Creating a successful security strategy to protect your organization involves continuous monitoring of the attack vectors.
Monitoring will provide the intelligence and data that can help identify vulnerabilities within systems that process information between your employees, customers, and partners.
This continuous, real-time surveillance will determine how you should map your attack surface and which security systems to implement for risk reduction across the attack surface.
In this article, we will review basic processes that you can implement to start mapping your attack surface.
Conduct Vulnerability Scanning
The first step in any type of scanning of your network is to identify your assets: basically, any device attached to your network, whether by cable or wirelessly, is something you need to know about.
Knowledge of what it is and how it is connected is a critical step in mapping out your attack surface.
Visibility Review
When scanning systems on your internal network, ensure all network subnets are accounted for, including production servers and DMZ IP addresses, so that every asset is identified and scanned.
This should include Internet of Things (IoT) devices as well as more traditional network-connected devices, such as printers.
IoT devices and printers often have vulnerabilities, and they probably aren’t patched anywhere near as often as your servers, laptops, and workstations are patched.
The value of vulnerability scanning isn’t just limited to internal systems on your network. If your company has a web presence, these systems need to be scanned regularly as well.
Scanning both internal and internet-facing systems provides visibility and detects flaws in application code that can be potentially exploited.
Assess Risks
Once completed, the vulnerability scan report will provide valuable insight into the state of your security program and risk score.
The scan report categorically ranks the findings by severity levels, typically on a scale of Low, Medium, High, and Critical.
The organization should have a policy that details how each severity finding should be prioritized for remediation, according to the risk level of the asset.
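As an added illustration (not code from the article) of such a remediation policy in practice, the Python below joins constructed scan findings with a constructed asset inventory, looks up a remediation window from a severity-by-asset-risk matrix, and produces a due-date-ordered queue; the SLA values, hostnames and findings are all invented for the example, and a host absent from the inventory is deliberately treated as High risk because the missing inventory entry is itself a gap.

```python
from datetime import date, timedelta

# Constructed policy matrix (not from the article): remediation window in days,
# keyed by finding severity and then by the risk level of the affected asset.
REMEDIATION_SLA_DAYS = {
    "Critical": {"High": 3, "Medium": 7, "Low": 14},
    "High": {"High": 7, "Medium": 14, "Low": 30},
    "Medium": {"High": 30, "Medium": 60, "Low": 90},
    "Low": {"High": 90, "Medium": 180, "Low": 365},
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed asset inventory: host -> business risk level of that asset.
ASSETS = {
    "web-01": "High",     # internet-facing web server
    "db-01": "High",      # database behind the web tier
    "print-03": "Low",    # office printer
}

# Constructed scan findings in the shape a scanner export typically has.
FINDINGS = [
    {"host": "web-01", "title": "TLS 1.0 enabled", "severity": "Medium", "found": date(2024, 1, 2)},
    {"host": "print-03", "title": "Default SNMP community", "severity": "High", "found": date(2024, 1, 2)},
    {"host": "db-01", "title": "Unpatched DB engine", "severity": "Critical", "found": date(2024, 1, 5)},
    {"host": "iot-cam-7", "title": "Outdated firmware", "severity": "High", "found": date(2023, 12, 1)},
]
TODAY = date(2024, 1, 20)  # fixed "today" so the example is reproducible


def prioritize(findings, assets, today):
    """Join each finding with its asset's risk level, apply the SLA matrix and
    return the remediation queue sorted by due date, then by severity.
    A host missing from the inventory is treated as High risk: an unlisted
    device is itself an inventory gap that has to be resolved."""
    queue = []
    for f in findings:
        in_inventory = f["host"] in assets
        risk = assets.get(f["host"], "High")
        due = f["found"] + timedelta(days=REMEDIATION_SLA_DAYS[f["severity"]][risk])
        queue.append({**f, "asset_risk": risk, "in_inventory": in_inventory,
                      "due": due, "overdue": due < today})
    queue.sort(key=lambda q: (q["due"], SEVERITY_ORDER.index(q["severity"])))
    return queue


if __name__ == "__main__":
    for item in prioritize(FINDINGS, ASSETS, TODAY):
        flag = "OVERDUE" if item["overdue"] else "due"
        print(f"{item['host']:<10} {item['severity']:<8} {flag} {item['due']}")
```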
Audit Accounts And Privileges
User accounts are necessary for employees to log on to network systems and perform their assigned job requirements.
Access to business systems and shared data is governed through access privileges.
A support engineer typically has higher privilege access than a help desk analyst.
A finance manager may utilize a privileged account based on his or her role to perform a bi-weekly function.
Accounts with administrative and elevated privileges are necessary for both business and IT functions but also represent a significant risk to your organization if there is a lack of identity management.
Privileged credentials in the hands of the wrong employee or a threat actor can lead to a host of security issues, including data breaches, infrastructure outages, and compliance failures.
Privileged accounts must be audited routinely for these reasons.
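The following Python is an added example (not from the article) of the kind of routine check such an audit performs: it walks a constructed directory export and flags privileged group membership that no one approved, privileged accounts with no logon inside a stale window, privileged accounts without a named owner, and disabled accounts that still hold privilege. Group names, users, the 90-day window and the approval list are all assumptions made for the example.

```python
from datetime import date

# Constructed policy data (not from the article): which groups count as privileged
# and which named users are approved to hold each of them.
PRIVILEGED_GROUPS = {"Domain Admins", "Server Operators", "Payroll-Admins"}
APPROVED_MEMBERS = {
    "Domain Admins": {"alice.sysadmin"},
    "Server Operators": {"bob.support"},
    "Payroll-Admins": {"carol.finance", "erin.former"},
}
STALE_AFTER_DAYS = 90
TODAY = date(2024, 3, 10)  # fixed "today" so the example is reproducible

# Constructed directory export, one record per account.
ACCOUNTS = [
    {"user": "alice.sysadmin", "groups": {"Domain Admins"}, "last_logon": date(2024, 3, 1), "owner": "alice", "enabled": True},
    {"user": "bob.support", "groups": {"Server Operators"}, "last_logon": date(2023, 10, 1), "owner": "bob", "enabled": True},
    {"user": "dave.helpdesk", "groups": {"Server Operators", "Helpdesk"}, "last_logon": date(2024, 3, 2), "owner": "dave", "enabled": True},
    {"user": "svc-backup", "groups": {"Domain Admins"}, "last_logon": date(2024, 3, 3), "owner": None, "enabled": True},
    {"user": "erin.former", "groups": {"Payroll-Admins"}, "last_logon": date(2023, 6, 1), "owner": "erin", "enabled": False},
    {"user": "frank.user", "groups": {"Staff"}, "last_logon": date(2024, 3, 1), "owner": "frank", "enabled": True},
]


def audit_privileged(accounts, today):
    """Return one finding per policy violation on accounts holding a privileged group:
    membership nobody approved, no logon within the stale window, no named owner,
    or a disabled account that still carries privilege (a cleanup gap)."""
    findings = []
    for a in accounts:
        privileged = a["groups"] & PRIVILEGED_GROUPS
        if not privileged:
            continue  # ordinary user account; out of scope for this audit
        for group in sorted(privileged):
            if a["user"] not in APPROVED_MEMBERS.get(group, set()):
                findings.append({"user": a["user"], "issue": "unapproved-membership", "detail": group})
        if (today - a["last_logon"]).days > STALE_AFTER_DAYS:
            findings.append({"user": a["user"], "issue": "stale-privileged-account", "detail": str(a["last_logon"])})
        if a["owner"] is None:
            findings.append({"user": a["user"], "issue": "no-named-owner", "detail": None})
        if not a["enabled"]:
            findings.append({"user": a["user"], "issue": "disabled-but-privileged", "detail": ", ".join(sorted(privileged))})
    return findings


if __name__ == "__main__":
    for f in audit_privileged(ACCOUNTS, TODAY):
        print(f"{f['user']:<15} {f['issue']:<26} {f['detail'] or ''}")
```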
Identify All Points Of Success
Discover and identify each part of the organization’s digital footprint (websites, IPs, domains, services, certificates, apps, and data) across multiple environments: cloud, IT, IoT, mobile, social, brands, third parties, and infrastructure.
Everything needs to be collected and identified to achieve total visibility, enabling you to continuously update your asset inventory along with the risks and relationships across your digital footprint.
Perform Risk Assessments
A security risk assessment is an important tool that your organization can utilize to measure risk across your attack surface.
This assessment provides key metrics on how well your security strategy is performing.
Risk assessments can also be used to assess your third-party business partners to ensure their environment meets the same or similar compliance requirements of your organization.
Select An Appropriate Risk Assessment Framework
A risk management framework provides a road map of security controls that should be considered to reduce risk for the business.
It can help an organization evaluate the maturity of the security controls they have implemented and also recommend controls in areas of deficiency.
When considering a framework, ensure the view represents both high and low-risk areas that may be a target for an attack.
Another factor in determining a risk assessment framework is the vertical for your organization.
A highly regulated government agency may require a framework that may not meet the needs of a medical organization or vice-versa.
Understanding A Risk Assessment Report
The final risk assessment report will vary from one framework to the next; however, the common thread is that reports are typically organized into topics similar to the sections below.
Executive Summary
Details the results of the risk evaluation, and finally includes the recommended mitigation steps.
The executive summary typically includes four basic elements:
- Purpose of analysis
- Scope of analysis
- Assessment steps
- Findings summary
The scope of the risk assessment will vary based on who (or which third party) is conducting the assessment and the sector of the organization requesting it.
Data Inventory
Once your assets are discovered, it’s time to implement a digital asset inventory and classification system, also known as IT asset inventory.
This software-based solution typically provides continuous asset discovery and management.
With this information, organizations can quickly observe, communicate, and manage changes in their internet-facing assets to reduce risk across their attack surfaces.
In this section, we will learn how to classify assets and observe the risk of data breach on the assets within the inventory.
Identify Data Classification
This part of the exercise involves sorting and labeling the assets based on their type, technical characteristics and properties, business criticality, compliance requirements, or owner.
The items below are examples of common data classification and labeling techniques.
- Public – data accessible for public consumption, e.g., public websites or public reports containing non-proprietary information.
- Internal/FOUO (For Official Use Only) – anything not explicitly marked for public use.
- Confidential – data that can reveal operations or compromise security or competitiveness which might cause harm to a respondent or establishment if released.
- Secret – data that relates to company information that could severely damage the company if breached. This could be intellectual property, research information, or blueprints.
- Inventory data location – Know where your data is stored.
Every physical space in your facility should have a location name. This is critical in data centers where physical hardware is racked. Equipment in office space should also be labeled and documented.
Analyze Data Breach Risk
Data classification should match system classification, or be stricter.
Without classification, it can be difficult to understand what security issues each asset has and whether they are exposing information that could result in a data breach.
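To show how the classified inventory from the two sections above turns into a breach-risk check, here is an added Python example (not the article's code) that compares each data set's label with the label of the system holding it, using the article's four levels. It reports a mismatch in either direction (data labelled stricter than its host, or data labelled less strictly than its host) so that either the data label or the system's controls can be corrected, and it flags data whose host system is absent from the inventory; the systems, rack locations and data sets are constructed for the example.

```python
# Classification labels ordered from least to most restrictive, using the
# article's own levels (FOUO is treated as Internal).
LEVELS = ["Public", "Internal", "Confidential", "Secret"]

# Constructed system inventory (not from the article): classification and
# physical location, e.g. data-center rack or office room, of each system.
SYSTEMS = {
    "www-public": {"classification": "Public", "location": "DC1-Rack07-U12"},
    "hr-db": {"classification": "Confidential", "location": "DC1-Rack03-U04"},
    "rnd-share": {"classification": "Internal", "location": "Office2-Room310"},
}

# Constructed data inventory: each data set, its label and the system holding it.
DATA = [
    {"name": "marketing-site", "classification": "Public", "system": "www-public"},
    {"name": "employee-records", "classification": "Confidential", "system": "hr-db"},
    {"name": "cafeteria-menu", "classification": "Public", "system": "hr-db"},
    {"name": "prototype-blueprints", "classification": "Secret", "system": "rnd-share"},
    {"name": "old-export", "classification": "Internal", "system": "legacy-nas"},
]

def level(label):
    return LEVELS.index(label)

def required_system_level(data):
    """Strictest data label present on each system: what its own label must be compared against."""
    required = {}
    for d in data:
        current = required.get(d["system"])
        if current is None or level(d["classification"]) > level(current):
            required[d["system"]] = d["classification"]
    return required

def breach_risk(data, systems):
    """Report every data set whose label differs from its host system's label
    (with the direction and size of the gap) and every data set on a system
    missing from the inventory, where location and controls are unknown."""
    risks = []
    for d in data:
        host = systems.get(d["system"])
        if host is None:
            risks.append({"data": d["name"], "issue": "unknown-system", "system": d["system"]})
            continue
        gap = level(d["classification"]) - level(host["classification"])
        if gap != 0:
            issue = "host-below-data" if gap > 0 else "data-below-host"
            risks.append({"data": d["name"], "issue": issue, "system": d["system"],
                          "gap": abs(gap), "location": host["location"]})
    return risks
```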
Wrapping Up
Mapping your attack surface begins with vulnerability scans across all networked assets to identify potential vulnerabilities. Findings should be risk assessed based on severity, asset value, and compliance requirements. User accounts and privileges must be audited for over-privileged accounts.
Your full digital footprint needs to be identified across IT, cloud, mobile, third parties, etc. With asset visibility in place, perform risk assessments based on an established security framework. The final report will recommend mitigation steps.
Building a classified data inventory is key – knowing data locations enables proper protections. Data breach risk can be analyzed by mapping data to system classifications.
Overall, activities like scanning, auditing, risk assessments, and data inventories are essential for understanding and managing cyber risk exposures.