How Risky Is Crowd-Sourced Data?
January 20, 2023 - 2 min read
Crowd-sourced security solutions require the efforts of many non-professionals, often volunteers, to identify and address security threats. Crowd-sourced security services can provide adequate coverage for non-essential assets, however, there are significant risks associated with the crowd-sourced security model.
- Lack of accountability: It can be difficult to hold individuals accountable for their actions when working with a large, anonymous crowd. Problems, such as unclear remediation instructions, happen from time to time. It would be difficult to gain further insights into issues like these without being able to have a dialogue with the individual finding and addressing that particular security threat.
- Quality control: With many people of widely varying experience levels working on a problem, it can be difficult to ensure that all the work is being performed correctly. A lack of relevant experience can lead to vulnerabilities being overlooked or triaged incorrectly. For example, to compensate for their fear of missing something, inexperienced cybersecurity practitioners will often misdiagnose a perceived vulnerability, resulting in a false positive.
- Security risks: Working with a large group of unknown practitioners exposes an enterprise to an added level of security risk, especially when concerned with critical assets. For example, sensitive information may be accidentally shared with unauthorized individuals, or malicious actors may try to infiltrate to gain access to sensitive information. Outside of certifications and years of experience, it’s important that penetration testers have completed background checks and proper oversight.
- Segmented Visibility: Incomplete data leads to incomplete insights. There is a saying in security that “you can’t protect what you can’t see” and the same holds true for crowd-sourced data – anonymous crowds can’t be trusted with full visibility into all security vulnerabilities and asset risk, which means they can’t supply correct data describing your entire digital estate. This also necessitates having a separate solution to cover your enterprise’s critical assets, creating another avenue for a potential supply chain attack.
- Legal issues: There may be legal issues to consider when working with a crowd-sourced security service. For example, it may be unclear who is liable if a problem arises because of a decision predicated on anonymous, crowd-sourced data. Is it the vendor? The anonymous penetration tester? Or perhaps your own enterprise? Legal precedent is sparse here, leaving your company open to potentially expensive litigation.
Crowd-sourced security services can be useful for small businesses, but it is important for enterprises to carefully consider the risks involved with crowd-sourcing security vendors and take steps to mitigate them, such as thoroughly vetting anyone being given credentials to critical assets.
The Edgescan platform delivers enterprise-level security throughout an organization’s entire digital estate via targeted attack surface management, unauthenticated and authenticated scans, business logic testing, mobile app testing, penetration testing, and full-stack vulnerability management.
Targeted ASM (Attack Surface Management) allows an enterprise to identify assets, most critically, shadow APIs or zombie APIs using continuous API discovery. After all, “you can’t protect what you can’t see.”
Full-stack vulnerability management (VM) creates a single pane of glass to view your entire digital estate, including the infrastructure underlying your applications. Any data shown in the Edgescan platform has been expertly validated and is free of false positives. Traditionally, enterprise security programs take a siloed approach to vulnerability management, with a different point solution at every layer (e.g. application, network, host). There have been increased concerns over supply chain attacks, where enterprises are compromised as a consequence of their vendors being hacked. Edgescan’s full-stack VM approach allows you to consolidate vendors and, by extension, your enterprise’s risk exposure.
Edgescan has a professional team of CREST and OSCP-certified penetration testers that work out of an ISO 27001 location. Our highly credentialed penetration testers have been background checked, which translates to peace of mind for your enterprise. The Edgescan platform records which penetration tester performed every validation and has built-in functionality to contact them for further clarification.
Edgescan has created a clickthrough demo that allows you to see how the platform can identify and prioritize vulnerabilities, as well as monitor your attack surface.
If you are interested in a personalized demo, you can fill out a demo request form on the Edgescan website.