Countless articles online discuss the need to improve security postures in response to the rapidly expanding attack surfaces of modern organizations. However, it seems more reminders are needed to convince organizations to improve the way they handle the possible points at which cyberattacks can take place.
ESG research shows that only nine percent of organizations actively monitor all of their attack surfaces, while around 29 percent say that they actively monitor 75 percent to 89 percent of their attack surfaces. Some pundits predict that 2022 will be the year attack surface management becomes mainstream, but that prediction deserves a good deal of skepticism.
To be clear, securing attack surfaces is not as difficult as it once was, given the various tools now available to handle it effectively. By now, many have also identified the key areas organizations tend to overlook or downplay, particularly the rise of external attack surfaces, the surge of Internet-of-Things devices, and the rapid evolution of attacks.
External attack surfaces
What are external attack surfaces? The phrase refers to all IT assets and closely related (third-party) resources of an organization that are visible to external threat actors, that is, to anyone with no connection to the organization.
As the complement of the internal attack surface, it is an umbrella term for all attack surfaces that are not the targets of insider threat actors or of those who impersonate (or usurp the access privileges of) stakeholders, business partners, or customers who reach an organization’s IT resources through exclusive private channels.
External attack surface management is crucial for organizations, especially for those that are rapidly expanding and adding exponentially more attack surfaces along the way. It is an important focus area because most organizations tend to forget about the expansion of their cyber vulnerabilities as they focus more on maximizing profits, minimizing costs, and scaling in response to opportunities.
As businesses grow, they invest in more servers, cloud computing resources, web applications, and other resources to serve more customers in more areas. Keeping the IT status quo is not an option. Expansion calls for corresponding IT investments, which many are not ready to secure effectively. It does not help that there is an ongoing cybersecurity skills shortage.
External attack surfaces are considerably broader than their internal counterparts, and they keep expanding with most organizations not even realizing it. Continuously monitoring, undertaking attack surface discovery, analyzing IT asset attributes, prioritizing, and remediating this larger attack surface is logically harder. It is a welcome development, though, that advanced external attack surface management tools already exist to address this problem effectively and efficiently.
Internet of things
IoT security is a seriously neglected concern. This was true a couple of years ago, and it remains true today. Organizations do not pay much attention to the security of the IoT devices they bring onto their networks. TechRepublic research reports that 80 percent of corporate security teams are not even able to identify the majority of the IoT gadgets on their network. This has to change, and organizations need to maintain an updated inventory of their IT assets.
Many companies do not bother changing the default passwords of their IoT devices, especially those designed to be plug-and-play, such as audiovisual equipment. Ideally, every device on a network should have its own complex, unique username and password, changed monthly or quarterly. Easy connections may be convenient, but the slightly tedious management of IoT passwords does a lot for security.
Additionally, many organizations fail to update their IoT devices to their latest firmware. This is problematic because the failure to update means that devices do not have security patches for newly discovered vulnerabilities or attacks.
Again, this can be tiresome, but it is an essential step in ensuring a reliable security posture. The same goes for digital certificates. They must be kept current and verified to be valid. These digital certificates serve as the guarantee that authorization, encryption, and data integrity are in line with established standards.
Moreover, since most IoT devices are not accounted for, let alone managed, default extraneous connections tend to become the norm. Wired and all wireless connections are enabled by default (in the name of convenience), and many organizations fail to adjust settings accordingly, such as enabling SSH but not Telnet, or disabling wireless connections once a wired connection has been established.
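The IoT points above (default passwords, password rotation, stale firmware, certificate validity, Telnet left on, wireless left on beside a wired link) are exactly the kind of checks an asset inventory can run automatically. The following audit script is an added example, not code from the article or from any vendor; the device models, firmware baselines, default-password list and inventory records are all constructed, and the inventory stores only a SHA-256 of each device password rather than the plaintext.

```python
"""Audit a constructed IoT inventory for the hardening gaps discussed above.

Checks: default or stale credentials, firmware below the approved minimum,
expired or soon-to-expire device certificates, Telnet left enabled, and
wireless left on for devices that already have a wired connection.
Inventory data, models, versions and credentials are all constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import date

# Constructed policy inputs (not from the article or any vendor).
KNOWN_DEFAULT_PASSWORDS = ["admin", "1234", "root", "password"]
DEFAULT_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest() for p in KNOWN_DEFAULT_PASSWORDS
}
MIN_FIRMWARE = {"cam-x1": (2, 4, 0), "display-av7": (1, 9, 3)}
MAX_PASSWORD_AGE_DAYS = 90   # quarterly rotation, as the text suggests
CERT_WARNING_DAYS = 30       # warn before a certificate actually lapses


def sha256_hex(text: str) -> str:
    """Hex SHA-256, so the inventory never stores the plaintext password."""
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Device:
    name: str
    model: str
    password_sha256: str
    password_changed: date
    firmware: str
    cert_expires: date
    services: set = field(default_factory=set)   # e.g. {"ssh", "telnet"}
    wired: bool = False
    wireless_enabled: bool = False


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: Device, today: date) -> list:
    """Return the list of findings for one device, in a fixed order."""
    findings = []
    if dev.password_sha256 in DEFAULT_PASSWORD_HASHES:
        findings.append("default-credentials")
    if (today - dev.password_changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password-rotation-overdue")
    required = MIN_FIRMWARE.get(dev.model)
    if required is None:
        findings.append("unknown-model")   # no approved baseline: an inventory gap
    elif parse_version(dev.firmware) < required:
        findings.append("firmware-outdated")
    if dev.cert_expires < today:
        findings.append("certificate-expired")
    elif (dev.cert_expires - today).days <= CERT_WARNING_DAYS:
        findings.append("certificate-expiring")
    if "telnet" in dev.services:
        findings.append("telnet-enabled")
    if dev.wired and dev.wireless_enabled:
        findings.append("wireless-enabled-on-wired-device")
    return findings


def audit_inventory(devices: list, today: date) -> dict:
    """Map each device name to its findings; an empty list means it passed."""
    return {dev.name: audit_device(dev, today) for dev in devices}


# Constructed sample inventory: one neglected device, one compliant, one unknown.
SAMPLE_INVENTORY = [
    Device("lobby-camera", "cam-x1", sha256_hex("admin"), date(2021, 6, 1),
           "2.3.1", date(2022, 3, 15), {"ssh", "telnet"}, wired=True,
           wireless_enabled=True),
    Device("boardroom-display", "display-av7",
           sha256_hex("constructed-strong-passphrase"), date(2022, 1, 15),
           "1.9.3", date(2023, 1, 1), {"ssh"}, wired=True),
    Device("warehouse-sensor", "sensor-z9", sha256_hex("root"),
           date(2022, 2, 1), "0.9", date(2022, 1, 1), {"telnet"},
           wireless_enabled=True),
]
AUDIT_DATE = date(2022, 3, 1)   # fixed so the results are reproducible

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

Two design points are worth noting. Firmware versions are compared as integer tuples, because a plain string comparison would rank "2.10.0" below "2.9.9". A device whose model has no approved firmware baseline is itself reported as a finding, since the article's point is that unknown devices are the root of the problem: you cannot patch or rotate what you have not inventoried.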
Rapid evolution of attacks
Cybercriminals will stop at nothing to get what they want. They can tweak or rework their attacks as many times as it takes until they penetrate an organization’s defenses.
They are ruthlessly and relentlessly ingenious, and they work without time pressure. They attack whenever and whomever they want, with no deadlines to meet. Arguably, this lets them devise harmfully creative and effective attacks, since they are not as stressed and anxious as the defenders or the cybersecurity teams of organizations.
Organizations are not defenseless against this attacker advantage, though. Cyber threats are evolving, but so are the solutions that counter them. There are comprehensive, holistic cybersecurity tools designed to continuously monitor attack surfaces, conduct security validation, and actively block attacks. Organizations just need to examine their options carefully and pick the security solution that best fits their specific requirements.
Also, many players in the cybersecurity field have collaborated to establish up-to-date cyber threat intelligence sources and cybersecurity frameworks. The MITRE ATT&CK framework, for example, provides useful information, guidelines, and insights on adversarial tactics and techniques, alerting everyone to the latest cyberattacks and their likely evolution. It has been integrated into many cybersecurity solutions to speed up detection of and response to a wide range of attacks.
Microsoft VP Vasu Jakkal has an excellent reminder for everyone regarding the rapid evolution of cyberattacks: “Cybersecurity threats are always changing—staying on top of them is vital, getting ahead of them is paramount.” With all the advanced cybersecurity tools and collaboration among cybersecurity specialists worldwide, it is not impossible to stay on top or even get ahead of the threats.
The three key points described above are not the only concerns in managing attack surfaces, but they are among the most important ones. Organizations that are too busy addressing their finances and operations tend to overlook these points or not pay enough attention to them.
Notably, these key points are also helpful in choosing a good attack surface management platform. For starters, an effective attack surface management solution must be able to handle the endless expansion of external attack surfaces. It also needs to account for the impact of embracing IoT and adding more and more devices over time. Lastly, it should keep up with the evolution of attacks by staying current with the latest threats and the most efficient countermeasures.