What the heck is an attack surface … and why do I need to protect it?
Overview
Maybe you’ve heard your IT security team talking about attack surfaces? Or, maybe the term has come up during a virtual conference or in your newsfeed. It’s important to take a step back and understand what an attack surface is and why you need to protect it.
First things, first, let’s establish what exactly we’re talking about. An attack surface is the technical term IT security teams use to describe the collection of all access points hackers can exploit to break into your network.
And guess what? There are a lot of them out there – including some your IT team likely isn’t thinking about (we’ll get into those in a bit). If you’re asking, “That’s great, but why do I need to protect them?,” well, there are plenty of reasons. But most importantly: If you don’t secure your attack surface you’re putting your bottom line at risk.
The “general” attack surface
A multitude of access points or technology assets make up an attack surface.
These usually are top of mind for most IT teams. They include everything from your website to third-party logins and employee authentication portals.
Common attack surface components:
- Company website
- AWS
- O365
- Web servers and firewalls
- Employee portals (insurance, 401k, etc.)
- Virtual private networks (VPN)
- Devices (employee cell phones, tablets, laptops)
- Cloud storage
Think of these points not technically as a surface but as doors hackers try to break through. Their goal is to get into your network, where they can access sensitive data such as financial information, employee passwords and customer data.
Now, some of these doors are locked and secured with your IT team standing guard. Others look like that broken screen door your Labrador has run into one too many times. This often happens as an organization grows and assets are forgotten.
As part of our process we audit and ID the entire attack surface of our clients, using a variety of methods (we’ll cover those in the next blog post). The goal is to find and secure an entire attack surface, so bad guys can’t exploit those hard-to-find, but poorly defended, attack vectors.
The “other” attack surface (and the one you need to worry about)
What is considered an attack surface has evolved rapidly. With the popularity of social media, chat apps and of course, good ol’ email, hackers have more opportunities to break into your network than ever before.
So, what is the common thread that ties those assets together? Yep, your employees.
While an IT team can ultimately have total control over the website and other enterprise software and apps, the one thing that’s much hard to control is employee behavior and technology habits.
When auditing your entire attack surface, it’s important to include and consider:
- Corporate social media accounts
- Employee email
- Chat solutions (Slack, Skype, etc.)
This is a critical part of your attack surface to monitor and strengthen, because hackers know your employees most likely don’t know all their tricks your IT team does.
To strengthen and defend the security of your employee base, we use a number of strategies and tools. They include employee training, testing (where we play the role of the bad guys), and other social engineering tactics. For instance, we’ll test your password policy and how it stands up against modern account compromise methods. We do that using password spraying, where we attempt to guess hundreds of employee passwords to gain access to an account.
Wrapping it up …
Remember, understanding what makes up your total attack surface is critical. Leaving one door unlocked can cost you money, customers, and your organization’s reputation.
Working with experts, such as our team at Sprocket Security, will ensure you’ve identified all access points, tested and secured them. In our next article, we’ll show you how you can start to secure and protect attack surfaces hackers are always hunting for.
If you have questions or want to learn more about how we ID and secure an attack surface send us a note any time at contact@sprocketsecurity.com
Nicholas Anastasi
Sr. Penetration Tester
Nicholas Anastasi started his career in cybersecurity at Sprocket and hasn't looked back. Continuous Penetration Testing is all he knows and during his day to day he leads the penetration testing team, writes a ton of Python and works tirelessly to improve the CPT process. In his free time, Nicholas enjoys running, eating too much candy and developing on his homelab.
Nicholas and the rest of the team are dedicated to making sure our clients continuously maintain a strong security posture. If you are interested in talking with Nicholas about our services, reach out today!
Further Reading
Explore Related Content.
Cybersecurity Slang – Key Terms for talking the talk
If you’re not in the cybersecurity trenches daily, it can be tough to get a clear understanding of many popular terms used by the professionals testing your organization’s network. read more →
Read moreContinuous Human & Automated Security
The Expert-Driven Offensive
Security Platform
Continuously monitor your attack surface with advanced change detection. Upon change, testers and systems perform security testing. You are alerted and assisted in remediation efforts all contained in a single security application, the Sprocket Platform.
Expert-Driven Offensive Security Platform
- Attack Surface Management
- Continuous Penetration Testing
- Adversary Simulations
