We will discuss a few key areas in the vast attack surface today. With increasing technology advancement and its intervention into the enterprise world makes the scope of cyber defense enormously large. It reminds me of depth-first and breadth-first search algorithms to cover scopes in varied situations. The security landscape is so widely expanding, the change is constant and the depth and breadth is too.
In this article, we will try to make this task a little easier by bringing forward a few of the areas which might help you gain an insight into a large attack surface targeted by hackers for your organization.
Key Attack Surface Dimensions :
- Unpatched Elements In Web Assets
This is a common scenario. Many small elements often go unnoticed and remain unpatched. We could take the example of content management systems which are highly popular for website development. Multiple plugins (some unmanaged) are used in these websites and remain unpatched and not maintained. In reality, this happens a lot. However, this can be contained if proper measures are taken
- The Mobile Apps (Extra-Threat Factor)
Since the intervention of Steve Jobs and smartphones, corporates and personal lives have changed. The power these devices give is enormous. With it came the various apps to fill in the gaps, solved problems and have become a part of our lives. This extra ecosystem burden adds its own dimension to the security world. It needs careful analysis and secured policies for it to function securely in the enterprise world. Eg. If a person has a compromised mobile/handset that he uses to access sensitive data from the enterprise, it stands a chance of affecting the enterprise.
- Unmanaged Assets (Birth Of Shadow IT)
These are the orphaned assets that the central IT control hasn’t got a clue of. These often got created without the proper safety measures and know-hows because of quick business actions with IT functions in nature without going via IT. With technology advancement, most operations in business have become tightly coupled with IT, thus having large business impacts. A department facing the choice of time deadline and IT bandwidth constraints may consciously or unconsciously choose business delivery over the process. There are multiple such instances which may not actually have a rigid policy of implementation eg. a ghost domain used by the marketing department for testing purpose. Such assets remain beyond the IT logs and could pose serious threats.
- Social Engineering Tactics
We’ve read the stories of Kevin Mitnick and so many more. Social engineering can be fishy. Without careful training and awareness, any resource involved in the business process could become a target to this method of attack. Common tactics are known and staff including third-party dependencies could be trained in a manner to provide security.