Cybersecurity consultants use lots of cool terminology. Some popular terms we regularly use are:
- Cyber threat actors
- Technical security debt
- Attack surface
That last term is the one I want to focus on for this article. What is an “attack surface?” Searching the Internet will reveal several interpretations of this metaphorical term. Some people define attack surface as, the sum total of vulnerabilities that can be exploited to carry out a cyber-based attacks. The limitation of this definition is that it only focuses on things that are “vulnerable.” Much of attack surface reduction has to do with turning off unnecessary services or features that may or may not be vulnerable just on the principle that less things to attack is better than more things to attack. A definition that follows this philosophy is posted on an OWASP “cheat sheet”
The Attack Surface of an application is:
- The sum of all paths for data/commands into and out of the application, and
- The code that protects these paths (including resource connection and authentication, authorization, activity logging, data validation and encoding), and
- All valuable data used in the application, including secrets and keys, intellectual property, critical business data, personal data and PII, and
- The code that protects these data (including encryption and checksums, access auditing, and data integrity and operational security controls).
Since this is an OWASP cheat sheet, the term is defined in the context of an application, but the principle can be applied to workstations, services, network devices, and even entire organizations. The attack surface is all the points that can be attacked. The more of these attack points, the larger the attack surface.
How is this helpful? The attack surface concept brings an additional dimension to the need for turning off unnecessary services, reducing extraneous features, enforcing least privilege, segmenting your network, and, generally, reducing your exposure to attack. Instead of trying to exhaustively know what vulnerabilities exist in a system, the attack surface should first be reduced as much as possible and then the remaining attack surfaces analyzed for vulnerabilities.
What areas should organizations review for reducing their attack surface? Here are some examples:
- Network – Internet-facing systems should be reduced to the absolute minimum number of accessible network ports needed to accomplish their purpose. To even further reduce the attack surface of these highly-exposed systems, their open ports should be restricted to known IP addresses (if possible). A common attack surface blunder we see during cybersecurity assessments is Microsoft Remote Desktop Protocol (RDP) exposed to the Internet with no restriction on source IP address. This lack of attack surface reduction allows hackers from around the world to attempt to login for days, weeks, and months or (even worse) attempt to bypass authentication by exploiting a flaw in the underlying RDP application (RDP has had a far-from-perfect security record judging by the number of CVE issues assigned to it).
- Software—there is a tendency (and this is a gross generalization, but absolutely true) for software developers to deliver software that accomplishes the job without considering the most secure way of getting it done. Integrating secure software development requirements into the software development lifecycle (and checking to ensure these requirements are being met along the way) is an important step to reducing the attack surface of custom-developed software packages. For commercial-off-the-shelf (COTS) software, turning off all but the minimum set of essential features is a way to reduce attack surface as well as requiring authentication before accepting user input.
- Physical—who knew hackers can easily exploit systems to which they have access? Publicly exposed USB ports, network connections, and other exposed infrastructure are like free passes to system exploitation on your network. To reduce these attack surfaces, guard computers and network infrastructure with protective enclosures whenever they’re put in public spaces.
There are many other ways systems can be analyzed for
improved security by reducing their attack surface. Future articles may share
innovative ways we’ve seen client organizations reduce their attack surface for
reduced risk and improved cybersecurity. To begin to understand your own attack
surface, some security scanning or pen testing (whether performed by internal
staff or a 3rd party) can help. Until you test, your understanding
of your attack surface is only based on what you think is there.