What is the attack surface?
Your attack surface is all the hardware, software, SaaS, and cloud assets that are reachable from the Internet and that process or store your data. Think of it as the total set of attack vectors a cybercriminal could use to take control of a network or system and extract data. Your attack surface includes:
- Known assets: Inventoried and managed assets such as your corporate website, your servers, and the dependencies running on them
- Unknown assets: Shadow IT or orphaned IT infrastructure that was stood up outside the purview of your security team, such as forgotten development or marketing sites
- Rogue assets: Malicious infrastructure spun up by threat actors, such as malware, typosquatted domains, or a website or mobile app that impersonates your domain
- Vendors: Your attack surface doesn't stop at your organization; third-party and fourth-party vendors introduce significant third-party risk and fourth-party risk. Even small vendors can cause large data breaches: consider the HVAC vendor whose compromise eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.
Millions of these assets appear on the Internet every day and sit entirely outside the scope of firewall and endpoint protection services. Other names for the attack surface include external attack surface and digital attack surface.
Why reducing your attack surface isn't a complete solution
It's common for organizations to approach improving information security by reducing:
- The amount of code running
- The entry points available to untrusted users, e.g. through access control, RBAC, and the principle of least privilege
- The number of Internet-facing web applications, mobile apps, and services running
While this does reduce your organization's attack surface, it doesn't prevent security controls from failing.
If an attacker is able to find an exploit or vulnerability in your remaining Internet-facing assets before you do, they can still inflict damage by installing malware or ransomware or by causing data breaches.
This is why many organizations are investing in tools that provide real-time attack surface analysis and vulnerability management, such as UpGuard BreachSight.
Why is attack surface management important?
Attack surface management is important because it helps prevent and mitigate risks stemming from:
- Legacy, IoT, and shadow IT assets
- Human mistakes and omissions like phishing and data leaks
- Vulnerable and outdated software
- Unknown open-source software (OSS)
- Large-scale attacks on your industry
- Targeted cyber attacks on your organization
- Intellectual property infringement
- IT inherited from M&A activities
- Vendor-managed assets
Timely identification of digital assets is a fundamental part of robust threat intelligence and can greatly reduce the risk of data breaches and data leaks. All it takes for an attacker to launch a cyber attack is one vulnerable point in your organization.
What are the components of a strong attack surface management solution?
A modern attack surface management solution consists of five parts:
- Asset discovery
- Inventory and classification
- Risk scoring and security ratings
- Continuous security monitoring
- Malicious asset and incident monitoring
Asset discovery
The initial stage of any attack surface management solution is the discovery of all Internet-facing digital assets that contain or process your sensitive data, such as PII, PHI, and trade secrets.
These assets may be owned or operated by your organization, or by third parties such as cloud providers (IaaS and SaaS), business partners, suppliers, or external contractors.
Here is a non-exhaustive list of digital assets that ought to be identified and mapped by an attack surface management solution:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories like GitHub, GitLab, and BitBucket
- Email servers
Depending on the provider, the discovery process can range from manual input of domains and IP addresses to automated scanning backed by open-source intelligence and dark web crawling.
At UpGuard, we run this discovery process daily through trusted commercial, open-source, and proprietary methods. This enables us to find any Internet-facing assets as they are spun up.
What makes UpGuard different from other providers is our unparalleled ability to detect leaked credentials and exposed data before they fall into the wrong hands.
For example, we were able to detect data exposed in a GitHub repository by an AWS engineer within half an hour. We reported it to AWS and the repo was secured the same day. This repo contained identity documents and system credentials including passwords, AWS key pairs, and private keys.
We were able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public GitHub repos, and unsecured rsync and FTP servers.
Our data leak discovery engine continuously searches for keywords provided by our customers and is continually refined by our team of analysts, using the expertise and techniques gleaned from years of data breach research.
Don't just take our word for it. The NY Times, Bloomberg, the Washington Post, Forbes, and TechCrunch have featured our security research.
Inventory and classification
Once your assets are discovered, it is time to begin digital asset inventory and classification, also referred to as IT asset inventory. This part of the exercise involves dispatching and labeling the assets based on their type, technical characteristics and properties, business criticality, compliance requirements, or owner.
It's essential to have an individual or team who is in charge of regular asset maintenance, updates, and protection.
With UpGuard BreachSight, we'll automatically discover all of your externally facing IT infrastructure.
Within the platform, you can add as many people as necessary and label and organize assets by any property you like: asset type, technical characteristics, business criticality, compliance requirements, or owner.
You'll also be able to run reports on specific parts of your infrastructure to see where the security risks are and who is responsible for fixing them. This data can be easily accessed through our API and through integrations with other systems.
For the management of third-party risks, you can use UpGuard Vendor Risk to automatically discover the externally facing Internet assets of your vendors and third parties and label them accordingly.
Risk scoring and security rating
Attack surface management would be an impossible task without actionable risk scoring and security ratings. Many organizations have thousands, if not millions, of fluctuating digital assets.
Without security rating software it can be hard to know what security issues each asset has and whether it is exposing information that could result in data breaches, data leaks, or other cyber attacks.
This is why it's crucial for digital assets to be continuously detected, scanned, and scored, so you can understand which risks need to be mitigated and in what order.
For reference, security ratings are a data-driven, objective, and dynamic measurement of an organization’s security posture.
Unlike traditional risk assessment techniques such as penetration testing, security questionnaires, or on-site visits, security ratings are derived from objective, externally verifiable information.
With UpGuard, an organization's security rating ranges from 0 to 950 and is a weighted average of the risk ratings of all its externally facing assets, such as web applications, IP addresses, and marketing sites.
The lower the rating, the more severe the risks the organization is exposed to. Conversely, the higher the rating, the better its security practices, and the less likely cyberattacks are to succeed.
To keep our security ratings up to date, we recalculate scores whenever a website is scanned or a security questionnaire is submitted. In general, this means an organization's security rating is updated multiple times each day, as most websites are scanned daily.
Continuous security monitoring
Continuous security monitoring is one of the most important parts of an attack surface management solution. The increasing adoption of open-source software, SaaS, IaaS, and outsourcing means misconfiguration and vulnerability management is more complicated than ever before.
Any good attack surface management software will monitor your assets 24/7 for newly discovered security vulnerabilities, weaknesses, misconfigurations, and compliance issues.
UpGuard BreachSight will automatically discover and assess known vulnerabilities in your externally facing software. This information may be exposed by HTTP headers or website content.
We use the Common Vulnerability Scoring System (CVSS), a published standard developed to capture the principal characteristics of a vulnerability and produce a numerical score between 0 and 10 reflecting its severity.
This numerical score is also translated into a qualitative rating (low, medium, high, or critical) to help you properly assess and prioritize the vulnerability.
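To make the inventory-and-classification step and the CVSS prioritization above concrete, here is an added example (not UpGuard's code) of the data model an asset inventory needs: each asset carries a type, an accountable owner, business criticality and compliance labels, plus its open vulnerabilities with CVSS base scores. The severity bands are the CVSS v3.x qualitative scale (None, Low, Medium, High, Critical); the asset names, owners and `CVE-PLACEHOLDER-*` identifiers are constructed sample data, not real advisories.

```python
"""Asset inventory, classification and CVSS-based prioritisation.

Added example, not UpGuard code. Asset names, owners and scores are
constructed; severity bands follow the CVSS v3.x qualitative scale.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    cve_id: str          # placeholder identifiers below, not real advisories
    cvss_score: float    # CVSS base score, 0.0 to 10.0


@dataclass
class Asset:
    name: str
    asset_type: str       # e.g. "web-app", "api", "mail-server"
    owner: str            # team accountable for maintenance and fixes
    business_critical: bool
    compliance: set = field(default_factory=set)    # e.g. {"PCI-DSS"}
    vulns: list = field(default_factory=list)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def worst_severity(asset: Asset) -> str:
    """Highest severity among an asset's open vulnerabilities."""
    if not asset.vulns:
        return "None"
    return cvss_severity(max(v.cvss_score for v in asset.vulns))


SEVERITY_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def prioritise(assets: list) -> list:
    """Order assets so the most urgent remediation comes first:
    worst severity, then business-critical assets, then most open issues."""
    return sorted(
        assets,
        key=lambda a: (SEVERITY_ORDER[worst_severity(a)], a.business_critical, len(a.vulns)),
        reverse=True,
    )


def report_by_owner(assets: list) -> dict:
    """Count open vulnerabilities per owner, bucketed by severity, so each
    team can see what it is responsible for fixing. Owners with no open
    issues still appear (with an empty dict) so nobody drops off the report."""
    report = defaultdict(lambda: defaultdict(int))
    for a in assets:
        report[a.owner]  # touch the key so every owner is listed
        for v in a.vulns:
            report[a.owner][cvss_severity(v.cvss_score)] += 1
    return {owner: dict(counts) for owner, counts in report.items()}


# Constructed sample inventory (hypothetical hosts, owners and scores)
INVENTORY = [
    Asset("www.example.com", "web-app", "web-team", True, {"PCI-DSS"},
          [Vulnerability("CVE-PLACEHOLDER-1", 9.8), Vulnerability("CVE-PLACEHOLDER-2", 5.3)]),
    Asset("api.example.com", "api", "platform-team", True, set(),
          [Vulnerability("CVE-PLACEHOLDER-3", 7.5)]),
    Asset("dev-old.example.com", "web-app", "unassigned", False, set(),
          [Vulnerability("CVE-PLACEHOLDER-4", 3.1), Vulnerability("CVE-PLACEHOLDER-5", 6.1)]),
    Asset("mail.example.com", "mail-server", "it-ops", True, set(), []),
]

if __name__ == "__main__":
    for asset in prioritise(INVENTORY):
        print(f"{asset.name:24} {worst_severity(asset):9} owner={asset.owner}")
    print(report_by_owner(INVENTORY))
```

Note the `unassigned` owner on the forgotten development host: an inventory that surfaces assets with no accountable owner is exactly what the text means by needing someone in charge of maintenance and protection.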
In addition to vulnerabilities, we run many individual misconfiguration checks to determine:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Network security
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
Unlike other providers, we run these checks daily, and they can be re-run on demand through our platform or via our API.
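The following added example (not UpGuard's code) shows what a few of the misconfiguration checks listed above look like when implemented: HSTS presence and strength, Secure/HttpOnly cookie attributes, SPF and DMARC policy. It runs offline on constructed input; in a real monitor the headers would come from an HTTPS response to the host and the records from DNS TXT lookups of the domain and `_dmarc.<domain>`. The one-year HSTS threshold and the `example.com` records are assumptions of the example.

```python
"""Offline misconfiguration checks of the kind an attack surface monitor
runs against an Internet-facing host: HSTS, cookie flags, SPF, DMARC.

Added example, not UpGuard code. Headers and DNS TXT records below are
constructed sample input (header names are expected lower-cased).
"""
import re

ONE_YEAR = 365 * 24 * 3600   # assumed minimum HSTS max-age for a clean result


def check_hsts(headers: dict) -> list:
    """Flag a missing or weak Strict-Transport-Security header."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        return ["HSTS header not set"]
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("HSTS header has no max-age directive")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains")
    return findings


def check_cookies(set_cookie_headers: list) -> list:
    """Flag cookies set without the Secure or HttpOnly attributes."""
    findings = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


def check_spf(txt_records: list) -> list:
    """Flag a missing SPF record, duplicates, or a record ending in +all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (RFC 7208 allows exactly one)"]
    terms = spf[0].split()
    if terms[-1] in ("+all", "all"):
        return ["SPF ends with +all, which authorises any sender"]
    if terms[-1] not in ("-all", "~all"):
        return ["SPF does not end with -all or ~all"]
    return []


def check_dmarc(dmarc_txt_records: list) -> list:
    """Flag a missing DMARC record or a monitor-only p=none policy."""
    recs = [r for r in dmarc_txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = dict(t.strip().split("=", 1) for t in recs[0].split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        return ["DMARC policy is p=none; spoofed mail is neither quarantined nor rejected"]
    if policy not in ("quarantine", "reject"):
        return [f"DMARC policy missing or invalid: {policy!r}"]
    return []


def assess_host(headers, cookies, spf_txt, dmarc_txt) -> list:
    """Run every check and return the combined list of findings."""
    return (check_hsts(headers) + check_cookies(cookies)
            + check_spf(spf_txt) + check_dmarc(dmarc_txt))


# Constructed sample input: a weakly configured host and a hardened one
WEAK = dict(
    headers={"content-type": "text/html"},
    cookies=["session=abc123; Path=/"],
    spf_txt=["v=spf1 include:_spf.example.net +all"],
    dmarc_txt=["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
)
HARDENED = dict(
    headers={"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
    cookies=["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    spf_txt=["v=spf1 include:_spf.example.net -all"],
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
)

if __name__ == "__main__":
    for label, host in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_host(**host) or ["no findings"])
```

Each check returns a list of findings rather than a boolean so the results can be fed into the same severity/owner reporting an inventory uses; an empty list is the clean result.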
Malicious asset and incident monitoring
The above steps should highlight the known and unknown assets operated by your organization and its third-party vendors. With that said, it is vital to understand that the modern threat landscape goes further than legitimate corporate IT assets and may involve malicious or rogue assets deployed by cybercriminals or competitors, or simply forgotten assets.
This could include spear-phishing websites, email spoofing, OPSEC failures on social media such as LinkedIn, ransomware, cybersquatted or typosquatted domain names, or a myriad of other cyber threats.
Increasingly this includes sensitive data, personally identifiable information, protected health information, biometrics, psychographics, passwords, and trade secrets that were leaked to the dark web in previous data breaches or current data leaks.
UpGuard BreachSight automatically scours the web for known third-party data breaches. The data is then fed into the platform to check whether any of your employees were exposed. This enables you to get on top of leaked credentials before they're used to gain unauthorized access to your organization. You can even send notification emails from inside our platform.
Given the accelerating number of third-party data breaches, continuous identity breach detection is crucial. This simply isn't something a person can do effectively anymore; there are too many breaches every day for it to be feasible.
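As an added example (not UpGuard's code) of the matching step described above, the block below takes third-party breach records and an organization's employee address list, normalizes both, and reports which current employees appear in which breaches, ranked so that exposures that included a password are handled first. The breach names, dates and addresses are constructed sample data; in practice the records would come from a breach feed and the employee list from the identity provider.

```python
"""Match third-party breach records against an organisation's employees.

Added example, not UpGuard code. Breach records and the employee list are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BreachRecord:
    email: str
    breach_name: str
    breach_date: date
    password_exposed: bool   # whether the dump included a password or hash


def normalise_email(addr: str) -> str:
    """Lower-case and trim so case or whitespace differences never hide a match."""
    return addr.strip().lower()


def exposures(records: list, employees: list, since=None) -> dict:
    """Return {employee_email: [records, newest first]} for employees found
    in breach data. Matching is on the full address, not the domain, so a
    breached address at the company domain that belongs to no current
    employee is not reported against anyone. `since` (a date) ignores
    older breaches that were already remediated. Duplicate records of the
    same breach for the same address are collapsed."""
    known = {normalise_email(e) for e in employees}
    hits: dict = {}
    for r in records:
        addr = normalise_email(r.email)
        if addr not in known:
            continue
        if since is not None and r.breach_date < since:
            continue
        bucket = hits.setdefault(addr, [])
        if not any(b.breach_name == r.breach_name for b in bucket):
            bucket.append(r)
    for addr in hits:
        hits[addr].sort(key=lambda r: r.breach_date, reverse=True)
    return hits


def notification_queue(hits: dict) -> list:
    """Who to notify first: password exposures are high severity, the rest
    medium (the address is confirmed valid and useful for phishing)."""
    queue = []
    for addr, recs in hits.items():
        severity = "high" if any(r.password_exposed for r in recs) else "medium"
        queue.append((addr, severity))
    return sorted(queue, key=lambda q: (q[1] != "high", q[0]))


# Constructed sample data: hypothetical breaches and a hypothetical staff list
RECORDS = [
    BreachRecord("Alice@Example.com ", "vendor-a-2021", date(2021, 3, 1), True),
    BreachRecord("bob@example.com", "forum-2019", date(2019, 6, 1), False),
    BreachRecord("bob@example.com", "vendor-b-2022", date(2022, 1, 15), False),
    BreachRecord("bob@example.com", "vendor-b-2022", date(2022, 1, 15), False),  # duplicate row
    BreachRecord("carol@example.com", "vendor-a-2021", date(2021, 3, 1), True),  # not an employee
    BreachRecord("dave@other.org", "vendor-a-2021", date(2021, 3, 1), True),
]
EMPLOYEES = ["alice@example.com", "bob@example.com", "erin@example.com"]

if __name__ == "__main__":
    hits = exposures(RECORDS, EMPLOYEES)
    for addr, recs in hits.items():
        print(addr, [r.breach_name for r in recs])
    print(notification_queue(hits))
```

Matching on the full normalized address rather than on the domain is deliberate: domain-only matching would flag `carol@example.com` as a current employee, producing a notification nobody can act on.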
In addition to third-party breaches, UpGuard BreachSight can scan the web for exposed datasets on the open and deep web, as well as S3 buckets, GitHub repos, and rsync and FTP servers.
There is an enormous wealth of data being generated by every company with a digital footprint, which is now every company.
Even if you have great cybersecurity awareness training, all it takes is one mistake to expose API keys, customer lists, or worse.
We excel at identifying a range of data points, including exposed credentials, data sets, third-party apps, and customer, employee, and financial data. As with our third-party data breach data, we feed this into the platform to give you a severity, description, status, and detection date so you can stay on top of discovered data leaks and secure them.