Understanding Your Attack Surface Area
In OATI’s recent blog post “Security Best Practices for Small Organizations,” we listed minimizing the attack surface area as a best practice. But what exactly is an attack surface area?
It is anything and everything that exposes an organization to liability or to the risk of any sort of cyber-attack. This used to be far easier to define and control when all of an organization’s assets sat protected inside the network perimeter. The growth of the internet, cloud computing, and mobile devices has led many to proclaim the death of the network perimeter. Are they right? Yes and no. Networks are more elastic today than ever, but we still control our exposure.
The attack surface area consists of three components: Network, Software, and Human. Let’s look at a few examples of what constitutes our surface area for attack throughout these categories.
Network Attack Surface
Ports, protocols, and services that are externally facing to the Internet
Network technologies that can be used as a tunnel (SSH, PPTP, IPsec, Teredo)
Remote access Virtual Private Networks (VPNs)
Unsecured wired networks
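As an added example (not code from the original OATI post), the following Python script turns the first item on this list into a concrete inventory. It parses a constructed sample of Linux `ss -tulpn` output (listening TCP and UDP sockets with owning processes) and reports which sockets are bound to a wildcard or routable address, and are therefore part of the network attack surface, versus those bound only to loopback. The sample output and process names are constructed for illustration, and the script assumes that a bind to a specific non-loopback address is reachable from outside the host (no host firewall in front of it).

```python
"""Inventory a host's externally facing sockets from `ss -tulpn` output.

Added example, not part of the OATI post. Run `ss -tulpn` on a Linux host
and feed its output to parse_ss()/external_sockets(); the sample below is
constructed so the script runs offline.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tulpn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=498,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1203,fd=6))
tcp   LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1450,fd=7))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1600,fd=6))
tcp   LISTEN 0      128    10.0.0.5:3306       0.0.0.0:*         users:(("mysqld",pid=1700,fd=22))
"""

# Matches the first process name inside ss's users:(("name",pid=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def _normalize_addr(raw: str) -> str:
    """Strip IPv6 brackets and a '%iface' scope suffix from an ss local address."""
    return raw.strip("[]").split("%", 1)[0]


def is_externally_facing(local_addr: str) -> bool:
    """True if a socket bound to this address can be reached from off-host.

    Wildcard binds (*, 0.0.0.0, ::) listen on every interface. Loopback
    binds are host-local. Any other specific address is assumed (for this
    example) to be a routable interface address with no host firewall.
    """
    addr = _normalize_addr(local_addr)
    if addr in ("*", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Not an IP literal (e.g. a unix socket path): not network-reachable.
        return False


def parse_ss(text: str) -> List[Dict[str, object]]:
    """Parse `ss -tulpn` output into one dict per listening socket."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = fields[:6]
        process_col = fields[6] if len(fields) > 6 else ""  # absent for other users' sockets
        addr, _, port = local.rpartition(":")
        match = _PROC_RE.search(process_col)
        rows.append({
            "proto": netid,
            "state": state,
            "addr": _normalize_addr(addr),
            "port": int(port),
            "process": match.group(1) if match else "?",
            "external": is_externally_facing(addr),
        })
    return rows


def external_sockets(text: str) -> List[Tuple[str, int, str]]:
    """Return (proto, port, process) for every socket reachable from off-host."""
    return [(r["proto"], r["port"], r["process"]) for r in parse_ss(text) if r["external"]]


if __name__ == "__main__":
    print("Externally facing listeners (review each one):")
    for proto, port, proc in external_sockets(SAMPLE_SS_OUTPUT):
        print(f"  {proto}/{port:<5} {proc}")
```

On the constructed sample this flags rpcbind on udp/111, sshd on tcp/22 (both IPv4 and IPv6), nginx on tcp/80 and mysqld on tcp/3306, while leaving out the loopback-only resolver, PostgreSQL and Redis listeners. Every flagged entry is a candidate to remove, bind to loopback, or restrict with a firewall rule; anything that has to stay is part of the attack surface you defend.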
Software Attack Surface
Application functionality that is available to unauthenticated users
User interface forms and fields
Application Programming Interfaces (APIs)
Human Attack Surface
Employees with access to sensitive information
Lack of training/awareness
Susceptibility to social engineering or phishing attacks
Malicious insider threats
With these examples, you can get an idea of how wide the attack surface area has become. It is curious that, with all these technical avenues for exploitation, the most common method used by attackers is still email. It is the path of least resistance toward harvesting credentials or infecting a system, and it is why OATI constantly involves employees in cyber-security awareness. As for the rest of these threats, we can minimize our exposure to the degree that we can still remain productive in our operations. Everything we are left with is our own unique attack surface area, and that is what we need to defend.
In future postings, we will talk about ways to fortify your defenses and mitigate your risk of falling victim to a successful attack.
If you have any questions, please feel free to contact firstname.lastname@example.org.