What is an Attack Surface And Are You Protecting It?
The rise in technology use by businesses, and the level of complexity required to run it, means that everyone is a target for cybercrime, and IT security is now more important than ever.
While no organisation can be completely safe from a cyber attack, they can reduce their attack surface area and ensure that they are cyber resilient in the face of an attack.
In this article, we’ll look at what an attack surface is, some of the common vulnerabilities organisations have, and the key tips for attack surface reduction and security.
What is attack surface?
Every organisation’s IT systems have areas that can be compromised, and that is the unprotected “surface” exposed to malicious activity (the “attack”).
NIST defines the attack surface as: “The set of points (attack vectors) on the boundary of a system, a system element, or an environment where an attacker (threat actors) can try to enter, cause an effect on, or extract data from, that system, system element, or environment.”
The fundamental IT security measure is to keep the attack surface as small as possible.
There are two types of attack surface:
1. Digital attack surface
This encompasses the software and hardware that connect to a business’s network: servers, websites and applications, all the points of access that a hacker could use to enter the system.
For example, if a company doesn’t regularly check whether its software is up to date, it can be carrying a vulnerability without knowing it and is at risk of criminal activity.
2. Physical attack surface
This type of attack surface typically refers to endpoint devices (laptops, mobile devices, USBs), but it carries another risk: the users themselves. The human attack surface is one of the weakest links in cyber security, and a very real threat to any organisation because of the errors employees can commit.
For example, if an employee uses a weak password, it can easily be hacked and your company data compromised this way.
What are attack vectors?
An attack vector is the method that a cybercriminal uses to penetrate the attack surface. It’s the way in to your company and the access to your sensitive data. For example, attack vectors can be phishing attacks, malware or compromised passwords.
How are attack vectors and attack surfaces related? The technique of gaining unauthorised entry to a system is an attack vector. The endpoint(s) an attacker uses to gain access is the attack surface. Common attack surface vulnerabilities include any security hole in a network that can result in a data breach through an attack vector.
A hacker checks the system for vulnerabilities, examines the attack surface and deploys an attack vector to get access. If successful, cybercriminals can steal sensitive data from your company.
What are attack trees used for?
Attack trees are a structured way for a company to look at a system from the point of view of a cybercriminal and to lay out the entry points as sequences of steps.
The attack tree method is used in penetration testing (pen-testing) where there is less information about the system.
The main difference between attack surface and attack tree is that an attack tree is the set of methods to defend against unauthorised users whereas an attack surface is the area which is used to attack a system.
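As an added illustration (not part of the original article), the sketch below models an attack tree with AND/OR nodes, lists every combination of steps that reaches the goal, and ranks which single mitigation blocks the most paths. The tree contents and the names Node, attack_paths and rank_mitigations are assumptions constructed from the vectors this article mentions.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    label: str
    kind: str = "LEAF"   # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    children: list = field(default_factory=list)

def attack_paths(node):
    """Return every set of leaf steps that achieves this node's goal."""
    if node.kind == "LEAF":
        return [frozenset([node.label])]
    child_paths = [attack_paths(c) for c in node.children]
    if node.kind == "OR":
        # Any one child's path is enough on its own.
        return [p for paths in child_paths for p in paths]
    # AND: pick one path from each child and merge the steps.
    return [frozenset().union(*combo) for combo in product(*child_paths)]

def rank_mitigations(tree):
    """For each leaf, count how many paths stop working if that leaf is fixed."""
    paths = attack_paths(tree)
    leaves = sorted({leaf for p in paths for leaf in p})
    counts = [(sum(1 for p in paths if leaf in p), leaf) for leaf in leaves]
    return sorted(counts, reverse=True)

# Constructed example tree (hypothetical, built from vectors named in the article).
TREE = Node("Steal customer data", "OR", [
    Node("Log in as an employee", "AND", [
        Node("Obtain credentials", "OR", [
            Node("phishing email"),
            Node("weak password guessed"),
        ]),
        Node("no MFA on login"),
    ]),
    Node("exploit unpatched server"),
    Node("unauthenticated API endpoint"),
])

if __name__ == "__main__":
    for path in attack_paths(TREE):
        print(" + ".join(sorted(path)))
    for blocked, leaf in rank_mitigations(TREE):
        print(f"fixing '{leaf}' blocks {blocked} path(s)")
```
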
5 common attack vectors in 2022
Now that we understand what attack vectors are, let’s take a look at the most common ones. Threat vectors commonly include social engineering attacks, vulnerability exploits (such as API security risks), credential stealing attacks, and insufficient protection (such as the lack of antivirus programs).
1. Phishing
Phishing attacks are a type of social engineering where, oftentimes, the target is sent a malicious link or attachment through email.
2. Malware
This type of threat vector refers to malicious software such as viruses, Trojans or ransomware. Ransomware is a form of extortion, such as what happened with the 2022 Optus data breach in Australia, or with WannaCry globally.
3. Weak or compromised credentials
One of the most common attack vectors is compromised passwords, which is directly linked to the human attack surface – employees using weak passwords and the organisation not employing safety measures such as MFA (multi-factor authentication) and training.
4. Lack of or poor encryption
Data encryption methods such as SSL certificates can prevent man-in-the-middle (MITM) attackers from viewing the data being transmitted. Missing encryption can lead to sensitive data being exposed. Put simply, encrypted data is protected data that can’t be read and stolen by hackers.
5. Unpatched software
Hackers actively search for vulnerabilities in software, servers and operating systems that have been overlooked by organisations.
What is attack surface management?
“Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organisation’s attack surface” (IBM). Unlike other security practices, ASM approaches the company’s attack surface security from the perspective of an attacker.
Why is attack surface management important? After mapping the attack surface area, it’s essential to keep monitoring your systems to minimise security risks now and in the future.
Here are some attack surface management benefits:
- Identify attack surfaces and entry points
- Identify high-risk areas and prioritise potential risks
- Identify changes
- Assess user privileges
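To show what identifying changes and prioritising high-risk areas can look like in practice, here is an added example (not from the original article) that compares two inventory snapshots of exposed services and ranks the differences. The hostnames, the snapshot format and the risk weights are constructed assumptions; real data would come from your own discovery scans.

```python
# Constructed inventory snapshots: (host, port) -> attributes.
# Hostnames use the reserved .example TLD and are not real systems.
BASELINE = {
    ("www.corp.example", 443): {"service": "https", "auth": True, "tls": True},
    ("mail.corp.example", 25): {"service": "smtp", "auth": True, "tls": True},
    ("ftp.corp.example", 21): {"service": "ftp", "auth": True, "tls": False},
}
TODAY = {
    ("www.corp.example", 443): {"service": "https", "auth": True, "tls": True},
    ("mail.corp.example", 25): {"service": "smtp", "auth": True, "tls": False},
    ("api-test.corp.example", 80): {"service": "http-api", "auth": False, "tls": False},
}

def risk(attrs):
    """Assumed scoring: missing authentication weighs 2, missing encryption 1."""
    score = 0
    if not attrs["auth"]:
        score += 2
    if not attrs["tls"]:
        score += 1
    return score

def diff_surface(old, new):
    """Return (change, endpoint, risk) tuples, highest risk first."""
    findings = []
    for key in new.keys() - old.keys():        # newly exposed entry points
        findings.append(("added", key, risk(new[key])))
    for key in old.keys() - new.keys():        # entry points that disappeared
        findings.append(("removed", key, 0))
    for key in old.keys() & new.keys():        # same endpoint, different settings
        if old[key] != new[key]:
            findings.append(("changed", key, risk(new[key])))
    return sorted(findings, key=lambda f: (-f[2], f[1]))

if __name__ == "__main__":
    for change, (host, port), score in diff_surface(BASELINE, TODAY):
        print(f"{change:8} {host}:{port} risk={score}")
```

The unauthenticated, unencrypted test API sorts to the top, which is the kind of entry point the Optus case below turned on.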
Optus data breach: how did the worst cyber attack in Australian history happen?
One attack surface example from 2022 is the recent Optus cyber attack.
According to journalist Jeremy Kirk, the attack was due to API security vulnerabilities. What this means is that Optus hadn’t checked their attack surface and didn’t find this entry point. All a hacker had to do was look, and there was no authentication needed for them to access all the data.
Implementing penetration testing protocols such as the NIST Cybersecurity Framework Penetration Testing could have helped Optus identify this vulnerability – and address it before a third party got access to sensitive data that affected about 10 million customers (40% of the population).
This event has harmed Optus’ reputation – with long-term consequences – and could cost the company millions of dollars.
How to reduce attack surface
With infrastructures getting more complex each day, and cybercriminals developing more sophisticated attacks, how can you protect your organisation?
These 5 tips are going to help you reduce the attack surface and mitigate risk in your organisation:
- Implement a zero-trust policy
- Simplify your network
- Deploy continuous attack surface testing
- Add barriers to block attackers (such as a firewall)
- Train your employees
Cybercrime is becoming more ruthless – and entrepreneurial. With their reputation on the line and so much sensitive data at risk, organisations can no longer afford to overlook their cybersecurity.
As a managed service and security provider, we are the team that can help you map out your attack surface, assess risk management and help protect your data from getting leaked on the dark web. Contact us today and we can create a solid strategy for your IT security.