In the first article in this series, we discussed a little about Understanding Attack Surface Analytics, and in this second installment we will examine exactly what constitutes your attack surface.
Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk.
A typical attack surface has complex interrelationships among three main areas of exposure: software attack surface, network attack surface and the often-overlooked human attack surface.
The Software Attack Surface
The software attack surface comprises the software environment and its interfaces: the applications and tools available to authorized (and unauthorized) users.
The software attack surface is calculated across many different kinds of code and configuration, including applications, email services, configurations, compliance policy, databases, executables, DLLs, web pages, mobile apps and device operating systems.
The Network Attack Surface
The network attack surface covers exposure related to ports, protocols, channels, devices (from routers and firewalls to laptops and smartphones), services, network applications (SaaS) and even firmware interfaces.
Depending on your infrastructure, you may also need to include cloud servers, data, systems and processes in your network attack surface.
The Human Attack Surface
Humans have a range of complex vulnerabilities that are frequently exploited. One of the great strengths of highly secure organizations is their emphasis on communicating security awareness and safety principles to their employees, partners, supply chain and even their customers (as when using the web to gain secure access to bank or 401K accounts).
Many breaches begin with an exploit directed at humans, and it is very clear that malicious intent, inadvertent errors and misplaced trust can all be exploited to cause great harm. Examples of successful attacks vary widely (most notably phishing and spear phishing), but a comprehensive index should also include processes, physical security and privileges (including the ability to attach, read or write to removable devices).
In summary, to accurately determine your attack surface risk, all three of these attack surfaces must be considered. Using existing and emerging ASA technologies can provide improved insight and visibility into your organization’s security posture in each of these areas, as well as provide the underlying basis for the attack surface score.
For more information, check out the whitepaper Understanding Your Attack Surface: The First Step in Risk-Based Security Intelligence, and feel free to contact me at firstname.lastname@example.org.
In the next article in this three-article series, we will examine Effectively Communicating Attack Surface Analytics. Stay tuned!