Traditionally an attack surface was simple enough to understand and document. Accounting for all possible technical risk areas was pretty easy to do. Servers, Laptops, Desktops, Network devices, limited software. Done.
Naturally with the evolution of technology there has been significant change and growth to this attack surface and in many cases it extends beyond business-owned property. Now we must consider all of the above including (but not limited to) virtual devices, mobile devices, public and private cloud environments, containers, active directory, web applications, third party products & integrations, Application Programming Interfaces (APIs), bring your own device (BYOD) hosts. Any technology that accesses our network is our responsibility to ensure it is secure and safe, protecting our assets.
Most corporate environments today are comprised of some, or all, of the above which makes the task of securing the company assets a significantly more complex chore than ever before. Where to begin?
- If you don’t know what you own then you cannot appreciate the extent of your attack surface. Identifying all relevant assets within your responsibility can be done via a number of means:
- Using an attack surface management (ASM) tool
- Discovery scanning
- Passive discovery
- Using existing asset registers
Building an asset registry with all the above findings allows you to to visualise the full extent of assets owned or monitored by your business and ultimately within your realm of security responsibility. Using an IT asset management (ITAM) solution makes this easier to maintain in a dynamic environment.
- Evaluating your exposure through risk assessment and targeted scanning is a valuable and vital part of the security process. It doesn’t stop there however. In order to do a full assessment and draw a conclusive attack path for risk assessment purposes you will need to regularly do a minimum of:
- Fully credentialed vulnerability assessment scanning
- Active directory auditing allowing for any new, modified or updated policy changes that may expand your attack surface
- Web Application scanning and auditing
- Cloud environment access and configuration auditing
- Cloud environment asset scanning and assessment suitable for dynamic assets including those that only exist for brief moments. They may be a reduced risk but are still a risk.
- Internet of Things (IoT) asset auditing. Leaving operational technology (OT) and manufacturing environments aside for the sake of this article, all businesses have some level of IoT assets that are often ignored during the assessment process.
- Integration reviews and scanning of third party assets and applications including APIs
- Mobile device and BYOD scanning
This is a primary but not exclusive list of items for a typical company. There may be other asset types that require consideration that have been identified and the risk for these should be assessed also. Once all the information is collected then it is important to regularly measure and appreciate your exposure view, attack paths, compliance requirements and apply that to your business resources. You will inevitably have to make some decisions around what is an acceptable risk for your company as nothing is foolproof.
-
- Introduce an access control policy that aligns to a recognised body so that you can ensure a minimum recommended standard is in place. NIST IT Asset Management Practice Guide is a great place to start. Whilst the guide is aimed at the financial services industry, the majority is relevant to most industries. By reviewing and deploying conscious and considerate access control you can ensure that only the access relevant to your organisation roles is the access given to the individuals in those roles.
- Do the rest of the work involved in securing your organisation’s business continuity and assets:
- Ideally use a tool to help prioritise your patching to work to your business needs. Keep in mind that not all assets are equal and something that is critical for one business may be a mere blip for another when it comes to continuity of business operations.
- Asset Tracking. This is especially important for mobile assets that have company data on them. Having the means to identify if an asset is not in a location (eg country) that it’s supposed to be in can allow significant time for the business to react and remote destroy any information on that host.
- Alerts and Notifications for changes in asset qualities and role-based access control (RBAC) rules (event monitoring). Even if you have the resources to constantly patch and update assets and carry out non-stop maintenance ensuring that the most recent updates and security measures are in place, there is still a risk – the human factor. Enabling notification through event monitoring and asset tracking would ensure that you can get enough time to respond once something unusual happens. Knowing that a modification or change has happened when unintended or unapproved is vital at the time of the change so that the asset can be locked down or the change rolled back if in error.
- Disaster Recovery. Don’t just put backups and plans in place. Execute these on a regular basis so that you can ensure that it works. Even the best laid plans can fail sometimes and it’s better to do this in a trial run than a live incident.
With a consideration of the level of effort needed, it is possible to appreciate the true attack surface. It’s never as simple as often percieved and we have to make many decisions about what is an ‘acceptable’ risk. The common goal is to have 100% coverage / protection in place. The reality is that it’s rarely possible to do. The best position to be in is one of transparency. If you do all the above then you can make active and purposeful decisions. That is how you appreciate your attack surface.
