Why you need to think about both attack surfaces and vectors
Cyber criminals are constantly on the hunt for new victims. Keen to cause disruption or score a financial payback, they seek out opportunities to gain access to new IT infrastructures. Steve Dillon from Ping Identity explores.
A focus on attack surfaces became particularly relevant during the global pandemic. With large numbers of people working from home, organisations could no longer rely on traditional measures such as firewalls to keep IT assets protected.
The ongoing trend of remote working means organisations need to find new ways to protect their assets. One strategy is to pay particular attention to the overall attack surface.
The importance of attack surfaces
An attack surface comprises all the potential access points a cyber criminal could use to enter an IT network. Typical access points include:
- Applications, software and websites: These can be deployed internally or externally, either off-the-shelf or as a custom solution. Developers often rely on open-source code that can contain vulnerabilities.
- APIs: Client-side applications, such as mobile and web apps, communicate with the server-side of an application through APIs. As with apps, software and websites, in-house and third-party developers may rely on open-source code to save time and money or fail to properly test their APIs for security vulnerabilities.
- Networks: An organisation’s network and all points of interaction with it can be vulnerable. This includes remote access, Wi-Fi, internet of things (IoT), virtual private networks (VPNs), wide area networks (WANs), local area networks (LANs), cloud platforms, servers, and ports.
- Employees and devices: Employees are often the target of hackers looking for credentials to get into a network. In addition to credentials, bad actors also look for ways to steal personal and corporate devices.
The role of attack vectors
To take advantage of weak points in an organisation’s attack surface, a cyber criminal will use what they believe will be the most effective attack vector. These are techniques or paths that can be used to gain access.
Cyber criminals have many attack vectors from which to choose and often spend more time looking for vulnerabilities than IT departments have time to defend against them. Examples include:
- Phishing attacks: These use social engineering to trick employees into sharing credentials with fraudsters by pretending to be trusted sources.
- Credential stuffing: This is the automated injection of compromised username/password pairs into website login forms to fraudulently gain access to user accounts.
- Account takeover attacks: These attacks involve a fraudster using compromised credentials to take over a valid user’s account.
- Business email compromise (BEC): These are some of the most financially damaging online crimes. Cyber criminals can pretend to be a vendor or use malware to infiltrate the network to gain access to email threads about billing and invoices.
- Brute-force/dictionary attacks: These are used against remote services such as SSH and are one of the most common forms of internet attack that result in compromised servers.
- Supply chain attacks: This type of attack is becoming a popular method for cyber criminals to target multiple enterprises at the same time. One of the most well-known is the attack targeting IT management software company SolarWinds.
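Two of the vectors above, brute-force/dictionary attacks and credential stuffing, leave very different traces in an authentication log: the first hammers one account with many passwords, the second tries a long list of leaked username/password pairs, each only once or twice. The script below is an added example, not code from the article or from Ping Identity; it runs a sliding-window count of failed logins per source address over a few constructed log lines and labels each noisy source. The log format, the five-minute window, and the two thresholds are assumptions chosen for the demonstration.

```python
"""Classify failed-login bursts from constructed auth log lines.

Added example (not from the article). Brute force shows up as many failures
against few accounts from one source; credential stuffing shows up as many
failures spread across many distinct accounts from one source. The line
format, window and thresholds below are assumptions for this demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO-8601 timestamp, event, user, source address
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 6            # assumed: failures per source inside WINDOW
STUFFING_DISTINCT_USERS = 5   # assumed: distinct accounts that suggest stuffing

# Constructed sample log (not real data):
#  - 203.0.113.5  : eight wrong passwords for "admin" inside one minute
#  - 198.51.100.7 : one failure each for seven different accounts
#  - 192.0.2.9    : two typos by "bob" followed by a successful login
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{10 + i * 6:02d}Z login_failed user=admin src=203.0.113.5"
     for i in range(8)]
    + [f"2024-05-01T10:01:{i * 5:02d}Z login_failed user={u} src=198.51.100.7"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"])]
    + [
        "2024-05-01T10:02:00Z login_failed user=bob src=192.0.2.9",
        "2024-05-01T10:02:07Z login_failed user=bob src=192.0.2.9",
        "2024-05-01T10:02:15Z login_ok user=bob src=192.0.2.9",
        "this line is deliberately malformed and must be skipped",
    ]
)


def parse(lines):
    """Parse matching lines into (timestamp, event, user, src), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["event"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def classify_sources(lines):
    """Return {src: 'brute_force' | 'credential_stuffing'} for every source
    that exceeds FAIL_THRESHOLD failures within any WINDOW-long span."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...] in time order
    for ts, event, user, src in parse(lines):
        if event == "login_failed":
            failures[src].append((ts, user))

    verdicts = {}
    for src, attempts in failures.items():
        verdict = None
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the span fits inside WINDOW
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            if len(window) < FAIL_THRESHOLD:
                continue
            distinct_users = len({user for _, user in window})
            if distinct_users >= STUFFING_DISTINCT_USERS:
                verdict = "credential_stuffing"   # takes precedence once seen
            elif verdict is None:
                verdict = "brute_force"
        if verdict:
            verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The benign source never reaches the threshold and is not reported, which is the point of windowing: alerting on raw failure counts with no time bound would eventually flag ordinary users who mistype their password. In production the same two signals (failures per source, distinct accounts per source) are what a login-protection or SIEM rule would key on before rate limiting or blocking a source.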
Defending against attacks
During the past two years, there has been a significant move by many Australian businesses towards increasing their usage of cloud-based services and remote working tools. While traditional controls such as firewalls are still important, identity is the new cornerstone of security in a world where network perimeters are increasingly blurred.
This new security landscape calls for intelligent controls that minimise friction for end users while also ensuring they are acting in good faith at every step of their journey. This is what has been dubbed the Zero Trust approach to security.
An effective Zero Trust strategy requires a wide range of controls; however, a few of the key capabilities include:
- MFA: Multi-factor authentication (MFA) requires users to provide proof of their identity using stronger mechanisms than just a password. By denying access to cyber criminals holding compromised credentials, MFA defends against multiple attack vectors at once and is therefore one of the most effective single security measures for protecting information systems.
- API security: API security best practices include API access control and privacy, and the detection and remediation of attacks on APIs, including those mounted by reverse engineering the API. API security encompasses network security concepts such as rate limiting and throttling, along with concepts from data security, identity-based security and analytics.
- Dynamic authorisation: While authentication answers the question ‘Who are you?’, authorisation answers the question ‘Are you allowed to do this?’ Dynamic authorisation provides enhanced security when compared to traditional role-based controls by providing context-aware access control for data, services and transactions. The approach also improves agility via centralised integration and policy management, and gives better visibility and higher assurance of alignment with organisational policy.
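The difference between a role-based check and dynamic authorisation is easiest to see side by side. The following is an added example, not code from the article and not Ping Identity's product or policy language: a static role map decides whether a role grants an action at all, and a context-aware layer then weighs MFA state, device management, network origin, a risk score and the transaction amount before allowing it. The attribute names, rules and thresholds are assumptions; a real deployment would pull them from a central policy store as the article describes.

```python
"""Role-based vs context-aware (dynamic) authorisation.

Added example, not from the article. The role map, context attributes,
rules and thresholds are assumptions that illustrate why the same user with
the same role can be allowed in one context and denied in another.
"""
from dataclasses import dataclass, field

# Assumed static role-to-permission map: the traditional RBAC baseline
ROLE_PERMISSIONS = {
    "finance": {("invoice", "read"), ("invoice", "approve")},
    "staff": {("invoice", "read")},
}

# Assumed sensitivity per action (higher means more context is demanded)
SENSITIVITY = {"read": 1, "approve": 3}


@dataclass
class Request:
    user: str
    roles: set
    resource: str
    action: str
    mfa_verified: bool = False      # did this session complete MFA?
    managed_device: bool = False    # is the device enrolled in management?
    corporate_network: bool = False  # did the request come from a trusted network?
    risk_score: int = 0             # 0-100 from an assumed risk engine
    amount: float = 0.0             # transaction value for approvals


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    step_up: bool = False           # True when MFA alone would unblock the request


def rbac_allows(req):
    """Traditional check: does any role held by the user grant (resource, action)?"""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set())
               for r in req.roles)


def dynamic_authorise(req):
    """Context-aware check layered on top of the role grant."""
    if not rbac_allows(req):
        return Decision(False, ["no role grants this action"])
    sensitivity = SENSITIVITY.get(req.action, 2)
    if req.risk_score >= 80:
        return Decision(False, ["session risk score too high"])
    if sensitivity >= 3 and not req.managed_device:
        return Decision(False, ["high-sensitivity action requires a managed device"])
    # MFA is demanded for sensitive actions, untrusted networks or elevated risk
    needs_mfa = sensitivity >= 3 or not req.corporate_network or req.risk_score >= 40
    if needs_mfa and not req.mfa_verified:
        return Decision(False, ["MFA required in this context"], step_up=True)
    if req.action == "approve" and req.amount > 50_000:
        return Decision(False, ["amount exceeds single-approver limit"])
    return Decision(True, ["role grant and context checks satisfied"])


# Constructed scenarios (not real users or transactions)
SCENARIOS = {
    "normal_approval": Request("ann", {"finance"}, "invoice", "approve",
                               mfa_verified=True, managed_device=True,
                               corporate_network=True, risk_score=10, amount=1_200),
    # same role, but the session looks like stolen credentials used from elsewhere
    "stolen_credentials": Request("ann", {"finance"}, "invoice", "approve",
                                  mfa_verified=False, managed_device=False,
                                  corporate_network=False, risk_score=70, amount=1_200),
    # low-sensitivity read from home: allowed, but only after a step-up
    "remote_read": Request("ann", {"finance"}, "invoice", "read",
                           mfa_verified=False, managed_device=True,
                           corporate_network=False, risk_score=5),
    "wrong_role": Request("bo", {"staff"}, "invoice", "approve",
                          mfa_verified=True, managed_device=True,
                          corporate_network=True),
}


def evaluate_scenarios():
    """Return {name: (rbac_result, dynamic_allow, step_up)} for every scenario."""
    out = {}
    for name, req in SCENARIOS.items():
        d = dynamic_authorise(req)
        out[name] = (rbac_allows(req), d.allow, d.step_up)
    return out


if __name__ == "__main__":
    for name, (rbac, allowed, step_up) in evaluate_scenarios().items():
        print(f"{name:20s} rbac={rbac} dynamic={allowed} step_up={step_up}")
```

The "stolen_credentials" scenario is the one that matters: the role check passes, because the role is genuine, yet the context-aware layer refuses the approval. That is the gap dynamic authorisation closes for the account-takeover and credential-stuffing vectors listed earlier, while the "remote_read" case shows the friction-minimising side, a step-up prompt rather than an outright denial.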
By being aware of both attack surfaces and vectors, security teams can be much better placed to ensure their organisation’s IT infrastructures are robust enough to withstand attack. Putting a Zero Trust strategy in place is one of the most effective moves they can make.
Steve Dillon is the head of APAC Architecture at Ping Identity.