Cyber asset attack surface management (CAASM) strategy

Organizations frequently find their IT infrastructure in a state of chaos and complexity. The sheer number of devices, diverse applications and operating systems, and the reliance on cloud services keep business moving forward, but they also make overall security much harder to maintain.

Managing a modern IT environment is crucial for protecting against threats and mitigating risk. The consequences can be severe if neglected, ranging from data breaches and financial losses to reputational damage and regulatory penalties.

In this post, we will dive into the topic of cyber asset attack surface management (CAASM), reveal where organizations are most vulnerable, and detail what needs to be included and considered when creating an effective strategy.

Evaluating the threat landscape of your attack surface

Previously, organizations protected their IT infrastructure with a castle mentality. With all their workstations and data on-premises, the focus was on putting up firewalls and physical barriers to keep cybercriminals out. With the advent of cloud services and the proliferation of device types, that perimeter no longer exists in any meaningful sense and the approach has become far less effective. Instead of merely building walls around assets, organizations now need a multilayered attack surface management strategy that reduces both the number of reachable entry points and the privileges each one carries. By shrinking the attack surface and limiting what each remaining entry point can reach, organizations make it harder for an attacker to gain a foothold and harder still to do anything useful with it.

The role of least privilege

When managing security, the goal is to minimize the attack surface: the number of points through which an attacker can enter your systems. Attackers often target individuals within your organization and then use that person's access to move laterally across the network until they find data worth stealing.

The principle of least privilege grants each user, service and system only the access strictly necessary for its job. By removing unnecessary access and disabling unused services, you reduce the opportunities an attacker has to exploit a vulnerability in your environment, and you limit the damage a compromised account can do.

Attack surface areas most susceptible to security breaches

Consider the scenario of a newly built server: services such as Samba file sharing and SSH access may be enabled by default, or left running after a one-off task. Each listening service is a potential vulnerability, and each computer running one is a potential entry point for an attacker. To counter this, inventory what is actually listening and disable anything that isn't required, which directly reduces the number of attack vectors.
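The audit the paragraph describes, as an added example that is not part of the original post: parse the output of the Linux `ss -tlnp` command, compare the processes that own listening sockets against an allowlist for the host's role, and produce the `systemctl` commands an operator would review before running. The sample `ss` output, the role allowlist and the process-to-unit mapping are all constructed for illustration.

```python
"""Audit listening TCP services against a per-role allowlist.

Added example (not from the original post). Parses the output of the Linux
`ss -tlnp` command, flags every listening socket whose owning process is not
on the allowlist for the host's role, and prints the commands an operator
would run to disable the unneeded units. Nothing is executed here.
The sample output, role allowlist and unit mapping are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: what `ss -tlnp` might print on a freshly built file server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1201,fd=35))
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*          users:(("smbd",pid=1201,fd=36))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=604,fd=7))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=401,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy: the only processes each server role is expected to expose.
ROLE_ALLOWLIST = {
    "file-server": {"sshd", "smbd"},
    "web-server": {"sshd", "nginx"},
}

# Hypothetical process-name to systemd-unit mapping; unit names vary by distribution.
UNIT_FOR_PROCESS = {"cupsd": "cups", "rpcbind": "rpcbind", "smbd": "smb", "sshd": "sshd"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# One LISTEN row: state, two queue counters, local addr:port, peer addr:port, users:(("proc",...
_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Return one Listener per LISTEN row; the header and malformed rows are skipped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return rows


def is_loopback(address: str) -> bool:
    return address.startswith("127.") or address in ("[::1]", "::1")


def unexpected_listeners(listeners: list[Listener], role: str,
                         include_loopback: bool = False) -> list[Listener]:
    """Listeners not on the role's allowlist. Loopback-only sockets are not reachable
    from the network, so they are left out unless include_loopback is set."""
    allowed = ROLE_ALLOWLIST[role]
    return [ln for ln in listeners
            if ln.process not in allowed and (include_loopback or not is_loopback(ln.address))]


def remediation_commands(listeners: list[Listener], role: str) -> list[str]:
    """systemctl commands for the network-reachable unexpected services, one per unit."""
    units = sorted({UNIT_FOR_PROCESS.get(ln.process, ln.process)
                    for ln in unexpected_listeners(listeners, role)})
    return [f"systemctl disable --now {unit}" for unit in units]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for listener in unexpected_listeners(found, "file-server", include_loopback=True):
        print(f"unexpected: {listener.process} on {listener.address}:{listener.port}")
    print("\n".join(remediation_commands(found, "file-server")))
```

On the constructed file server, `rpcbind` is the only network-reachable service outside the allowlist; `cupsd` is bound to loopback and only shows up when `include_loopback=True`, which is the right place to decide whether a local-only service still matters to you (it still counts for privilege escalation once an attacker is on the box). Run the same data against the `web-server` role and `smb` joins the disable list, which is the point: the allowlist is per role, not global.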

Beyond servers, other interconnected components such as partner networks or lab environments also pose risks. Any entity connected to your network becomes a potential entry point for attackers to reach your data.

Cloud-based systems

Your applications need to be hardened. Many applications today are cloud-based, and there has been a significant shift towards cloud-based infrastructure. However, moving to the cloud does not reduce your attack surface.

While cloud services are professionally managed and backed by robust security measures, they don't shrink your exposure to threats. If anything, with both on-premises and cloud-based systems in play, your attack surface is expanded. Cloud platforms have built-in security features, but under the shared responsibility model the provider secures the underlying platform while configuration, identities, data and the applications you deploy remain yours to secure. Shifting your operations to someone else's infrastructure doesn't absolve you of those responsibilities.

The cloud has great potential and uses, but it is not a silver bullet and does not automatically equate to a smaller risk profile. Due diligence remains essential, even in cloud-based environments.

Access rights

If you're involved in software development or sales, chances are you're part of a team with extensive permissions, some of which aren't necessary. Individuals may be logging into their workstations with administrator privileges instead of standard user accounts, so a single phishing email or malicious download runs with full control of the machine.

Companies often use VM templates for testing and development, but the security of those templates isn't always actively managed. Even a template that is regularly updated can carry vulnerabilities that nobody notices because the template itself is never scanned, and every VM cloned from it inherits them. Within development networks, resources spin up and down quickly to support the iterative nature of software development, and each one is a potential point of attack that malicious actors can leverage.

It's crucial for companies to thoroughly evaluate their attack surface, considering factors like remote access services, file sharing systems and network security. If not essential, these services should be turned off, or their permissions re-evaluated.

IoT devices

In modern offices, nearly everything is computerized. Light switches can be controlled through an app, and even security cameras can be linked to an app. The same applies to company buildings, where access systems are integrated with computer networks and databases. However, this interconnectedness also raises security concerns. The more devices that are connected to your main network, the more opportunities cybercriminals have to infiltrate systems that might be overlooked.

No matter how seemingly innocuous, any connected device can serve as an entry point for attack. There was an incident in Las Vegas where a casino was hacked through their smart fish tank. The fish tank, equipped with internet-connected sensors and controls, was used to gain access to the casino’s network and exfiltrate 10 gigabytes of data. It’s a reminder that even unexpected, peripheral devices can become a point of attack and need to be considered as potential vulnerabilities.

Infrastructure in mergers and acquisitions

When merging IT infrastructures after a company acquisition, there needs to be a comprehensive understanding of the existing infrastructure before integration. The integration process often reveals cybersecurity issues that you inherit from the acquired company. Keep the acquired environment on its own segmented network until you have performed due diligence and can merge the networks safely.

Barriers to timely patching

Several barriers can prevent patches from being applied promptly. One major issue is a lack of integration between the security team and the operations team. If these teams don't work closely together or report to a single C-level executive, conflicts follow: the security team insists on applying the patch to prevent a compromise, while the operations team resists because of concerns about disruption. For effective patch management, there needs to be a middle ground and tighter integration between security and operations, so that security measures are implemented without significantly disrupting operational activities.

How to develop an attack surface management strategy

With the increasing complexity of IT environments, securing all your endpoints has become a sophisticated challenge. Effective cyber asset attack surface management involves a comprehensive approach that includes understanding and managing all assets, gaining executive support, involving stakeholders across departments, and continually analyzing and updating security measures.

Evaluate current landscape

You can't secure what you don't know you have. Ask any IT administrator whether they know every asset in their environment, and an honest answer is almost always no. Understanding and managing endpoints is incredibly important, and the number of people who are aware of every IT asset in their environment is very small. A good strategy starts with a detailed inventory of all assets, built from more than one source (endpoint agents, network scans, cloud APIs, the CMDB) and reconciled so that nothing is overlooked.

Secure executive approval

To ensure success, you need buy-in from the C-suite. In most businesses, regardless of size, there’s likely already someone at that level who supports your initiatives. Engage with that person and other stakeholders to strengthen your case.

Engage stakeholders

It’s important to involve various departments — security, operations and even those on the business side. All stakeholders need to understand the risks, as any one of them can become roadblocks if they don’t see the value in what you’re doing. For instance, they might resist changes because current systems seem to work just fine. However, they need to understand the potential consequences.

An often-cited figure holds that 60 percent of small businesses hit by an attack go out of business within six months. Whatever the exact number, having a comprehensive business continuity and disaster recovery plan is crucial. Everyone needs to be engaged and understand the importance of these plans for the company's success.

Define objectives

If you’re starting from scratch, the first step is to educate yourself. If that’s not feasible, bring in an expert or hire a consulting firm to assist you. This can be particularly helpful if your business must meet compliance requirements, as you’ll have specific guidelines to follow.

Don’t rush into spending money without a clear plan. Investing in high-end tools won’t help if you haven’t covered the basics. Instead, address fundamental security measures first to make the most of your efforts. Implementing security in layers is one of the best strategies. Make sure you have a comprehensive plan in place before proceeding.

Review and update asset inventory

There are various checkpoints where you can restrict access. Segmented networks, combined with properly scoped accounts, prevent a user or an attacker who has compromised one segment from hopping to another. Effective planning in these areas is a crucial part of cyber asset attack surface management.

Make sure everything is properly patched. In many breaches the vulnerability exploited was months old, meaning a patch was available but never applied. Knowing your assets (not just Windows, but all third-party systems and applications) and keeping everything patched and up to date is crucial.
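The two checks described under "Evaluate current landscape" and here, as an added example that is not part of the original post: reconcile several partial views of the estate (CMDB, endpoint agent, network scan) to find hosts that one source knows about and another doesn't, then compare each installed package against a patch catalog and compute how long the fix has been available but unapplied. The hosts, packages, versions, dates and the patch catalog are all constructed; a real run would pull them from your CMDB, endpoint-management agent and vendor advisories.

```python
"""Reconcile asset sources and flag patches that have been available too long.

Added example (not from the original post). Two steps of an inventory loop:
  1. merge partial views of the estate (CMDB, endpoint agent, network scan) on a
     common host key and flag hosts that appear in one source but not another;
  2. for every installed package, compare the installed version with the fixed
     version and compute how many days the fix has been public but unapplied.
All hosts, packages, versions, dates and the patch catalog are constructed.
"""
from __future__ import annotations

import re
from datetime import date

# Constructed sources, keyed by hostname. In production key on a stable identifier
# (agent ID, MAC, cloud instance ID), because hostnames drift and get reused.
CMDB = {
    "fs01": {"owner": "infra", "role": "file-server"},
    "web01": {"owner": "web", "role": "web-server"},
    "dev-tpl": {"owner": "dev", "role": "vm-template"},
    "printer01": {"owner": "facilities", "role": "printer"},
}
AGENT = {  # endpoint-management agent: installed software per reporting host
    "fs01": {"openssh-server": "8.9p1", "samba": "4.15.5"},
    "web01": {"openssh-server": "9.6p1", "nginx": "1.24.0"},
    "dev-tpl": {"openssh-server": "8.2p1", "samba": "4.13.2"},
}
SCAN = {"fs01", "web01", "dev-tpl", "printer01", "fishtank-ctl"}  # hosts answering on the LAN

# Hypothetical patch catalog: package -> (fixed version, date the fix was published).
PATCH_CATALOG = {
    "openssh-server": ("9.6p1", date(2023, 12, 18)),
    "samba": ("4.15.13", date(2023, 7, 19)),
    "nginx": ("1.24.0", date(2023, 4, 11)),
}
AS_OF = date(2024, 3, 1)  # constructed "today" for the report


def version_key(version: str) -> tuple[int, ...]:
    """Crude comparable key: every run of digits as an int ('8.9p1' -> (8, 9, 1)).
    Adequate for dotted upstream versions; not a full distro version comparator."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reconcile(cmdb: dict, agent: dict, scan: set) -> dict[str, list[str]]:
    """Hosts that the sources disagree about; each list is sorted for stable output."""
    known = set(cmdb)
    return {
        "unmanaged": sorted(scan - known),       # on the network, unknown to the CMDB
        "no_agent": sorted(known - set(agent)),  # in the CMDB but reporting no software
        "offline": sorted(known - scan),         # in the CMDB, not seen on the network
    }


def stale_patches(agent: dict, catalog: dict, today: date, min_age_days: int = 0) -> list[dict]:
    """Installed packages behind the fixed version whose fix has been public for at
    least min_age_days, oldest fix first, then by host and package."""
    findings = []
    for host, packages in agent.items():
        for pkg, installed in packages.items():
            if pkg not in catalog:
                continue
            fixed, published = catalog[pkg]
            if version_key(installed) < version_key(fixed):
                age = (today - published).days
                if age >= min_age_days:
                    findings.append({"host": host, "package": pkg, "installed": installed,
                                     "fixed": fixed, "patch_age_days": age})
    return sorted(findings, key=lambda f: (-f["patch_age_days"], f["host"], f["package"]))


if __name__ == "__main__":
    print(reconcile(CMDB, AGENT, SCAN))
    for f in stale_patches(AGENT, PATCH_CATALOG, AS_OF, min_age_days=90):
        print(f"{f['host']}: {f['package']} {f['installed']} -> {f['fixed']} "
              f"(fix available for {f['patch_age_days']} days)")
```

The reconciliation output is where CAASM earns its keep: `fishtank-ctl` answers on the network but nobody owns it, and `printer01` is in the CMDB but runs no agent, so nothing is reporting its software. The patch-age report then shows the VM template (`dev-tpl`) carrying the oldest unapplied fixes, which is exactly the template problem described earlier: every VM cloned from it starts out behind.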

Create strategies for an effective security response

Even with great tools in place, if the information those tools provide is not acted upon, it becomes a problem. Target once suffered a major breach that cost them millions of dollars and significantly impacted their business. Although their systems alerted them to the problem and the active attack, they lacked properly skilled personnel to interpret the alerts and respond effectively.

If you don't have the right people in place to interpret what the tools report and make decisions quickly, it doesn't matter how much money you invest in security tools. If your team doesn't know when or how to respond, the investment won't be effective. Having the proper people and plan in place, and keeping a copy of that plan available offline, is vital during a crisis, because the systems that hold it may be the very ones that are down.

Perform a cost-benefit analysis of risk mitigation

Businesses can perform exercises to understand how much revenue is lost during downtime, especially for web-based operations. Knowing the potential financial impact and the likelihood of different threats allows for better risk assessment and decision-making. There are established methodologies and formulas for evaluating whether the cost of mitigating a risk is justified by the expected loss it prevents.

Allocating resources appropriately to protect against threats involves ongoing conversations and assessments to determine whether investments are worthwhile. Some companies skip patching third-party applications to save on service costs, thinking that patching Windows alone is sufficient. However, if ransomware enters through an unpatched application, the cost of not addressing that vulnerability can far exceed the savings.

Additional considerations for attack surface management

Assess and prioritize risks

Every organization's risk tolerance is unique. If an event is unlikely and would have only a minor impact, a business may choose to address it only after more urgent matters. However, if an event is rare but potentially devastating, an organization might proactively implement some risk mitigation without using up a lot of the budget.

At the other end of the spectrum, consider areas with significant risks. These include events that are likely to happen and will cause substantial losses — financial and otherwise. When evaluating IT projects, leaders should reflect on which projects received funding and which did not. Applying these risk profiles can provide a new perspective on the challenges and IT initiatives in place.

Assess how these projects measure up on the risk heat map. Are you focusing on projects that best defend against elevated risks and disruptions? This is a constant balancing act for all businesses that must be weighed against the risk of inaction. Consider the consequences of delaying a project until next year. Where does that fall on the risk matrix?

This thought process helps teams prioritize projects and establish reasonable timelines. Often, the ability to significantly reduce risk can accelerate implementation schedules.
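A worked version of the cost-benefit analysis and the heat-map prioritization from the two sections above, as an added example that is not part of the original post (which names no specific formula). It uses the standard quantitative definitions (single loss expectancy, annualized rate of occurrence, annualized loss expectancy and return on security investment) alongside a 5x5 likelihood-by-impact band, and ranks candidate projects by ROSI while keeping the band visible so that rare-but-devastating risks are not dropped on expected value alone. The risk register, control costs and reduction factors are constructed figures.

```python
"""Rank risk-mitigation projects with ALE, ROSI and a likelihood/impact heat map.

Added example (not from the original post, which names no specific formula).
Standard quantitative definitions used here:
  SLE  = single loss expectancy, the cost of one occurrence
  ARO  = annualized rate of occurrence, expected occurrences per year
  ALE  = SLE * ARO
  ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost
plus a 5x5 qualitative heat map. All risks, costs and reduction factors are
constructed figures.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float          # loss per incident (currency units)
    aro: float          # expected incidents per year
    likelihood: int     # 1 (rare) .. 5 (almost certain), for the heat map
    impact: int         # 1 (negligible) .. 5 (devastating)


@dataclass(frozen=True)
class Control:
    risk: str             # Risk.name this control mitigates
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of the ARO the control removes, 0..1


def ale(risk: Risk) -> float:
    return risk.sle * risk.aro


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment; negative means the control costs more per
    year than the expected loss it prevents."""
    if control.annual_cost <= 0:
        raise ValueError("control cost must be positive")
    before = ale(risk)
    after = before * (1 - control.aro_reduction)
    return (before - after - control.annual_cost) / control.annual_cost


def heat_map_band(risk: Risk) -> str:
    """Qualitative band from likelihood x impact; the thresholds are a policy choice."""
    score = risk.likelihood * risk.impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank_controls(risks: list[Risk], controls: list[Control]) -> list[dict]:
    """One row per proposed control, best ROSI first, with the heat-map band kept so
    that tail risks (high impact, low ARO) stay visible despite a poor ROSI."""
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk]
        rows.append({"control": c.name, "risk": r.name, "band": heat_map_band(r),
                     "ale": ale(r), "rosi": round(rosi(r, c), 3)})
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)


# Constructed risk register and candidate projects.
RISKS = [
    Risk("ransomware via unpatched third-party app", sle=250_000, aro=0.4, likelihood=4, impact=5),
    Risk("web store outage", sle=20_000, aro=2.0, likelihood=4, impact=3),
    Risk("office IoT device compromise", sle=50_000, aro=0.1, likelihood=2, impact=3),
]
CONTROLS = [
    Control("ransomware via unpatched third-party app", "third-party patching service", 15_000, 0.8),
    Control("web store outage", "redundant hosting", 30_000, 0.9),
    Control("office IoT device compromise", "segment IoT network", 8_000, 0.7),
]

if __name__ == "__main__":
    for row in rank_controls(RISKS, CONTROLS):
        print(f"{row['rosi']:>7.2f}  {row['band']:<8}  {row['control']}  (ALE {row['ale']:,.0f})")
```

With these figures, third-party patching returns about 4.3 times its cost, redundant hosting roughly breaks even, and segmenting the IoT network has a negative ROSI: on expected value alone it would not be funded. That is where the band and the organization's risk tolerance come in. A low-ARO, high-impact event (the casino's fish tank is the canonical case) can look unprofitable to mitigate right up until it happens, so the decision is made on the heat-map position and the appetite for that tail, not on the ROSI number by itself.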

Determine what success looks like for your organization

To determine what success looks like for a company's attack surface management, it's important to recognize that nearly every network is constantly being probed by automated scanners and ransomware crews, and some by nation-state actors as well. Just because a company hasn't been breached doesn't necessarily mean it is secure. Today's defenses may not be effective tomorrow, as attackers continually modify their tactics and tools. Relying solely on signature-based detection is insufficient, since attackers can easily change their scripts to avoid detection. Success in attack surface management is not static; it's about continuously improving and adapting your defenses.

One effective measure of success is third-party penetration testing. Hiring an external company to conduct penetration tests and measure your vulnerability can provide an objective view of your security posture. This testing helps identify weaknesses and tests the strength of your defenses. Success involves understanding and protecting your critical systems, and constantly practicing and evaluating your response strategies. It’s about making sure you are prepared to withstand attacks through real-time assessments.

Ultimately, success in cyber asset attack surface management is a constant improvement cycle. Security needs to evolve with new technologies and emerging threats. For instance, the increasing use of artificial intelligence (AI) in attacks is a growing concern that wasn’t on the radar a few years ago but is now mainstream. AI can be used to generate malicious scripts, making it easier for attackers to exploit vulnerabilities. Being able to adapt to these threats as they arise will ensure that you stay one step ahead.

Empower your team

Success also means investing in people and ensuring they are continuously learning. This means sending them to security conferences, providing on-the-job training and facilitating formal education opportunities. Bringing in experts to speak can also be beneficial. No one can stay on top of everything all the time, so fostering continuous learning is a key indicator of success.

Conclusion

Even if the task of creating an attack surface management strategy seems daunting, it’s best to just get started. It’s like the saying, “There is only one way to eat an elephant: one bite at a time.” The scope of the work might be overwhelming, but taking that first step is crucial, as many never do.

In today’s world, our lives are stored on computers and in databases. Every company relies on data to function, and if that data were lost, the consequences would be severe.

Managing data is essential for organizations to operate and understanding the importance of data management should motivate you to tackle this challenge step by step.

About the Author

James Rico

James Rico is a Senior Pre-Sales consultant at Quest Software specializing in the KACE product portfolio. For the past 12 years his focus has been helping customers with their endpoint systems management needs and specializing in ITAM, ITSM, imaging, and mobile device management. Prior to this, James was an entrepreneur in the alarm and digital video surveillance sector.
