
How To Reduce Your Attack Surface (6 Strategies For 2023)

 


Author: Michael Swanagan, CISSP, CISA, CISM / Last Updated: 5/20/22

Reviewed by: Seth Kimmel, OSCP & Josh Allen


There are 6 strategies you can implement to reduce your attack surface including assuming zero trust, decreasing complexity, monitoring vulnerabilities, segmenting your network, using strong encryption policies, and training your employees.


What You’ll Learn

 

  • What an attack surface is and why reducing it is important to securing your organization.
  • Common types of attack vectors threat actors use to compromise systems.
  • How to map your attack surface to ensure you’re continuously monitoring for attacks.
  • A step-by-step process for reducing your attack surface in 6 steps.

Understanding the attack surface of your business is an important step to properly securing your organization’s business architecture.

 

Any hardware asset, software system, business application, or mobile device that is indirectly or directly connected to the internet makes up what is known as the attack surface.

 

Threat actors today are continuously refining their techniques to exploit weaknesses within these systems through human interaction or digitally for financial gain and notoriety.

 

One of the primary goals of an effective cyber security program is to create as small of an attack surface as possible without impacting business operations.

 

Once this goal is satisfied, it must be continuously monitored for effectiveness, since the global threat landscape is constantly changing.

 


 

In this article, we will define and identify the vectors or sources of the attack surface.

 

We will then discuss how to create a map of your attack surface, followed by strategic processes designed to help your organization effectively reduce risk across the mapped attack surface.

 

In short, you can reduce your attack surface by assuming zero trust, decreasing complexity, monitoring vulnerabilities, segmenting your network, using strong encryption policies, and training your employees.

 

By the end of this article, your organization will be in a position to implement a sustainable management program designed to reduce the attack surface of your business.

 

Let’s start first by defining the attack surface and how to identify yours.

What Is An Attack Surface?

 

The attack surface is the total of all possible points, or attack vectors, where an attacker can access a system and extract data.

 

Every access point that allows unauthorized access or actions adds to the total attack surface.

 

The assets and devices that comprise the attack surface can be in the form of digital or physical attack surfaces.

 

  • Digital Attack Surface: Includes vulnerabilities found in connected hardware and software code, or applications. Threat actors thrive on this surface because they can remotely scan public-facing websites for open ports and crawl internet-exposed systems for weaknesses to exploit.
  • Physical Attack Surface: Includes vulnerabilities that an attacker can exploit if they have gained access to your network equipment, mobile devices, laptops, servers, USB devices, or any assets located within your server room or datacenter.

What Is An Attack Vector?

 

An attack vector is the path that a threat actor takes to exploit security vulnerabilities.

 

The attack vector path can take on multiple forms.

 

As stated previously, attackers crawl public networks searching for vulnerable web components, such as unpatched or default web security configurations.

 

The attack vector can be the result of allowing weak encryption ciphers, deprecated TLS/SSL settings, or expired web certificates.

 

Poor identity access management can also create an unexpected attack vector.

 

If an unauthorized user gains access to a system, they can escalate their privileges, which can lead to greater damage to business operations.

Examples of Common Attack Vectors

 

Let’s now look at a few examples of attack vectors and how to identify them.

 

API (Application Programming Interface)

 

An API is a software connection between computers or between computer programs.

 

It is a type of software interface, offering a service to other pieces of software.

 

Websites and mobile apps are built with APIs, which provide a large set of out-of-the-box functions and save programmers from writing that code themselves.

 

In most cases, those APIs are hosted by a third party, which means that part of your software runs on someone else’s server.

 

Plugins

 

A plug-in is an element of a software program that can be added to provide support for specific features or functionality.

 

Plug-ins are commonly used in Internet browsers but also can be utilized in numerous other types of applications.

 

This attack vector exists due to the possibility of data being sent out from your internal software systems to secondary programs without knowing exactly what information is exchanged, or how it is secured.

 

Unpatched Software

 

Unpatched software refers to computer code with known security weaknesses that can be exploited.

 

Once the vulnerabilities are known to the public, software vendors write additions to the application program known as “patches” to remediate the security “holes.”

 

Running unpatched software is a risky activity because by the time a patch emerges, the criminal underground is typically well-aware of the vulnerabilities.

 

Unsecured Access

 

This term is broad and can apply to a host of systems where credentials or permissions are required to access a system.

 

An example would be a business user logging on to an unsecured public wireless network to access sensitive corporate or personal data.

 

This scenario could allow a malicious user to hijack their session and steal credentials.

 

Misconfigured Authentication

 

Authentication to a system that has inadequate roles or permissions defined is highly vulnerable to an attack.

 

A threat actor can infiltrate a system with your credentials and install code that can remain undetected for an extended period.

 

Misconfiguration vulnerabilities are configuration weaknesses that might exist in software subsystems or components and can cripple an organization by way of a ransomware attack.

 

Social Engineering

 

Social engineering is an attack vector that relies heavily on human interaction.

 

This technique often involves manipulating employees within an organization or anyone with a personal computer/device connected to the Internet.

 

Threat actors use this attack vector to trick people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks, or physical locations.

 

Insider Threats

 

Insider threat is one of the most common attack vectors.

 

Any employee within an organization can be susceptible to this threat simply by inadvertently exposing company data to someone not authorized to view.

 

Conversely, a disgruntled individual with a nefarious motive may intentionally disclose confidential information, steal, or damage the reputation of an employee or the organization.

How To Map Your Attack Surface

 

Creating a successful security strategy to protect your organization involves continuous monitoring of the attack vectors.

 

Monitoring will provide the intelligence and data that can help identify vulnerabilities within systems that process information between your employees, customers, and partners.

 

This continuous, real-time surveillance will determine how you should map your attack surface and which security systems to implement for risk reduction across the attack surface.

 

In this section, we will review basic processes that you can implement to start mapping your attack surface.

Conduct Vulnerability Scanning

 

The first step in any type of scanning of your network is to identify your assets: basically, any device that is attached to your network, by cable or wirelessly, is something you need to know about.

 

Knowing what is connected, and how it is connected, is a critical step in mapping out your attack surface.

 

Visibility Review

 

When scanning systems on your internal network, ensure all network subnets are accounted for – production servers, DMZ IP addresses, and any other ranges – so that every asset is identified and scanned.

 

This should include Internet of Things (IoT) devices as well as more traditional network-connected devices, such as printers.

 

IoT devices and printers often have vulnerabilities, and they probably aren’t patched anywhere near as often as your servers, laptops, and workstations are patched.

 

The value of vulnerability scanning isn’t just limited to internal systems on your network. If your company has a web presence, these systems need to be scanned regularly as well.

 

Scanning both internal and internet-facing systems provides visibility and detects flaws in application code that could potentially be exploited.

 

Assess Risks

 

Once completed, the vulnerability scan report will provide valuable insight into the state of your security program and risk score.

 

The scan report categorically ranks the findings by severity levels, typically on a scale of Low, Medium, High, and Critical.

 

The organization should have a policy that details how each severity finding should be prioritized for remediation, according to the risk level of the asset.

 

Audit Accounts And Privileges

 

User accounts are necessary for employees to log on to network systems and perform their assigned job requirements.

 

Access to business systems and shared data is governed through access privileges.

 

A support engineer typically has higher privilege access than a help desk analyst.

 

A finance manager may utilize a privileged account based on his or her role to perform a bi-weekly function.

 

Accounts with administrative and elevated privileges are necessary for both business and IT functions, but also represent a significant risk to your organization if there is a lack of identity management.

 

Privileged credentials in the hands of the wrong employee or a threat actor can lead to a host of security issues, including data breaches, infrastructure outages, and compliance failures.

 

For these reasons, it is imperative that privileged accounts be audited routinely.

 

Read More: Privilege Escalation Attacks: Types, Examples, And Prevention

 

Identify All Points Of Success

 

Discover and identify each part of the organization’s digital footprint (websites, IPs, domains, services, certificates, apps, and data) and across multiple environments—cloud, IT, IoT, mobile, social, brands, third parties, and infrastructure.

 

Related Article: What Is Cloud Penetration Testing? (& When Do You Need It?)

 

Everything needs to be collected and identified to achieve total visibility, enabling you to continuously update your asset inventory along with the risks and relationships across your digital footprint.

 

Perform Risk Assessments

 

A security risk assessment is an important tool that your organization can utilize to measure risk across your attack surface.

 

This assessment provides key metrics on how well your security strategy is performing.

 

Risk assessments can also be used to assess your third-party business partners to ensure their environment meets the same or similar compliance requirements as your organization.

 

Select An Appropriate Risk Assessment Framework

 

A risk management framework provides a road map of security controls that should be considered to reduce risk for the business.

 

It can help an organization evaluate the maturity of the security controls that have been implemented and also recommend controls in areas of deficiency.

 

When considering a framework, ensure the view represents both high and low risk areas that may be a target for an attack.

 

Another factor in determining a risk assessment framework is the vertical for your organization.

 

A highly regulated government agency may require a framework that may not meet the needs of a medical organization or vice-versa.

 

Read More: How To Perform A Successful HIPAA Risk Assessment

 

Understanding A Risk Assessment Report

 

The final risk assessment report will vary from one framework to the next; however, most reports share a common structure with topics similar to the sections below.

 

Executive Summary

 

Details the results of the risk evaluation, and finally includes the recommended mitigation steps.

 

The executive summary typically includes four basic elements:

 

  • Purpose of analysis
  • Scope of analysis
  • Assessment steps
  • Findings summary

 

The scope of the risk assessment will vary based on who (or which third party) is conducting the assessment and the sector of the organization requesting it.

 

Data Inventory

 

Once your assets are discovered, it’s time to implement a digital asset inventory and classification system, also known as IT asset inventory.

 

This software-based solution typically provides continuous asset discovery and management.

 

With this information, organizations can quickly observe, communicate, and manage changes in their internet-facing assets to reduce risk across their attack surfaces.

 

In this section, we will learn how to classify assets and observe the risk of data breach on the assets within the inventory.

 

Identify Data Classification

 

This part of the exercise involves categorizing and labeling the assets based on their type, technical characteristics and properties, business criticality, compliance requirements, or owner.

 

The items below are examples of common data classification and labeling techniques.

 

  • Public – data accessible for public consumption, i.e., public websites or public reports containing non-proprietary information.
  • Internal/FOUO (For Official Use Only) – anything not explicitly marked for public use.
  • Confidential – data that can reveal operations or compromise security or competitiveness which might cause harm to a respondent or establishment if released.
  • Secret – data that relates to company information that could severely damage the company if breached. This could be intellectual property, research information, blueprints.

 

Inventory data location – Know where your data is stored.

 

Every physical space in your facility should have a location name.

 

This is critical in data centers where physical hardware is racked.

 

Equipment in office space should also be labeled and documented.

 

Analyze Data Breach Risk

 

Data classification should match system classification, or be stricter.

 

Without classification, it can be difficult to understand what security issues each asset has and whether they are exposing information that could result in a data breach.
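The check below, added here as an example and not part of the original article, runs over a constructed asset inventory and flags the breach-risk conditions this section describes: a classification label outside the scheme, data stored on a system classified below that data (the mismatch the text warns about), and non-public data with no recorded location. The inventory record layout (`system_class`, `data_classes`, `location`) is an assumption made for the example.

```python
# Classification labels as listed in the article, least to most restrictive.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def strictest(labels):
    """Return the most restrictive label among those given."""
    return max(labels, key=lambda label: RANK[label])


def analyze(inventory):
    """Return (asset_name, issue) pairs for breach-risk conditions in an inventory.

    Each asset record carries: name, system_class (the classification the system
    is built and protected to), data_classes (labels of the data stored on it),
    and location (rack, room or cloud region). Issues raised:
      - a label not in the classification scheme (cannot be reasoned about)
      - data classified above the system's own classification (under-protected)
      - no recorded location for an asset holding non-Public data
    """
    issues = []
    for asset in inventory:
        name = asset["name"]
        labels = [asset["system_class"], *asset["data_classes"]]
        unknown = sorted({label for label in labels if label not in RANK})
        if unknown:
            issues.append((name, f"unknown classification label(s): {unknown}"))
            continue
        top = strictest(asset["data_classes"]) if asset["data_classes"] else "Public"
        if RANK[top] > RANK[asset["system_class"]]:
            issues.append((name, f"holds {top} data but the system is classified "
                                 f"{asset['system_class']}"))
        if RANK[top] > RANK["Public"] and not asset.get("location"):
            issues.append((name, "no recorded location for an asset holding "
                                 f"{top} data"))
    return issues


# Constructed sample inventory (names, labels and locations are illustrative).
INVENTORY = [
    {"name": "hr-fileshare", "system_class": "Internal",
     "data_classes": ["Internal", "Confidential"], "location": "DC1-Rack04-U12"},
    {"name": "www", "system_class": "Public",
     "data_classes": ["Public"], "location": "cloud-us-east"},
    {"name": "rnd-git", "system_class": "Secret",
     "data_classes": ["Secret", "Internal"], "location": ""},
    {"name": "legacy-app", "system_class": "Restricted",   # label not in the scheme
     "data_classes": ["Internal"], "location": "Floor3-Closet"},
]

if __name__ == "__main__":
    for name, issue in analyze(INVENTORY):
        print(f"{name}: {issue}")
```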


Strategies And Best Practices For Reducing Your Attack Surface

 

There are several approaches you can take to reducing your attack surface, including the six steps below:

 

 

Step 1: Assume Zero Trust

 

The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred.

 


 

Zero Trust constantly limits access to only what is needed and looks for anomalous or malicious activity.

 

The items below are reference points that can be used to build a zero-trust system for your organization.

 

Identify and maintain an inventory of all assets within infrastructure:

 

  • Understand how the network is structured, i.e., network architecture diagrams
  • Document existing security tools or applications, determine feasibility and purpose
  • Create perimeters around every system and user (i.e., network firewalls, VPN technology)
  • Maintain strict access control based on identifying access types – understand your data, where it is, who can access, based on data classifications
  • Use multifactor authentication or MFA
  • Enroll devices into a system for identification and verification prior to accessing internal resources

 

Step 2: Decrease Complexity

 

To reduce the attack surface successfully, it bears repeating that you can’t protect what you don’t know.

 

It’s imperative that a complete inventory of all accounts, assets, and systems is up to date and documented accurately.

 

This inventory will identify out-of-date operating systems, legacy applications, and who and what requires access to systems within the organization.

 

Note the items below that should be considered to reduce complexity within the environment and simplify controls.

 

  • Reduce redundant or legacy software systems – ensure no end-of-life systems are on the network unless approved by senior leadership to retain.
  • Assign systems and users to groups
  • Use the “Least Privilege” principle
    • Users are only given access to a minimum of systems/software needed to complete the job
    • Applies to system and software access controls
    • Requires centralized user access management and secured secrets for access (password vaults)
  • Centralize access control management with an application or an Identity Access Management system

 

Step 3: Monitor Vulnerabilities

 

The most important aspect of a zero-trust architecture is to be able to continuously monitor your attack surface.

 

The tools used to support management of your attack surface must be able to alert on exposed assets and allow you to verify the successful remediation of a detected risk.

 

The items below provide direction on how to monitor the attack surface for vulnerabilities.

 

  • Perform continuous vulnerability monitoring – Implement a solution that allows for scheduling or ad-hoc scans of internal and internet exposed assets with complete reporting of severity grades and recommended remediation.
  • Ensure full network visibility – Understand the layout of the network, including all ingress/egress points.
  • Prioritize based on risk – This goes back to the asset inventory. Servers and the applications that reside on them should be prioritized according to business impact. Vulnerability scans can be created based on the pre-defined priority.
  • Remediation – Create a vulnerability remediation plan, or ensure the expectations are documented and approved in a policy.
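As an added example (not code from the article or from PurpleSec), the script below ties together the Assess Risks section and this step: it combines each scan finding’s severity with the asset’s risk level to produce a remediation priority, and compares two scan runs to verify which findings were actually remediated, which persist, and which are new. The priority tiers, SLA days, host names and check IDs are constructed for the example; the severity and asset-risk scales are the ones the article names.

```python
from dataclasses import dataclass

# Scales named in the article: scan finding severity and the asset's own risk level.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ASSET_RISK_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Assumed remediation policy: days allowed per priority tier (P1 is most urgent).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner's identifier for the check; values below are constructed
    severity: str


def priority(severity: str, asset_risk: str) -> str:
    """Combine finding severity with asset risk into a priority tier.
    Score is the sum of the two ranks: 7 (Critical on a High-risk asset) is P1."""
    score = SEVERITY_RANK[severity] + ASSET_RISK_RANK[asset_risk]
    if score >= 7:
        return "P1"
    if score >= 5:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def prioritize(findings, inventory):
    """Return (priority, sla_days, finding) tuples, most urgent first.
    A host missing from the inventory is treated as High risk: an unknown asset is
    an inventory gap and must not quietly receive a low priority."""
    rows = []
    for f in findings:
        tier = priority(f.severity, inventory.get(f.host, "High"))
        rows.append((tier, SLA_DAYS[tier], f))
    rows.sort(key=lambda r: (r[0], -SEVERITY_RANK[r[2].severity], r[2].host))
    return rows


def verify_remediation(previous, current):
    """Compare two scan runs keyed by (host, check_id) so a re-detected issue is
    not mistaken for a new one. Returns remediated, persisting and new keys."""
    prev = {(f.host, f.check_id) for f in previous}
    curr = {(f.host, f.check_id) for f in current}
    return {
        "remediated": sorted(prev - curr),
        "persisting": sorted(prev & curr),
        "new": sorted(curr - prev),
    }


# Constructed sample data: asset inventory and two consecutive scan runs.
INVENTORY = {"db-prod-01": "High", "web-dmz-02": "High", "printer-3f": "Low"}
SCAN_MAY = [
    Finding("db-prod-01", "12345", "High"),
    Finding("web-dmz-02", "20001", "Critical"),
    Finding("printer-3f", "30010", "Critical"),
    Finding("printer-3f", "30011", "Low"),
]
SCAN_JUNE = [
    Finding("db-prod-01", "12345", "High"),    # still open a month later
    Finding("printer-3f", "30011", "Low"),
    Finding("iot-cam-07", "40002", "Medium"),  # newly found, not in inventory
]

if __name__ == "__main__":
    for tier, days, f in prioritize(SCAN_JUNE, INVENTORY):
        print(f"{tier} (fix within {days}d): {f.host} {f.check_id} {f.severity}")
    print(verify_remediation(SCAN_MAY, SCAN_JUNE))
```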

 

Step 4: Segment Your Network

 

The term network segmentation has become a household name recently due to the prevalence of ransomware attacks spreading across organizations’ networks and crippling their entire network infrastructure.

 

In basic terms, segmentation refers to setting boundaries around certain areas and limiting access from one section to another, with the intention of preventing lateral movement in case of an attack.

 

This method isolates the attack to one area of the network, which in turn minimizes the attack surface.

 

The bullet points below provide additional information on why network segmentation is critical in managing the attack surface of your network.

 

Encapsulate systems and users based on data classification:

 

  • Ensure application traffic is encrypted between highly classified systems – including database systems.
  • Build network segmentation based on business roles and functions.
  • Encrypt traffic between on-premises data sources and cloud systems, i.e., Office365, Salesforce, Azure, and AWS.

 

Simplify access controls with centralized management:

 

  • Requires having robust network controls between segments.
  • This should include network IPS and IDS to monitor outgoing and incoming data for malware
  • Utilize a centralized tool to manage, log, and report metrics.

 

Articulate the purpose of network segmentation to peer teams and organization leadership:

 

  • Helps contain attacks.
  • If one environment is compromised it can’t impact others.
  • Stops the spread of malware.
  • Prevents elevation of access.
  • Easier to recover one segment than the entire infrastructure.
  • Create perimeters around groups of systems and data.
  • Access controls and monitoring between each segment.

 

Step 5: Use Strong Encryption Policies

 

Encryption policies set the strategy for protecting sensitive data: what data is considered classified or sensitive, where it resides on the network, how it is accessed, which compliance requirements apply, how encryption is applied, and other relevant details about the data at rest on a server or in a database.

 

Encryption is a powerful method that can be used to manage the attack surface especially if the data is leaked, lost, or moved outside of the organization.

 

The following items are basic steps that support a strong encryption policy.

 

  • Enforce strong encryption based on data classifications – Know your business vertical. Healthcare, the Payment Card Industry (PCI), and the Federal Government classify data differently and have different encryption requirements.
  • Use modern versions of cipher suites.
  • Replace legacy devices that don’t support modern encryption.
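The audit below is an added example, not code from the article: it checks an exported inventory of internet-facing endpoints against the policy points above and the attack vectors named earlier (deprecated SSL/TLS versions, weak cipher suites, expired or soon-to-expire certificates). The minimum TLS version, the weak-cipher marker list, the 30-day renewal window and the endpoint records are assumptions constructed for the example.

```python
from datetime import date

# Policy assumptions made for this example: TLS 1.2 is the oldest acceptable
# protocol, and certificates within 30 days of expiry are reported early.
MIN_TLS = (1, 2)
RENEWAL_WARNING_DAYS = 30
# Substrings that mark a cipher suite as weak or legacy (assumed policy list).
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")


def parse_version(name: str):
    """Map protocol names to comparable tuples: SSLv3 -> (0, 3), TLSv1 -> (1, 0),
    TLSv1.2 -> (1, 2), so every SSL version sorts below every TLS version."""
    if name.startswith("SSLv"):
        return (0, int(name[4:]))
    if name.startswith("TLSv"):
        major, _, minor = name[4:].partition(".")
        return (int(major), int(minor or 0))
    raise ValueError(f"unrecognised protocol name: {name}")


def audit_endpoint(endpoint, today: date):
    """Return the policy findings for one endpoint record."""
    findings = []
    for proto in endpoint["protocols"]:
        if parse_version(proto) < MIN_TLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for cipher in endpoint["ciphers"]:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {cipher}")
    expires = date.fromisoformat(endpoint["cert_not_after"])
    if expires < today:
        findings.append(f"certificate expired on {expires.isoformat()}")
    elif (expires - today).days <= RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires on {expires.isoformat()}, renew now")
    return findings


def audit(endpoints, today: date):
    """Audit every endpoint; a host with an empty list is compliant."""
    return {ep["host"]: audit_endpoint(ep, today) for ep in endpoints}


# Reference date for the sample run (the article's "last updated" date).
TODAY = date(2022, 5, 20)
# Constructed endpoint records, in the shape a scanner or inventory export might use.
ENDPOINTS = [
    {"host": "www.example.test", "protocols": ["TLSv1.2", "TLSv1.3"],
     "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
     "cert_not_after": "2023-01-15"},
    {"host": "legacy-vpn.example.test", "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
     "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"],
     "cert_not_after": "2022-04-30"},
    {"host": "printer-3f.example.test", "protocols": ["SSLv3"],
     "ciphers": ["AES128-SHA"], "cert_not_after": "2022-06-10"},
]

if __name__ == "__main__":
    for host, findings in audit(ENDPOINTS, TODAY).items():
        print(host, "->", findings or "compliant")
```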

 

Step 6: Train Your Employees

 

You may have heard it mentioned that the weakest link in an organization’s cybersecurity program is the person behind the keyboard.

 

That may be true to an extent, but their weakness and what they do behind the keyboard may be indicative of their security awareness – which points back to who?

 

It’s the responsibility of the compliance and security teams to instruct their employees on how to quickly identify and react to phishing or social engineering attacks.

 

The employees should follow through as well on their security awareness training, so the accountability is two-fold.

 

Let’s see what can be done to prepare your employees for the attack that is referred to as the “human or physical attack surface.”

 

  • Schedule and implement regular phishing simulations.
  • Provide security awareness videos to all employees.
  • Post security awareness tips in high traffic areas or internal web communications.

Frequently Asked Questions

How Do You Measure Your Attack Surface?

The final measurement to reduce the attack surface is analysis.

 

Security configuration assessments, traffic flow analysis, and quantitative risk scores are three common methods of analysis that can be extremely effective in reducing the attack surface.

What Is The Difference Between An Attack Vector And An Attack Surface?

An attack vector is the path or route that malware or a malicious actor may use to compromise your network and access your data and services.

 

The attack surface encompasses all your company’s attack vectors.

 

In other words, your attack surface is the set of all possible methods an attacker may employ to compromise your network.

 

Attack vectors may include the following:

 

  • Weak passwords
  • Shared passwords
  • Software vulnerabilities
  • Software misconfigurations
  • Denial of service
  • Stolen credentials
  • Phishing

What Is The Human Attack Surface?

Simply defined, the human attack surface is the sum of all exploitable security holes or gaps created by humans within your organization.

 

Examples include the employee’s susceptibility to a phishing attack, and unintentional or intentional activities that expose corporate information to an unauthorized recipient.

What Is The Digital Attack Surface?

The digital attack surface area encompasses all the hardware and software that connect to an organization’s network.

 

These include applications, software code, network ports, servers, and websites, as well as shadow IT.

How Often Should You Assess Your Attack Surface?

The frequency of assessing your attack surface depends on the identification of the attack vectors that exist within your organization.

 

The vulnerabilities associated with the attack vectors are continuously under attack, therefore, the assessment of the attack surface should be continuous as well to counter the constant flow of attacks from threat actors.

 

Many organizations incorporate real time monitoring and scheduled vulnerability scans to protect the infrastructure.

 

The main objective for any organization would be to continuously assess their attack surface.
