Attack Surfaces vs. Vulnerabilities
By now, we can assume that there is no such thing as foolproof security. The only way to make a network truly fail-safe is to unplug it. Wherever there is technology, IoT devices included, we can assume that vulnerabilities may be present. For an organization to maintain a secure and resilient environment, it must focus on implementing and practicing good "cyber hygiene."
Below are a few common approaches that an organization can add to their vulnerability assessment to reduce the risk of being attacked.
- Implement an asset inventory management system.
- Run monthly vulnerability scans.
- Regularly patch software.
- Apply the Principle of Least Privilege.
- Disable unnecessary services.
- Enforce a password policy with 2FA.
- Change default credentials.
- Back up data.
What is an Attack Surface?
One could say that the attack surface is the big picture of attack vectors: all of the attack vectors in an organization's environment that an attacker can use to gain entry to the organization's digital and physical assets through vulnerabilities. An intruder takes advantage of the vulnerabilities they have found to remove data or to disable or destroy systems.
An administrator can reduce the organization's attack surface and improve its security posture by implementing a routine to detect and mitigate the vulnerabilities that are found.
What is an Attack Vector?
An attack vector is the way an attacker gains unauthorized access to an organization's devices or software to steal sensitive data such as PII or to plant malicious code such as Trojan horses, viruses, or worms. An attack vector is like a key to a door. The key can take various forms, such as social engineering, rogue software, or bugs in software.
Common attack vectors:
Security Misconfiguration happens when an IT professional does not configure security settings appropriately. Security misconfiguration can mean that settings are left at their defaults or do not meet industry best practices on a desktop, website, or server. These misconfigurations present easy entry points for an attacker and, in a worst-case scenario, can lead to an organization having to shut down.
According to OWASP, "security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage."
An organization must establish procedures and processes to identify gaps before an attacker discovers those risks. Using automated tools and following industry best practices relevant to the business's operation will help identify those configuration flaws.
Malicious insiders can be disgruntled employees, former employees, or vendors who intentionally steal data, damage data, or impair an organization's system or network for retaliation, intimidation, or financial gain. For example, an employee has just learned from a colleague that the company is planning a reduction in force and that they are on the list. Feeling betrayed, the employee writes a logic bomb and sets it to trigger on their birthday, two days away, at lunchtime. When it fires, the logic bomb wipes the organization's hard drive.
Some noticeable indications of a malicious insider are:
- A disgruntled employee.
- An employee who is interested in taking on more tasks.
- An employee who has started working at odd times, such as 2 am.
- An employee who has increased their usage on the network.
- An employee who is searching through resources they do not need.
Some steps that an organization can implement to help reduce the risks of malicious insider threats:
- Build a positive work culture.
- Improve security visibility.
- Enforce policies.
- Know and protect critical assets.
Compromised Credentials are credentials such as usernames and passwords that unauthorized users have obtained, perhaps because an authorized user fell for a phishing attempt or a social engineering attack. An attacker may also buy credentials on the dark web. Attackers then use these credentials to bypass the organization's security controls to steal data or take over a system. The compromised credential determines the level of access the attacker can gain; if the compromised credentials are administrative, the resulting privileged access presents a much higher risk.
An organization can implement the recommendations below to reduce compromised credentials:
- Follow best practices to manage and set up passwords.
- Enforce Multi-Factor Authentication.
- Ban common passwords.
- Require passwords to include multiple character types.
- Educate users to not use the same passwords for all of their sign-ins.
- Suggest using a Password Management tool.
What is a Vulnerability?
Querying Google for the term vulnerability returns various definitions. NIST defines a vulnerability as a "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source." According to The Open Group, a vulnerability is "The probability that threat capability exceeds the ability to resist the threat." Simply put, a vulnerability is a weakness or gap in a system that an attacker can exploit once they find it.
According to OWASP, injection flaws "occur when an attacker can send hostile data to an interpreter." For example, an attacker can inject malicious input into a database query and steal or expose sensitive data. Analysis has identified SQL injection as the most common injection attack. Security analysts have also found injection flaws in OS commands, LDAP, HTML, and various other software.
To mitigate injection flaws:
- Utilize input validation.
- Update and patch vulnerabilities.
- Perform security audits.
- Adopt safe coding practices.
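The injection flaw and two of the mitigations above (input validation and safe coding), shown side by side as an added example that is not from the original article. The users table, its rows, and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample table (not from the article): two users with sensitive fields.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "111-22-3333"), ("bob", "444-55-6666")])
    return conn

def lookup_vulnerable(conn, username):
    # Hostile data is spliced straight into the SQL text, so the interpreter
    # cannot tell data from code. This is the injection flaw OWASP describes.
    sql = "SELECT username, ssn FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Safe coding practice: a parameterized query. The driver binds the value
    # as data, so it is never parsed as part of the SQL statement.
    sql = "SELECT username, ssn FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def is_valid_username(username):
    # Input validation as a second layer: accept only the shape a username
    # should have (the 32-character limit is an assumption for this example).
    return 1 <= len(username) <= 32 and username.isalnum()

def lookup_hardened(conn, username):
    # Validate first, then query with bound parameters.
    if not is_valid_username(username):
        raise ValueError("rejected input: " + repr(username))
    return lookup_safe(conn, username)

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"          # textbook hostile input, constructed
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),  # returns every row
        "safe": lookup_safe(conn, hostile),              # returns no rows
        "normal": lookup_hardened(conn, "alice"),        # legitimate lookup
    }
```

Running `demo()` shows the concatenated query leaking both users' records while the parameterized query treats the same string as an ordinary, non-matching username.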
Sensitive Data Exposure occurs when a person's personal information, such as passwords, social security numbers, or credit card numbers, is exposed because of a lack of application security. Insufficient application security can be anything from weak or missing encryption to coding flaws or SQL injection attacks. The consequences of sensitive data exposure can include financial loss, identity theft, and a loss of brand trust.
Tips to prevent sensitive data exposure:
- Classify data and encrypt according to sensitivity level.
- Reduce the attack surface.
- Administer regular risk assessments.
- Salt passwords.
An attack surface is the full set of ways an attacker can enter an organization's environment to steal sensitive data or install malicious code. An organization's security team should aim to reduce the attack surface by regularly assessing the infrastructure for weaknesses and mitigating those risks from highest to lowest. An attack vector is the path an attacker used to enter the infrastructure. An attacker can use people or technology to access the infrastructure, through design flaws, ransomware, email spoofing, or man-in-the-middle attacks, to name a few. Vulnerabilities are gaps in the infrastructure that an attacker exploits to steal data and to damage or control the infrastructure.
References
Editor, C. C. (n.d.). Vulnerability - Glossary. Retrieved from https://csrc.nist.gov/glossary/term/vulnerability
Vulnerability (computing). (2020, July 06). Retrieved from https://en.wikipedia.org/wiki/Vulnerability_(computing)
A6:2017-Security Misconfiguration. (n.d.). Retrieved from https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration