Dark Reading | Attacks/Breaches | Commentary
4/15/2020 10:00 AM
Dave Meltzer

Cybersecurity Prep for the 2020s

The more things change, the more they stay the same. Much of the world is still behind on the basics.

How would your security program run differently if your perspective was shaped around attack-surface reduction? It's a great way to reframe the way your organization approaches security, especially when it comes to implementing the same basic controls that continue to be your very best line of defense against cyberattacks.

First off, what does "attack surface" mean? This term gets thrown around plenty within the infosec bubble, but are we all talking about the same thing? The related term you most often hear is the attack vector. An attack vector really isn't much more than some avenue that a bad actor can use to exploit your systems, your networks, and your information.

The attack surface, then, is just the sum of all the attack vectors for your organization — the total surface area of potential system exposure, be it systems in your data center, laptops in the field, cloud applications, connected industrial systems, or any combination of these hybrid environments you may have.

If It's Boring, You're Probably Doing It Right
Consider the latest breach headline you've read: in some way or another, it relates back to an exploited attack vector such as an unpatched vulnerability. So, what's new about attack vectors? Nothing. The breaches making headlines today come from the same issues we've been seeing in cybersecurity for the past 20+ years. They're the result of unpatched vulnerabilities, misconfigurations, lapses in system updates, human error, and other run-of-the-mill oversights. In 2020, much of the world is still behind on the unglamorous basics.

Because let's face it: The basics are boring and often difficult to maintain. That's a tough combination to take on, especially when the cybersecurity industry touts a continuous stream of shiny new silver-bullet solutions meant to revolutionize the way systems are secured — if only such a thing existed.  

New Environments, New Risks, Same Control
Every organization has a unique attack surface. But an increasing number of organizations have one thing in common: changing infrastructure. Modern enterprises are adopting new systems and rolling out new environments, including the cloud and the Internet of Things. The range of assets we're trying to protect today is broader than it was in the past. We've always had to protect servers, laptops, endpoints, databases, and applications. Today that list has to expand to include cloud offerings: a very large array of services that are constantly evolving across shifting public and private cloud platforms.

New infrastructure means new attack vectors, which in turn increase the organization's overall attack surface. This includes technology such as smart light bulbs, smart buildings, and other connected systems. But it's not just the surface; the ways that people attack these systems are also evolving. The scale and complexity of cyberattacks are both increasing every year, with a growing volume of vulnerabilities to match. With global breaches that expose millions of private records at once, it's plain to see that threat actors have quickly learned how to leverage the cloud on a level that might've been unfathomable a decade ago. The situation calls for security practitioners to ask themselves how they can extend the coverage of their existing security infrastructure into these new system environments.

What's the Cloud Got to Do with It?
Let's say you were an early adopter of public cloud storage using AWS S3 buckets. In that service's early days, much less attention was being paid to exploiting the technology. But as more organizations adopt it, attackers pay correspondingly more attention to how to exploit it; your attack surface changes in relative importance, or in nature, based on the technology that others adopt as well.

For example, Orvibo, a manufacturer of IoT smart home devices, exposed 2 billion records of data, including customer information, over the Internet. Because all of these IoT devices connect to a common cloud environment that aggregates their data in one place, attackers get a single central point from which to break into all of these systems.

Today, the cloud is one of the biggest attack surfaces that organizations need to worry about. Many organizations are still at a very early maturity stage in their cloud adoption. So, whereas some companies in the financial sector, for example, have already invested heavily in cloud security, other companies in areas like manufacturing, retail, and healthcare are just starting to dip their toes into the cloud.

How to Approach Cybersecurity in the 2020s
The reality is that we're only getting more complexity with the advancement of new technologies, along with the growth of the security market itself as niche startups multiply. Combine the number of new security tools with the growing attack surface and the increase in attack vectors, and it's clear that the complexity of what we're trying to protect increases year over year. When you have more complexity, you have more risk.

However, system complexity doesn't need to be a root cause for security failures if the right basic controls are being enforced consistently across the entire environment. One of the most critical things to be aware of is whether or not you're using the right cybersecurity framework. Recently, there's been increasing adoption of the NIST cybersecurity framework, for example. Whether you're using NIST or one of the other security frameworks out there (such as ISO 27002, CIS Top 20, IEC 62443), you need to understand that framework in depth and know how you are going to iterate and continuously improve security with it.

To be successful now, you must focus on your framework and on maturing in different security areas, making sure you're getting the basics right first and foremost. Doing those basics right, identifying the gaps and investing in addressing them, and patching your vulnerabilities — the answer in 2020 is the same as the answer 20 years ago. 

David Meltzer is Chief Technology Officer at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies (www.tripwire.com). He began building commercial security ...

Comments

VerifyWithSMS, User Rank: Apprentice, 4/21/2020 | 6:48:32 PM
Re: good post, interesting content
Excellent content! +1

mpuig9406, User Rank: Apprentice, 4/19/2020 | 11:38:53 PM
good post, interesting content
good post, interesting content