In the first two installments of this series on system hardening (part one, part two) we looked at the challenges involved in defining the attack surface and at strategies for managing it effectively, so now we can concentrate on measures that actively reduce the attack surface.
It’s tempting, given the complexity, to save attack surface for last and to attack well-known functions like vulnerability management and security configuration management first. After all, there are plenty of vulnerabilities and configuration findings to deal with before you get to the ‘what’s left’ of attack surface, right? Wrong!
In fact, addressing attack surface early can be an incredibly effective means of reducing vulnerability and compliance findings. Rather than trying to address individual findings on a piecemeal basis, grouping them by the application they affect, then evaluating the applications themselves, can allow you to remove whole groups of findings with a single action.
This isn’t the same as grouping remediation actions by patch. While a single patch may fix multiple vulnerabilities, it won’t necessarily address configuration issues with that application, nor any risk from misuse by authorized users. Patching also doesn’t address future risk from that application; that can only really be done by effectively shrinking the attack surface.
Where to Start
If you can’t really measure attack surface across your organization, it’s unlikely that you’ll be able to start reducing it as an enterprise project. Instead, look for choke points that amplify benefit. For example, start with a standard desktop build.
If you don’t have one already, then just establishing a standard build can reduce variation and actually reduce risk. If you do have one, start by evaluating its attack surface and looking for ways to reduce it. This approach allows you to take localized action that’s propagated widely.
Evaluate the tools you have in place as well. In some cases, you may find that an existing tool can provide insight into attack surface in your organization with minor changes in reporting or use. Vulnerability Management is a good example.
Some VM tools, like Tripwire’s IP360, collect useful information that can be used to address attack surface directly, such as application inventory. If you have an enterprise configuration auditing or compliance tool in place, you may be able to create a simple policy that helps to assess attack surface directly as well.
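The grouping approach described above, and the use of an application inventory to compare hosts against a standard build, as an added worked example (this is illustrative code written for this page, not Tripwire's or IP360's). The findings, the inventory and the standard build list are constructed sample data, and the record fields (host, application, kind, id) are assumptions rather than any real tool's export format:

```python
"""Group vulnerability and configuration findings by the application that
carries them, rank applications by how many findings removing them would
eliminate, and flag software that is not part of the standard build.
All data below is constructed for illustration."""
from collections import defaultdict

# Constructed sample findings: a mix of vulnerability ("vuln") and
# configuration ("config") findings, each tagged with host and application.
FINDINGS = [
    {"host": "ws-01", "application": "legacy-ftp-client", "kind": "vuln",   "id": "V-1001"},
    {"host": "ws-01", "application": "legacy-ftp-client", "kind": "config", "id": "C-2001"},
    {"host": "ws-01", "application": "browser",           "kind": "vuln",   "id": "V-1002"},
    {"host": "ws-01", "application": "pdf-reader",        "kind": "vuln",   "id": "V-1003"},
    {"host": "ws-02", "application": "legacy-ftp-client", "kind": "vuln",   "id": "V-1001"},
    {"host": "ws-02", "application": "legacy-ftp-client", "kind": "config", "id": "C-2001"},
    {"host": "ws-02", "application": "browser",           "kind": "vuln",   "id": "V-1002"},
    {"host": "ws-03", "application": "media-player",      "kind": "vuln",   "id": "V-1004"},
    {"host": "ws-03", "application": "media-player",      "kind": "config", "id": "C-2002"},
    {"host": "ws-03", "application": "browser",           "kind": "vuln",   "id": "V-1002"},
    {"host": "ws-03", "application": "media-player",      "kind": "config", "id": "C-2003"},
]

# Constructed application inventory per host (what a VM tool's inventory
# data might give you, in a simplified form).
INVENTORY = {
    "ws-01": {"browser", "office-suite", "pdf-reader", "legacy-ftp-client"},
    "ws-02": {"browser", "office-suite", "pdf-reader", "legacy-ftp-client"},
    "ws-03": {"browser", "office-suite", "media-player"},
}

# Constructed standard desktop build: the applications that are meant to be there.
STANDARD_BUILD = {"browser", "office-suite", "pdf-reader"}


def group_by_application(findings):
    """Return {application: [findings on that application]}."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["application"]].append(finding)
    return dict(groups)


def removal_candidates(findings, standard_build):
    """Rank applications by the number of findings (of both kinds, across all
    hosts) that disappear if the application is removed. Applications that are
    not part of the standard build sort first, since removing them is the most
    direct attack-surface reduction; within each group, more findings first."""
    rows = []
    for app, items in group_by_application(findings).items():
        rows.append({
            "application": app,
            "findings": len(items),
            "vuln": sum(1 for f in items if f["kind"] == "vuln"),
            "config": sum(1 for f in items if f["kind"] == "config"),
            "hosts": sorted({f["host"] for f in items}),
            "in_standard_build": app in standard_build,
        })
    rows.sort(key=lambda r: (r["in_standard_build"], -r["findings"], r["application"]))
    return rows


def findings_eliminated(findings, removed_applications):
    """Count the findings that no longer apply once the given applications are gone."""
    return sum(1 for f in findings if f["application"] in removed_applications)


def non_standard_software(inventory, standard_build):
    """Return {host: [applications outside the standard build]} for hosts that drift."""
    return {
        host: sorted(apps - standard_build)
        for host, apps in inventory.items()
        if apps - standard_build
    }


if __name__ == "__main__":
    for row in removal_candidates(FINDINGS, STANDARD_BUILD):
        tag = "standard" if row["in_standard_build"] else "NON-STANDARD"
        print(f"{row['application']:<20} {row['findings']:>2} findings "
              f"({row['vuln']} vuln, {row['config']} config) on {row['hosts']} [{tag}]")
    removed = {"legacy-ftp-client", "media-player"}
    print(f"Removing {sorted(removed)} eliminates "
          f"{findings_eliminated(FINDINGS, removed)} of {len(FINDINGS)} findings")
    print("Drift from standard build:", non_standard_software(INVENTORY, STANDARD_BUILD))
```

The ranking makes the point of the paragraph concrete: the two applications that sit outside the standard build account for more than half of the findings, and both a vulnerability and a configuration finding on the same application go away together when it is removed, which no single patch would achieve.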
Regardless of your approach, using attack surface as a concept can help drive greater risk reduction through your existing programs, and ultimately harden the systems throughout your environment against intrusion.
See also from this series:
- Managing the Complexity of the Attack Surface
- Proactively Hardening Systems: Defining the Attack Surface
- Continuous Security Monitoring: An Introduction
- The Role of Security in Creating a Standard of Due Care
- Prevention and Detection Strategies for Backdoors and Hardware Attacks
- Interesting but not Actionable Security Data – Should I Even Look?
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Definitive Guide to Attack Surface Analytics
Also: Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
Title image courtesy of ShutterStock