In cybersecurity, the attack surface refers to the entirety of the software environment that can be targeted by a threat actor.
Essentially, it’s anything that can be hacked.
To protect assets, it’s necessary to reduce the attack surface by identifying, properly managing, and analyzing those assets, and by strengthening attack points at all times.
A smaller attack surface provides a better overview.
Smart organizations aim to reduce their attack surface because it allows greater visibility of the possible access points cyber criminals might try to exploit.
How do you know what should be protected in the first place? And how can you continually manage the attack surface, avoiding breaches along the way?
Asset Discovery – Where to Begin?
The IT assets of a company refer to all devices, hardware, and software, as well as the external information connected to the company. To get the ball rolling, it’s best to scan:
- Physical devices
- Applications and software platforms
- Cloud-based assets
- Internet-facing data concerning the company
Let’s break this down even further.
Cataloging Physical Devices
The easiest place to start is with hardware, meaning any physical devices that are used on the company premises and that employees connect to from their homes.
For instance, that can include laptops, smartphones, tablets, servers, and routers that are available for use on the premises. To be thorough, don’t forget devices that use IoT technology, such as printers and coffee makers, that can put the network at hacking risk.
Also, Bring Your Own Device (BYOD) technology, such as the personal phones and PCs that employees use to connect to the network and do their work, should not be omitted, as it can also create a vulnerability for the company.
BYOD can refer to any devices that remote workers use to do their jobs from home — if they use their own smartphones, laptops, etc.
Whether it’s the smallest IoT component, computer in the office, or smartphone that a team member uses from home — no physical assets should go uncategorized.
Installed Software Platforms
Whether software is installed for work purposes or without the explicit permission of the company, it’s necessary to have an overview of anything that could endanger the systems of a business.
Scan and catalog all approved and unauthorized software that’s installed on the devices — including those that run on outdated, unpatched versions.
After that, move on to software libraries (data and code used for programming), scripts, and EXE files.
For instance, applications on mobile phones, public code archives, and web-based apps should be included when compiling the software list.
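The cataloging step described above can be sketched as a reconciliation of scan results against an approved baseline. This is an added example, not code from the original article; the host names, software entries, and minimum versions are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed baseline: approved software -> minimum patched version (assumed values).
APPROVED = {"openssl": "3.0.13", "firefox": "115.9.0", "7-zip": "23.01"}

# Constructed scan output: (host, software name, installed version).
DISCOVERED = [
    ("laptop-014", "Firefox", "115.9.0"),
    ("laptop-014", "OpenSSL", "3.0.8"),
    ("srv-db-02", "openssl", "3.0.13"),
    ("byod-phone-7", "TorrentClientX", "2.1"),
    ("printer-3f", "7-Zip", "19.00"),
]

def parse_version(text):
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def reconcile(discovered, approved):
    """Classify each install as ok, outdated (approved but below the patched
    minimum) or unauthorized (absent from the approved baseline)."""
    findings = defaultdict(list)
    for host, name, version in discovered:
        minimum = approved.get(name.lower())  # names are matched case-insensitively
        if minimum is None:
            findings["unauthorized"].append((host, name, version))
        elif parse_version(version) < parse_version(minimum):
            findings["outdated"].append((host, name, version, minimum))
        else:
            findings["ok"].append((host, name, version))
    return dict(findings)

if __name__ == "__main__":
    for status, rows in reconcile(DISCOVERED, APPROVED).items():
        for row in rows:
            print(status, *row)
```

Comparing versions as integer tuples matters here: as plain strings, "3.0.8" would sort after "3.0.13" and the unpatched OpenSSL install would be missed.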
Don’t Forget the Cloud
Many businesses have added cloud computing to their systems. The technology has enabled telecommuting during the pandemic, increased storage in cost-effective ways, and provided other features that businesses need to access remotely.
As a result, they might have cloud storage, complex multi-cloud structures, or entire business-critical applications that run in the cloud.
This includes any databases, repositories of code, containers, Software-as-a-Service (SaaS) applications such as Microsoft Office 365, virtualized networking devices, and more.
They have to be indexed and analyzed to ensure that they don’t allow access points for opportunistic hackers.
Discover External (Internet-Facing) Assets
Any assets that are visible to attackers looking at the organization from the outside have to be analyzed. This includes data that is available on the internet and that can put users at risk or can get leaked at any moment.
For example, this could refer to leaked data such as emails or credentials available on hacking forums that are accessible on the external attack surface. That data can appear on the internet at any time.
What’s more, threat actors can impersonate domains and harm your clients and teams.
Such weaknesses may not be discovered by the more traditional tools that guard the infrastructure by focusing on internal vulnerabilities.
How do you remain thorough and safe at all times?
Attack Surface Management
Nowadays, companies don’t have to waste resources to manually systematize and find assets. That would take up a lot of time that could be spent on the more complex issues.
Instead, they automate the process and discover assets as a hacker would — by seeking the vulnerabilities that can appear at any given time and scanning the ever-growing attack surface 24/7.
But is it possible to be one step ahead?
Yes. For that purpose, organizations use Attack Surface Management (ASM) — a tool designed to identify and catalog all the internal and external assets of the company.
With the help of artificial intelligence, the software continuously scans the entire IT infrastructure to uncover whether assets are exposed to cyber criminals.
It’s paired with the MITRE ATT&CK Framework so that it stays updated on the latest hacking techniques.
Both internal and external attack surfaces have to be considered nowadays. External attack surface refers to any leaked intelligence or information that can be discovered by hackers that scan the internet.
ASM is capable of scanning and categorizing the assets that are placed on both internal and internet-facing surfaces.
The findings are presented in a single dashboard, updated in real time, and accompanied by suggestions on how to mitigate each issue.
Key Takeaways
To conclude, are hackers likely to obtain your most valuable IT assets?
Well, every business has a unique portfolio of assets, software, and security architecture.
What they do have in common is that the size of the attack surface for any business is continually growing.
Leaked credentials can appear on the internet at any time, and an employee can bring their unprotected device to work.
To keep pace, organizations use Attack Surface Management to categorize the assets as well as estimate the likelihood of them being exploited by hackers.
An automated tool notices and detects gaps in security that traditional tools might miss, gaps that would otherwise leave the organization at high risk of a cyber threat.