Featured image by daniel_diaz_bardillo via Pixabay
Attack surfaces are all the different points where unauthorized or adversarial access can happen. These include workstations, Bring Your Own Devices, servers, websites, apps, app and web service servers, collaboration sessions, and shared files.
The best any organization can do is manage these attack surfaces and possibly reduce them. There are many instances, however, when an organization’s attack surfaces are greater than they should be. The following illustrates the ways attack surfaces become unnecessarily large and what an organization can do to control them.
This may sound like a given, but many organizations do not actually have a sound strategy to manage their attack surfaces. Many could not even identify what their attack surfaces are. Nor do they understand what to do to secure them.
Attack surface management, or ASM, can be undertaken manually. However, with the complexities of most organizations’ IT infrastructure nowadays, it is much more efficient to employ an automated attack surface management solution. The rise of DevOps, microservices, and other sophisticated setups and processes in modern-day organizations makes it extremely challenging to manage IT assets. Moreover, any of these can become attack points.
Effective attack surface management has the following main attributes:
- Continuous determination of an organization’s cyber-attack surfaces (asset and risk discovery)
- Monitoring of security controls at all times
- Continuous correction of defects and improvement of security controls
If it is not obvious enough, continuity is an essential ingredient in managing attack surfaces effectively. Many changes in an organization can happen in a matter of days or even hours. These changes can give rise to vulnerabilities that hackers can exploit. In fact, adversarial parties will waste no time in launching an attack. They will proceed with whatever defense-busting scheme they have patiently set up while they waited for the perfect time.
RELATED ARTICLE: 5 BIG BUSINESS PROBLEMS SOLVED BY THE CLOUD
Virtually every web-enabled device an organization uses can become a gateway for cybercriminals. From workstations to mobile phones and IoT devices, crafty bad actors can find ways to access IT resources. Once in, they steal data or introduce malware into a system through different kinds of hardware.
Also, non-hardware resources can become ways for attackers to compromise data or contaminate an organization’s network with malicious software. An unprotected form submission facility of an online marketplace, for instance, can serve as a gateway. Hackers can use it to infect an organization’s database with ransomware, spyware, and other kinds of malware. They can also target company websites or searchable online databases with cross-site scripting and other similar attacks.
Unprotected hardware, websites, and web apps appear as extremely broad attack surfaces. They are remarkably easy to target and penetrate. They allow cybercriminals to execute their nefarious plans with ease. Organizations must put in place sufficient protections. These include firewalls, antivirus software or malware shields, endpoint detection and response, and various other defenses.
It is not enough to simply install security controls. These controls also need to be tested to ensure that they work as expected and without glitches. No cybersecurity system can ever be flawless. Vulnerabilities can emerge in even the leading, most highly rated, and most expensive security solutions.
The effect of the installation of security controls in an organization’s security posture is significantly bolstered by a thorough security testing or validation process. It ascertains that all software defense tools are properly updated or patched. It also addresses misconfigurations and the lack of optimization in security settings. Furthermore, it minimizes the vulnerabilities attributable to human error.
Automated and continuous security validation platforms are usually preferable. This is especially true for organizations that operate on-premises resources, cloud solutions, and multi-cloud environments, as well as hybrid infrastructures. These platforms typically integrate the MITRE ATT&CK framework to benefit from the latest cyber threat intelligence. This is particularly the case for yet-to-be-identified tactics and techniques for penetrating security controls.
Old workstations, operating systems, and software that are no longer covered by compulsory security updates should be retired and taken out of an organization’s network. They are not only inefficient; they can also expand attack surfaces.
Old workstations that cannot run Windows 10 or 11 should be eliminated, even if they still operate with a somewhat decent performance. Microsoft’s official announcement to stop updates and support for older versions of the Windows OS should be enough reason to stop making do with old hardware. It makes little sense to avoid new hardware expenditure at the expense of greater security risks.
Similarly, organizations must retire old servers, virtual machines, and containers if they are no longer compatible with the latest security updates. More often than not, their utility in an organization is already insignificant. Usually, new resources can take over whatever usefulness they still have. Together with these steps, it is also important to close unnecessary or misconfigured ports.
Moreover, a good security posture dictates the need to delete unused accounts across an organization’s IT infrastructure. These include dummy accounts used to test a new service, sandbox accounts and the entire sandbox itself. Additionally, delete the accounts of resigned or retired personnel as well as others that are no longer being used in the regular conduct of a business. Their respective users are no longer monitoring these accounts. Therefore, it will be difficult to notice if adversarial parties have taken them over. It might also be possible that an insider who is trying to sabotage an organization’s operations could be using them.
Lastly, it is advisable to implement a policy of least privilege access (POLP). This means having an overarching policy of only providing just the right amount of access or privileges to a user or team to complete a specific task. This policy can be enforced by implementing a PAM solution.
Some may complain that this kind of policy is too restrictive. They may say this can potentially create unnecessary delays. It is true that a user or team may have to repeatedly request more privileges as they go through steps where their access rights are less than they require.
The delays do not have to exist, though, if an organization has a proficient IT or cybersecurity team who can accurately evaluate the IT resource needs for specific tasks or projects. Determining just the right amount of IT resource privileges should not be that difficult for an organization with competent people. If they lack the competence, the entire cybersecurity posture of an organization is already at risk from the get-go.
Besides, granting new privileges or elevating access rights is nowhere as difficult as undertaking remediation and mitigating courses of action when there are security breaches because of over provisioning.
RELATED ARTICLE: SHARED HOSTING VERSUS CLOUD HOSTING
Minimizing an organization’s attack surfaces is an important part of optimizing its security posture. It’s a matter of efficiency, clearer security visibility, and more effective security controls. Reducing attack surfaces translates to reductions in resource allocation for security controls and organizational oversight.
This is achievable with a good automated ASM platform, installing and validating essential security controls, getting rid of unused and unmonitored hardware and accounts, and implementing a policy of least privilege access. These are relatively easy steps that guarantee a significant boost in an organization’s cyber defenses.
RELATED ARTICLE: HOW TO BECOME A CYBERSECURITY ENGINEER