Minimizing The Attack Surface Area A Key To Security

While many security experts lament the death of the network perimeter, the concept of attack surface area is still very much alive

Dark Reading Staff, Dark Reading

March 23, 2012

3 Min Read

Attackers looking for way into a company's network have a lot of options: Port scans, phishing attacks, and SQL injection have all been used to identify security weaknesses that can be exploited.

The latest tool that can inform both attackers and defenders is VPN Hunter, a website created by two-factor authentication firm Duo Security. The service, which went live on Thursday, allows anyone to scan a company's domain for remotely accessible services with entries in the domain lookup tables. A search on a southern university listed two SSL virtual private networks (VPNs), a remote access port, and an Outlook Web server. Another search on a U.S. Department of Defense domain turned up an intranet gateway and another Outlook Web server.

"People are a little surprised that these services are so easy to discover," says Jon Oberheide, co-founder and chief technology officer for Duo Security. "It is so trivial for an attacker to do the same thing and start knocking on the door, whether that is guessing usernames and passwords or constructing more effective phishing campaigns."

The service underscores the importance for companies to detect, survey, and minimize the exposed ports, services, and interfaces into their internal network. In the world of software development, Microsoft popularized the concept of "attack surface area" as a measure of the attackability of a piece of software. In the network world, companies are increasingly using the term to discuss their vulnerability to outside attack.

In most cases, that vulnerability is only increasing, says Jody Brazil, chief technology officer for network-security management firm FireMon.

"I would say that [network vulnerability] is going in the opposite direction of, say, Windows," he says. "If you are thinking about consumerization of IT and employees bringing devices into the network, the risks may be getting less controlled rather than more."

Like application development, there are a number of ways to measure the attack surface area of a company's information systems. Where static scanning of applications reveals potential defects and vulnerable pathways in software, network discovery and analysis can discover configuration issues, unpatched vulnerabilities, and rogue devices that impact a company's security. Where dynamic application scanning can positively identify exploitable flaws in software, penetration testing and other techniques can demonstrate critical vulnerabilities that could be used by attackers.

It's important for such products to "truly give you a picture of what you are choosing to expose to the network," says Brazil.

While many security experts have talked about the end of the network perimeter, thinking about the attack surface as the new perimeter can help companies better secure their networks and data, says Mike Lloyd, chief technology officer for RedSeal Networks, a provider of security intelligence and management products. For example, humans are a fundamental part of a company's attack service, and with the consumerization of IT, people and their devices have become the new perimeter.

"Any device in your network that receives e-mail that a human looks at can be considered part of the attack surface area," he says.

Lloyd points out a spectrum of attack surfaces that a company can measure to determine their risk. Security managers can look at the potential paths into the network or pair that with vulnerability information and attack data to create a prioritized list of attackable pathways. Finally, measuring the security intelligence of a company's employees can help determine how difficult attacker may find targeting employees.

People are always going to be a weak point for companies and the hardest part of the attack surface to minimize, says Duo Security's Oberheide. "Attackers have certainly realized that the easiest way to get into a company is through the user," he says.

Education and training can make employees more difficult to phish, but attackers have improved their social engineering techniques. Most companies should consider multifactor authentication to further harden their workers against network-based attacks, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights