If you try to keep up on the latest in IT and cyber-security, you are probably hearing a lot about Attack Surface Management (ASM). However, unless you work specifically in IT and/or cyber-security, you probably have not been able to make a lot of sense of what you’ve seen and heard. In short: your attack surface is all the different points a hacker can use to gain access to your critical data.
Your attack surface is defined from the hacker’s point of view, so everything that you have nice and locked up behind a firewall doesn’t count, assuming the firewall is configured correctly. The problem? People assume that just because they have a firewall, everything is safely behind it. That is extremely far from the truth. What is true is that a business’s attack surface is a constantly expanding thing.
Parts of an Attack Surface
There are four contributors to your attack surface:
- What you own and control (known assets): this includes websites, desktop and laptop computers, and servers.
- What you own but may not control (unknown assets): these are all your random sites or orphaned IT hardware set up for a variety of reasons and left unattended, outside the oversight of a security team.
- What you don’t own and only partially control (vendor assets): every application installed on your system falls in this category – if you didn’t program it, you cannot guarantee that it does not introduce access points to your system. Similarly, this includes all cloud storage; that data is no longer behind your firewall, so you do not KNOW how safe it really is.
- What you don’t own, don’t control, and probably don’t even know about (rogue assets): this includes employee-owned devices, malware, websites or applications that impersonate your domain, and the like.
Those are the “official” parts of an attack surface, and none of them includes the human factor. Even the most informed and alert of us are fallible – and there are a great many uninformed people out there. Make sure you and your employees understand and keep current on:
- how hackers gain access
- the importance of strong UNIQUE passwords
- the security protocols in place
- what to do in case of a breach
Obviously, you can reduce and heavily protect your known assets. Similarly, you can seek out and rein in most of the unknown assets. Finally, you can train and be trained about ongoing cyber-security issues. Unfortunately, that is only a fraction of your surface. For all practical purposes, it is impossible to eliminate your attack surface.
And So It Grows
Attack surfaces grow more than they shrink. The more third-party applications used, the bigger the surface. The more data saved to the cloud, the bigger the surface. Other contributors to the attack surface are remote/work-from-home users and older IT infrastructures.
Consider this: your business has all the latest and greatest in cyber-security, and then you go home and do a little work after dinner. Did all that security come home with you? Is the infrastructure in your home as solid as at your business? Bringing a work computer home opens it to attack, even if you do not access the work network. Similarly, accessing the work network from your home machine gives hackers a huge opening.
The flexibility that technology gives us also makes us more open to attack. Just about any “smart” aspect of your home, such as a remote thermostat, can be hacked. Remember, if you can access it remotely, so can someone else – especially because those items generally do not include robust security measures.
There’s another thing about technology that causes problems: it gets old and requires supervision. Out-of-date applications, old components, smart devices with out-of-date firmware, and unauthorized installations can all create additional access points to your sensitive data.
Manage Your Attack Surface
As you can see, unless you go completely off the grid, you cannot eliminate your attack surface. You can, however, manage it.
There are many things you can do to reduce your surface, such as:
- Uninstall unused or unnecessary applications
- Remove unused accounts
- Identify and secure employee personal devices that access company data
- Make sure all firmware and security applications are up to date
Additionally, there are multiple ASM applications out there that complement the security protocols you already have in place. Not every application is for every user, so make sure what you choose meets your needs and budget. Some key functions to look for:
- Automatic Discovery: with limited input, the application needs to continuously redefine the surface.
- Authentic Perspective: for the most part, hackers are not going to spend time on a complex attack route because there are easier targets out there, so the application needs to identify the easy hack points over the convoluted ones.
- Risk Prioritization: your chosen ASM needs to prioritize assets most likely to be attacked – again, most hackers are looking for an easy score.
- Understandable Results: if the data returned makes no sense, what good does it do you?
- Continuous Monitoring: because your attack surface is an ever-changing thing, your ASM needs to always be on.
- Real-Time Results: you should always be able to see what the application has found, and the application should alert you to critical issues immediately.
- Integration: if it will not interact well with the protocols you already use, look for another system.
As a small business owner, if you have any IT or cyber-security questions, contact Wade at Cantrell’s IT.