Shrink the surface: Why does reducing attack surface matter?

Find out why attack surface management is vital to boost security posture for today’s digital businesses

January 29, 2024 | Dheeraj Rawal

What is this blog about?

This blog looks at how quickly companies are transforming with digital and cloud technologies and at the cyber security risks that come with that transformation. It recounts how a large US-based organization faced a data breach that impacted more than 143 million people. It also covers what contributes to the growth of the digital attack surface and attack vectors, how to identify the attack surface, how to reduce it, and what benefits your business can reap.

Digital transformation shooting through the roof

Companies have seen a seismic shift in how they operate businesses, owing to digital technologies. The amount of data that is stored on the cloud today is massive. Thousands of data points underpin the rapid cloud adoption and here’s a handful of them that summarize the point:

  • About 94% of enterprises use cloud services
  • Around 60% of corporate data is stored in the cloud
  • In 2010, the cloud computing and hosting market stood at $24.6 billion; in 2020 the number stood at $156.4 billion
  • Over 10 years, these numbers have risen by 535%
  • About 36 cloud-based services are used by an average employee each day [1]

The numbers have shot through the roof. Businesses are adopting these technologies to improve operations, maximize availability, enhance customer experience, and at the same time bring down costs. 

Transformation brings the risks along

There are security risks associated with cloud adoption. About 93% of businesses see cloud security as the top concern. These risks could be unauthorized access to data, DDoS (Distributed Denial of Service) attacks, cloud misconfigurations, data leaks, data breaches, insecure APIs (Application Programming Interfaces), and more. As companies undertake transformation initiatives, the digital attack surface grows along with them – in simple terms, the security risks also grow. Imagine your company as a fortress: as you build it out further, you add more doors and windows to it. These doors and windows could serve as entry points for bad guys to intrude. That’s exactly what happens when companies adopt technologies to become digital: the entry points increase, and so does the attack surface.

In a real-world scenario, what contributes to an increase in the digital attack surface? Some examples are given below:

  • Addition of digital assets and technologies
    Over time, companies add assets like new devices, servers, databases, applications, and so on. New technologies also add entry points as they introduce new interfaces, communication channels, etc.
  • Increased connectivity
    As more systems and devices are interconnected, more pathways open. These pathways are potential ways for an attacker to strike. 
    There will be about 75 billion connected devices globally by 2025. [2]
  • Remote and hybrid work
    Employees accessing applications from multiple devices (official and personal) and different locations also increase the attack surface. Moreover, these personal devices and networks may not be fully secure.
  • Outdated and unpatched software
    Any application running on outdated or unpatched software could have vulnerabilities that lead to potential attacks (an example of such an attack appears later in this blog).
  • Third-party services
    Businesses need to interact with third parties and vendors, which involve external systems, APIs, apps, etc. Such third-party applications increase the attack surface. Also, external systems may not comply with your security policies. 

With the above factors, exposures like unsafe plugins, unsecured access, misconfigured authentication, social engineering, malware, phishing attacks, insider threats, unpatched software, and more grow, increasing risk significantly. Organizations should be concerned because the larger the attack surface, the larger the risk. Many cyber incidents around the world are attributed to weaknesses in the attack surface such as insecure access, unpatched software, and more.

The story of vulnerability and 143 million people

Here’s an infamous incident that occurred due to unpatched software:

In 2017, Equifax, a US-based credit reporting agency, suffered one of the worst data breaches in history. The breach affected approximately 143 million people, whose details such as social security numbers, driver's licenses, names, birth dates, and addresses were leaked. About 40% of the US population was affected by this data breach. For about 200,000 people, it was even worse, as their credit card details were also stolen.

Multiple factors led to this breach, but it all started with a vulnerability that could have been fixed. Equifax’s consumer complaint web portal had a vulnerability in Apache Struts, which attackers were aware of and took full advantage of. They entered the systems through this loophole. The attackers were able to move from one system to another freely because the systems weren’t segmented. Further, the attackers were able to find usernames and passwords in plain text, which gave them access to even more systems. The data was exfiltrated for months undetected because the security certificates for Equifax’s internal tool had expired.

Before this cyber incident took place, there was a patch released to fix the Apache Struts vulnerability (which was widely known in the market during that time). To its bad luck, Equifax missed the patch update and the vulnerability remained unfixed. Regrettably, none of their scans could detect this vulnerability.

This incident attracted a lot of bad press, lawsuits, and reduced financial ratings for Equifax. The company spent about $1.4 billion to upgrade its technology and to improve security. It also spent $1.38 billion in settlements and resolving consumer claims. [3]

This is not a one-off incident due to unpatched errors, misconfigurations, or insecure access. There are many examples like JP Morgan Chase, Uber, US Voter Registry, Yahoo, Target, Home Depot, and so many more. About 70% of organizations have faced a cyber-attack through an unknown or unmanaged asset. [4] Yet only 9% of the organizations have tested 100% of their attack surface.

This highlights the need for attack surface reduction by getting rid of vulnerabilities as companies are adding new devices and technologies by day. All entry points must be secured so that there’s no risk of unauthorized access, infection, data breach, or any cyber incident.

How to identify the attack surface?

Identifying the attack surface is an effort-intensive process. Nevertheless, here are some fundamentals that can help any organization find its attack surface.

Asset inventory

Create a comprehensive inventory of all assets including all servers, databases, hardware, applications, and so on. The inventory should include resources on-premises and cloud-based infrastructure.

Network mapping

With too many assets and endpoints, understanding network architecture becomes crucial. All connection points (external and internal) need to be assessed.

User permissions

Check user permissions and access control granted. Are all of them still relevant? Should some of them be revoked? Most of the time, unnecessary access privileges increase the attack surface.

Third-party tool evaluation

Interactions and data exchanges with vendors and third-party tools need to be assessed because these also act as gateways to internal systems.
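
The four identification steps above become useful when their outputs are compared with each other. The sketch below is an added illustration, not code from T-Systems or the original post; every host name, software name, version, port and date is constructed sample data, and `audit` is a hypothetical helper.

```python
from datetime import date

# All data below is constructed for illustration; none of it comes from the article.
INVENTORY = {  # asset inventory: host -> installed software versions
    "web-01": {"webfw": (2, 3, 1)},
    "db-01": {"dbserver": (15, 4)},
}
OBSERVED = {  # network mapping: host -> ports reachable from the internet
    "web-01": {443},
    "db-01": set(),
    "test-07": {8080},  # answers on the network but is not in the inventory
}
MIN_PATCHED = {"webfw": (2, 5, 0), "dbserver": (15, 4)}  # hypothetical patch baseline
ALLOWED_EXTERNAL = {443}  # assumed policy: only HTTPS may face the internet
GRANTS = [  # user permissions: (principal, kind, host, last used)
    ("alice", "employee", "db-01", date(2024, 1, 20)),
    ("bob", "employee", "db-01", date(2023, 3, 2)),
    ("vendor-api", "vendor", "web-01", date(2024, 1, 25)),
]
TODAY = date(2024, 1, 29)  # fixed so the result is reproducible


def audit(inventory, observed, min_patched, grants, today, stale_days=90):
    """Return (finding, subject) pairs, one per attack-surface issue."""
    findings = []
    # Asset inventory vs. network mapping: anything observed but not inventoried.
    for host in sorted(observed.keys() - inventory.keys()):
        findings.append(("unmanaged-asset", host))
    # Inventoried software older than the patched baseline.
    for host, software in sorted(inventory.items()):
        for name, version in sorted(software.items()):
            if name in min_patched and version < min_patched[name]:
                findings.append(("unpatched", f"{host}:{name}"))
    # Internet-facing ports outside the allowed set.
    for host, ports in sorted(observed.items()):
        for port in sorted(ports - ALLOWED_EXTERNAL):
            findings.append(("unexpected-exposure", f"{host}:{port}"))
    # User permissions: unused grants; third-party evaluation: vendor access.
    for principal, kind, host, last_used in grants:
        if (today - last_used).days > stale_days:
            findings.append(("stale-permission", f"{principal}@{host}"))
        if kind == "vendor":
            findings.append(("third-party-access", f"{principal}@{host}"))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(INVENTORY, OBSERVED, MIN_PATCHED, GRANTS, TODAY):
        print(f"{finding:20} {subject}")
```

The unmanaged host `test-07` appears twice in the result, once as an unknown asset and once as an unexpected exposure, which is the kind of asset the 70% statistic above refers to.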

How to reduce the attack surface?

Once the attack surface is identified, here are steps that a business can take to reduce the attack surface:

Patch outdated software and systems

All software applications need to be updated and vulnerabilities must be fixed by deploying patches as received.

Network segmentation

Implement network segmentation or micro segmentation. This can restrict the lateral movement of an attacker, in case of an incident.

Least privilege principles

Least privilege or Zero Trust security principles will help businesses grant access to authorized users only and will continuously verify the access. This will eliminate granting access to bad actors or hackers.

Security assessments

One of the key factors to keep the attack surface secure is conducting assessments and vulnerability scans regularly – so that unknown assets and risks are identified.

Besides the above factors, it’s also crucial for businesses to train their teams and employees with basic security awareness. Humans are the weakest links in the system, and it’s imperative to make them aware of the risks.

In Equifax’s case, the company failed to identify the attack surface, and proper security measures weren’t in place either. Had the vulnerability been patched, the attacker would never have been able to intrude. If the networks had been segmented, the attacker could have been confined to a single segment. Lastly, if least privilege or Zero Trust security principles had been applied, access to internal applications would have been even more difficult. It is evident that a business strengthens its security posture by reducing the attack surface and is relatively more successful in avoiding cyber-attacks. However, there are more benefits of attack surface management and reduction.

Benefits of attack surface management and reduction

Improved compliance

Constantly managing and reducing the attack surface helps companies to meet compliance requirements and regulations. This helps companies avoid legal battles and fines. Better compliance demonstrates your commitment to handling data.

Cost savings

A reduced attack surface means there will be fewer cyber incidents to deal with. This leads to lower costs associated with incident response, recovery, lawsuits, downtime costs, loss of business, and more.

Efficient incident response

A smaller attack surface helps companies to monitor and respond to security incidents quickly. Faster incident response enables better detection, containment, and remediation. This minimizes the impact of the security events.

Better reputation and customer trust

Better compliance and minimal security incidents help in building customer trust and a better reputation amongst stakeholders. The modern customer transacts with businesses that he/she trusts.

Increased productivity

Reducing attack surface minimizes the disruptions due to cyber incidents, hence ensuring maximum uptime and increased productivity. 

Security as a competitive advantage

A minimized attack surface along with better compliance demonstrates the company’s ability to handle and protect customer data. Strong security is an advantage that attracts new customers.

In summary, the benefits of reducing the attack surface extend beyond immediate security concerns, impacting operational efficiency, regulatory compliance, and overall business resilience in the face of evolving cyber threats. For businesses looking forward to efficient attack surface management, T-Systems can help you by assessing and evaluating your current security architecture. We have the ‘tried and tested’ approach for attack surface management, right from asset mapping and remediation to measuring program effectiveness. 

About the author
Dheeraj Rawal

Content Marketer, T-Systems International GmbH


[1] Cloud Adoption Statistics, 2023, Zippia
[2] IoT Connect Devices, 2023, Statista
[3] Equifax Data Breach, 2020, CSO Online
[4] Attack Surface Management Statistics, 2023, Webinarcare