In the first installment of this series on system hardening we looked at the challenges involved in defining the attack surface. Here we will examine strategies for managing the attack surface effectively.
In a perfect world, we would measure attack surface directly and weigh the risk of each exposed component against its utility. After all, the existence of a service implies some risk; we accept that risk because the benefit of the service outweighs it. In practice, there are only a few circumstances in which that level of detail is feasible.
The NERC Critical Infrastructure Protection (CIP) regulation, for example, requires that governed entities document every service and port on devices, along with the purpose of each.
Although it applies only to defined in-scope devices, this is essentially an effort to control attack surface directly: every open port must be tied to a documented purpose, and anything without one is a candidate for removal. It is an approach that is very effective at reducing risk and hardening systems, but this sort of brute-force method is very difficult to scale across a large number of devices.
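To make the port-and-purpose inventory concrete, here is an added example (not code from the original post or from Tripwire) of the check a CIP-style review boils down to: take the listening sockets on a host, compare them with a documented baseline, and report anything that is listening without a documented purpose, anything documented as loopback-only that is bound more widely, and anything documented that is no longer listening. The `ss -ltnup` output below is constructed sample data, the BASELINE table is a hypothetical inventory, and the column layout assumed is that of iproute2's `ss`; adjust the parser if your platform differs.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnup` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1020,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5432       0.0.0.0:*         users:(("postgres",pid=1311,fd=5))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=2044,fd=41))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=701,fd=7))
"""

# Hypothetical documented inventory: (protocol, port) -> purpose and whether the
# service is only allowed to bind to loopback. In a real program this comes from
# the asset's approved-services record, not from a literal in the script.
BASELINE = {
    ("tcp", 22):   {"purpose": "SSH administration from jump hosts", "loopback_only": False},
    ("tcp", 443):  {"purpose": "HTTPS front end", "loopback_only": False},
    ("tcp", 5432): {"purpose": "PostgreSQL for the local application only", "loopback_only": True},
    ("udp", 161):  {"purpose": "SNMP polling by the monitoring system", "loopback_only": False},
    ("tcp", 3306): {"purpose": "MySQL, scheduled for decommission", "loopback_only": True},
}

LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    pid: int


def parse_ss(output: str) -> list[Listener]:
    """Parse the listening sockets out of `ss -ltnup` style output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the header row and anything too short to be a socket line.
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        proto, local = fields[0], fields[4]
        # rsplit keeps IPv6 forms such as "[::]:22" intact.
        addr, port = local.rsplit(":", 1)
        m = PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(proto, addr, int(port), process, pid))
    return listeners


def audit(listeners: list[Listener], baseline: dict) -> dict:
    """Compare observed listeners with the documented baseline.

    Returns three findings lists:
      undocumented     - listening, but no documented purpose (attack surface
                         nobody has justified)
      scope_violations - documented as loopback-only but bound more widely
      stale            - documented, but nothing is listening (the inventory
                         is drifting from reality)
    """
    undocumented, scope_violations, seen = [], [], set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        entry = baseline.get(key)
        if entry is None:
            undocumented.append(l)
        elif entry["loopback_only"] and l.addr not in LOOPBACK_ADDRS:
            scope_violations.append(l)
    stale = sorted(k for k in baseline if k not in seen)
    return {"undocumented": undocumented, "scope_violations": scope_violations, "stale": stale}


if __name__ == "__main__":
    report = audit(parse_ss(SAMPLE_SS_OUTPUT), BASELINE)
    for l in report["undocumented"]:
        print(f"UNDOCUMENTED  {l.proto}/{l.port} {l.addr} ({l.process}, pid {l.pid})")
    for l in report["scope_violations"]:
        print(f"SCOPE         {l.proto}/{l.port} bound to {l.addr}, baseline says loopback only ({l.process})")
    for proto, port in report["stale"]:
        print(f"STALE         {proto}/{port} documented but not listening: {BASELINE[(proto, port)]['purpose']}")
```

On the sample data this flags the undocumented Java listener on tcp/8080, PostgreSQL bound to all interfaces when the inventory says loopback only, and a documented MySQL port that is no longer open. The third finding matters as much as the first two: an inventory that is not reconciled against what is actually listening stops being a control and becomes paperwork, which is the failure mode the rest of this post is about.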
In less regulated and generally larger environments, we tend to behave more like astronomers, inferring the attack surface from its reflected evidence in things like vulnerability findings or compliance results.
These abstraction layers are functionally valuable, in that they make the complexity of attack surface actionable, but there is a risk of mistaking the abstraction for the actual goal.
In other words, achieving compliance or reducing vulnerability risk is not the same thing as managing attack surface. Those two disciplines provide more achievable goals, and acting on them does materially reduce risk, but they measure proxies for exposure rather than exposure itself.
There is nothing wrong with driving risk reduction through vulnerability and compliance. Both provide valuable mechanisms to establish goals and measure progress. It’s important, however, to remember that where the goal is really the prevention of compromise, vulnerability and compliance only go so far.
At the end of the day, a fully compliant asset with no known vulnerabilities may still be compromised. As an industry, we have largely come to grips with the idea that compliance is not security and that a compliant device may still be vulnerable.
We have not quite reached the same understanding that a device with no known vulnerabilities is not necessarily secure, though it is empirically true: an unneeded service with no published flaw is still attack surface, and the next disclosed vulnerability or misconfiguration lands on it.
In the next installment, we will examine strategies to reduce the attack surface…
See also from this series:
- Proactively Hardening Systems: Defining the Attack Surface
- Strategies for Actively Reducing the Attack Surface
- Continuous Security Monitoring: An Introduction
- The Role of Security in Creating a Standard of Due Care
- Prevention and Detection Strategies for Backdoors and Hardware Attacks
- Interesting but not Actionable Security Data – Should I Even Look?