Published Feb 15, 2023 by Xiph
Reducing your business’ attack surface is a basic but critical cyber security measure. While many small and medium-sized businesses (SMBs) may think they’re too small to be attractive targets for hackers, the reality is quite the opposite: smaller organisations tend to have weaker cyber security overall, that is, a larger attack surface. This makes them more susceptible to data breaches and more attractive to cyber criminals.
What’s an attack surface?
An attack surface is the entire area of an organisation or IT system that’s susceptible to hacking. In other words, it’s the sum of vulnerabilities and entry points — also referred to as attack vectors — that hackers can exploit to gain unauthorised access to your business network and data, or to launch a cyber attack. Businesses should always aim to keep their attack surface as small as possible as a basic cyber security measure.
As more businesses pivot to cloud services and hybrid work models, they’ll need to work much harder to minimise their attack surface and protect their networks and digital systems. Attack surfaces are becoming larger and more complex as technologies evolve.
Basics of exploitation
Your business’ attack surface includes all vulnerabilities or security issues at any endpoint that can be exploited by malicious actors or unauthorised users. Your enterprise attack surface also includes your users and all the possible ways in which they can be tricked by an attacker.
What are the three types of attack surfaces?
Attack surfaces or vectors typically come in three categories: digital attack surfaces, physical attack surfaces, and social engineering attack surfaces.
- Digital attack surface: Includes anything outside of the firewall that’s connected to the Internet: basically all digital assets, such as cloud and on-premises infrastructure, applications, code, ports, servers, websites, and unauthorised system access points.
- Physical attack surface: Think of your physical attack surface as all the security vulnerabilities physically accessible to an attacker. This also includes assets and information typically accessible only to users with access to your organisation’s physical office/location or endpoint devices. Examples include computers, laptops, mobile devices, USB ports, IoT devices, servers, and operational hardware.
- Social engineering attack surface: This exploits human weaknesses rather than technical or digital system vulnerabilities. Consider the social engineering attack surface as the number of people in your business who are susceptible to social engineering, including employees, contractors, and teams. People are one of the most dangerous and often overlooked parts of any organisation’s attack surface. Social engineering attacks, like phishing, typically try to trick people into handing over sensitive information or clicking a link that delivers some type of malware. Social engineering is a technique that exploits human error, which is why it’s sometimes called ‘human hacking.’
Common attack surfaces businesses should watch out for
Here’s a list of possible attack surfaces businesses should monitor to mitigate cyber risks and data breaches:
- Internet-facing IT assets
- Access control systems
- Legacy, IoT, and shadow IT assets
- File sharing & storage
- Open ports or misconfigured network ports, wireless access points, or firewalls
- Unpatched/outdated software & operating systems (OS)
- Unknown open-source software (OSS)
- IT inherited from M&A activities
- Third-party vendors, including on-premises & cloud assets
- Deactivated or outdated domains, devices, data, applications, SSL certificates
- Weak passwords
- Phishing & human error
Attack surface vs attack vector: What’s the difference?
The terms attack surface and attack vector are often used interchangeably but aren’t the same thing. The surface is the totality of assets that can be exploited. Examples of attack surfaces include servers, desktops, laptops, applications, and network infrastructure. Meanwhile, a vector is the means or method by which a hacker could gain access to those assets. Examples of attack vectors include poor encryption, misconfigured applications, or weak passwords.
How to reduce your business’ attack surface
Conducting an attack surface analysis is a good first step to reducing or protecting your attack surface. Businesses should regularly undertake stringent attack surface management or monitoring (ASM), which takes a hacker’s view and approach. ASM is designed to continuously identify and monitor the points of attack and vulnerabilities within your networks and systems that potential hackers would see and attempt to exploit.
ASM provides an inventory of your organisation’s IT assets, including on-premises and cloud assets, and monitors them in real time to identify vulnerabilities and potential attack vectors. Those IT assets are scored according to their security risk and prioritised for threat response or remediation. Some immediate mitigation strategies may include deactivating applications and endpoint devices no longer in use, patching software and operating systems, and enforcing stronger passwords and multi-factor authentication (MFA). Longer-term remedies may include user training on phishing scams and revising security controls and policies around software downloads and removable media.
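As an added illustration (not part of the original post or of any Xiph product), the following Python sketch scores a constructed asset inventory against several of the checklist items above (internet exposure, unused assets, missing patches, risky open ports, expired certificates, no MFA) and ranks the assets for remediation. The weights, the port set, and the hostnames are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed example: weights and the risky-port set are illustrative, not a standard.
RISKY_PORTS = {21, 23, 445, 3389}   # plaintext or remote-admin services
TODAY = date(2023, 2, 15)

@dataclass
class Asset:
    name: str
    internet_facing: bool
    in_use: bool                    # unused assets are surface with no business value
    days_since_patch: int
    open_ports: Tuple[int, ...]
    cert_expiry: Optional[date]     # None when the asset serves no TLS
    mfa_enforced: bool

def score(asset: Asset, today: date) -> Tuple[int, List[str]]:
    """Return (risk points, findings) for one asset from the checklist items."""
    points, findings = 0, []
    if asset.internet_facing:
        points += 3; findings.append("internet-facing")
    if not asset.in_use:
        points += 2; findings.append("not in use: candidate for decommissioning")
    if asset.days_since_patch > 30:
        points += 3; findings.append(f"unpatched for {asset.days_since_patch} days")
    exposed = sorted(set(asset.open_ports) & RISKY_PORTS)
    if exposed:
        points += 2 * len(exposed); findings.append(f"risky open ports {exposed}")
    if asset.cert_expiry is not None and asset.cert_expiry < today:
        points += 1; findings.append("expired TLS certificate")
    if not asset.mfa_enforced:
        points += 2; findings.append("MFA not enforced")
    return points, findings

def prioritise(inventory: List[Asset], today: date) -> List[Tuple[int, str, List[str]]]:
    """Rank the inventory highest risk first; ties are broken by name for stable reports."""
    ranked = [(s, a.name, f) for a in inventory for s, f in [score(a, today)]]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

# Constructed inventory, not real hosts.
INVENTORY = [
    Asset("vpn-gateway", True, True, 45, (443, 3389), date(2023, 1, 10), False),
    Asset("legacy-fileserver", False, False, 400, (445,), None, True),
    Asset("hr-laptop-07", False, True, 5, (), None, True),
]

if __name__ == "__main__":
    for points, name, findings in prioritise(INVENTORY, TODAY):
        print(f"{points:2d} {name}: {'; '.join(findings) or 'no findings'}")
```

Running it lists the internet-facing, unpatched gateway without MFA first and the unused file server second, which is the ordering a remediation queue should follow.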
On a broader scale, businesses should always employ Zero Trust security based on the notion of least-privileged access controls and strict user authentication—not assumed trust. Zero Trust requires all internal and external users of an organisation to be authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. This typically includes network segmentation, which divides a network into multiple segments and thereby limits an organisation’s exposure and attack surface.
Read more: Why your business needs Zero Trust security
A final word
Every business, small, medium, or large, should have information security experts conduct attack surface analysis and management. This is particularly important for SMBs, which are often slow to react to ever-evolving threats because they lack adequate cyber security acumen and resources. This is amplified by human error risks in the workplace and the overall lack of security awareness education in most enterprises. With knowledge of key security measures and a proactive approach to cyber security, businesses and organisations can better understand their risks and implement strong, cost-effective cyber security protection to reduce their attack surface. For more information on how to reduce your exposure to cyber attacks as a small business, contact us via email: enquiries@xiphcyber.com.