Maybe you’ve heard your IT security team talking about attack surfaces? Or, maybe the term has come up during a virtual conference or in your newsfeed. It’s important to take a step back and understand what an attack surface is and why you need to protect it.
First things first, let’s establish what exactly we’re talking about. An attack surface is the technical term IT security teams use to describe the collection of all access points hackers can exploit to break into your network.
And guess what? There are a lot of them out there – including some your IT team likely isn’t thinking about (we’ll get into those in a bit). If you’re asking, “That’s great, but why do I need to protect them?” well, there are plenty of reasons. But most importantly: if you don’t secure your attack surface, you’re putting your bottom line at risk.
The “general” attack surface
A multitude of access points or technology assets make up an attack surface.
These usually are top of mind for most IT teams. They include everything from your website to third-party logins and employee authentication portals.
Common attack surface components:
- Company website
- Web servers and firewalls
- Employee portals (insurance, 401k, etc.)
- Virtual private networks (VPN)
- Devices (employee cell phones, tablets, laptops)
- Cloud storage
Think of these points not technically as a surface but as doors hackers try to break through. Their goal is to get into your network, where they can access sensitive data such as financial information, employee passwords and customer data.
Now, some of these doors are locked and secured with your IT team standing guard. Others look like that broken screen door your Labrador has run into one too many times. This often happens as an organization grows and assets are forgotten.
As part of our process we audit and ID the entire attack surface of our clients, using a variety of methods (we’ll cover those in the next blog post). The goal is to find and secure an entire attack surface, so bad guys can’t exploit those hard-to-find, but poorly defended, attack vectors.
The “other” attack surface (and the one you need to worry about)
What is considered an attack surface has evolved rapidly. With the popularity of social media, chat apps and of course, good ol’ email, hackers have more opportunities to break into your network than ever before.
So, what is the common thread that ties those assets together? Yep, your employees.
While an IT team can ultimately have total control over the website and other enterprise software and apps, the one thing that’s much harder to control is employee behavior and technology habits.
When auditing your entire attack surface, it’s important to include and consider:
- Corporate social media accounts
- Employee email
- Chat solutions (Slack, Skype, etc.)
This is a critical part of your attack surface to monitor and strengthen, because hackers know your employees most likely don’t know all the tricks your IT team does.
To strengthen and defend the security of your employee base, we use a number of strategies and tools. They include employee training, testing (where we play the role of the bad guys), and other social engineering tactics. For instance, we’ll test your password policy and how it stands up against modern account compromise methods. We do that using password spraying, where we attempt to guess hundreds of employee passwords to gain access to an account.
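Password spraying leaves a recognizable trace in authentication logs: one source touching many different accounts with only a failure or two per account, rather than hammering a single account. The following is an added example (not Sprocket’s tooling or code from the post) that runs that detection logic over a constructed sample log; the log line format and the `detect_spray` thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real system); the
# line format is an assumption made for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-05-01T09:00:03Z FAIL user=bob src=203.0.113.5
2024-05-01T09:00:05Z FAIL user=carol src=203.0.113.5
2024-05-01T09:00:07Z FAIL user=dave src=203.0.113.5
2024-05-01T09:00:09Z FAIL user=erin src=203.0.113.5
2024-05-01T09:00:11Z OK user=frank src=203.0.113.5
2024-05-01T09:01:00Z FAIL user=alice src=198.51.100.7
2024-05-01T09:01:30Z FAIL user=alice src=198.51.100.7
2024-05-01T09:02:00Z OK user=alice src=198.51.100.7
"""

def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ok": result == "OK",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1]}

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failed logins inside one window touch at least
    min_users accounts with at most max_per_user failures each (many
    accounts, few guesses per account), and list any later successes
    from those sources, which are the accounts to treat as compromised."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["time"])
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        for i, start in enumerate(fails):          # slide a window over the failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["time"] - start["time"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted(e["user"] for e in events
                              if e["ok"] and e["src"] == src and e["time"] >= start["time"])
                flagged[src] = {"targets": sorted(per_user), "successes": hits}
                break
    return flagged
```

In the sample, the second source fails twice on one account and then succeeds, which is a user mistyping a password, not a spray, so only the first source is flagged and its one successful login is surfaced for follow-up.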
Wrapping it up …
Remember, understanding what makes up your total attack surface is critical. Leaving one door unlocked can cost you money, customers, and your organization’s reputation.
Working with experts, such as our team at Sprocket Security, will ensure you’ve identified, tested and secured all of your access points. In our next article, we’ll show you how you can start to secure and protect the attack surfaces hackers are always hunting for.
If you have questions or want to learn more about how we ID and secure an attack surface send us a note any time at firstname.lastname@example.org
About the Author
Nicholas Anastasi, penetration tester
As an Offensive Security Certified Professional (OSCP), Nicholas is focused on pushing the boundaries of clients’ networks, ensuring they are protected against the latest attacks and vulnerabilities. He joined Sprocket in early 2019 and has a particular interest in cloud technologies and DevOps. Email him at email@example.com