Attack Surface 101: How well do you know your organization’s attack surface?
By now, the term digital footprint shouldn’t be a mystery anymore. We roll our eyes every time we see an old college colleague, our teenage niece or that guy on Facebook we don’t really know exposing half of their life online. “Are they not thinking about the dangers?”
Now think about the company you work for. Does it have 10 or 100 or more internet domains under control? How big is its digital footprint? Does each internet domain span 50 active subdomains? Or 500? Which web applications and files are exposed? Do they leak sensitive information? How are new assets in your company reported to the risk & security stakeholders? Is there an inventory of all assets and is it complete and up-to-date?
If these questions are hard to answer, you’re not alone. Our discussions with organizations show that Risk, Security and IT teams are having difficulty coping with all the work, and that their visibility of what they have to secure (availability, confidentiality and integrity) is fading with the increasing complexity and dynamic nature of digital footprints.
What is an attack surface?
An attack surface refers to the sum of all possible points where an unauthorized user, or attacker, can attempt to enter or extract data from an environment. This includes all the hardware, software, and network components that are exposed to potential threats. In essence, it’s the total scope of vulnerabilities that an attacker could exploit to gain unauthorized access to your systems or data.
For example, an attack surface might include:
- Open ports and protocols
- Software applications and their vulnerabilities
- User accounts and credentials
- Physical access points to devices or networks
- Third-party services and integrations
Knowing your organization’s infrastructure is always the first step in protecting it against threat actors. After all, you can’t protect what you don’t know. We believe that, in order to gain visibility and spend money adequately, the question is not whether an organization is aware of the dangers, but whether it has the capability to keep an overview and spot weaknesses (before they become dangerous) in an ever-growing attack surface that is the digital footprint. You need to become aware of the ‘unknown-unknowns’ lurking in your infrastructure.
Why does your attack surface matter?
The last decade has been one of digital transformation. Organizations move to the cloud, implement automation in their daily tasks (e.g. marketing automation) and gather massive amounts of data via (analytics) tools and platforms.
According to a TechRepublic survey, nearly 70% of companies are either using or considering cloud services. On top of that, TechJury states that by the end of 2020, 67% of enterprise infrastructure will be cloud-based. In their article about digital transformation statistics, Finances Online reveal that 70% of organizations have a digital transformation strategy or are working on one, and the top five technologies already implemented include big data/analytics (58%), mobile technology (59%), and APIs and embeddable tech (40%).
Organizations rely more and more on a multitude of technologies to conduct their online business. Apart from this technology overflow, it is important to know that each 3rd party technology within your attack surface has an attack surface of its own.
Digital transformation and technology overflow
The trend of digital transformation, digital adoption, and continuous software improvement results in a technology overflow in your environment. In other words: attack surfaces are continuously growing because organizations use multiple digital platforms and 3rd party technologies to conduct online business. Apart from employees making human errors when using and leveraging this multitude of software, a lack of overview can cause problems too.
It is easy to get lost: your brand’s online presence is built on content management systems (e.g. WordPress), analytics tools (e.g. Google Analytics), web frameworks (e.g. Java), server software (e.g. Apache), ecommerce tools (e.g. Shopify), captchas (e.g. reCAPTCHA) and more 3rd party technology suppliers.
Security holes and data breaches
Not only are these 3rd party technologies a part of your organization’s attack surface, these elements also have an attack surface of their own. We know that technologies contain vulnerabilities that bad actors can discover and exploit over time.
Take a look at these historical incidents:
- In 2018 British Airways reported they had been hacked and sensitive information from thousands of their customers had been stolen. The cause of the breach was malicious 3rd party code.
- A similar attack happened to Capital One, where a hacker took advantage of an Amazon server misconfiguration.
- In December, word got out that a database containing information on Honda owners in North America was exposed online. An Elasticsearch cluster containing this data was reachable via the internet without authentication.
- Threat actors are known to exploit JavaScript security holes for advanced attacks, for example to steal sensitive information from website visitors.
In a nutshell: it is your company’s responsibility to monitor and manage your online attack surface and all its digital building blocks, and to make sure you have the visibility and control to take action if your organizational security posture and reputation are degrading.
Do you know your attack surface?
Outpost24’s external attack surface management (EASM) solution, Sweepatic, discovers a wide variety of technologies across your attack surface. This 3rd party framework discovery is integrated in the Sweepatic secure portal, so you can have a clear, centralized view on all your internet-facing assets and the technologies related to them.
What if, for example, a vulnerability is discovered in WordPress or Drupal? Do you know where all your WordPress and Drupal instances are residing? Do you know which version is running in your organization? You can find out with just a few clicks in the Sweepatic Platform.
Read more about how Attack Surface Management is defined.
If a 3rd party vulnerability is discovered, you need to know where your internet-facing assets related to this technology reside, so you can take immediate action and protect your organization from harm.
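The lookup described above, sketched as an added example (not Sweepatic's code or API): given an asset inventory with fingerprinted technologies and versions, it lists the hosts still below a fixed release and separates out the ones whose version could not be determined. The inventory, host names, version numbers and the `triage` function are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str
    technology: str
    version: Optional[str]  # None when fingerprinting found no version

# Constructed sample inventory: hosts and versions are illustrative only.
INVENTORY = [
    Asset("www.example.com", "WordPress", "6.4.2"),
    Asset("blog.example.com", "WordPress", "5.8"),
    Asset("shop.example.com", "Drupal", "9.5.11"),
    Asset("legacy.example.com", "wordpress", None),
    Asset("docs.example.com", "WordPress", "6.5.0-beta1"),
]

def parse_version(text):
    """Turn '6.4.2' into (6, 4, 2); return None for anything non-numeric."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory, technology, fixed_in):
    """Sort hosts running `technology` into affected / review / patched."""
    fixed = parse_version(fixed_in)
    if fixed is None:
        raise ValueError(f"unparseable fixed version: {fixed_in!r}")
    result = {"affected": [], "review": [], "patched": []}
    for asset in inventory:
        if asset.technology.lower() != technology.lower():
            continue  # fingerprint names vary in case between tools
        found = parse_version(asset.version) if asset.version else None
        if found is None:
            # Unknown or pre-release version: never assume it is safe.
            result["review"].append(asset.host)
            continue
        # Pad to equal length so that 5.8 compares as 5.8.0.
        width = max(len(found), len(fixed))
        a = found + (0,) * (width - len(found))
        b = fixed + (0,) * (width - len(fixed))
        result["affected" if a < b else "patched"].append(asset.host)
    return result

if __name__ == "__main__":
    # "6.4.3" is a constructed fixed-in version, not a real advisory.
    print(triage(INVENTORY, "WordPress", "6.4.3"))
```

The "review" bucket matters as much as "affected": an asset with no detectable version is a gap in the inventory, not evidence that the host is patched.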
The Sweepatic platform supports asset tagging, actionable insights and notifications around outliers and unknown, rare and outdated technologies and version numbers, across your entire internet-exposed attack surface.
After a sweep by our solution, we’ll provide you with actionable information in the form of:
- all your existing and active subdomains.
- which subdomains are vulnerable to subdomain takeovers.
- what web applications/technologies/files each of them contains.
- which information is exposed and where (WHOIS, DNS records, PII, used software, file paths…)
- all potential cybersquatting domains out there.
- and much more!