Discover Your Exposure So You Can Protect It
Request a free hyper external attack surface scan today.
Webinar Jan. 18, 2023: Cybersecurity New Year’s Resolution – Go On the Offensive
Cybersecurity is an ever-present concern for businesses, particularly as the modern attack surface continuously expands and changes due to the shift to remote work in response to the COVID-19 pandemic, cloud adoption, and the growth of shadow IT, among other factors. Implementing the appropriate security control types for attack surface reduction is crucial for bolstering your company’s cybersecurity posture in the modern threat landscape.
Security controls are measures a company implements to reduce the attack surface, minimize or eliminate cybersecurity threats, and safeguard its sensitive data. They should be designed for risk mitigation. For example, employees should be required to take regular cybersecurity awareness training reducing the risk that they’ll fall victim to a phishing attack or other social engineering attack.
The attack surface is all of the possible points at which cyber attackers or unauthorized users can potentially access the system. It includes:
On the other hand, an attack vector is the method an unauthorized user or attacker leverages to gain access to or breach an application, account, or system. Attack vectors can include distributed denial of service (DDoS) attacks, malware, exposed assets, weak passwords, phishing, poor encryption, and more. In other words, the attack vector is how the attacker breaches a point of entry on the attack surface.
Security controls for attack surface reduction include measures to eliminate unnecessary points of entry on the attack surface, or to reduce vulnerabilities at points of entry on the attack surface by making them more difficult to breach.
Attack surface vulnerabilities are weak points on the attack surface that can result in a breach. Common attack surface vulnerabilities include:
Let’s take a look at some of the most effective types of security controls for attack surface reduction.
The layered security approach includes administrative controls, physical controls, and technical controls placed throughout the IT environment. Also known as defense in depth, the layered security approach creates a number of roadblocks that make it difficult for cybercriminals or unauthorized users to access sensitive data even if they successfully break through one of your defenses.
The principle of least privilege aims to provide each user with the proper level of access to systems and sensitive data but no more access than what is necessary to complete their tasks. It condenses the attack surface by limiting the access a cybercriminal would have should they successfully hack a user’s credentials. If a user has system-wide access, so, too, would a cyber attacker who gains access to their account.
It’s also crucial to reduce the entry points available to unauthorized users, such as restricting public access to certain company resources. For example, companies may limit access to knowledge bases or product demos that contain sensitive information or expose code to registered users and employees.
Similarly, the principle of least functionality operates on a minimum-necessary concept but in relation to system configuration rather than user access. Rather than limiting access, it limits the capabilities of a system to only those necessary to conduct authorized activities and prohibits or restricts the use of and access to any non-essential services and capabilities.
For example, if a device has only the essential software applications installed, services on, and ports open, it limits the potential means of attack for cybercriminals, reducing the size of the attack surface. Additionally, when a system has only the essential capabilities, it’s easier to maintain as there is less software to update and patch.
Zero-trust policies assume all assets and entities are untrustworthy and prohibit all communications between systems, applications, and services until their identity is properly verified. Zero-trust policies provide awareness of what assets are connected to the network and how they’re communicating — because if an asset’s identity cannot be verified, it won’t be permitted to connect or communicate with other assets.
Zero-trust strategies are among the most effective cybersecurity and attack surface reduction best practices. In fact, Industrial Cyber reports that the U.S. Department of Defense has adopted a zero-trust cybersecurity framework to reduce the attack surface while also supporting the need for secure data-sharing and risk management.
Network segmentation goes hand-in-hand with zero-trust policies. By putting blocks between different areas of your network or infrastructure, you create obstacles for potential cyber attackers. The attacker won’t automatically gain access to your entire network if one area is breached. Likewise, if a vulnerability in one area is exploited by inserting malicious code, the malware won’t automatically spread throughout the entire network. Network segmentation also allows you to apply more granular security controls to areas of the network and even specific endpoints.
A lack of network segmentation is the failure that made the NotPetya attack on Maersk, a global shipping company, so devastating. As soon as one element in Maersk’s network was breached, it had unfettered access to Maersk’s systems in every location around the world. It was so widespread that it shut down all the company’s IT systems, forcing the company to shut down by the end of the day. And it didn’t just impact Maersk but also spread to other companies, from hospitals to pharmaceutical companies and other logistics providers, resulting in $10 billion in damages.
Software applications should minimize exposed code to reduce vulnerabilities and limit the potential for attackers to exploit it. Eliminating outdated code and parameters that are no longer needed provides fewer opportunities for cybercriminals to target the application.
Reducing the amount of code executed by browsers and applications also limits opportunities for attackers. Functions that are unsafe or create vulnerabilities that are difficult to mitigate should be eliminated whenever possible.
Redundant functionality between systems and applications presents more potential entry points for attackers. Eliminating redundant functionality not only reduces the attack surface but also simplifies processes for users.
Unused and abandoned assets are an attack surface goldmine for cyber attackers, particularly if those assets have access to sensitive systems and data. Assets should be eliminated as soon as possible when no longer used or necessary.
Today, many applications and data reside in the cloud, and businesses can no longer rely on firewalls to prevent unauthorized users from accessing sensitive data. Unpatched software is one of the most common attack surface vulnerabilities exploited by attackers, and it’s also one of the simplest vulnerabilities to mitigate. Keep all systems and software up-to-date with the latest security patches to limit opportunities for cyber attackers.
More companies are using third-party services and implementing third-party functionality into software applications via APIs. Many of these third-party services have publicly available code that cyber attackers can easily exploit, and poorly designed APIs can also provide potential entry points for attackers. Minimizing the number of third-party services used and ensuring that APIs are adequately secured helps mitigate risk.
Disabling or eliminating any software and devices that are unused or no longer necessary reduces the attack surface by providing fewer endpoints for cyber attackers to exploit. Keeping the number of endpoints used is also a good practice for attack surface reduction.
Despite all of the technical vulnerabilities that can exist, humans remain the weakest link in cybersecurity. You can restrict users’ access to certain systems and data, but you can’t create a firewall that blocks every potential mistake a human makes. That’s why robust and ongoing employee cybersecurity awareness training is one of the most vital security controls you can implement for attack surface reduction.
Employees should be trained to recognize phishing attempts, understand why some data is sensitive, know the potential risks and vulnerabilities, and understand how to follow best practices for keeping sensitive data safe. There’s no way to prevent every human error, but you can reduce the likelihood of mistakes leading to data breaches with proper education and training.
Implementing security controls for attack surface reduction starts with defining your control objectives and goals, followed by attack surface discovery. A comprehensive attack surface management (ASM) solution like Cyberpion streamlines this process and provides the attack surface visibility needed to detect and mitigate vulnerabilities and risks adequately.
Cyberpion enables thorough supply chain discovery, conducting a rigorous attack surface inventory that includes:
Following discovery, an effective attack surface management solution evaluates your attack surface to help your security analysts determine what to update, what to mitigate, and what to retire, such as irrelevant, redundant, or no longer needed assets. Then, your ASM assesses the vulnerability and determines the most appropriate action items to secure those assets.
Implementing security controls for attack surface reduction is not an activity to conduct once (or even periodically), and assume that the controls you implemented will sufficiently protect your systems and networks. For most enterprises today, the attack surface is constantly expanding, with more vendors and services connected via the digital supply chain. An employee might use a new service, third-party services might move or reconfigure infrastructure, or data might be migrated to a different cloud server. Many changes can occur without the security team ever being aware of them.
To address the constantly changing attack surface, leverage a comprehensive ASM like Cyberpion for the continuous discovery of your company’s internet-facing assets, their connected digital supply chains, and shadow IT. Cyberpion continuously assesses the vulnerability and risk of discovered assets, determines the risk, and provides clear action items to accelerate mitigation.
Learn more about effectively managing your organization’s attack surface with Cyberpion by requesting a free attack surface scan today.
Request a free hyper external attack surface scan today.