Author: Michael Swanagan, CISSP, CISA, CISM / Last Updated: 5/20/22
Reviewed by: Seth Kimmel, OSCP & Josh Allen
There are 6 strategies you can implement to reduce your attack surface: assuming zero trust, decreasing complexity, monitoring vulnerabilities, segmenting your network, using strong encryption policies, and training your employees.
What You’ll Learn
Understanding the attack surface of your business is an important step to properly securing your organization’s business architecture.
Any hardware asset, software system, business application, or mobile device that is indirectly or directly connected to the internet makes up what is known as the attack surface.
Threat actors continuously refine their techniques to exploit weaknesses in these systems, whether through human interaction or purely digital means, for financial gain and notoriety.
One of the primary goals of an effective cyber security program is to create as small an attack surface as possible without impacting business operations.
Once this goal is satisfied, it must be continuously monitored for effectiveness, since the global threat landscape is constantly changing.
In this article, we will define and identify the vectors or sources of the attack surface.
We will then discuss how to create a map of your attack surface, followed by strategic processes designed to help your organization effectively reduce risk across the mapped attack surface.
In short, you can reduce your attack surface by assuming zero trust, decreasing complexity, monitoring vulnerabilities, segmenting your network, using strong encryption policies, and training your employees.
By the end of this article, your organization will be in a position to implement a sustainable management program designed to reduce the attack surface of your business.
Let’s start first by defining the attack surface and how to identify yours.
The attack surface is the total of all possible points, or attack vectors, where an attacker can access a system and extract data.
Every access point that allows unauthorized access or actions adds to the total attack surface.
The assets and devices that comprise the attack surface can be in the form of digital or physical attack surfaces.
An attack vector is the path that a threat actor takes to exploit security vulnerabilities.
The attack vector path can take on multiple forms.
Attackers crawl public networks searching for vulnerable web components, such as unpatched software or default web security configurations.
The attack vector can be the result of allowing weak encryption ciphers, deprecated TLS/SSL settings, or expired web certificates.
Poor identity access management can also create an unexpected attack vector.
If an unauthorized user gains access to a system, they can elevate their privileges, which can lead to greater damage to business operations.
Let’s now look at a few examples of attack vectors and how to identify them.
An API is a software connection between computers or between computer programs.
It is a type of software interface, offering a service to other pieces of software.
Websites and mobile apps are built with APIs, which provide a large set of out-of-the-box functions and save programmers from writing that code themselves.
In most cases those APIs are hosted by a third party, which means that part of your software runs on someone else’s server.
A plug-in is an element of a software program that can be added to provide support for specific features or functionality.
Plug-ins are commonly used in Internet browsers but also can be utilized in numerous other types of applications.
This attack vector exists due to the possibility of data being sent out from your internal software systems to secondary programs without knowing exactly what information is exchanged, or how it is secured.
Unpatched software refers to computer code with known security weaknesses that can be exploited.
Once the vulnerabilities are known to the public, software vendors write additions to the application program known as “patches” to remediate the security “holes.”
Running unpatched software is a risky activity because by the time a patch emerges, the criminal underground is typically well-aware of the vulnerabilities.
This term is broad and can apply to a host of systems where credentials or permissions are required to access a system.
An example would be a business user logging on to an unsecured public wireless network to access sensitive corporate or personal data.
This scenario could allow a malicious user to hijack their session and steal credentials.
Authentication to a system that has inadequate roles or permissions defined is highly vulnerable to an attack.
A threat actor can infiltrate a system with your credentials to install code that can remain undetected for any length of time.
Misconfiguration vulnerabilities are configuration weaknesses that might exist in software subsystems or components and can cripple an organization by way of a ransomware attack.
Social engineering is an attack vector that relies heavily on human interaction.
This technique often involves manipulating employees within an organization or anyone with a personal computer/device connected to the Internet.
Threat actors use this attack vector to trick people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks, or physical locations.
Insider threat is one of the most common attack vectors.
Any employee within an organization can be susceptible to this threat simply by inadvertently exposing company data to someone not authorized to view it.
Conversely, a disgruntled individual with a nefarious motive may intentionally disclose confidential information, steal, or damage the reputation of an employee or the organization.
Creating a successful security strategy to protect your organization involves continuous monitoring of the attack vectors.
Monitoring will provide the intelligence and data that can help identify vulnerabilities within systems that process information between your employees, customers, and partners.
This continuous, real-time surveillance will determine how you should map your attack surface and which security systems to implement for risk reduction across the attack surface.
In this section, we will review basic processes that you can implement to start mapping your attack surface.
The first step in any type of scanning of your network is to identify your assets: basically, any device attached to your network, by cable or wirelessly, is something you need to know about.
Knowing what is connected, and how it is connected, is a critical step in mapping out your attack surface.
When scanning systems on your internal network, ensure all network subnets are accounted for, including production servers and DMZ IP addresses, so that every asset is accounted for and scanned.
This should include Internet of things (IoT) devices as well as more traditional network-connected devices, such as printers.
IoT devices and printers often have vulnerabilities, and they probably aren’t patched anywhere near as often as your servers, laptops, and workstations are patched.
The value of vulnerability scanning isn’t just limited to internal systems on your network. If your company has a web presence, these systems need to be scanned regularly as well.
Scanning both internal and internet-facing systems provides visibility and detects flaws in application code that could potentially be exploited.
Once completed, the vulnerability scan report will provide valuable insight into the state of your security program and risk score.
The scan report categorically ranks the findings by severity levels, typically on a scale of Low, Medium, High, and Critical.
The organization should have a policy that details how each severity finding should be prioritized for remediation, according to the risk level of the asset.
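As an added example (not PurpleSec’s tooling or code from the article), the prioritization policy described above can be expressed as a small scoring routine that combines the scanner’s severity rating with the asset’s criticality from the inventory and assigns a remediation deadline; the criticality scale, the SLA table and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not PurpleSec's tooling. The Low/Medium/High/Critical scale
# is the one the scan report uses; the asset criticality scale, the SLA
# table and the sample findings are constructed for illustration.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
CRITICALITY_RANK = {"low": 1, "medium": 2, "high": 3}
SLA_TABLE = ((9, 3), (6, 7), (4, 30), (2, 90), (0, 180))  # (min score, days)

@dataclass(frozen=True)
class Finding:
    asset: str
    check: str             # what the scanner reported
    severity: str          # Low / Medium / High / Critical
    internet_facing: bool  # reported by the external scan

def priority_score(finding, criticality):
    """Severity rank times asset criticality rank: 1 (Low finding on a
    low-value asset) up to 12 (Critical finding on a high-value asset)."""
    return SEVERITY_RANK[finding.severity] * CRITICALITY_RANK[criticality]

def sla_days(score, internet_facing):
    """Remediation deadline from the policy table; internet-facing hosts get
    half the time because they are probed continuously."""
    days = next(d for floor, d in SLA_TABLE if score >= floor)
    return max(1, days // 2) if internet_facing else days

def remediation_queue(findings, inventory):
    """Order findings highest priority first, each with its score and SLA.
    An asset missing from the inventory is treated as high criticality: an
    unknown asset is the gap asset discovery exists to close, so it must
    not be quietly deprioritised."""
    rows = []
    for f in findings:
        score = priority_score(f, inventory.get(f.asset, "high"))
        rows.append((f, score, sla_days(score, f.internet_facing)))
    rows.sort(key=lambda r: (-r[1], not r[0].internet_facing, r[2]))
    return rows

# Constructed sample data: inventory maps asset name -> criticality.
INVENTORY = {"web01": "high", "print07": "low", "hr-db": "high", "iot-cam3": "medium"}
FINDINGS = [
    Finding("print07", "default SNMP community string", "Medium", False),
    Finding("web01", "expired TLS certificate", "Medium", True),
    Finding("hr-db", "unpatched database engine", "Critical", False),
    Finding("iot-cam3", "default administrator password", "High", False),
    Finding("unknown-host", "outdated firmware", "Low", False),
]

if __name__ == "__main__":
    for f, score, sla in remediation_queue(FINDINGS, INVENTORY):
        print(f"{score:>2} {sla:>3}d  {f.asset:<13} {f.check}")
```

Note that a Medium finding on an internet-facing, high-value host ends up ahead of a High finding on a medium-value internal device, which is the point of weighting by asset rather than by scanner severity alone.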
User accounts are necessary for employees to log on to network systems and perform their assigned job requirements.
Access to business systems and shared data is governed through access privileges.
A support engineer typically has higher privilege access than a help desk analyst.
A finance manager may utilize a privileged account based on his or her role to perform a bi-weekly function.
Accounts with administrative and elevated privileges are necessary for both business and IT functions, but also represent a significant risk to your organization if there is a lack of identity management.
Privileged credentials in the hands of the wrong employee or a threat actor can lead to a host of security issues, including data breaches, infrastructure outages, and compliance failures.
For these reasons, it is imperative that privileged accounts be audited routinely.
Discover and identify each part of the organization’s digital footprint (websites, IPs, domains, services, certificates, apps, and data) across multiple environments: cloud, IT, IoT, mobile, social, brands, third parties, and infrastructure.
Everything needs to be collected and identified to get total visibility, enabling you to continuously update your asset inventory along with the risks and relationships across your digital footprint.
A security risk assessment is an important tool that your organization can utilize to measure risk across your attack surface.
This assessment provides key metrics on how well your security strategy is performing.
Risk assessments can also be used to assess your third-party business partners to ensure their environment meets the same or similar compliance requirements as your organization.
A risk management framework provides a road map of security controls that should be considered to reduce risk for the business.
It can help an organization evaluate the maturity of the security controls they have implemented and also recommend controls in areas of deficiency.
When considering a framework, ensure the view represents both high and low risk areas that may be a target for an attack.
Another factor in determining a risk assessment framework is the vertical for your organization.
A highly regulated government agency may require a framework that may not meet the needs of a medical organization or vice-versa.
The final risk assessment report will vary from one framework to the next; however, the common thread is that reports are typically organized into topics similar to the sections below.
Executive Summary
Details the results of the risk evaluation and includes the recommended mitigation steps.
The executive summary typically includes four basic elements:
The scope of the risk assessment will vary based on who (or which third party) is conducting the assessment and on the sector of the organization requesting it.
Once your assets are discovered, it’s time to implement a digital asset inventory and classification system, also known as IT asset inventory.
This software-based solution typically provides continuous asset discovery and management.
With this information, organizations can quickly observe, communicate, and manage changes in their internet-facing assets to reduce risk across their attack surfaces.
In this section, we will learn how to classify assets and observe the risk of data breach on the assets within the inventory.
This part of the exercise involves sorting and labeling the assets based on their type, technical characteristics and properties, business criticality, compliance requirements, or owner.
The items below are examples of common data classification and labeling techniques.
Inventory data location – Know where your data is stored.
Every physical space in your facility should have a location name.
This is critical in data centers where physical hardware is racked.
Equipment in office space should also be labeled and documented.
Data classification should match system classification, or be stricter.
Without classification, it can be difficult to understand what security issues each asset has and whether they are exposing information that could result in a data breach.
There are a few approaches you can take to reducing your attack surface, including:
The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred.
Zero Trust constantly limits access to only what is needed and looks for anomalous or malicious activity.
The items below are reference points that can be used to build a zero-trust system for your organization.
Identify and maintain an inventory of all assets within infrastructure:
To reduce the attack surface successfully, it bears repeating that you can’t protect what you don’t know.
It’s imperative that a complete inventory of all accounts, assets, and systems is up to date and documented accurately.
This inventory will identify out-of-date operating systems, legacy applications, and who and what requires access to systems within the organization.
Note the items below that should be considered to reduce complexity within the environment and simplify controls.
The most important aspect of a zero-trust architecture is to be able to continuously monitor your attack surface.
The tools used to support management of your attack surface must be able to alert on exposed assets and allow you to verify the successful remediation of a detected risk.
The items below provide direction on how to monitor the attack surface for vulnerabilities.
The term network segmentation has become a household name recently due to the prevalence of ransomware attacks spreading across organizations’ networks and crippling their entire network infrastructure.
In basic terms, segmentation refers to setting boundaries around certain areas and limiting access from one section to another, with the intention of preventing lateral movement in case of an attack.
This method isolates the attack to one area of the network, which in turn minimizes the attack surface.
The bullet points below provide additional information on why network segmentation is critical in managing the attack surface of your network.
Encapsulate systems and users based on data classification:
Simplify access controls with centralized management:
Articulate the purpose of network segmentation to peer teams and organization leadership:
Encryption policies provide the strategy that determines which data should be considered classified or sensitive, where it resides on the network, how it is accessed, which compliance requirements apply, how the encryption is applied, and other relevant information about the data at rest on a server or in a database.
Encryption is a powerful method for managing the attack surface, especially if data is leaked, lost, or moved outside of the organization.
The following items are basic steps that support a strong encryption policy.
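The three web-facing weaknesses named earlier as attack vectors (weak encryption ciphers, deprecated TLS/SSL settings, expired certificates) are exactly what an encryption policy should be checked against on every internet-facing host. The following is an added example, not the article’s or PurpleSec’s code: it evaluates constructed TLS posture records against constructed policy thresholds and reports only the hosts that violate them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not PurpleSec's tooling. The policy thresholds below and the
# sample postures are constructed; in practice the records come from your
# external TLS scanner for each internet-facing host in the asset inventory.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "anon")
CERT_EXPIRY_WARNING = timedelta(days=30)

@dataclass(frozen=True)
class TlsPosture:
    host: str
    protocols: tuple          # protocol versions the server accepted
    ciphers: tuple            # OpenSSL-style names of ciphers offered
    cert_not_after: datetime  # certificate expiry, timezone-aware UTC

def evaluate(posture, now):
    """Return the encryption-policy violations for one endpoint: deprecated
    protocols, weak ciphers, and an expired or soon-to-expire certificate."""
    issues = []
    for proto in sorted(posture.protocols):
        if proto in DEPRECATED_PROTOCOLS:
            issues.append(f"deprecated protocol {proto}")
    for cipher in posture.ciphers:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            issues.append(f"weak cipher {cipher}")
    remaining = posture.cert_not_after - now
    if remaining <= timedelta(0):
        issues.append("certificate expired")
    elif remaining <= CERT_EXPIRY_WARNING:
        issues.append(f"certificate expires in {remaining.days} days")
    return issues

def report(postures, now):
    """Map host -> violations, leaving out hosts that meet the policy."""
    found = ((p.host, evaluate(p, now)) for p in postures)
    return {host: issues for host, issues in found if issues}

NOW = datetime(2022, 5, 20, tzinfo=timezone.utc)  # constructed scan time
SAMPLE = [
    TlsPosture("www.example.com", ("TLSv1.2", "TLSv1.3"),
               ("TLS_AES_256_GCM_SHA384",), NOW + timedelta(days=200)),
    TlsPosture("legacy.example.com", ("TLSv1", "TLSv1.2"),
               ("RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"), NOW - timedelta(days=3)),
    TlsPosture("portal.example.com", ("TLSv1.2",),
               ("ECDHE-RSA-AES256-GCM-SHA384",), NOW + timedelta(days=12)),
]

if __name__ == "__main__":
    for host, issues in report(SAMPLE, NOW).items():
        print(host, "->", "; ".join(issues))
```

Run on a schedule alongside the external vulnerability scan, the output feeds the same remediation queue as other findings, and a host dropping out of the report is your verification that the fix landed.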
You may have heard it mentioned that the weakest link in an organization’s cybersecurity program is the person behind the keyboard.
That may be true to an extent, but what they do behind the keyboard is often a reflection of their security awareness, which points back to who is responsible for that awareness.
It’s the responsibility of the compliance and security teams to instruct their employees on how to quickly identify and react to phishing or social engineering attacks.
The employees should follow through as well on their security awareness training, so the accountability is two-fold.
Let’s see what can be done to prepare your employees for the attack that is referred to as the “human or physical attack surface.”
The final measurement to reduce the attack surface is analysis.
Security configuration assessments, traffic flow analysis, and quantitative risk scores are three common methods of analysis that can be extremely effective in reducing the attack surface.
An attack vector is the path or route that malware or malicious actor may use to compromise your network and access your data and services.
The attack surface encompasses all your company’s attack vectors.
In other words, your attack surface is the set of all possible methods an attacker may employ to compromise your network.
Attack vectors may include the following:
Simply defined, the human attack surface is the sum of all exploitable security holes or gaps created by humans within your organization.
Examples include the employee’s susceptibility to a phishing attack, and unintentional or intentional activities that expose corporate information to an unauthorized recipient.
The digital attack surface area encompasses all the hardware and software that connect to an organization’s network.
These include applications, software code, network ports, servers, and websites, as well as Shadow IT.
The frequency of assessing your attack surface depends on the identification of the attack vectors that exist within your organization.
The vulnerabilities associated with those attack vectors are continuously under attack; therefore, assessment of the attack surface should be continuous as well, to counter the constant flow of attacks from threat actors.
Many organizations incorporate real time monitoring and scheduled vulnerability scans to protect the infrastructure.
The main objective for any organization would be to continuously assess their attack surface.