How would your security program run differently if your perspective were shaped around attack-surface reduction? It is a useful way to reframe how your organization approaches security, especially when it comes to implementing the same basic controls that continue to be your best line of defense against cyberattacks.
First off, what does "attack surface" mean? The term gets thrown around plenty within the infosec bubble, but are we all talking about the same thing? Start with the related term, attack vector. An attack vector is simply a path a bad actor can use to reach and exploit your systems, your networks, and your information: an unpatched service, a phishable user, an exposed management interface.
The attack surface, then, is just the sum of all the attack vectors for your organization — the total surface area of potential system exposure, be it systems in your data center, laptops in the field, cloud applications, connected industrial systems, or any combination of these hybrid environments you may have.
If It's Boring, You're Probably Doing It Right
Consider the latest breach headline you read: it almost certainly traces back to an exploited attack vector such as an unpatched vulnerability. So, what's new about attack vectors? Nothing. The breaches making headlines today come from the same issues we've been seeing in cybersecurity for the past 20+ years. They're the result of unpatched vulnerabilities, misconfigurations, lapses in system updates, human error, and other run-of-the-mill oversights. In 2020, much of the world is still behind on the unglamorous basics.
Let's face it: the basics are boring and often difficult to maintain. That's a tough combination to take on, especially when the cybersecurity industry touts a continuous stream of shiny new silver-bullet solutions meant to revolutionize the way systems are secured. No such thing exists.
New Environments, New Risks, Same Control
Every organization has a unique attack surface. But an increasing number of organizations have one thing in common: changing infrastructure. Modern enterprises are adopting new systems and rolling out new environments, including the cloud and the Internet of Things. The set of assets we need to protect keeps growing. We've always had to protect servers, laptops, endpoints, databases, and applications. Today we also have to cover cloud offerings: a very large, constantly evolving array of services spread across public and private cloud platforms.
New infrastructure means new attack vectors, which increases the organization's overall attack surface. This includes technology such as smart light bulbs, smart buildings, and other connected systems. But it's not just the surface; the ways people attack these systems are also evolving. The scale and complexity of cyberattacks both increase every year, with a growing number of disclosed vulnerabilities to match. With global breaches that expose millions of private records at once, it's plain to see that threat actors have quickly learned how to exploit the cloud on a level that would have been unfathomable a decade ago. The situation calls for security practitioners to ask how they can extend the coverage of their existing controls and visibility into these new environments.
What's the Cloud Got to Do with It?
Let's say you were an early adopter of public cloud storage using AWS S3 buckets. In that service's early days, far less attention was being paid to exploiting the technology. As more organizations adopted it, attackers paid correspondingly more attention to how it could be exploited, and the misconfigured, world-readable bucket became one of the most widely reported attack vectors. Your attack surface changes in relative importance, and sometimes in nature, based on the technology that others adopt as well.
For example, Orvibo, a manufacturer of IoT smart home devices, exposed 2 billion records, including customer information, over the Internet. Because all of these IoT devices connect to a common cloud environment that aggregates their data in one place, attackers get a single central point from which to reach all of these systems.
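The S3 scenario above comes down to one question: has anyone granted access to the bucket to everyone? The following is an added example, not code from the original article, that statically checks two places where that grant can hide, the bucket policy (a Principal of "*" or {"AWS": "*"} on an Allow statement) and the bucket ACL (grants to the AllUsers or AuthenticatedUsers groups). The policy and ACL documents below are constructed samples in the shape the AWS API returns, so the check runs offline; point it at the output of `get-bucket-policy` and `get-bucket-acl` for real buckets. Public-principal statements that carry a Condition are reported separately rather than ignored, because a condition such as aws:SourceVpce narrows the exposure but still deserves review.

```python
"""Flag S3 bucket policies and ACLs that expose a bucket to the public.

Added example with constructed sample documents; it does not call AWS.
"""
import json

# Pre-defined S3 groups that mean "everyone" or "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principals(principal):
    """Normalize the Principal element to a flat list of principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for value in principal.values():
            out.extend(value if isinstance(value, list) else [value])
        return out
    return [principal]


def public_policy_statements(policy):
    """Return (public, conditional): Sids of Allow statements granted to "*".

    A statement is 'public' when its principal is "*" (or {"AWS": "*"}) and it
    has no Condition; the same grant with a Condition lands in 'conditional'
    for manual review. Deny statements never widen exposure, so they're skipped.
    """
    public, conditional = [], []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        (conditional if stmt.get("Condition") else public).append(label)
    return public, conditional


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs granted to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


# Constructed sample policy: an unconditional public read, a VPC-endpoint-scoped
# allow, and a deny that only enforces TLS (bucket and VPC endpoint IDs are made up).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

# Constructed sample ACL: the owner's grant plus a world-readable grant.
SAMPLE_ACL = {
    "Owner": {"ID": "ownercanonicalid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "ownercanonicalid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


if __name__ == "__main__":
    public, conditional = public_policy_statements(SAMPLE_POLICY)
    print("unconditional public statements:", public)
    print("public-principal statements with a Condition (review):", conditional)
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

On the sample, the check reports PublicRead as unconditionally public, VpcOnly for review, and the AllUsers READ grant on the ACL. In practice the account-level and bucket-level Block Public Access settings override both documents, so treat a hit here as "exposed unless Block Public Access is on" and verify that setting as well.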
Today, the cloud is one of the biggest attack surfaces that organizations need to worry about. Many organizations are still at a very early maturity stage in their cloud adoption. So, whereas some companies in the financial sector, for example, have invested heavily in cloud security, companies in areas like manufacturing, retail, and healthcare are just starting to dip their toes into the cloud.
How to Approach Cybersecurity in the 2020s
The reality is that we're only getting more complexity with the advancement of new technologies and the proliferation of niche security startups. Combine the number of new security tools with the growing attack surface and the increase in attack vectors, and it's clear that the complexity of what we're trying to protect increases year over year. More complexity means more risk.
However, system complexity doesn't need to be a root cause of security failures if the right basic controls are enforced consistently across the entire environment. One of the most critical questions is whether you're using the right cybersecurity framework. Recently, there has been increasing adoption of the NIST Cybersecurity Framework, for example. Whether you're using NIST or one of the other frameworks out there (such as ISO 27002, the CIS Top 20 Controls, or IEC 62443), you need to understand that framework in depth and know how you are going to iterate and continuously improve security with it.
To be successful now, you must focus on your framework and on maturing in each security area, making sure you get the basics right first and foremost. Do those basics well, identify the gaps and invest in addressing them, and patch your vulnerabilities: the answer in 2020 is the same as the answer 20 years ago.