Attack Surface Management: Strategies for Cybersecurity and Risk Reduction

BoDSMB
Written By Michael F. D. Anaya | Founder

In cybersecurity, attack surface management (ASM) is a critical defense measure — but it requires you to think like a criminal.

What does that mean? Let’s start with what it does not mean. This is not about becoming a criminal. You’re not actually trying to break into any systems to steal data or demand ransom payments.

You’re just asking questions like:

  • “If I were to attack my business, where would I attack it?” 

  • “Where are my organization’s weakest entry points?”

  • “Do I even know where all of them are?”

  • “Wait, do I even know everything I should be protecting?”

This thinking forms the basis of a cyber ASM defense. But there’s a big difference between getting the gist of it and using it to protect your business. Ready to go deeper?

Let’s dive in!

Why ASM is critical for a remote work environment

According to recent research, when an organization is breached, 68% of the time, it’s through an asset (like a computer) that:

  • The company doesn’t manage.

  • The company barely manages.

  • The company doesn’t even know about.

Think about that. How could a business not manage its devices? How could it not know about them? Actually, it’s more common than you might think. 

According to research by Zippia, 92% of employees work remotely at least once weekly in the United States. If an employee has a company-issued laptop, their organization probably has a record of all software and networks associated with that laptop (but not necessarily).

Is the company prepared to update that record forever? Is the company using its complete security standards for everything on that laptop? Also, what if, one day, the employee uses their personal laptop for work? What if they go to the airport, connect to public WiFi on their phone, and check their work email? Is the company recording all these interactions systematically and ensuring they’re secure?

These questions get us even closer to the heart of ASM. Let’s define the phrase “attack surface.”

An “attack surface” is simply all the ways into your organization’s network.

The attack surface commonly comprises internet-facing devices, like a web server. These are external entry points into your organization’s internal network. Think of them like doorways. They represent a potential opening for a bad actor to exploit. Now, do you see why thinking like a criminal is essential?

So that’s a basic explanation of the attack surface. But what about the “management” part? Time to go deeper!

ASM is forever

It would be great if protecting your organization meant locating your digital perimeter organization, throwing up a fence, and getting back to business. But no fence is tall, wide, or thick enough. No fence can survive people, animals, vehicles, or weather, especially not forever. Situations change. Will you change with them?

Here’s how Forrester defines ASM:

The process of continuously discovering, identifying, inventorying, and assessing the exposures of an entity’s IT asset estate.

In other words:

Continually find, track, and monitor all your organization’s computers (and any vulnerabilities linked to them).

Let’s talk about what that looks like in practice.

The 5 types of attack surfaces

A modern organization has 5 types of “surfaces” that can be attacked.

  1. On-premises surfaces

    This surface houses assets (you own) that you can physically touch, because they are located on your company premises. Think about your computers (or servers) that aren’t on the cloud.

  2. Cloud surfaces

    This surface houses assets (you own) outside your physical reach, like Software-as-a-Service (SaaS) applications. You access them through your computer, but they don’t live on your computer. They live in the cloud, which just means servers that are housed in databases in different physical locations.

  3. External surfaces

    This surface houses assets you purchase from vendors and partners. These vendors may be third parties, but they’re still integrated with your company and are part of your attack surface.

  4. Subsidiary surfaces

    This surface involves shared networks (some you own, some you might not) and might be relevant if you merge or go through an acquisition.

  5. Rogue surfaces

    This surface houses all the fake assets bad actors set up for nefarious purposes. Things like webpages designed for phishing sitting on your infrastructure (the objective is to harvest stolen credentials to be sold on the dark web). This attack surface also includes assets that an employee might set up without your knowledge on your network for personal benefit, like mining cryptocurrencies.

Go down that list. How many on-prem assets do you have? How many apps do you have on the cloud? How many vendors do you deal with? How many networks do you access throughout everyday business? 

Multiply all those numbers, and you’ll get a super rough estimate of the sheer size of your attack surface.

The 4 stages of ASM

Once you know your attack surface, how do you manage it? In 4 phases.

  1. Discovery

    In the discovery phase, you continuously scan for your internet-facing assets and identify them for potential entry points that bad actors could exploit. Depending on the size of your business, this could prove to be extremely challenging. Refer to the previous section (5 types of attack surfaces) and ask yourself if you can map out your attack surface.

  2. Classification

    In the classification phase, you identify these assets — for instance, by IP address — so you can analyze them for specific risks (like certain types of cyber attacks) and decide which ones are most vulnerable.

  3. Control

    In the control phase, you take measures to secure all vulnerable assets. 

  4. Monitor

    The monitor phase is keeping an eye on everything. This means removing, modifying, and discovering new assets (which includes going back to square one — you’re closing your ASM loop).

How ASM expands 

Let’s wrap up with an example illustrating what tends to happen when companies undergo rapid growth. Think about a real estate entrepreneur. Imagine this person buying a house and renting it to a family. 

Attack Surface Management

Random real estate fact!

As of 2020, the full stock of U.S. housing was worth roughly $36.2 trillion.

Do they have to worry about their attack surface? Probably not. They’ve just got a handy spreadsheet, a business email, a few bank accounts, maybe a website. And all of this is done through a browser on their personal computer. 

Now imagine the entrepreneur buying 10 more houses. Most are rentals, some flips, but all in the same neighborhood. A lot of stuff to keep track of, but they got a trusted new business partner who handles their “books,” so everything is still relatively contained.

Soon the business is expanding throughout the city, then the region, and eventually to other states and countries. Soon the two partners own tens of thousands of properties across multiple jurisdictions. 

They started with a focus on residential properties, but they now own commercial, industrial, and land properties. They even launched two subsidiary businesses to manage properties for them and others. Their revenue target for this year is over $2 billion. 

How do they manage operations? They hire a full staff of managers, associates, and contractors.

Why are they so successful? Because they empower their team. 

There’s only one problem: now their attack surface area is enormous, with tons of money and data flowing through it every second. How many internet-facing assets do you think they own now? Do you think they accurately accounted for all of them as they grew? 

The risk is that a bad actor needs to find just one internet-facing asset (or computer) that isn’t being watched. Why? All it takes is one vulnerable computer (a hole in your security) to get in. How can you protect something you don’t even know is yours? You can’t. Therein lies the danger — as a business scales, it might neglect to scale its security. 

Never implementing cyber ASM principles concerning the 4 stages of ASM can be catastrophic, especially if a business isn’t tracking all of the changes that could occur in its attack surface. 

Think of employee turnover, new SaaS providers, mergers and acquisitions, changes in the cloud infrastructure, etc. There are a large number of factors that will change a business’s attack surface.

Closing the loop in ASM

Attack surfaces change constantly. That’s why it’s essential to keep track of your devices and systems at all times and maintain them continually. Something secure last year might be exposed next year. If you know these areas, you can adjust and add new controls.

ASM is a technical and policy issue, like many things in cybersecurity. But it’s also a logistics problem. After all, you'll have difficulty securing it if you don’t know what you own, where it is, and who has access to it. Following all the guidelines in this article is a great way to ensure that doesn't happen to you.

Are you curious about how to develop an ASM solution? Feel free to email us and one of our experts will get in touch. Or check out our other articles on other critical cybersecurity concepts like zero trust and defense in depth. We are here to help!

Roads? Where we're going, we don't need roads. But before we leave, we should share this article. #sharingiscaring

Are you looking to go to a persona page?

Cyber 101 | The Solopreneur | SMB | BoD

Michael F. D. Anaya | Founder

I’m a techie who’s been in cybersecurity for over two decades. My passions are being a top-tier dad, helping others, speaking in public, and making cyber simple. I am also partial to cheesecake and bourbon, but not together… well, come to think of it, it might be a killer combo! TBD.

https://www.mfdanaya.com
Previous

5 Easy Website Security Best Practices for Small Businesses
Next

Why the CISO Needs to Report to the CEO and Share Insights with the BoD