Intro
When developing cybersecurity strategies for your organization, you’ll need to create a plan for attack surface management (ASM).
Your attack surface is the total sum of all potential vulnerabilities outside your company’s firewall. Any software, hardware, SaaS, IP addresses, or cloud storage you use – anything that connects you to the internet and where you store private data – is a part of your attack surface.
Think of your attack surface in the same way you consider the Internet of Things (IoT), which can help you to visualize just how complex attack surface management can be.
Use this guide to begin developing your attack surface management strategy. A table of contents is below, or read the guide in its entirety. We’ll define key terms and explain new concepts so you’ll be able to confidently secure your organization’s data.
What Is Attack Surface Management?
Your attack surface is every possible vulnerability across all known assets, unknown assets, third-party vendors, and external assets that your organization engages with. Attack surface management (ASM) is the management of those vulnerabilities. ASM includes continuous monitoring, identification, and prioritization of all digital assets across your organization.
In cybersecurity terms, that means you continuously monitor all assets that transmit sensitive data, while adapting to and addressing new attack vectors. (Attack vectors are simply all the points at which a cyber attack can occur within your organization’s attack surface.) Understanding these security risks will help you to create strong remediation tactics for future use, including security controls and regular reporting.
Anatomy of Your Attack Surface
Known Assets
These are all the inventoried digital assets and data that your organization knows about, including your company website, internal servers, APIs, and any other software or hardware needed for operations to run smoothly. Known digital assets are what your security teams monitor and inventory on a regular basis, and typically these assets present the lowest risk to new attack vectors within your cyber ecosystem.
Unknown Assets
These could be websites or IT infrastructure that employees set up without your knowledge, or that have since been forgotten. You should do an inventory and analysis of any marketing sites or promotional pages that may still be public but are not currently monitored.
Also, if your organization uses SaaS or cloud storage programs like Office 365, you may have an unknown asset type called shadow IT. This simply means that while your stakeholders are using a cloud program, the security is no longer directly in your IT department’s reach. It is instead provided by that shadow IT.
Third-Party Vendors
Your ASM is only as good as any external parties you contract with. Third-party vendors in your supply chain can create huge attack vectors by not assuring top-tier cyber risk management for their own data.
External Assets
External assets are public-facing and a direct line to your customers. They are also known collectively as your external attack surface. Assuring complex attack surface management helps to reduce external attack vectors, securing your organization against reputational losses.
Attack Surface & Attack Vectors
Attack vectors are the points at which a cyber attack can occur across your attack surface. Some examples include:
- Compromised or stolen credentials. This type of attack vector is when user IDs are stolen or hacked from employees or customers. The damage from this attack can vary depending on the secured access the credential holder had. Stolen credentials from an internal source may be more damaging than those that are client-facing.
- Weak encryption. Encryption protects your data as it’s stored, scrambling the information while it is in transit. Only those with secured access can see the data translated back to plaintext. Weak encryption means your sensitive information may be shared as plaintext and not as an encrypted file that requires login to view.
- Malware. Malicious software can be installed on your systems and servers in a variety of ways, most commonly through email scams. Ransomware and phishing are two types of attack vectors that can compromise your sensitive information this way.
Should I Reduce My Attack Surface?
One obvious step to improve cybersecurity is to reduce your attack surface. This idea isn’t necessarily as easy as it sounds; it means reducing the number of applications facing the internet that your company runs, including mobile apps and services. For many organizations, that isn’t a viable option.
Also, reducing your attack surface might not even matter if you don’t also improve other cybersecurity protocols. An attacker can still find your vulnerabilities regardless of the scope of your attack surface, which means they can still cause a data breach or install malware.
Key Components of an Attack Surface Management Plan
As with all effective cybersecurity management, your attack surface management plan should begin with a discovery phase. This means you take inventory of every data asset, server, and internet-facing application your organization uses internally and externally.
Once you have that inventory, you can begin to create your ASM plan. A successful ASM strategy includes:
Risk Identification & Classification
Now that you’ve discovered all the data assets and sensitive information within your organization, you will need to identify and classify each piece. You’ll want to have a dedicated key stakeholder to carry out IT asset inventory, as it’s a task that evolves with your company’s data usage.
Continuous Monitoring
After your initial discovery and IT asset inventory, you’ll build upon your ASM plan by continuously monitoring your attack surface and attack vectors. An integrated dashboard can help you monitor complex threats while allowing you to share regular reports with key stakeholders. This phase of your ASM plan is crucial as new and developing cyber risks will appear during this process.
Reduce Complexity
Unnecessary complexity is often the result of incomplete rule definitions within an organization or poor cybersecurity policy management. By eliminating complexity, you’ll help avoid technical redundancies while keeping security access limited to the people who need it. This is key for vulnerability management, as reduced complexity helps to make the process more streamlined.
Control Your Endpoints
An endpoint is the physical device a person uses to access the IT system, whether that’s a laptop, mobile device, or desktop. Within your supply chain, you’ll have internal and external endpoints, including some with your third-party vendors and others with your customers. Enforcing tight controls for your endpoints helps to reduce the likelihood of attack vectors at those points, reducing the threat of malware or ransomware.
Monitor for Malicious Assets
Finally, a good attack surface management plan recognizes that not all cyber risks are confined to company IT assets. There are malicious assets, which are attack programs and software deployed by cybercriminals.
In addition to monitoring for attack vectors and vulnerabilities within your own IT infrastructure, you’ll need to monitor for these rogue assets coming from external sources. Company-wide cybersecurity training about email scams, phishing tactics, and other security failures can help to secure your organization against malicious assets.
Let ZenGRC Help You with Attack Surface Management
ZenGRC from Reciprocity provides an integrated dashboard and management platform for continuously monitoring your attack surface. You can discover, identify, and eliminate attack vectors in real-time, and the sharing function makes sending progress reports to key stakeholders a single action.
ZenGRC’s cyber security experts are available every step of the way, and they can help guide you to improved information security, whether you’re just beginning your ASM plan or you’re looking to re-evaluate an existing strategy.
To learn more about ZenGRC, request a demo today.