informational findings that might indicate a need for further investigation into data handling practices or compliance with IP policies are considered medium risk. These include mentions of technology stacks commonly associated with specific breaches or unauthorized use scenarios.
  • Low: Findings that do not pose significant security risks but may require awareness and attention, such as the discovery of subdomains linked to the company’s domain without clear business justification, are classified as low risk.
  • Info: Informational findings provide context about potential data handling issues or compliance gaps that are less severe than high-risk issues but still warrant monitoring and improvement efforts.

Example Findings:


Purpose: The purpose of the “Unofficial Technology Partnerships Scanner” is to identify undisclosed vendor relationships, unofficial integrations, and personal connection-driven adoption within an organization by analyzing public records, OSINT sources, and specific patterns in publicly available data.

What It Detects:

  • Undisclosed Vendor Relationships: Identifies mentions of third-party vendors or partners not officially disclosed. This includes detecting references to services or products from unknown or unlisted vendors.
  • Unofficial Integrations: Finds evidence of integrations with external systems or tools that are not documented publicly, including code repositories and job postings indicating unauthorized use of integrations.
  • Personal Connection-Driven Adoption: Identifies individuals within the organization who have personal connections to technology vendors, based on LinkedIn profiles and GitHub contributions suggesting such relationships influence adoption decisions.
  • Security Incident Involvement: Searches for mentions of security incidents involving third-party vendors or partners, including breach history associated with subdomains using Certificate Transparency logs.
  • Technology Stack Disclosure: Analyzes job boards, news articles, and other public sources for technology stack disclosures that may indicate unofficial partnerships or integrations.

Inputs Required:

  • domain (string): The primary domain to analyze, e.g., “acme.com”.
  • company_name (string): The company name for statement searching, e.g., “Acme Corporation”.

Business Impact: This scanner is crucial as it helps organizations uncover hidden dependencies and potential security risks associated with unofficial technology partnerships that could lead to data breaches or unauthorized access. It ensures compliance with privacy policies and enhances overall cybersecurity posture by identifying and mitigating potential vulnerabilities introduced through unverified integrations.

Risk Levels:

  • Critical: Conditions that pose a significant risk to the organization, such as known third-party vendor involvement in security incidents or unauthorized access attempts.
  • High: Conditions indicating high risks, including undisclosed partnerships with vendors leading to data breaches or unauthorized use of technology stacks.
  • Medium: Conditions suggesting medium risks, like personal connections influencing adoption decisions that might lead to internal threats.
  • Low: Informal mentions in public records with minimal impact on security posture unless escalated.
  • Info: General information about the company’s tech stack without immediate risk but useful for strategic planning.

Example Findings:

  1. “Security incident involving third-party vendor detected.” - This finding indicates a critical issue where an unauthorized access attempt or data breach was associated with a third-party vendor, posing a significant threat to the organization.
  2. “Experience with AWS mentioned in GitHub repository.” - This is a high-risk finding as it suggests that the company might be using unofficial tools or services, potentially compromising its security infrastructure.