Your Attack Surface is Bigger than You Think, Part II
Mark Dunning
I help CEOs at international professional services companies reduce cybersecurity risk by 50% by building global information security programs and transforming IT teams.
Happy Cyber Entropy Month to those that celebrate!
If you are not familiar with the terms Cyber Entropy or attack surface, check out part one of this post. Otherwise, let’s jump right into other areas where your attack surface is expanding.
Software
There are literally nine million handheld apps out there and 97% of them are ‘free.’ ‘Free’ almost always means that you are paying with your data, not your dollars. In many cases whatever data you enter into these systems becomes the property of the vendor (what, you didn’t read the ten pages written in 8-point font before agreeing to the terms?). Your employees are using free software of some kind and loading your data into it right now. Generative AI, anyone?
This does not even consider the fact that your refrigerator has software on it, your vehicles depend on it, and you have a next-gen doorbell that captures and stores video that might put you in violation of privacy laws. All of this needs to be monitored and patched regularly, because all of it creates vulnerabilities that put your whole organization at risk.
Again, Happy Cyber Entropy Month!
The best first step to bringing order to this chaos is a well-crafted acceptable use policy for software. You’ll need regular training as well. We don’t want employees to forget the policy, and they need to be reminded of the risks. There is always a recent news story that can bring the risks to life for them, but you have to tell the stories regularly so they don’t forget.
Ideally, part of the policy includes centralized acquisition and license management. That way no one can use any new software without checking with you first. But you had better have a streamlined process that can quickly approve new software. Your employees can download it with a click. They don’t want to wait hours for approval, much less days and weeks. The better your acquisition and approval process, the fewer rogue installs you’ll get.
Deployment Entropy
Once you’ve got your arms around all your software, you’re not done. You still need to make sure you have a good deployment process for updates and patches. And don’t forget your software lifecycle management. You need to get rid of the stuff you no longer use. Those forgotten apps are like old munitions sitting out there waiting to explode.
Automation is no panacea here, as CrowdStrike just proved. Automated updates and patches can cause problems every bit as bad as attacks by malicious actors. You need testing protocols and rollback protocols. Remember, there are literally millions of pieces of software out there. You’re not going to have the resources to apply testing rigor to all of those patches.
So categorize your software. Prioritize the mission-critical applications for testing prior to rolling out patches. Have rollback plans for as much as you can, but make sure your plans for mission-critical applications are up to date.
Finally, do you know who is doing the updates and when they are occurring? Cloud and SaaS vendors do most of the patching themselves. The best have schedules to inform you, but you need the discipline to monitor those deployment plans, and that can be hard with limited resources.
Vendor Entropy
Cloud vendors usually handle patching for the applications. They manage the security. They update their hardware. But their actions, their vulnerabilities, directly impact you. As you move more and more to the cloud, to SaaS, you rely more and more on those vendors to keep you safe. It gets worse, of course, when you include AI (which we won’t right now).
Consider committing staffing resources to Third Party Risk Management (TPRM). This does not have to be just an IT effort. It can be cross-functional. After all, the cleaners have access cards to the building, marketing outsourced its social media generation, and the client conference is run by a third party. Beyond the vendor explosion in IT, your company has a lot of other vendors to manage as well.
But maybe you’re not large enough to commit those resources right now. So do two things. First, have a vendor lifecycle plan. You’ll want your onboarding plan to clarify who is responsible for patches and data security, with clear remedies if there is a problem, up to and including termination of the contract. Also make sure the plan includes offboarding, particularly with regard to your data. You want it back or you want it destroyed. You don’t want it adrift.
Second, classify your vendors. The app for ordering food is not equivalent in risk to the Human Capital Management system. You’ve got limited resources. Classification helps you point them at the most valuable targets.
As always, we here at Phenomenati are happy to help bring order to your chaos. You can reach me at [email protected] or check out our website.
And don’t miss our webinar on Bringing Order to the Chaos of Cyber Entropy on September 5th.