Attack Surfaces: A protector's perspective
Brian Kimathi
Network Administrator | Cybersecurity | IT Systems Analyst | Systems Administrator
A large attack surface is the biggest enemy for any system admin. A large attack surface means more work for the sys admins, more data recovery, more disaster recovery efforts, more reports. Aaah, yes, those reports!
The attack surface is the sum of all the points in a system that a threat agent can exploit to gain entry, extract data, or both.
But what are its components?
- Network attack surface. These are ports, protocols, network services, or even firewall rules.
- Application attack surface. These are the apps that run on your network and what they expose: interfaces such as APIs, the application code itself, and third-party components like libraries or plugins.
- Endpoint attack surface. In the TCP/IP stack, this corresponds roughly to the physical layer. It includes components like the operating system, applications and devices.
- Human attack surface. This covers things like social engineering as well as training and awareness.
- Physical attack surface. Physical access and device security fall here. Unauthorized access to facilities is easily exploited, and any device an attacker can physically reach is a gold mine.
How can a system admin manage these attack surfaces?
- Minimize exposure. Today this is most easily done by applying the principle of least privilege, together with reducing the number of attack points: disabling unused ports and devices and removing unused applications.
- Continuous monitoring and assessment. Regular scanning and penetration testing fall here. There are automated tools (discussed below) that can do regular scanning for you.
- Security practices. It is common knowledge today that these three are as important as the systems themselves: patch management, secure configurations and access controls. Patch management is self-explanatory. Secure configurations mean that admins implement and regularly review hardened settings for systems and apps, while access controls use strong authentication mechanisms to limit access based on roles.
- Training and awareness. This is my most written-about topic on this newsletter. User education and incident response are invaluable tools in any security arsenal.
Tools for managing the attack surface.
- Vulnerability scanners: Tools like Nessus, Qualys, or OpenVAS can scan for vulnerabilities in systems and applications.
- Network Scanners: Tools like Nmap can help identify open ports and services on your network.
- Application Security Testing: Static and dynamic application security testing (SAST/DAST) tools like OWASP ZAP or Veracode can find vulnerabilities in application code.
- Endpoint Protection: Solutions like antivirus software, EDR (Endpoint Detection and Response), and DLP (Data Loss Prevention) can help manage endpoint vulnerabilities.
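The "minimize exposure" and "continuous monitoring" points above, and the open-port discovery that network scanners provide, come together in a simple baseline check: every listening service on a host is compared with the list of services you have deliberately decided to expose, and anything outside that list is unplanned attack surface. The script below is an added example written for this article, not a tool mentioned in it; the baseline, the service names and the `ss -tulnp` output it parses are all constructed for illustration.

```python
import re

# Approved exposure baseline, constructed for this example: (proto, port) -> addresses
# the service may listen on. Any listener outside it is unplanned attack surface.
BASELINE = {
    ("tcp", 22): {"0.0.0.0"},      # SSH, needed for administration
    ("tcp", 443): {"0.0.0.0"},     # HTTPS front end
    ("tcp", 5432): {"127.0.0.1"},  # database: loopback only
}

# Constructed `ss -tulnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0      244    0.0.0.0:5432      0.0.0.0:* users:(("postgres",pid=990,fd=5))
tcp   LISTEN 0      128    127.0.0.1:6379    0.0.0.0:* users:(("redis-server",pid=1333,fd=6))
tcp   LISTEN 0      50     0.0.0.0:3389      0.0.0.0:* users:(("xrdp",pid=1501,fd=11))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:* users:(("snmpd",pid=777,fd=7))
"""

def parse_listeners(ss_output):
    """Yield (proto, addr, port, process) for each socket line after the header."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[4].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        m = re.search(r'\("([^"]+)"', line)    # process name from users:(("name",...))
        yield fields[0], addr, int(port), (m.group(1) if m else "?")

def audit(ss_output, baseline=BASELINE):
    """Return (severity, proto, port, addr, process, reason) for every listener."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_output):
        allowed = baseline.get((proto, port))
        if allowed is None:  # unplanned; loopback-only is low risk, anything else is exposed
            sev = "info" if addr in ("127.0.0.1", "[::1]") else "high"
            reason = "listener not in baseline"
        elif addr not in allowed:
            sev, reason = "high", f"bound to {addr}, baseline allows {sorted(allowed)}"
        else:
            sev, reason = "ok", "matches baseline"
        findings.append((sev, proto, port, addr, proc, reason))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        if f[0] != "ok":
            print(f"[{f[0]}] {f[1]}/{f[2]} {f[3]} ({f[4]}): {f[5]}")
```

On the sample data the database bound to all interfaces instead of loopback, the RDP and SNMP listeners and the loopback-only Redis instance are reported, while SSH and HTTPS pass silently; run against real `ss -tulnp` output on a schedule, the same comparison turns "disable unused ports" into a check you can repeat rather than a one-off task.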
The attack surface is a core concept in cybersecurity, especially for system admins. By understanding and actively managing it, organizations can reduce the risk of successful attacks and improve their overall security posture.