CyberSecurity SEE

Most Commonly Overlooked Attack Surface Vulnerabilities and Their Fixes

The rapid acceleration of digital transformation over the past decade has brought about numerous advancements and opportunities for organizations. Cloud-hosted Software-as-a-Service (SaaS) applications, Internet of Things (IoT) devices, and the sudden shift to remote work due to the global pandemic have all necessitated the quick adoption of new technologies to keep businesses running smoothly. However, while these technologies offer significant productivity benefits, they also expand an organization’s potential attack surface, leaving it more exposed to cyber threats. Therefore, it is vital for security to be a driving factor when acquiring and managing new technologies, as neglecting security can result in significant gaps in an organization’s defenses.

The attack surface of an organization refers to the various points of entry that an adversary could exploit to gain unauthorized access, cause damage, or extract data from the system. To gain a better understanding of the attack surface, it can be divided into three primary components: the digital attack surface, the physical attack surface, and the human attack surface.

The digital attack surface encompasses all the digital assets that are accessible to potential adversaries. This includes well-known assets such as corporate websites, server infrastructure, and user workstations. Additionally, it includes unknown assets like shadow IT (unauthorized or employee-installed software and devices), as well as rogue assets such as malicious infrastructure and systems set up by threat actors. These could include existing malware infections or typo-squatted domains.

On the other hand, the physical attack surface comprises vulnerabilities that can be accessed if an attacker gains physical access to an office or an endpoint system. This encompasses various potential entry points, ranging from exposed network jacks in the lobby to unencrypted user laptops left unattended in vehicles. While an attack against the physical attack surface may seem unlikely, it often provides an opportunity for adversaries to easily escalate their privileges and move laterally within the organization.

Lastly, the human attack surface encompasses all individuals within an organization who are susceptible to social engineering. This includes well-known techniques like phishing and smishing (text message phishing), as well as less familiar techniques like media drops, where adversaries send malware-laced USB drives to victims in the hope of exploiting the curiosity of individuals who connect them to their laptops. The human attack surface can also involve fake employees deceiving real employees into performing detrimental actions.

One common shortcoming of IT and security teams in managing their attack surface is a lack of understanding of its breadth. Over time, technical debt can accumulate, and “quick fixes” may be implemented and then forgotten or neglected. To address this issue, it is important to conduct regular asset and data audits as part of a comprehensive security program. This involves identifying the owners of various assets and conducting risk assessments to determine their value and the potential risks of compromise. Employing questionnaires and asset discovery tools can help identify any overlooked assets.

Recent research conducted by Thales revealed that only 40% of non-IT staff have adopted multi-factor authentication (MFA). While this percentage is an improvement from previous years, it still highlights a significant gap for organizations that have not fully embraced MFA. Compromising a user’s credentials is often a simple task for threat actors, and without MFA, such credentials can provide them with access to an organization’s systems. Even with unprivileged accounts, experienced penetration testers often have near 100% success rates in elevating their access within organizations.

Simplifying an organization’s overall infrastructure is another crucial step in reducing its attack surface. Complexity often masks configuration or management errors that can create additional vulnerabilities. This is particularly important when it comes to protection and detection capabilities. According to a Gartner survey conducted earlier this year, 75% of organizations are pursuing security vendor consolidation in order to reduce complexity and improve response times.

Addressing the human element is also essential in an effective attack surface management program. Social engineering training should not only cover traditional email phishing but also educate employees about other common social engineering techniques and risky behaviors. Major breaches targeting companies like Uber and Microsoft have illustrated that even the strongest technical controls can be circumvented by a single human error.

It is important to note that managing the attack surface is an ongoing and evolving process that requires continuous attention and iterative improvements over time. It is a challenging task, especially for large or well-established organizations. However, starting with the basics can help address low-hanging fruit and make organizations less vulnerable to cyber adversaries, while also strengthening security programs gradually.

About the Author:
Marc Laliberte is the Director of Security Operations at WatchGuard Technologies. He has been a part of the WatchGuard team since 2012 and has played various roles in shaping the company’s internal security measures. Marc’s responsibilities include leading WatchGuard’s security operations center and the WatchGuard Threat Lab. As a recognized thought leader, he provides security guidance to IT personnel at all levels through his regular speaking appearances and contributions to online IT publications. Marc can be found on LinkedIn at: [https://www.linkedin.com/in/marc-laliberte/](https://www.linkedin.com/in/marc-laliberte/).
