Because the rapid digital transformation caused organizations to greatly increase the number of assets they expose to the Internet, cyber felons found new ways to exploit companies.
There are many vulnerabilities that a company can have and not even be aware of them. However, if noticed too late, a hacker can end up causing the business major financial losses or even reputational damage.
While many Internet users choose to protect themselves with traditional security measures, such as Virtual Private Networks (VPNs), companies are in need of more complex solutions. Aside from educating your employees, one of the most important steps is to evaluate a business’ attack surface and potential risks.
To find out more about the best cybersecurity practices for companies, Cybernews invited Tim Dowling, the Founder and CEO of TrustedSite – a company that specializes in data protection.
Let’s go back to the beginning of TrustedSite. What has the journey been like?
TrustedSite’s journey first began back in 2002 when my Co-Founder Ben Tyler developed ScanAlert, one of the first commercial website and web application vulnerability scanners. Around that time, I was leading McAfee’s web security division and the ScanAlert technology caught our attention. In 2008, we acquired ScanAlert and rebranded it as the McAfee SECURE service, which quickly became one of the most familiar symbols of security online. In 2013, Ben and myself, along with other members of McAfee leadership, spun the operation out to form PathDefender, which was shortly thereafter rebranded as TrustedSite, so that we could fully focus on the service’s success.
Over time, TrustedSite evolved with the help of Nick Merritt, now TrustedSite’s VP of Security, who had worked alongside Ben and me at McAfee. With the explosive growth in online services across all industries, we saw that many businesses had a need to go beyond traditional vulnerability and application scanning to protect their attack surface. This led to the development of the TrustedSite Security platform, a complete solution that takes an integrated approach to external attack surface management. The TrustedSite platform brings together all the services security teams need to get the attacker’s view of their organization and reduce perimeter risk, including attack surface discovery, website and firewall monitoring, application and server scanning, penetration testing, and more. But our goal is to be more than a security tool, we’re really here to be an extension of your security team, ready to help you meet your security objectives however we can.
Can you tell us a little bit about your platform? What are its key features?
TrustedSite offers a complete attack surface management platform that takes a step-by-step approach to perimeter security. It begins with Attack Surface Discovery because you can’t protect what you don’t know. Customers can input what we call a seed domain and we’ll find all of the associated subdomains, alive IPs, and additional top-level domains. Every discovered asset is given a risk score to help you see what areas of your attack surface need urgent attention.
In addition, our penetration testing services are fully integrated into the platform so that you have one place to manage both continuous and point-in-time testing services. And of course, support is fully built-in as well, so if you have questions about risks or need a vulnerability validated, you can easily submit a ticket and request help from our team.
What vulnerabilities do you notice being exploited most often nowadays?
The same vulnerabilities that were being exploited a decade ago are still prevalent today. This includes common types of web vulnerabilities like SQL Injection (SQLi) and cross-site scripting (XSS). Vulnerabilities such as XSS have dropped off the radar of OWASP Top 10, which tracks trends in security risks to web applications, but my team still discovers them frequently during testing. While these are easy to prevent, they’re also easy to introduce if there isn’t a focus on secure design principles.
How do you think the recent global events changed the nature of cyberattacks?
With the Covid-19 pandemic, there’s been an increase in remote work, which means an increased risk of employees using their own devices to access work resources. This creates a situation where an individual's personal device may become a high-value target due to the access that it may provide a malicious actor.
This is similar to attacks we have seen on MSPs and third-party contractors in the past, such as with the Okta breach. An attacker was able to compromise the system of a tech support worker who had access to the Okta system and extracted information using the worker’s credentials.
What kind of tests and checkups do you think every company should conduct on a regular basis?
While the standard has been to perform penetration testing once or twice a year, it’s no longer sufficient to combat the changing threat landscape. Penetration tests and vulnerability assessments are still valuable tests that should be performed, but they only provide a snapshot of a company’s current security posture. It’s necessary to maintain a holistic view of external security, which includes identifying all assets that belong to the company and continuously monitoring them for changes and vulnerabilities. The shift from on-premise infrastructure to the cloud has made this more difficult than ever, with many companies having dozens or even hundreds of third-party assets and services that could be key entryways leading to a breach of customer data.
Why do you think certain organizations are unaware of the risks they are exposed to?
I think that most organizations are generally aware of cyberattacks and the risks they pose. We hear about new breaches and attacks almost weekly in the news. The problem is that we’re often lacking context into how these incidents happened. Even with the details, it can be hard to determine whether the same threat applies to your organization. I think the true difficulty is keeping up with the pace of cybersecurity, and deciding which products and services are the right fit for your company.
In your opinion, what type of cyberattacks should the general public be prepared to tackle in the near future?
The general public should be prepared to face ongoing threats from phishing and spear phishing, which are not going away anytime soon. Although we’ve become more aware of these attacks and how to identify them, we still have a lot of work to do. These are some of the primary methods of delivering ransomware and are often targeted at employees as well as home users. Phishing has become more sophisticated and difficult for some users to spot, and the danger lies in the fact that it only takes one successful attempt for damage to be done.
What security tools do you think will become crucial to combat such threats?
There are technical solutions that do help prevent some phishing attacks by means of stopping malicious actors from spoofing emails that appear to originate from the company, but this won’t stop all of it. The only true solution is educating users and employees on the danger and how to identify it. Increasing user awareness greatly reduces the risk and goes hand-in-hand with maintaining network security to stop both internal and external threats.
And finally, what’s next for TrustedSite?
We’re continuously innovating and expanding our services at TrustedSite. We just launched a new service we call Human Assessment to help businesses get more access to frequent business logic assessments. For about the same cost as our traditional penetration testing service, with Human Assessment customers can have an application or network service evaluated by our pentesters every 3 months.
There are many platform updates on the horizon as well. We’re working on a community support feature so customers can connect with their peers and seek support from one another. We also just finished up a refactoring of our API and have plans to create more integrations with firewalls in third-party services, Azure, and other services.