The blog is about how fast companies are transforming with digital and cloud technologies. What are the cyber security risks that come along with it? How a large US-based organization faced a data breach that impacted more than 143 million people. Also discover answers to what contributes to the growth of digital attack surface and attack vectors, how to identify the attack surface, how to reduce it, and eventually what benefits your business can reap.
Companies have seen a seismic shift in how they operate businesses, owing to digital technologies. The amount of data that is stored on the cloud today is massive. Thousands of data points underpin the rapid cloud adoption and here’s a handful of them that summarize the point:
The numbers have shot through the roof. Businesses are adopting these technologies to improve operations, maximize availability, enhance customer experience, and at the same time bring down costs.
There are security risks associated with cloud adoption. About 93% of businesses see cloud security as the top concern. These risks could be unauthorized access to data, DDoS (Denial Distribution of Service) attacks, cloud misconfigurations, data leaks, data breaches, insecure APIs (Application Programming Interface), and more. As companies undertake transformation initiatives, the digital attack surface grows along with it – in simple terms, the security risks also grow. Imagine your company as a fortress, and as you further build it – you’re adding more doors and windows to it. These doors and windows could serve as entry points for bad guys to intrude. That’s exactly what happens when companies adopt technologies to become digital, the entry points increase – thus increasing the attack surface.
In a real-world scenario, what contributes to an increase in the digital attack surface? Some examples are given below:
With the above factors, risks like unsafe plugins, unsecured access, misconfigured authentication, social engineering, malware, phishing attacks, insider threats, unpatched software, and more grow – thus increasing risks significantly. Organizations should be concerned because the larger the attack surface, the larger the risk. Many cyber incidents around the world are attributed to attack surfaces like insecure access, unpatched software, and more.
Here’s an infamous incident that occurred due to unpatched software -
In 2017, Equifax – a US-based credit reporting agency, suffered one of the worst data breaches in history. Approximately, this data breach affected 143 million people as their details like social security numbers, driver's licenses, names, birth dates, addresses were leaked. About 40% of the US population was affected due to this data breach. For about 200,000 people, it was even worse as their credit card details were also stolen.
Multiple factors led to this breach, but it all started with a vulnerability that could have been fixed. Equifax’s consumer-compliant web portal had a vulnerability (Apache Struts) – which attackers were aware of and took full advantage of. They entered systems through this loophole. The attackers were able to move from one system to another freely as the systems weren’t segmented. Further, the attackers were able to find usernames and passwords in plain text. This enabled them to get access to even more systems. The data was exfiltrated for months undetected because the security certificates for Equifax’s internal tool had expired.
Before this cyber incident took place, there was a patch released to fix the Apache Struts vulnerability (which was widely known in the market during that time). To its bad luck, Equifax missed the patch update and the vulnerability remained unfixed. Regrettably, none of their scans could detect this vulnerability.
This incident attracted a lot of bad press, lawsuits, and reduced financial ratings for Equifax. The company spent about $1.4 billion to upgrade its technology and to improve security. It also spent $1.38 billion in settlements and resolving consumer claims.3
This is not a one-off incident due to unpatched errors, misconfigurations, or insecure access. There are many examples like JP Morgan Chase, Uber, US Voter Registry, Yahoo, Target, Home Depot, and so many more. About 70% of organizations have faced a cyber-attack through an unknown or unmanaged asset.4 Yet only 9% of the organizations have tested 100% of their attack surface.
This highlights the need for attack surface reduction by getting rid of vulnerabilities as companies are adding new devices and technologies by day. All entry points must be secured so that there’s no risk of unauthorized access, infection, data breach, or any cyber incident.
Identifying the attack surface is an effort-intensive process, nevertheless, here are some fundamentals that can help any organization to find the attack surface.
Asset inventory
Create a comprehensive inventory of all assets including all servers, databases, hardware, applications, and so on. The inventory should include resources on-premises and cloud-based infrastructure.
Network mapping
With too many assets and endpoints, understanding network architecture becomes crucial. All connection points (external and internal) need to be assessed.
User permissions
Check user permissions and access control granted. Are all of them still relevant? Should some of them be revoked? Most of the time, unnecessary access privileges increase the attack surface.
Third-party tool evaluation
Interacting and exchanging data with vendors and third-party tools need to be assessed because these also act as gateways to internal systems.
Once the attack surface is identified, here are steps that a business can take to reduce the attack surface:
Patch outdated software and systems
All software applications need to be updated and vulnerabilities must be fixed by deploying patches as received.
Network segmentation
Implement network segmentation or micro segmentation. This can restrict the lateral movement of an attacker, in case of an incident.
Least privilege principles
Least privilege or Zero Trust security principles will help businesses grant access to authorized users only and will continuously verify the access. This will eliminate granting access to bad actors or hackers.
Security assessments
One of the key factors to keep the attack surface secure is conducting assessments and vulnerability scans regularly – so that unknown assets and risks are identified. Besides the above factors, it’s also crucial for businesses to train their teams and employees with basic security awareness. Humans are the weakest links in the system, and it’s imperative to make them aware of the risks.
In Equifax’s case, the company failed to identify the attack surface – even further, proper security measures weren’t in place. Had the vulnerability been patched, the attacker would never been able to intrude in. If the networks were segmented, the attacker could have been confined to a single segment, and lastly, if least privilege or Zero Trust security principles were applied, then access to internal applications would have been even more difficult. It is evident that a business strengthens its security posture by reducing the attack surface and is relatively more successful in avoiding cyber-attacks. However, there are more benefits of attack surface management and reduction.
Improved compliance
Constantly managing and reducing the attack surface helps companies to meet compliance requirements and regulations. This helps companies avoid legal battles and fines. Better compliance demonstrates your commitment to handling data.
Cost savings
A reduced attack surface means there will be fewer cyber incidents to deal with. This leads to lower costs associated with incident response, recovery, lawsuits, downtime costs, loss of business, and more.
Efficient incident response
A smaller attack surface helps companies to monitor and respond to security incidents quickly. Faster incident response enables better detection, containment, and remediation. This minimizes the impact of the security events.
Better reputation and customer trust
Better compliance and minimal security incidents help in building customer trust and a better reputation amongst stakeholders. The modern customer transacts with businesses that he/she trusts.
Increased productivity
Reducing attack surface minimizes the disruptions due to cyber incidents, hence ensuring maximum uptime and increased productivity.
Security as a competitive advantage
A minimized attack surface along with better compliance demonstrates the company’s ability to handle and protect customer data. Strong security is an advantage that attracts new customers.
In summary, the benefits of reducing the attack surface extend beyond immediate security concerns, impacting operational efficiency, regulatory compliance, and overall business resilience in the face of evolving cyber threats. For businesses looking forward to efficient attack surface management, T-Systems can help you by assessing and evaluating your current security architecture. We have the ‘tried and tested’ approach for attack surface management, right from asset mapping and remediation to measuring program effectiveness.
1 Cloud Adoption Statistics, 2023, Zippia
2 IoT Connect Devices, 2023, Statista
3 Equifax Data Breach, 2020, CSO Online
4 Attack Surface Management Statistics, 2023, Webinarcare
