Understanding attack surfaces and how they influence your cybersecurity posture

RiskXchange has developed an innovative way to reduce an attack surface and allow organisations to manage it at the same time.

The attack surface of your organisation is the number of attack vectors that could be used to gain entry to launch a cyberattack or gain unauthorised access to private and sensitive data. This could include vulnerabilities in your staffing, network, physical or software environments. 

In simple terms, an attack surface is the window a cyberterrorist can use to gain access to sensitive data within your network. With a high number of data breaches being reported on a global scale, complex cybersecurity measures are needed to narrow the attack surface of any organisation. 

What are the types of attack surfaces?

Here are the three main types of attack surfaces:

1. Digital attack surface

2. Physical attack surface

3. Social engineering attack surface

Anything that houses or has access to business data, sensitive data, protected health information (PHI) or personally identifiable information (PII) should be well examined.

Digital attack surface

A digital attack surface is everything that lives outside of the firewall that is accessible through the internet. It can be easy for cybercriminals to hack into your organisation unless there are secure protective measures in place. 

Physical attack surface

There are additional risks that occur when an attacker gains physical access to your device or office. If they have physical access, it does not matter whether the device is connected to the internet or not. Think of physical access to an attacker as if they were able to gain access to your server room, office, or any other physical location. It should be protected in the best possible way. 

Social engineering attack surface

Your staff, the people that work in your organisation, are the most dangerous and often overlooked parts of any attack surface. Social engineering exploits human psychology and susceptibility to manipulate victims into revealing sensitive data and confidential information or performing an action that breaks ‘normal’ security standards. 

Attack surface analysis

Attack surface analysis maps out what parts of your organisation are vulnerable and what needs to be tested for further security vulnerabilities. It helps security teams minimize attack vectors. 

This analysis can be carried out by security teams, external risk assessors or attack surface management software. The software is an increasingly popular way of doing it, as it can continuously monitor infrastructure for both changes and newly found vulnerabilities and misconfigurations.

Internal vs External Attack Surface 

Attack surface can be divided into two main categories:  

1. OS Dependent (OSD) attack surface OR Internal attack surface 

OSD or internal attack surface vulnerabilities could either fall into the primary or secondary category depending on whether the point of attack is directly through OS or through an authorised application installed on the OS. 

The primary attack surface is one directly originating from the OS. The secondary attack surface originates from hardware, software or protocols that use OS resources to interface with the OS either directly or indirectly via a software or hardware bridge.  

2. OS Independent (OSI) attack surface OR external attack surface OR authentication/access control attacks 

The OSI attack surface can also be labelled the access control attack surface or the authentication attack surface. Authentication is not quite the same as access control: the authentication attack surface concerns identifying the user and confirming that they are who they say they are, while the access control attack surface concerns determining whether the user is allowed to carry out the action they are attempting to perform. On the OSI attack surface, the attacker does not target OS or application vulnerabilities but deploys password guessing strategies or brute force attacks, spoofed logon screens, man-in-the-middle (MITM) attacks, etc.

Attack surface and vulnerabilities 

One of the best ways to improve cybersecurity measures within your organisation is to reduce the attack surface of a system or software. Attack surface reduction can be broken down into the following ways: 

1) Reduce the amount of code running 

2) Reduce entry points available 

3) Eliminate services requested by a few users 

Leaving less code accessible to unauthorised actors tends to yield fewer failures and vulnerabilities. By switching off unnecessary functionality, there will be fewer security risks. Attack surface reduction helps prevent security failures, but it does not mitigate the amount of damage an attacker can inflict once a vulnerability is found. Cyber threat vectors can be opened upon new software deployment and make security operations more complex and vulnerable.  

Common vulnerabilities and exposures

Not only is your attack surface continually growing, but so is the severity of vulnerabilities, or CVEs (Common Vulnerabilities and Exposures). In 2019, data from the National Vulnerability Database (NVD) show roughly 22,000 CVEs, including Common Vulnerability Scoring System (CVSS) scores.

Open source and attack surface 

The use of open source components in the development of new applications increases the attack surface and therefore the vulnerabilities that come with it. Code reuse is a common practice in software, and it can leave areas wide open to attack on many surfaces.

Today’s software development strategy relies on building up software solutions using open source components from diverse sources. The trend has become one of the major reasons for the constantly expanding attack surface over the past decade.

On top of software development trends that lead to a larger attack surface, security experts are facing another vulnerability from hackers – the exploit speed.  

The time to exploit has shortened by 93%: it now takes only three days before a vulnerability is exploited, as opposed to 45 days in 2006. This means that professional cybercriminals can exploit a new CVE virtually as soon as it is released. What’s more, zero-day vulnerabilities, software security flaws that are known to the software vendor but do not have a patch in place to fix the problem, are now commonplace.

How RiskXchange can help reduce your attack surface

RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. We have developed an innovative way to reduce an attack surface and allow organisations to manage it at the same time.

With full visibility over your ecosystem’s entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce the attack surface and prevent cyberattacks.

By aggregating data from open sources, RiskXchange helps you gain a broader picture of your network and your supply chain’s application attack surface over time. This enables you to prioritise securing the network and application assets that are most at risk from compromise and exploitation. We provide high priority alerts and easy to understand security score ratings that relate to genuine threats to your network and application infrastructure, as well as actionable technical information.

RiskXchange pinpoints five ways to reduce an attack surface

1. Security checks and analytics 

A detailed analysis is the best way to start reducing your attack surfaces. Traffic flow analysis, security configuration assessments and quantitative risk scores are the three most effective ways of reducing an attack surface.  

According to OWASP, the point of attack surface analysis is to understand the risk areas in an application, to make developers and security specialists aware of what parts of the application are open to attack, to find ways of minimising this, and to notice when and how the attack surface changes and what this means from a risk perspective. 
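The following is an added example, not part of the original article or any RiskXchange product: it compares two snapshots of exposed entry points to show when and how the attack surface changed, and lists internet-facing services requested by only a few users as candidates for removal. The host names, field names, user counts and the `min_users` threshold are constructed assumptions.

```python
# Constructed snapshots of exposed entry points, keyed by (host, port).
# Host names, field names and user counts are illustrative assumptions.
BASELINE = {
    ("app01", 443):  {"service": "https", "exposure": "internet", "users_30d": 1840},
    ("app01", 22):   {"service": "ssh",   "exposure": "internal", "users_30d": 6},
    ("files01", 21): {"service": "ftp",   "exposure": "internet", "users_30d": 2},
}
CURRENT = {
    **BASELINE,
    ("app01", 22):   {"service": "ssh",   "exposure": "internet", "users_30d": 6},
    ("app02", 8080): {"service": "http-admin", "exposure": "internet", "users_30d": 0},
}


def surface_changes(baseline, current):
    """List entry points added, removed or re-exposed since the baseline."""
    changes = []
    for key in sorted(current.keys() - baseline.keys()):
        changes.append(("added", key, current[key]["exposure"]))
    for key in sorted(baseline.keys() - current.keys()):
        changes.append(("removed", key, baseline[key]["exposure"]))
    for key in sorted(current.keys() & baseline.keys()):
        old, new = baseline[key]["exposure"], current[key]["exposure"]
        if old != new:
            changes.append((f"exposure {old} -> {new}", key, new))
    return changes


def removal_candidates(current, min_users=5):
    """Internet-facing entry points with fewer than min_users recent users."""
    return sorted(
        key for key, info in current.items()
        if info["exposure"] == "internet" and info["users_30d"] < min_users
    )


if __name__ == "__main__":
    for change, (host, port), exposure in surface_changes(BASELINE, CURRENT):
        print(f"{change}: {host}:{port} ({exposure})")
    for host, port in removal_candidates(CURRENT):
        print(f"review for removal: {host}:{port}")
```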

2. Reduce complexity 

Reducing the complexity of a network helps to reduce an attack surface. Poor policy management can lead to mistakes: duplicates, unused rules and overly permissive rule definitions allow increased access beyond what is needed.

According to Security Magazine, unnecessary complexity elevates the possibility of human error and risk, underscoring the importance of simplicity in security infrastructures and policy management. 
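As an added illustration (not from the original article), the sketch below audits a small rule set for the three policy problems named above: duplicates, unused rules and overly permissive definitions. The rule format, the hit counters, the sample policy and the `max_open_hosts` threshold are constructed assumptions rather than any vendor's export format.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port
    hits: int            # matches counted during the review window


# Constructed sample policy, in evaluation order (not from a real device).
RULES = [
    Rule("web-in",      "0.0.0.0/0",   "10.0.1.10/32", 443,  18234),
    Rule("web-in-copy", "0.0.0.0/0",   "10.0.1.10/32", 443,  0),
    Rule("old-ftp",     "10.0.5.0/24", "10.0.1.20/32", 21,   0),
    Rule("vendor-any",  "0.0.0.0/0",   "10.0.0.0/16",  None, 412),
    Rule("db-from-app", "10.0.2.0/24", "10.0.3.5/32",  5432, 9921),
]


def audit(rules, max_open_hosts=1):
    """Return (rule name, finding) pairs for the three problems named above."""
    findings, first_seen = [], {}
    for r in rules:
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        key = (src, dst, r.port)
        if key in first_seen:
            # An identical earlier rule always matches first, so this one is dead weight.
            findings.append((r.name, f"duplicate of {first_seen[key]}"))
            continue
        first_seen[key] = r.name
        if r.hits == 0:
            findings.append((r.name, "unused"))
        # Any source, combined with any port or more than max_open_hosts destinations.
        if src.prefixlen == 0 and (r.port is None or dst.num_addresses > max_open_hosts):
            findings.append((r.name, "overly permissive"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```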

3. Vulnerability screening 

Vulnerability screening, and visualising vulnerabilities through modelling and simulation, is a good way to reduce attack surfaces. Patch simulation and attack surface modelling both help to pinpoint your attack surface and identify ways in which an attacker can gain access to a network.

According to ResearchGate, vulnerabilities can be dramatically reduced by a systematic approach of measuring the attack surface through component level dependency analysis.

4. Monitor your endpoints 

Independent process monitors maintain constant surveillance over your endpoints and help to highlight, and therefore reduce, the number visible on the attack surface. The next step is to control what the endpoint does, and then ensure that its relation to the rest of the network is fully secured.

According to Security Boulevard, most organisations are ignoring a crucial portion of their attack surface — the endpoint: 

– The endpoint is where attacks originate 

– The endpoint is where persistence is gained 

– The endpoint is where lateral movement goes to and from 

– The endpoint is where processes are injected 

– The endpoint is where network packets originate 

– The endpoint is where the data lives 

– The endpoint is where the bad guys exfiltrate from 

5. Building up your perimeters 

Building up perimeters and segmenting a network will drastically reduce any attack surface. The more barriers visible on a network, the harder it will be for an attacker to gain access to your data.

According to the findings at the 7th International Conference on Information Warfare and Security, the key to minimising attack surfaces is building up perimeters within a network. The conference determined that an attack surface is vulnerable if there are no “specific separations or dedicated functional controls for a given attack vector”.

About RiskXchange

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world. 

RiskXchange is an information security technology company, which helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security. 
