Redefining The Cybersecurity Attack Surface, Part 1
When discussing an organization’s security posture, “attack surface” is the common term used to describe the aggregate vulnerabilities that the firm exhibits. Prevailing wisdom holds that the attack surface is (at least in theory) a tangible, observable set of vulnerabilities. This is useful guidance. Managers should strive to understand the attack surface first, so that they might discover critical weaknesses and enact measures to protect those first. But the guidance is incomplete – the attack surface is far greater than the sum of its pieces.
For a simple example of attack surface, think of an inventory of devices that operate on your network. If you can tally them up, the guidance goes, then you will know your attack surface. In theory, this inventory represents the totality of potential network entry points that could be exploited by an attacker.
But devices themselves are deaf and dumb without software, and the software provides the true enabler of exploitation. Recognizing this, software must also be included in order for an attack surface inventory to be effective. Adding this critical requirement makes the inventory more complex.
Now we must consider that neither hardware nor software is the real target of an attacker – they simply provide the infrastructure through which an attack takes place. A bad actor, in most business cases, seeks data. This represents a more precise definition of the attack surface. Your organization’s vulnerability is directly related to the type, quantity, and nature of data that you store. So in order to truly understand the attack surface, you must have a method to identify, inventory, and monitor data on your network. The complexity mushrooms.
By defining the risk of data, the vulnerabilities of software with which the data is handled, and the type of devices that run the software, we’ve come very close to the traditional definition of the attack surface. But there is another layer here, one that is arguably the most important – and most vulnerable – of them all. Those who operate devices, install software, and trade data are simultaneously the largest and most poorly protected surface of all – the people.
We have all heard the adage that “the greatest security risk is people”, and none of us has ever felt compelled to argue with that. The data are very clear – phishing attacks (emails that trick a user into divulging information or giving unauthorized access) grew 233% from 2014 to 2015. Across all organizations, 23% of users will open a phishing email and 11% will click a link – at which point your network is compromised1.
An attacker only needs to send 10 emails to your firm in order to have a greater than 90% chance that at least one user will click a malicious link. This is an easy game – hit the largest, weakest attack surface with the cheapest weapon available, and gain access. Game over.
This is a tremendous challenge for managers, but not an insurmountable one. These attacks, known as social engineering, rely on weaknesses in the workforce that can be programmatically addressed with training, testing, procedures, policies, and enforcement.
This is not a technology issue – it’s a management and governance issue. It is important to think of the attack surface as something that wraps around and folds within the entire organization. Attack surface isn’t an array of servers running software, nor is it limited to the administrators who guarantee the confidentiality, integrity, and availability of those resources. It’s the entire corpus of people who operate around and within that resource environment, and it is made vulnerable by the very nature of their jobs – to have access to resources. The appropriate question is not “how many endpoints” or even “how much data” but “how many people have access to those things?” This is the true attack surface.
It will always important to maintain hardware, software, and data inventories. Now, it is also important to include people in those inventories, and to take stock of those people’s level of awareness and education regarding the risks they carry. A proactive organization can enable these processes with well-considered policies and clearly-defined procedures for compliance. Above all, it is important to know all the stakeholders, and to ensure that each of them knows how important they are in protecting the organization’s critical data.
In Part 2, we will reveal another layer of vulnerability that derives from this human attack surface.
1 Verizon DBIR, 2015, http://www.verizonenterprise.com/DBIR/2015/