Remembering my childhood, I recall when riding your bicycle with anything more than a helmet made you seem weak. Kids scoffed and mocked the kids who were heavily protected by long-sleeves, pants, knee and elbow pads, gloves and a helmet. The scabbed knees and scars were worth not being on the receiving end of the teasing.
However, in today’s cyber environment, attack surface analysis informs cybersecurity planning. You need to be that heavily-protected kid. The scuffed knees and scars of yesterday are today’s millions of dollars of damage and potentially lasting harm to your company’s brand.
Attack Surface Analysis Informs Cybersecurity Planning
For the average business, there may be thousands of unique attack points. For example, one research study cites that “58% of companies have over 100,000 folders open to every employee”. Discovering these types of vulnerabilities is challenging and takes considerable resources.
However, it is
Attack surface analysis (ASA) informs cybersecurity planning by increasing awareness of your attack surface. It assesses the total number of exploitable vulnerabilities in a system, network, or other potential target. Most importantly, it allows you to see what you look like from the outside-in. Examples include open ports on outward-facing servers, expired certificates, services inside and outside the firewall, compromised employees with access to sensitive information, high-risk areas of code, and more.
First, ASA maps out what parts of a system need to be reviewed and tested for security vulnerabilities. Second, it identifies areas most at risk for exploitation. For example, one recent cybersecurity report cited that “millions of websites are still running versions of PHP that will make them vulnerable”. ASA flags these types of vulnerabilities so they can be addressed.
Finally, ASA explores ways to minimize any identified risks. You reach a level of ongoing management at which you notice when and how the Attack Surface changes. As a result, you can make security course corrections as necessary.
Three Attack Surface Categories to Consider
There are three basic Attack Surface categories to consider when performing ASA:
- Network Attack Surface
- Software Attack Surface
- Human Attack Surface
Even for those well-versed in ASA, it is common to focus on internal networks and overlook risks outside the firewalls. You may have analyzed and mapped open ports, looked at services inside the firewall, reviewed code protecting network paths and valuable data, and provided basic security awareness training to your workforce. Although these are components of an ASA, they do not cover your business’s entire Attack Surface.
To understand where your vulnerabilities lie and how you look from the outside-in, you need to analyze the entire attack surface. This includes expired certificates, patching, employee risks and threats (whether intentional or not), third-party components, Shadow IT, and more.
4 Key Questions to Ask About Your Attack Surface
Key questions to ask about your Attack Surface include:
- What vulnerabilities exist with your third-party vendors or supply chain?
- Which employees have access to sensitive company data? Do they have a need for that access?
- Have credentials and accesses been removed from departing employees?
- Have patches been applied, certificates renewed, and code reviewed?
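The outside-in items listed earlier (open ports, expired certificates, outdated software) and the four key questions above can be turned into a repeatable inventory check. The script below is an added example, not GPSG's code or tooling: it runs a small set of rules over a constructed asset and employee inventory and emits findings. The hostnames, people, port policy and minimum PHP version are assumptions made up for the example.

```python
# Added example (not GPSG's code): a minimal outside-in attack-surface
# inventory check over constructed sample data. It flags the items the
# post names: unexpected open ports, expired or soon-to-expire certificates,
# outdated software, departed employees who still hold credentials, and
# employees with access to sensitive data beyond what their role needs.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, object]  # (subject, issue, detail)


@dataclass
class Host:
    name: str
    open_ports: Set[int]
    cert_expiry: Optional[date] = None  # None: no TLS certificate on this host
    software: Dict[str, str] = field(default_factory=dict)  # product -> version string


@dataclass
class Employee:
    name: str
    active: bool            # False once the person has left the company
    accounts: Set[str]      # credentials still provisioned for them
    data_access: Set[str]   # sensitive data sets they can read
    needs_access: Set[str]  # data sets their role actually requires


# Policy values are assumptions for this example, not real advisories.
EXPECTED_PORTS = {443}          # anything else exposed to the outside is a finding
MIN_VERSIONS = {"php": (8, 1)}  # hypothetical minimum supported version
CERT_WARNING_DAYS = 30


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.4.33' into (7, 4, 33) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_hosts(hosts: List[Host], today: date) -> List[Finding]:
    """Network and software attack surface: ports, certificates, versions."""
    findings: List[Finding] = []
    for host in hosts:
        unexpected = host.open_ports - EXPECTED_PORTS
        if unexpected:
            findings.append((host.name, "unexpected-port", sorted(unexpected)))
        if host.cert_expiry is not None:
            days_left = (host.cert_expiry - today).days
            if days_left < 0:
                findings.append((host.name, "expired-cert", host.cert_expiry.isoformat()))
            elif days_left <= CERT_WARNING_DAYS:
                findings.append((host.name, "cert-expiring-soon", days_left))
        for product, version in host.software.items():
            minimum = MIN_VERSIONS.get(product)
            if minimum and parse_version(version) < minimum:
                wanted = ".".join(str(n) for n in minimum)
                findings.append((host.name, "outdated-software", f"{product} {version} < {wanted}"))
    return findings


def check_employees(employees: List[Employee]) -> List[Finding]:
    """Human attack surface: leavers with live credentials, access beyond need."""
    findings: List[Finding] = []
    for person in employees:
        if not person.active and person.accounts:
            findings.append((person.name, "departed-with-credentials", sorted(person.accounts)))
        excess = person.data_access - person.needs_access
        if excess:
            findings.append((person.name, "access-beyond-need", sorted(excess)))
    return findings


def run_example() -> Tuple[List[Finding], List[Finding]]:
    """Constructed inventory: hostnames, people and versions are made up."""
    today = date(2024, 5, 1)
    hosts = [
        Host("www", {443}, date(2025, 6, 1), {"php": "8.2.1"}),
        Host("legacy", {443, 22, 3306}, date(2023, 12, 31), {"php": "7.4.33"}),
        Host("mail", {443}, date(2024, 5, 15)),  # cert still valid but inside the warning window
    ]
    employees = [
        Employee("alice", True, {"vpn", "erp"}, {"payroll", "customers"}, {"payroll"}),
        Employee("bob", False, {"vpn"}, set(), set()),  # left the company, VPN account never removed
        Employee("carol", True, {"erp"}, {"customers"}, {"customers"}),
    ]
    return check_hosts(hosts, today), check_employees(employees)


if __name__ == "__main__":
    host_findings, employee_findings = run_example()
    for finding in host_findings + employee_findings:
        print(*finding)
```

Run against a real inventory, the two check functions are the part worth keeping; the value of the exercise is re-running them on a schedule so a new open port, a lapsed renewal or a leaver's lingering account shows up as a change in the findings rather than as a surprise.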
In conclusion, going beyond the typical information security checklist with attack surface analysis informs cybersecurity planning. So, go beyond the helmet and put on full ASA armor, eye-guards, the whole shebang. Don’t risk operating your security with only a helmet when you need full-body protection.
Contact GPSG at cyberteam@gpsg.co for a free consultation on Cybersecurity & IT Assessments and Compliance Readiness.
