Attack Surface Management
The computing world is constantly throwing up new buzzwords. Attack Surface Management is like many of these novel terms. It is not a completely new concept but a mix of existing ideas with some new ones, branded as an all-in-one service.
The theory behind Attack Surface Management is to look at system vulnerabilities from the point of view of a potential attacker and hence to minimise the organisation's risk of exposure. External Attack Surface Management is a subset or extension of the concept which concentrates on externally facing devices, in addition to vulnerabilities arising through social media or inadequate staff training. Although there are statistics showing that, with the increase in home working and the use of cloud services, the potential attack surface itself is expanding, these tend to come from vendors promoting Attack Surface Management. We can only infer that the problem, and its exploitation by hackers, is increasing.
The first step is to determine what the ‘attack surface’ is by performing an audit of hardware that is connected to the Internet. This would show up previously unknown and uncontrolled assets: shadow IT devices. Vulnerabilities will also extend to cloud-based services over which the user has only limited control. Another potential threat surface could be vendors, suppliers and other linked businesses who may share access to data. The latter could be particularly vulnerable where systems are poorly integrated or new systems have been introduced following recent takeovers, mergers or collaborations. Discovered assets could be categorised as:
- Known assets
- Abandoned assets
- Unknown assets
- Impersonating assets
- 3rd party assets
As more devices are added or changed, it becomes more difficult to map the attack surface. Machines will be powered up and down, and software installed and updated. Any scanning and remediation process therefore needs to be a continuous activity to keep up with the state of the network.
Having identified possible points of attack, these will be rated according to their vulnerability and steps identified to reduce it. The Attack Surface Management approach is to consider how a hacker might gain access to systems and to mimic the technologies that they would use. Remedies might include patching, retiring unused software and hardware, or updating policies and training regimes. Although an Attack Surface Management system can identify and prioritise issues, it will only be as good as the willingness of the system owners to act on its recommendations.
Several cloud-based services offer an integrated solution with dashboards and summary reporting tools. This is generally offered as a software-as-a-service model, where the costs and benefits need to be weighed before making a choice of vendor. Some existing functions, such as hardware and software inventories, will be partly duplicated, but this should not be seen as an excuse to discontinue them. The Attack Surface Management solution will use some degree of Artificial Intelligence or Machine Learning and needs to be trained on its new environment. The risk of false positives will also be minimised by maintaining existing solutions until it is absolutely certain that any redundant services can be discontinued and that their data is safely archived.
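As an added illustration, not code from the original article, the following Python script shows the two steps just described in working form: it reconciles the hosts found by an external scan against the organisation's own inventory and sorts them into the five categories listed above (known, abandoned, unknown, impersonating, 3rd party), then diffs two successive scans so that the continuous monitoring this paragraph calls for can report what appeared and what disappeared. The domain names, inventory entries, scan results, the 180-day abandonment threshold and the lookalike-domain heuristic are all constructed assumptions, and the catch-all "unrelated" category is an addition for hosts that match none of the five.

```python
"""Reconcile external scan results against an asset inventory.

Added example, not from the original article. Every domain, inventory
entry and scan result below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumptions about the organisation: its registered domains and the
# domains of suppliers that legitimately hold data on its behalf.
OWNED_DOMAINS = {"example.com"}
THIRD_PARTY_DOMAINS = {"example.net"}
ABANDON_AFTER = timedelta(days=180)   # assumed staleness threshold
TODAY = date(2024, 6, 1)              # fixed so the example is reproducible


@dataclass
class InventoryEntry:
    host: str
    owner: Optional[str]   # None means nobody has claimed the asset
    last_seen: date        # last time the owner confirmed it


# Constructed inventory: what the organisation believes it owns.
INVENTORY: Dict[str, InventoryEntry] = {
    "www.example.com": InventoryEntry("www.example.com", "web-team", date(2024, 5, 1)),
    "vpn.example.com": InventoryEntry("vpn.example.com", "netops", date(2024, 5, 1)),
    "legacy.example.com": InventoryEntry("legacy.example.com", None, date(2023, 1, 15)),
    "old-portal.example.com": InventoryEntry("old-portal.example.com", "sales", date(2023, 6, 1)),
}


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule; production code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike (typosquatted) labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_owned(domain: str) -> bool:
    """Heuristic: the second-level label is within one edit of an owned brand,
    or embeds it (examp1e.com, example-login.com, example.org)."""
    label = domain.split(".")[0]
    for owned in OWNED_DOMAINS:
        brand = owned.split(".")[0]
        if edit_distance(label, brand) <= 1 or brand in label:
            return True
    return False


def classify(host: str, inventory: Dict[str, InventoryEntry] = INVENTORY,
             today: date = TODAY) -> str:
    """Return one of: known, abandoned, unknown, impersonating, third-party, unrelated."""
    domain = registrable_domain(host)
    if domain in THIRD_PARTY_DOMAINS:      # supplier infrastructure we rely on
        return "third-party"
    if domain in OWNED_DOMAINS:
        entry = inventory.get(host.lower())
        if entry is None:                  # ours, but nobody recorded it: shadow IT
            return "unknown"
        if entry.owner is None or today - entry.last_seen > ABANDON_AFTER:
            return "abandoned"             # unowned, or not confirmed for too long
        return "known"
    if looks_like_owned(domain):           # not ours, but trades on our name
        return "impersonating"
    return "unrelated"                     # outside the page's five categories


def reconcile(scan: List[str], inventory: Dict[str, InventoryEntry] = INVENTORY,
              today: date = TODAY) -> Dict[str, List[str]]:
    """Group every host found by a scan under its category."""
    groups: Dict[str, List[str]] = {}
    for host in scan:
        groups.setdefault(classify(host, inventory, today), []).append(host)
    return groups


def diff_scans(previous: List[str], current: List[str]) -> Tuple[List[str], List[str]]:
    """Continuous monitoring: hosts that appeared and hosts that vanished since the last run."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


# Constructed results of two successive external scans.
SCAN_MONDAY = ["www.example.com", "vpn.example.com", "legacy.example.com",
               "old-portal.example.com", "dev-test.example.com",
               "files.example.net", "examp1e.com"]
SCAN_TUESDAY = [h for h in SCAN_MONDAY if h != "legacy.example.com"] + ["staging.example.com"]

if __name__ == "__main__":
    for category, hosts in sorted(reconcile(SCAN_TUESDAY).items()):
        print(f"{category:13s} {', '.join(hosts)}")
    appeared, vanished = diff_scans(SCAN_MONDAY, SCAN_TUESDAY)
    print("new since last scan: ", appeared)
    print("gone since last scan:", vanished)
```

Each category maps to a different follow-up: "unknown" hosts need an owner assigned, "abandoned" ones need a decommission or re-confirmation decision, "impersonating" domains are a takedown or brand-protection matter, and "third-party" hosts belong in the supplier risk review rather than the patching queue. Running the diff after every scan, rather than once, is what turns a one-off audit into the continuous process the paragraph describes.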