Your Attack Surface is Bigger than You Think, Part I

It’s Cyber Entropy Month!

As my colleague, Scott Foote, wrote “cyber entropy refers to the uncontrolled growth of all aspects of an organization within the ‘cyber’ domain.” How out of control is it? Well, for example, there are roughly nine million (not an exaggeration) handheld apps out there. Ninety-seven percent of those apps are free. Every day your staff downloads or accesses some new piece of technology which was unavailable yesterday. Every one of those downloads increases the scope of your domain, whether you planned for it or not (most likely not). And every one of those additions increases the risk to your organization. Every. Single. Day.

So Happy Cyber Entropy Month!

Before you crawl back into bed and pull the covers over your head, fear not! There are ways to bring order to this chaos. Let’s start by addressing your ever-increasing attack surface. Fortinet defines attack surface as ‘the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data.’ These are the traditional cyber-attack targets like networks, devices, and software. Given what recently happened with CrowdStrike, where a deployed vendor update wreaked havoc, you can add deployments and vendors to the attack surface as well.

Already this is getting complex, so let’s tackle each of these one by one.

Network Entropy

Think of this as the roads that lead to Rome, and you’re Rome. There are a lot of them (500,000 roads lead to Rome according to the Smithsonian). It is tempting to think that hardening your defenses is all you need (that’s what the Romans thought, too, until the city was sacked by the Visigoths). You have next-gen firewalls with AI, next-gen VPN, SASE, etc. You’re probably already using a zero-trust architecture. No one is getting in. Except…

What about things like rogue access points, all those home networks used by remote users, all those Starbucks, all those airport Wi-Fi and tethered networks? How hardened are those? Do you have any smart devices, any IoT? Do those phone home? How? And sure, you might keep your SCADA environment separate from corporate production, but that doesn’t make it any less vulnerable, particularly with all those IoT devices managed remotely by their vendors.

The solution to controlling this entropy is really pretty simple. You’re probably already doing it. You need network topology maps and network traffic analysis. Map all the roads coming in and have a plan to defend all of them. But here’s the trick. It needs to be up to date. Is yours? I’ll bet it isn’t. Also, when was the last time you had a pen test done? Can’t recall? Don’t worry, you’re not alone.

Combatting Network Entropy is less about the technology or about the procedures. Most of us have that part down. No, combatting Network Entropy is all about discipline. It’s not like the old days where the network couldn’t expand without your input. Now networks have a life of their own, and that likely requires more rigor on your part to document and monitor them.

Device Entropy

You’re already thinking about this area as well. Everyone has a laptop AND a handheld now. The executive team wants to use their iPads. Your printers are now literally servers on your network with their own operating systems, vulnerabilities, and direct access to the internet. Your robots in the factory are controlled by tablets. So are your whiteboards. Your facilities’ HVAC, surveillance systems and security cameras. Heck, the new refrigerator has a touch screen. The thermostat needs a Wi-Fi connection. Now maintenance wants to use drones. There’s also all those virtual devices that carry the same amount of risk as the physical ones. And these are just the devices that you know about.

Again, you probably have the necessary tools on hand. You have an asset management system. Maybe you run some form of continuous asset discovery. You’ve got the data. Now you need the discipline and rigor to use it.

Categorize all your assets and have a process for handling new devices. That process may be ‘block them’ if you didn’t deploy them, but make sure you are rigorous in doing so. Every device should be categorized and classified based on the types of information it handles, and appropriate controls should be applied based on that classification. Just as importantly, have a well-documented, cradle-to-grave Asset Lifecycle that you follow religiously. There’s nothing worse than realizing Accounting has an old laptop they used to use to communicate with the bank back in the aughts gathering dust but still attached to the network.
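As an added illustration (not part of the original post or Phenomenati’s tooling), here is a small Python reconciliation script that applies the discipline described above: it compares a constructed asset inventory against a constructed discovery sweep and flags devices that are unknown (block until classified), retired but still online (lifecycle violation), active on paper but silent on the wire, or inventoried but never discovered. All names, MAC addresses and IPs are made-up sample values.

```python
from datetime import date, timedelta

# Constructed sample inventory: what you deployed, with owner, data
# classification and lifecycle status. All values are made-up examples.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "fin-laptop-07", "owner": "Accounting",
                          "classification": "confidential", "status": "retired"},
    "aa:bb:cc:00:00:02": {"name": "print-lobby", "owner": "Facilities",
                          "classification": "internal", "status": "active"},
    "aa:bb:cc:00:00:03": {"name": "hvac-ctl-1", "owner": "Facilities",
                          "classification": "internal", "status": "active"},
    "aa:bb:cc:00:00:04": {"name": "whiteboard-3f", "owner": "Ops",
                          "classification": "internal", "status": "active"},
}

# Constructed discovery sweep: (mac, ip, last_seen) as a scanner might report.
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "10.1.4.23", date(2024, 8, 20)),  # retired, still online
    ("aa:bb:cc:00:00:02", "10.1.4.10", date(2024, 8, 20)),
    ("aa:bb:cc:00:00:04", "10.1.4.31", date(2024, 4, 2)),   # not seen for months
    ("aa:bb:cc:00:00:09", "10.1.4.77", date(2024, 8, 20)),  # never inventoried
]
REVIEW_DATE = date(2024, 8, 21)  # the day this review runs (constructed)

def reconcile(inventory, discovered, today, stale_after=timedelta(days=90)):
    """Compare inventory with discovery and return the gaps a review must act on."""
    findings = {"unknown": [], "lifecycle": [], "stale": [], "unseen": []}
    seen = set()
    for mac, ip, last_seen in discovered:
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            # Not deployed by you: the process says block until classified.
            findings["unknown"].append((mac, ip))
        elif asset["status"] != "active":
            # Cradle-to-grave lifecycle violation: retired asset still talking.
            findings["lifecycle"].append((asset["name"], asset["status"]))
        elif today - last_seen > stale_after:
            # Active on paper, silent on the wire: candidate for lifecycle review.
            findings["stale"].append(asset["name"])
    # Inventoried and active but absent from the sweep: discovery coverage gap.
    findings["unseen"] = [a["name"] for m, a in inventory.items()
                          if m not in seen and a["status"] == "active"]
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DISCOVERED, REVIEW_DATE).items():
        print(f"{kind}: {items}")
```

Run it on a nightly schedule against your real inventory export and scanner output, and treat a non-empty "unknown" or "lifecycle" list as a ticket, not a report.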

That was easy, no? You most likely have the tools in place to bring order to this chaos. You just need discipline and rigor.

If all this sounds overwhelming, don’t worry. We here at Phenomenati can help if you need it. As always, I’m happy to help in any way I can. You can email me at [email protected] or check out our website.

Be sure to catch our free webinar on Bringing Order to the Chaos of Cyber Entropy on September 5th.

That’s two of the five categories of attack surfaces. We’ll discuss the other three in the next post, with more Cyber Entropy to follow after that.
