In August 2012, an unsuspecting employee at the Saudi Aramco oil company clicked on a malicious link in a phishing email and began one of the most expensive hacks in history. The cyberattack eventually infected 75 percent of the oil conglomerate’s computers and erased the majority of the data on them. For five months Saudi Aramco was forced to use fax machines, typewriters, and pen and paper. They had to buy 50,000 new hard drives, pay a premium to rush their production, and create a newly-secured computer network before they were able to resume normal business practices.
A phishing email is just one of many ways that hackers try to enter corporate systems. Companies often fail to adequately protect themselves from human attack points and only focus on the technical considerations of cybersecurity. Even if both are considered, however, there are still numerous access points left open to hackers. After all, the more interconnected devices grow, the more opportunities there are for cybercriminals. In order to account for all of them, an organization must map a comprehensive cyber “attack surface.”
Farther than the eye can see
A cyber attack surface consists of all points on a network where a hacker could infiltrate into a system and gain access to data within. It consists of devices, like phones and computers, software applications, and people—even those not directly connected to a network, such as third-party service providers. Of key importance is this: any given person’s or company’s cyber attack surface often includes numerous connections not typically thought of. They are therefore, in most cases, far more extensive than imagined. In order to better grasp this concept it’s best to first understand the three main components of any cyber attack surface: software, networks, and people.
The software component includes the actual coding behind user applications and tools. For this think of things like email services, web pages, and mobile apps. Compromises in the architecture of any of these applications could provide hackers the foothold they need to launch an attack. The case of RSA’s SecurID is a good example. In March of 2011, hackers compromised the security company’s SecurID product, a two-factor authentication tool used to strengthen log-in security. The breach rendered SecurID essentially useless, exposing 40 million users to weakened log-in security vulnerable to basic hacker exploits.
The network component pertains to physical devices, or endpoints, along the lines of phones, laptops, firewalls, servers, and other elements of a network’s architecture. The danger here lies in the ability of networks to allow isolated vulnerabilities to spread to multiple devices or to serve as bridges for hackers from weak entry points to hardened areas containing sensitive data. For example, it would be far easier for a determined hacker, eager to break into a well-defended company’s network, to target a single employee rather than the company itself. One employee, having connected to a phony Wi-Fi network while at Starbucks for morning coffee, could very easily walk a compromised device right into the target company. As soon as that employee connects the breached smartphone or laptop to the office network, the hacker has successfully bypassed many of the obstacles he would have faced.
The third, and perhaps most troublesome, component is people. This not only includes those directly connected to a given network, like the employees of a company, but also everyone else that has indirect access to those networks. This is the key complication presented by people. Whereas networks allow isolated threats to jump to many nearby devices, people often serve as the unsuspecting bridges between different networks. People are such great weak points into protected networks that an entire field of hacking has arisen devoted just to them—social engineering.
Any businesses with so-called “bring your own device” (BYOD) policies, or who permit their employees to take company devices home, immediately broaden their attack surfaces to include the home networks of every one of those employees. A laptop or smartphone could just as easily be targeted via compromised home Wi-Fi networks as they could at a Starbucks. Spouses, parents, and children, likely less aware of cyber threats, can inadvertently facilitate attacks by clicking malicious links and plugging in infected devices (e.g., USBs) while using the BYOD devices. Traveling salesmen who access their corporate accounts via unsecured Wi-Fi at airports or hotels, whose networks also then become part of the company’s attack surface, also provide a way in for hackers.
Like viruses, attack surfaces can spread quickly and cause lots of harm to the health of an organization. The best defense is awareness. By understanding what a cyber attack surface is, what it entails, and how extensive your own is, security professionals can begin narrowing the number of vulnerable points of entry their company is exposed to.
The best way for companies to secure their systems is to shrink the size of their attack surfaces as much as possible. A first step toward doing that must involve a thorough inventorying of all software, hardware, protocols, permissions, and employees. You can’t hope to begin protecting your network until you have an accurate idea of where it starts and ends. There are many cutting-edge network topology tools designed specifically for this purpose. Large and medium-sized organizations employing hundreds or thousands of people would be served best by utilizing such tools as their attack surfaces are likely far too intricate for any audit or interview process on its own to be effective.
Once your organization understands what’s at stake, the next step must be to make every employee fully aware of the threat. Implementing regular cybersecurity training into hiring and professional development processes can help lower the risk of social engineering attacks, which often prey on ignorance. Reviewing corporate BYOD and in-house technology policies is also a good idea. Any liberties granted to employees in which technologies they can use, as well as where, when, and how, must be carefully counterbalanced by appropriate security measures to mitigate consequent risks.
Lastly, for both the company and its employees, basic cyber hygiene is essential. For this there is no shortage of suggestions, but a few key tips include the following measures:
- Ensure strong network defenses, including well-calibrated firewalls and strong passwords on all your devices and applications (including your home Wi-Fi!).
- Conduct due diligence on all third parties with access to your networks. Do business only with those who take their own security seriously, and take steps to isolate all parts of your network they don’t need access to.
- Be aware that hackers are always preying upon ignorance. Avoid suspicious links in emails, download only from trusted sources, and keep your sensitive information private.
- Avoid using Wi-Fi and Bluetooth when you don’t need them. While you should always try to avoid it, if you must use public Wi-Fi take extra security precautions (e.g., VPNs).
- Limit the number of people who use your devices and accounts.
Follow these suggestions and you should be well on your way to a smaller, more manageable cyber attack surface.