

3/23/2012
04:47 PM

Minimizing The Attack Surface Area A Key To Security

While many security experts lament the death of the network perimeter, the concept of attack surface area is still very much alive

Attackers looking for a way into a company's network have a lot of options: port scans, phishing attacks, and SQL injection have all been used to identify security weaknesses that can be exploited.

The latest tool that can inform both attackers and defenders is VPN Hunter, a website created by two-factor authentication firm Duo Security. The service, which went live on Thursday, lets anyone scan a company's domain for remotely accessible services that have entries in its DNS records. A search on a southern university listed two SSL virtual private networks (VPNs), a remote access port, and an Outlook Web server. Another search on a U.S. Department of Defense domain turned up an intranet gateway and another Outlook Web server.

"People are a little surprised that these services are so easy to discover," says Jon Oberheide, co-founder and chief technology officer for Duo Security. "It is so trivial for an attacker to do the same thing and start knocking on the door, whether that is guessing usernames and passwords or constructing more effective phishing campaigns."

The service underscores the importance for companies to detect, survey, and minimize the exposed ports, services, and interfaces into their internal network. In the world of software development, Microsoft popularized the concept of "attack surface area" as a measure of the attackability of a piece of software. In the network world, companies are increasingly using the term to discuss their vulnerability to outside attack.

In most cases, that vulnerability is only increasing, says Jody Brazil, chief technology officer for network-security management firm FireMon.

"I would say that [network vulnerability] is going in the opposite direction of, say, Windows," he says. "If you are thinking about consumerization of IT and employees bringing devices into the network, the risks may be getting less controlled rather than more."

As with application development, there are a number of ways to measure the attack surface area of a company's information systems. Where static scanning of applications reveals potential defects and vulnerable pathways in software, network discovery and analysis can uncover configuration issues, unpatched vulnerabilities, and rogue devices that affect a company's security. Where dynamic application scanning can positively identify exploitable flaws in software, penetration testing and other techniques can demonstrate critical vulnerabilities that could be used by attackers.

It's important for such products to "truly give you a picture of what you are choosing to expose to the network," says Brazil.

While many security experts have talked about the end of the network perimeter, thinking about the attack surface as the new perimeter can help companies better secure their networks and data, says Mike Lloyd, chief technology officer for RedSeal Networks, a provider of security intelligence and management products. For example, humans are a fundamental part of a company's attack surface, and with the consumerization of IT, people and their devices have become the new perimeter.

"Any device in your network that receives e-mail that a human looks at can be considered part of the attack surface area," he says.

Lloyd points out a spectrum of attack surfaces that a company can measure to determine its risk. Security managers can look at the potential paths into the network, or pair that with vulnerability information and attack data to create a prioritized list of attackable pathways. Finally, measuring the security awareness of a company's employees can help determine how difficult an attacker may find it to target them.

People are always going to be a weak point for companies and the hardest part of the attack surface to minimize, says Duo Security's Oberheide. "Attackers have certainly realized that the easiest way to get into a company is through the user," he says.

Education and training can make employees more difficult to phish, but attackers have improved their social engineering techniques. Most companies should consider multifactor authentication to further harden their workers against network-based attacks, he says.
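To make Lloyd's "prioritized list of attackable pathways" and Brazil's "what you are choosing to expose" concrete, here is an added example (not from the article or any of the vendors it quotes) that takes a constructed outside-in inventory for a hypothetical example.com, reconciles it against the exposures the organisation approved, and ranks the rest, weighting credential-based remote access without multifactor authentication most heavily. The hostnames, service data and weights are all assumed.

```python
# Constructed inventory for a hypothetical example.com: what an outside-in
# survey (DNS records plus service checks, as VPN Hunter does) would report.
DISCOVERED = [
    {"host": "vpn.example.com", "service": "ssl-vpn", "port": 443, "mfa": True},
    {"host": "vpn2.example.com", "service": "ssl-vpn", "port": 443, "mfa": False},
    {"host": "owa.example.com", "service": "owa", "port": 443, "mfa": False},
    {"host": "rdp.example.com", "service": "rdp", "port": 3389, "mfa": False},
    {"host": "www.example.com", "service": "http", "port": 443, "mfa": False},
]

# What the organisation chose to expose (hypothetical approved list).
APPROVED = {("vpn.example.com", 443), ("owa.example.com", 443), ("www.example.com", 443)}

# Services that take user credentials from the Internet; base weights are
# assumed values reflecting how attractive each is for password guessing.
CREDENTIAL_SERVICES = {"ssl-vpn": 3, "owa": 3, "rdp": 4}

UNAPPROVED = "not on approved exposure list"
NO_MFA = "credential login without MFA"


def prioritize(discovered, approved):
    """Score each exposed service and return the list highest-risk first."""
    findings = []
    for svc in discovered:
        score = CREDENTIAL_SERVICES.get(svc["service"], 1)  # plain web content scores 1
        reasons = []
        if (svc["host"], svc["port"]) not in approved:
            score += 3          # exposure nobody chose: rogue or forgotten service
            reasons.append(UNAPPROVED)
        if svc["service"] in CREDENTIAL_SERVICES and not svc["mfa"]:
            score += 2          # single-factor remote access is the phishing target
            reasons.append(NO_MFA)
        findings.append({"host": svc["host"], "service": svc["service"],
                         "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))


def summarize(findings):
    """Attack-surface metrics to track over time as services are removed or hardened."""
    return {
        "exposed_services": len(findings),
        "unapproved": sum(UNAPPROVED in f["reasons"] for f in findings),
        "no_mfa_remote_access": sum(NO_MFA in f["reasons"] for f in findings),
    }
```

Re-running the survey after each change and watching the summary counts fall is the measurable form of "minimizing the attack surface" the article describes.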


Comments
Bprince,
User Rank: Ninja
3/24/2012 | 2:27:52 AM
re: Minimizing The Attack Surface Area A Key To Security
eEye also put out a free tool recently to help organizations detect configuration errors and the like that contribute to security holes.
Brian Prince, InformationWeek/Dark Reading Comment Moderator