Seven deadly sins hiding in the company’s attack surface

In mapping out the seven deadly sins of security teams, today’s columnist, Tamir Hardof of Cyberpion, writes that companies need to better understand the shared responsibility policy of the major cloud providers. (Photo by Sean Gallup/Getty Images)

 

Much like the world has changed around us, an organization’s attack surface looks different today than it did in the past. Organizational attack surfaces were once well-defined and internally-focused on each organization’s physical network. Digital transformation, innovation, and the passing of time have changed this. Today, interactions between employees, customers, stakeholders, and the organization are taking place online via web-based SaaS apps and cloud services.

Digital initiatives are increasing every organization’s online presence, with multiplying connections to external resources including cloud infrastructure, web applications from third parties, and the use of open-source software. Add to these conditions the shift to hybrid and work-from-home models, and the external attack surface at most organizations is now at least three times larger than their internal attack surface, and growing every day.

Wondering what the results of this ever-expanding organizational attack surface? New cyber risks and vulnerabilities keep IT and security professionals busier than they’ve ever been, as they try to expand the scope of protection for their businesses. Let’s dig into the most common cyber risks to keep aware of with a modern digital attack surface:

  • Not understanding the cloud’s shared responsibility model.

Cloud environments, whether public and private, offer a quick, easy, and often inexpensive way for organizations to modernize and grow their digital infrastructure. As organizations move further into the cloud, adopting Software-as-a-Service (SaaS) tools to improve business efficiencies and operations and keep pace with today’s digital transformation, they also open themselves up to increased risk.

The National Security Agency reports that the most common type of cloud-security vulnerability comes from misconfigurations within the cloud. Cloud service providers, like Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure, all use shared models of the responsibility for cloud security. The important word here being shared. Much of the responsibility for cloud security still remains with the organizations using these clouds and their IT departments. To make matters more complicated, the major cloud providers all have their own unique approach to sharing cloud security responsibility. The security components that an organization is responsible for when using GCP are very different from AWS, and so on.

  • Lax management of access control.

While all major cloud providers have improved their security over time, there are still ways for attackers to exploit vulnerabilities related to access control and authorization. Safeguards have been implemented to prevent unauthorized access to cloud infrastructure, however they are often inadequate. Weak authorization methods for accessing the cloud can actually allow attackers to elevate their privileges once they are in the cloud, expanding their access to sensitive data. Additionally, because of the ease of use and simplicity involved in cloud services today, less security-savvy professionals are now tasked with setting up IT servers and services in the cloud. This leads to inevitable oversights and misconfigurations in the cloud.

  • Vulnerable domain name systems.

The Domain Name System (DNS) became a part of online communications before the dawn of major cybersecurity concerns. That inherently makes it vulnerable to cyberattacks. Today, virtually every business uses a variety of DNS servers within its digital supply chain. Like any other asset or application, DNS servers have vulnerabilities that hackers can exploit. Attackers see DNS servers as an attractive target, hijacking them through vulnerabilities to gain an “insider” position of trust as the basis to then make any number of cyberattacks.

  • Not protecting web applications and third parties.

Every modern business today leverages web applications for business-critical operations. This means inputting and sharing sensitive data, including email addresses, passwords, and credit card numbers. These web applications interact with or connect to multiple third-party systems and services, increasing the attack surface by which this service can be accessed. Attackers know this, and keep a watchful eye out for attack vectors within direct and indirect digital supply chains, including vulnerabilities through SQL injections, privilege misconfigurations, and authentication flaws, to gain data access. It’s not just an organization’s own applications that need to stay properly protected, it’s every connected web application and third party.

  • Not locking down email servers.

Email remains one of the most popular forms of communication for a business between employees, customers, partners, and other stakeholders. The ease of access and use for email also leaves it so susceptible to a cyberattack. Every organization uses different internal and external email servers for daily communication, which means best practices for email cyber protection vary quite a bit from company to company or server to server. Cyber attackers are trained to recognize vulnerable email servers and launch takeover attempts. Once they gain access to an email server, they deploy email-based phishing attacks to anyone they can reach, including customers.

  • Losing control of shadow IT.

Shadow IT refers to the technology, including systems, software, applications, and devices used by an organization’s employees without the IT team’s approval. Shadow IT has grown substantially in recent years as employees log in to work from home on the most convenient device. Employees often create public clouds to migrate workloads and data without understanding the security standards and risks involved, and without the watchful eye of the organization’s security team. Sometimes, employees will misconfigure a public cloud while they create it, leaving vulnerabilities exploited. IT and security departments, meanwhile, remain none the wiser to these vulnerabilities and any attempted or successful breaches, because of the nature of Shadow IT.

  • Mismanaging assets.

Thanks in large part to the digital transformation, business operations are running at a faster rate than ever before. Many organizations still maintain ownership of and connectivity to servers, systems, and applications that have not been used in weeks, months, and even years. These assets use outdated software with known vulnerabilities that remain unpatched. Even as the organization updates software, and makes patches to vulnerabilities for the software currently in use, neglected and unmanaged assets remain available and open for cyberattacks.

Every modern organization’s digital attack surface continues to expand. This will remain the case for the foreseeable future. Businesses must take responsibility for their expanding digital attack surface and prioritize protecting it. This means gaining visibility into, and assessing vulnerabilities across all internet-facing assets and their connected digital supply chains. Then identify which vulnerabilities must get addressed, and take swift action to remediate these threats before they are exploited. We see new stories every day of what happens when these types of threats are left unaddressed. The damage remains done in these instances unfortunately, but serves as a continued reminder of what organizations must prioritize and protect, before it happens again.

Let Us
Show You.

Discover Your Exposure So You Can Protect It

Request a free hyper external attack surface scan today.