What is Attack Surface Management?
Unfortunately, organizations across nearly every sector are still struggling to secure their public-facing applications.
In 2020, for example, Silent Breach security consultants found that 92% of web applications tested contained serious or critical security flaws. In particular, we recently reported that 97 of the 100 largest airports are similarly compromised.
A major contributor to this trend lies in the fact that, for most organizations, the attack surface is only growing. CISOs are finding that they must defend against cyberattacks on multiple fronts: web, mobile, social, physical, wireless, cloud, and insider threats, to name just the most obvious.
What is your attack surface? And why is it important?
Your attack surface is the sum of every attack vector that can be used to breach your perimeter defenses. In other words, it is the total quantity of information you are exposing to the outside world.
Typically, the larger the attack surface, the more opportunities attackers will have to find a weak link which they can then exploit to breach your network. And, as illustrated above, your organization's attack surface can be quite large, thereby exposing you and your customers to a vast array of security threats.
The key to effective attack surface management, then, is to reduce your attack surface as much as possible, without compromising other business functions in the process. Here's how.
Reducing Your Attack Surface
The first step to reducing your attack surface is to identify and prioritize all of your internet-facing assets. For smaller companies this can be done manually, but typically an attack surface management tool is used for this. For example, Silent Breach's Quantum Armor is a free agentless tool that can be set up in a matter of minutes and will run automatically to identify and prioritize your exposure.
Next, it's important to determine what level of risk your current level of exposure brings with it. Again, this can be assigned manually, but Quantum Armor will provide this for you automatically. Once we've identified your total exposure, we'll assign a holistic risk rating to your current network. This will serve as your baseline.
In addition, it's important to have access to the latest threat intelligence, as this will help you distribute the risk ratings in an accurate and realistic manner. For example, at first it may not seem significant that you have 92 email addresses exposed, but when you learn that a dozen of these accounts have been compromised in a recent data breach, this will likely impact your risk assessment. Quantum Armor has a built-in Threat Intelligence engine which automatically correlates your exposure to events occurring both in the real world and on the dark web.
Finally, as you begin to reduce your attack surface — either by applying mitigation measures, merging components, or eliminating them entirely — you should see a corresponding dip in your overall risk. Once you've implemented a monitoring tool, this process will continue to run on repeat, keeping you up-to-date on the current state of your attack surface security, and helping you reduce your risk along the way.
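The four steps above (inventory, baseline risk rating, threat-intelligence correlation, and tracking the dip as exposure is reduced) can be sketched as a small scoring model. This is an added illustration, not Quantum Armor's code or scoring method; the asset inventory, the breach feed, and the weighting rule (base weight plus 2 per identifier seen in a breach) are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One internet-facing asset in the inventory (constructed model)."""
    name: str
    kind: str                       # e.g. "web", "ftp", "email"
    weight: int                     # base risk contribution, assumed 1..10
    identifiers: Tuple[str, ...]    # exposed ports/services or email addresses


# Step 1: a constructed inventory of internet-facing assets for a fictional org.
ASSETS: List[Asset] = [
    Asset("www.example.com", "web", 6, ("https/443",)),
    Asset("legacy-ftp.example.com", "ftp", 8, ("ftp/21",)),
    Asset("mail accounts", "email", 3,
          ("alice@example.com", "bob@example.com", "carol@example.com")),
    Asset("staging.example.com", "web", 5, ("http/80",)),
]

# Step 3 input: constructed threat-intel feed of identifiers seen in a breach dump.
BREACHED: Set[str] = {"bob@example.com", "carol@example.com"}


def asset_risk(asset: Asset, breached: Set[str]) -> int:
    """Base weight, raised by 2 for every exposed identifier that appears in
    the breach feed (the correlation step described in the text)."""
    hits = sum(1 for ident in asset.identifiers if ident in breached)
    return asset.weight + 2 * hits


def prioritize(assets: Iterable[Asset], breached: Set[str]) -> List[Asset]:
    """Step 1/2: order assets by their risk contribution, highest first."""
    return sorted(assets, key=lambda a: asset_risk(a, breached), reverse=True)


def baseline_risk(assets: Iterable[Asset], breached: Set[str]) -> int:
    """Step 2: the holistic rating is the sum over all assets; this is the baseline."""
    return sum(asset_risk(a, breached) for a in assets)


def reduce_surface(assets: Iterable[Asset], retired: Set[str]) -> List[Asset]:
    """Step 4: eliminate retired assets; re-scoring the result shows the dip."""
    return [a for a in assets if a.name not in retired]


if __name__ == "__main__":
    before = baseline_risk(ASSETS, BREACHED)
    after = baseline_risk(reduce_surface(ASSETS, {"legacy-ftp.example.com", "staging.example.com"}), BREACHED)
    print("top priority:", prioritize(ASSETS, BREACHED)[0].name)
    print(f"risk baseline {before} -> after reduction {after}")
```

Re-running `baseline_risk` on each refreshed inventory is the "run on repeat" monitoring loop: the rating only moves when exposure or the threat feed changes.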
By now, it is commonly accepted that cybersecurity is no longer exclusively an IT job, but the reality is that CISOs are both the newest C-level executives and the least understood. According to recent estimates, by 2022, only 5% of CISOs will report security metrics that are useful for senior executives.
Consequently, the ability of CISOs to translate technical issues into business jargon backed with hard data will be a defining security trend of 2021. In crucial ways, it will be cultural adjustments such as these that will provide the sorely needed expenditure increases in cybersecurity, and transitioning to quantitative risk models such as Attack Surface Management will help pave the way.
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.