CDP (Carbon Disclosure Project)


The Carbon Disclosure Project (CDP) is a global non-profit organization that runs a system for companies, cities, and governments to disclose their environmental impacts. While CDP's primary focus is on environmental sustainability (specifically climate change, water security, and deforestation), its work has implications for cybersecurity.

Here is a breakdown of CDP in the context of cybersecurity.

CDP's Core Mission and Its Connection to Data

CDP's mission is to encourage transparency and action on environmental issues by collecting and scoring data from thousands of organizations worldwide. Companies submit data on their environmental practices through a standardized questionnaire.

The connection to cybersecurity is that this entire process is data-driven. The information submitted to CDP is sensitive and can be commercially significant. It often includes:

  • Financial information related to environmental risks and investments.

  • Operational data on energy use, emissions, and water consumption.

  • Supply chain details that could reveal business relationships and vulnerabilities.

Protecting this information from unauthorized access, modification, or destruction is a critical cybersecurity concern.

Indirect Cybersecurity Relevance

While CDP does not have a specific "cybersecurity questionnaire," its environmental disclosure framework and scoring process indirectly touch upon cybersecurity in the following ways:

  • Third-Party Risk Management: Companies are often asked to disclose information about their supply chain. This means they need to assess their suppliers' environmental performance. Similarly, companies must also assess the cybersecurity posture of their vendors and partners to protect their own data.

  • Data Integrity and Governance: The accuracy and reliability of the data submitted to CDP are of paramount importance. This requires strong internal data governance and security controls to ensure the data has not been tampered with. A cyberattack that compromises this data could lead to a company receiving a lower CDP score or facing legal and reputational damage.

  • Public Disclosure and Reputation: The scores assigned by CDP are publicly disclosed and used by investors and other stakeholders to inform their decisions. A cybersecurity incident that affects a company's ability to submit accurate data or results in a data breach could directly harm its reputation and CDP score, which in turn could affect investor confidence.

While CDP focuses on environmental disclosure, the processes and systems used to collect, manage, and report that data are subject to the same cybersecurity risks as any other business function. Therefore, a robust cybersecurity program is an essential part of a company's overall strategy for effective and secure CDP reporting.

ThreatNG can assist with the CDP disclosure process by providing a comprehensive, outside-in view of an organization's digital security posture, which directly affects the integrity and reliability of the data required for CDP reporting, particularly its ESG (Environmental, Social, and Governance) aspects.

External Discovery & Assessment

ThreatNG's external discovery capabilities offer a comprehensive view of an organization's digital presence, eliminating the need for credentials or internal access. It identifies all public-facing assets, including domains, subdomains, cloud services, and code repositories. This is crucial for CDP as companies must disclose information about their operations and supply chain. For example, ThreatNG can discover unsanctioned cloud services or exposed assets that might be a source of data leaks.

ThreatNG conducts several external assessments relevant to CDP reporting, notably the ESG Exposure score. This score rates an organization on ESG violations discovered through external attack surface and digital risk intelligence, highlighting offenses in areas such as:

  • Environment: This is directly relevant to CDP's focus. ThreatNG can identify environment-related lawsuits, which are factored into its Sentiment and Financials findings.

  • Safety: If a company's external digital footprint reveals safety-related offenses, this would be flagged by the ESG Exposure score.

In addition to ESG, ThreatNG's assessments cover other areas that affect the overall security of CDP-related data:

  • Data Leak Susceptibility: This score is based on factors such as Cloud and SaaS Exposure and Dark Web Presence, including compromised credentials. A data leak could expose sensitive environmental data before it is reported to CDP.

  • Breach & Ransomware Susceptibility: This score assesses exposed sensitive ports, private IP addresses, known vulnerabilities, and compromised credentials on the dark web. A ransomware attack could disrupt the entire CDP reporting process.

  • Web Application Hijack Susceptibility: This assesses parts of a web application accessible from the outside world to identify potential entry points for attackers. A successful hijack could compromise the integrity of submitted environmental data.

  • Subdomain Takeover Susceptibility: ThreatNG analyzes subdomains, DNS records, and SSL certificates to evaluate this risk.

Reporting & Continuous Monitoring

ThreatNG offers various reports, including executive and technical reports, as well as a specialized report for External GRC Assessment Mappings, which covers PCI DSS, HIPAA, GDPR, and POPIA. While not a direct CDP report, this GRC assessment demonstrates a company's commitment to compliance and data security, which is a crucial part of a robust ESG program.

Continuous monitoring is another key capability. ThreatNG constantly watches the external attack surface, digital risk, and security ratings, so that new risks are identified in real time. This is essential for CDP, as it enables a company to proactively address new exposures that could compromise the security of its environmental data, such as newly discovered code secrets or compromised credentials.

Investigation Modules & Intelligence Repositories

ThreatNG's Investigation Modules and Intelligence Repositories provide the deep insights needed to support CDP reporting.

Investigation Modules

These modules allow for detailed investigations into discovery and assessment results. For example:

  • Domain Intelligence: This module uncovers potential brand impersonations through domain name permutations. An attacker could use a similar-looking domain to launch a phishing campaign aimed at employees responsible for CDP reporting.

  • Sensitive Code Exposure: This module identifies public code repositories and mobile applications that contain sensitive data, including API keys and credentials. A leak of an API key could allow an attacker to gain access to a system containing environmental data.

  • Sentiment and Financials: ThreatNG analyzes lawsuits, SEC filings (including risk and oversight disclosures), and ESG violations. This directly supports the ESG component of CDP reporting by providing external context on the company's environmental and social performance.
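
As an added example (not ThreatNG's detection logic, which the page does not describe), the script below shows what a minimal sensitive-code-exposure check looks like when run over repository contents: fixed patterns for credential formats with a recognisable prefix, plus an entropy test for generic secret-looking assignments, with matched values masked in the output so the scanner does not itself leak what it finds. The file paths, contents and rule set are constructed; `AKIAIOSFODNN7EXAMPLE` is the access key id AWS uses in its own documentation, and the other token is made up to have the right shape.

```python
"""Minimal sensitive-code-exposure check over repository contents: fixed
patterns for well-known credential formats plus an entropy test for generic
secret-looking assignments. Matched values are masked in the output so the
scanner does not itself leak what it finds.

Added example, not ThreatNG's detection logic. File paths and contents are
constructed; AKIAIOSFODNN7EXAMPLE is the access key id AWS uses in its own
documentation, and the other token is made up to have the right shape.
"""
import math
import re

# Formats with a fixed, recognisable prefix.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic fallback: a secret-like name assigned a quoted value of 16+ chars.
ASSIGNMENT = re.compile(r"(?i)(secret|token|password|api_key)\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 4.0          # bits/char; hex tops out at 4, base64 near 6
PLACEHOLDER_WORDS = ("changeme", "example", "placeholder", "xxxx", "<your")


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the string's own
    character frequencies."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    """Keep a short prefix for triage, hide the rest."""
    return value[:4] + "..." + "*" * max(0, len(value) - 4)


def scan_text(path, text):
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append({"path": path, "line": lineno, "rule": rule, "value": mask(m.group(0))})
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            looks_fake = any(w in value.lower() for w in PLACEHOLDER_WORDS)
            if not looks_fake and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append({"path": path, "line": lineno, "rule": "high_entropy_assignment",
                             "value": mask(value)})
    return hits


def scan_repo(files):
    """files: {path: content}. Returns all hits ordered by path, then line."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


SAMPLE_FILES = {  # constructed repository snapshot
    "deploy/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_REGION=eu-west-1\n"
        'api_token = "q7Rz9vLm2Xp4Ws8Bn3Kd6Tf1Yh5Jg0Ac"\n'
        'password = "changeme-in-production"\n'
    ),
    "app/settings.py": (
        "DEBUG = False\n"
        'SECRET_KEY = os.environ["SECRET_KEY"]  # read at runtime, not committed\n'
    ),
}

if __name__ == "__main__":
    for h in scan_repo(SAMPLE_FILES):
        print(f"{h['path']}:{h['line']} {h['rule']} {h['value']}")
```

Two design points carry over to any real scanner: the placeholder filter keeps obvious dummy values such as `changeme` out of the findings so reviewers do not learn to ignore alerts, and the settings file that reads its key from the environment produces no hit, which is the pattern the check is meant to encourage.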

Intelligence Repositories (DarCache)

ThreatNG's Intelligence Repositories contain continuously updated information that directly supports the assessments and investigations.

  • DarCache ESG: This repository contains explicit information on ESG violations, including environmental and financial offenses.

  • DarCache Vulnerability: This repository consolidates information from sources such as NVD, EPSS, and KEV to offer a proactive and comprehensive view of external risks and vulnerabilities. This helps companies prioritize and address vulnerabilities that could impact their ability to report securely to CDP.
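
As an added example (not ThreatNG's scoring model, which the page does not describe), the function below shows how the three repository signals named above combine into a remediation order: a KEV entry or a high EPSS probability lifts a finding above a higher-CVSS one that shows no sign of exploitation. The weights, SLA windows, host names and the `CVE-0000-000x` placeholders are constructed for the illustration.

```python
"""Rank externally discovered vulnerabilities with the three repository
signals the passage names: NVD (CVSS base score), EPSS (probability of
exploitation within 30 days) and CISA KEV (confirmed exploited in the wild).

Added example; not ThreatNG's scoring model. The weights, the SLA buckets
and every CVE id, score and host name below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str            # placeholder identifier, not a real CVE
    cvss: float         # NVD CVSS base score, 0.0-10.0
    epss: float         # EPSS probability, 0.0-1.0
    in_kev: bool        # present in the CISA KEV catalogue
    internet_facing: bool = True


def priority_score(f: Finding) -> float:
    """0-100 priority. The weighting is this example's assumption: evidence
    of exploitation (KEV membership, high EPSS) counts for more than raw
    severity, and a KEV entry is treated as likelihood 1.0 whatever EPSS says."""
    severity = max(0.0, min(f.cvss, 10.0)) / 10.0
    likelihood = 1.0 if f.in_kev else max(0.0, min(f.epss, 1.0))
    score = 100.0 * (0.35 * severity + 0.65 * likelihood)
    if not f.internet_facing:
        score *= 0.5        # not reachable from the outside-in view
    return round(score, 1)


def sla_bucket(score: float) -> str:
    """Map a score to a remediation window (buckets are an assumption)."""
    if score >= 80:
        return "fix within 48 hours"
    if score >= 50:
        return "fix within 7 days"
    if score >= 20:
        return "fix in next patch cycle"
    return "track"


def prioritize(findings):
    """Return findings with score and SLA bucket, highest priority first."""
    ranked = sorted(((priority_score(f), f) for f in findings),
                    key=lambda pair: pair[0], reverse=True)
    return [{"asset": f.asset, "cve": f.cve, "score": s, "sla": sla_bucket(s)}
            for s, f in ranked]


SAMPLE_FINDINGS = [  # constructed
    Finding("web-01.example.com", "CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),
    Finding("vpn-gw.example.com", "CVE-0000-0002", cvss=7.8, epss=0.91, in_kev=True),
    Finding("build-srv.internal", "CVE-0000-0003", cvss=5.3, epss=0.004,
            in_kev=False, internet_facing=False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['score']:5.1f}  {row['sla']:<24} {row['asset']} {row['cve']}")
```

In the constructed sample the CVSS 9.8 finding ranks below the CVSS 7.8 finding listed in KEV, which is exactly why EPSS and KEV are pulled in alongside NVD rather than sorting on base score alone.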

Complementary Solutions

ThreatNG can be used with complementary solutions to enhance an organization's security posture for CDP reporting.

  • Security Information and Event Management (SIEM) / Security Orchestration, Automation, and Response (SOAR) solutions: ThreatNG's external intelligence, such as a flagged toxic combination of a known vulnerability and compromised credentials, can be fed into a SIEM or SOAR solution. The SIEM then correlates this with internal log data from firewalls and other systems. A SOAR platform can then automate the response, like blocking an IP address. This synergy ensures that external threats identified by ThreatNG are quickly mitigated within the internal network, protecting the data used for CDP reporting.

  • Vulnerability Management Platforms: ThreatNG's external view of vulnerabilities complements internal vulnerability scanners, providing a comprehensive approach to vulnerability management. For example, ThreatNG might discover an external-facing web application with a Web Application Firewall (WAF) bypass vulnerability. At the same time, an internal scanner finds an unpatched operating system vulnerability on the same server. Together, these two pieces of information create a "toxic combination," a chain of vulnerabilities that is more severe than the individual issues. The combined intelligence allows the organization to prioritize patching the vulnerabilities with extreme urgency.
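
Both "toxic combination" scenarios above (a compromised credential plus a known vulnerability fed into a SIEM, and an external WAF-bypass finding paired with an internal unpatched-OS finding) are joins over a shared key, a host name or a user name. The script below is an added example, not ThreatNG's or any SIEM's correlation logic: the finding schema, the log line format, all host and user names and the CVE placeholders are constructed for the illustration.

```python
"""Correlate outside-in findings with internal telemetry to surface "toxic
combinations": pairs of findings that are moderate alone but severe together.

Added example, not ThreatNG's or a SIEM vendor's code. The finding schema,
the log line format, all host and user names and the CVE placeholders are
constructed for this illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Outside-in findings, as an external attack-surface tool might export them.
EXTERNAL_FINDINGS = [
    {"kind": "known_vuln", "subject": "web-01.example.com",
     "detail": "WAF bypass on /login (placeholder CVE-0000-0000)"},
    {"kind": "compromised_credential", "subject": "jdoe",
     "detail": "credential pair seen in a dark-web dump"},
    {"kind": "known_vuln", "subject": "api-02.example.com",
     "detail": "outdated TLS library (placeholder CVE-0000-0001)"},
]

# Internal vulnerability scanner results, keyed by the same host names.
INTERNAL_SCAN = [
    {"kind": "unpatched_os", "subject": "web-01.example.com",
     "detail": "kernel missing security update"},
    {"kind": "unpatched_os", "subject": "db-03.example.com",
     "detail": "kernel missing security update"},
]

# Authentication log lines (constructed format; 203.0.113.0/24 is an
# RFC 5737 documentation range standing in for an internet source).
AUTH_LOG = """\
2024-05-02T03:14:07Z sshd host=web-01.example.com user=jdoe src=203.0.113.7 result=accepted
2024-05-02T03:14:09Z sshd host=web-01.example.com user=svc-backup src=10.20.0.5 result=accepted
2024-05-02T03:15:30Z sshd host=api-02.example.com user=jdoe src=10.20.0.44 result=failed
"""

LOG_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_source(ip_text):
    """RFC 1918 or loopback counts as internal; everything else as external."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_loopback or any(ip in net for net in RFC1918)


def parse_auth_log(text):
    return [m.groupdict() for m in map(LOG_RE.search, text.splitlines()) if m]


def index_by_subject(findings):
    idx = defaultdict(list)
    for f in findings:
        idx[f["subject"]].append(f)
    return idx


def correlate(external, internal_scan, auth_log_text):
    """Return toxic-combination alerts; each names both halves of the pair so
    an analyst or a SOAR playbook can see why it was escalated."""
    ext, internal = index_by_subject(external), index_by_subject(internal_scan)
    alerts = []

    # Rule 1: one host carries an externally reachable vulnerability and an
    # internally detected unpatched OS (the vulnerability-management chain).
    for host, findings in ext.items():
        ext_vulns = [f for f in findings if f["kind"] == "known_vuln"]
        os_gaps = [f for f in internal.get(host, []) if f["kind"] == "unpatched_os"]
        if ext_vulns and os_gaps:
            alerts.append({"rule": "external_vuln_plus_unpatched_os", "subject": host,
                           "severity": "critical",
                           "evidence": [ext_vulns[0]["detail"], os_gaps[0]["detail"]],
                           "action": "patch both findings ahead of everything else"})

    # Rule 2: a credential reported as compromised was later accepted for a
    # login from a non-internal source (the SIEM/SOAR scenario).
    compromised = {s for s, fs in ext.items()
                   if any(f["kind"] == "compromised_credential" for f in fs)}
    for ev in parse_auth_log(auth_log_text):
        if (ev["user"] in compromised and ev["result"] == "accepted"
                and not is_internal_source(ev["src"])):
            alerts.append({"rule": "compromised_credential_used_externally",
                           "subject": ev["user"], "severity": "critical",
                           "evidence": [f"accepted login to {ev['host']} from {ev['src']}"],
                           "action": f"block {ev['src']}, reset the credential, review the session"})
    return alerts


if __name__ == "__main__":
    for a in correlate(EXTERNAL_FINDINGS, INTERNAL_SCAN, AUTH_LOG):
        print(a["severity"].upper(), a["rule"], a["subject"], "|", "; ".join(a["evidence"]))
```

Neither half of either pair would normally warrant a critical alert on its own; the join is what produces the escalation, and the `action` field is where a SOAR playbook would pick up the block-and-reset step the passage mentions.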
