Expanding Enterprise Attack Surfaces (EAS) and the increasing importance of Identity & Access Management

Rapidly Expanding Threat Surfaces

In the past five years, Enterprise Attack Surfaces (EAS) have evolved significantly. EAS refer to the various entry points that cybercriminals can exploit to gain unauthorized access to an organization's digital assets. With the increasing use of cloud-based services, the proliferation of connected devices and the growing reliance on third-party vendors, attack surfaces have become broader, more numerous and more complex.

One of the most notable changes in attack surfaces has been the shift to cloud-based infrastructure. The use of cloud-based services, such as Amazon Web Services, Microsoft Azure and Google Cloud, has become more prevalent. These services offer a range of benefits to organizations, including scalability, cost effectiveness and agility. However, they also introduce new vulnerabilities that cybercriminals can exploit. For example, the Capital One breach in 2019 was the result of an exploited vulnerability in an AWS server.

Another trend in attack surfaces has been the proliferation of connected technologies, such as Internet of Things (IoT) devices. These devices are typically designed to be easy to set up and use, but often lack adequate security controls. Cybercriminals have taken advantage of these weaknesses to launch attacks such as botnet and distributed denial-of-service (DDoS) attacks. For example, in August 2020, security researchers discovered a new botnet called FritzFrog that was actively targeting Secure Shell (SSH) servers worldwide. What made FritzFrog unique was that it was designed to run on compromised IoT devices, including routers and other network devices, rather than traditional servers or computers.

The botnet was able to spread rapidly by scanning the internet for vulnerable SSH servers and then using brute force attacks to gain access to them. Once a server was compromised, it would be used to infect other devices and expand the botnet's reach.

What made FritzFrog particularly dangerous was its ability to evade detection and remain hidden on infected devices, making it difficult to remove. The botnet was also highly scalable, with the potential to infect thousands of devices and launch large-scale DDoS attacks.
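The spreading mechanism described above, repeated password guessing against SSH, leaves a characteristic trail in authentication logs. The following is an added detection example written for this article; it is not code from the original post or from One Identity. It parses constructed sshd log lines in syslog format (the year is assumed, since syslog timestamps carry none), counts failed logins per source address inside a sliding window, and raises the severity when a flagged source subsequently succeeds, which is the case a responder most needs to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not real captures.
SAMPLE_AUTH_LOG = """\
Aug 20 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug 20 10:00:02 bastion sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Aug 20 10:00:03 bastion sshd[2003]: Failed password for invalid user pi from 203.0.113.7 port 51236 ssh2
Aug 20 10:00:04 bastion sshd[2004]: Failed password for root from 203.0.113.7 port 51237 ssh2
Aug 20 10:00:05 bastion sshd[2005]: Failed password for invalid user ubnt from 203.0.113.7 port 51238 ssh2
Aug 20 10:00:06 bastion sshd[2006]: Failed password for root from 203.0.113.7 port 51239 ssh2
Aug 20 10:00:09 bastion sshd[2007]: Accepted password for root from 203.0.113.7 port 51240 ssh2
Aug 20 10:01:00 bastion sshd[2008]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Aug 20 10:01:30 bastion sshd[2009]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
Aug 20 10:02:00 bastion sshd[2010]: Accepted publickey for deploy from 192.0.2.5 port 40003 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)

LOG_YEAR = 2020  # assumption: syslog timestamps have no year field


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    A later successful login from a flagged IP, within the window of its last
    failure, is escalated to 'high' because it suggests the guessing worked.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames tried (spraying indicator)
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            users[ip].add(ev["user"])
            # Drop failures that have aged out of the window.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "usernames": set(),
                                             "success_after_burst": False,
                                             "severity": "medium"})
                f["failures"] = max(f["failures"], len(q))
                f["usernames"] = set(users[ip])
        elif ip in findings and recent[ip]:
            if (ev["ts"] - recent[ip][-1]).total_seconds() <= window_seconds:
                findings[ip]["success_after_burst"] = True
                findings[ip]["severity"] = "high"
                findings[ip]["compromised_user"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, f["severity"], f["failures"], "failures, users:", sorted(f["usernames"]),
              "then success as", f.get("compromised_user"))
```

On the sample, only 203.0.113.7 is flagged: six failures across four usernames in under ten seconds, followed by an accepted password login, so it is reported as high severity with the compromised username. The single failure from 198.51.100.9 is an ordinary typo and stays below the threshold. In production the same logic would run on a log pipeline rather than a string, and the threshold and window should be tuned against the bastion's normal failure rate.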

Third-party vendors have also become an increasingly attractive target for cybercriminals. Organizations often rely on third-party vendors for critical services, such as payment processing, data storage and customer support. However, these vendors may not have the same level of security controls as the organizations they serve. One recent example of a cyberattack that exploited third-party weaknesses to target an organization is the Accellion File Transfer Appliance (FTA) cyberattack that was discovered in December 2020.

In this attack, threat actors targeted organizations that were using the Accellion FTA file sharing software, which is a third-party tool used by many companies to share large files. The attackers exploited a vulnerability in the software to gain access to sensitive data belonging to the targeted organizations.

This attack is an example of how third-party vulnerabilities can be used to compromise the security of an organization, even if that organization has implemented strong security measures of its own. It highlights the importance of organizations thoroughly vetting and monitoring the security of all third-party tools and services that they use to prevent such attacks.

The concept of attackers leveraging attack surfaces within third parties to ultimately reach an intended victim is often referred to as a “supply chain attack”, and the past few years have seen many such attacks occur, including the well-known SolarWinds attack of 2020.

A Challenge for the CISO: More Tools = More Complexity & Risk

The role of a Chief Information Security Officer (CISO) is becoming increasingly complex as organizations face a growing number of cyber threats and associated threat surfaces. CISOs are responsible for ensuring that their organization's sensitive data and digital assets are secure from external and internal threats. To fulfil this responsibility, CISOs often acquire and deploy multiple security tools to monitor and protect their organization's network and data. However, having too many security tools can add cost and introduce new risks. An outline of each of these potential risks follows:

Human Error Through Increased Complexity

Every security tool requires a certain level of expertise to operate effectively. The more tools a CISO deploys, the more staff are required to manage them. This increases the complexity of the security infrastructure and creates a need for a larger workforce to manage the tools. This, in turn, increases the likelihood of human error and misconfiguration, which can introduce vulnerabilities in the security infrastructure.

Coverage Gaps & Overlaps

Deploying multiple security tools often leads to duplication of functionality. Many security tools, such as intrusion detection systems (IDS), intrusion prevention systems (IPS) and firewalls, perform similar functions but with different technologies and interfaces. This can lead to confusion, overlap and potential gaps in coverage, as well as potential performance degradation of the infrastructure. The problem gets worse when these tools are distributed among multiple disjointed teams across the organization: the secure development pipeline might be owned by the R&D team, while web application security belongs to the central SecOps or SOC team. This can lead to false assumptions about who monitors what, creating blind spots for the organization.

Security Tools as Attack Surfaces

Thirdly, having too many security tools can actually (and somewhat ironically) increase the attack surface within an organization. Security tools such as endpoint protection traditionally have special access to system resources to perform their duties (for example, to clean up after a virus infection), which makes their vulnerabilities especially dangerous. And their track record is not great: Microsoft Defender, for example, had a bug for 12 years that allowed attackers to gain admin rights. So, it is safe to assume that each tool brings its own set of vulnerabilities that can be exploited. Furthermore, attackers can leverage the complexity of the infrastructure to their advantage, such as using a vulnerability in one tool to gain access to another.

Increased Cost

The cost of maintaining and licensing multiple security tools can be prohibitive, especially for smaller organizations with limited budgets. The licensing fees and maintenance costs for each tool can add up quickly, resulting in a strain on the organization's financial resources.

Quantity Does Not Equal Quality

Having many security tools can lead to a false sense of security. CISOs may assume that they have covered all their bases with the tools they have deployed, but this may not necessarily be the case. They may miss potential threats that their tools are not designed to detect or fail to configure the tools correctly, leading to gaps in coverage and exposure to cyber threats.

So, the proliferation of security tools, in many cases, has led to an “I can’t see the woods for the trees” situation, where the very tools deployed to protect an organization are, in fact, preventing security analysts from seeing a breach unfold whilst introducing risk and cost into the security organization.

CISOs must be mindful of the potential risks associated with deploying too many security tools. Rather than deploying as many tools as possible, CISOs should focus on acquiring and implementing a smaller set of tools that can cover a broad range of threats and provide comprehensive coverage without introducing unnecessary complexity. In addition, it is our belief that identity security is critical to this tool consolidation strategy. It should be noted that the Identity & Access Management (IAM) software domain is, itself, fragmented. Many organizations are using five or more identity management tools today. A migration to identity management platforms is an undertaking that many organizations are embarking on to mitigate the risks and costs created by multiple identity management systems.

Bringing Identity & Access Management to the Center of Security Strategy

The cybersecurity industry recognized years ago that the traditional perimeter security is not working well enough. Post-COVID, we can safely claim that the infrastructure perimeter is dead. Identity is the new perimeter and identity-based tools, like Access Management, Privileged Access Management (PAM) and Identity Governance & Administration (IGA) are now doing the heavy lifting of making organizations secure across the globe.

This emerging intersection of IAM best practices and expanding threat surfaces is a critical consideration for organizations that seek to manage cyber risk effectively. IAM best practices help organizations reduce the attack surface by limiting access to sensitive resources. They also help prevent unauthorized access by ensuring that users authenticate themselves properly. One could certainly argue that every breach starts with a stolen or misused credential and, therefore, IAM should be a priority as CISOs seek to find approaches to mitigate new cyber risks and keep up with expanding threat surfaces.

However, as threat surfaces expand, IAM best practices must also keep pace. One size does not fit all here, and an effective identity security strategy must be designed to be nimble. Effective identity management is essential to prevent unauthorized access to digital assets. One of the critical best practices in IAM is the principle of least privilege. This principle ensures that users only have access to the resources they need to perform their duties. This reduces the risk of insider threats, accidental or intentional data breaches and other security incidents. Another essential best practice in IAM is the use of advanced authentication mechanisms. This involves the use of Multi-Factor Authentication (MFA), context-aware, behavior-based authentication, passwordless policies, PAM and other authentication methods to ensure that only authorized users can access resources. Advanced authentication mechanisms help prevent brute force attacks, credential stuffing and other types of attacks that target weak or stolen credentials.

Identity & Access Management has always been a crucial aspect of information security. It helps organizations ensure that only authorized personnel can access sensitive data, systems and applications. However, with the proliferation of attack surfaces discussed in this article, IAM best practices are becoming more critical than ever before and should be a core consideration in any cybersecurity strategy.

As organizations adopt new technologies, such as cloud computing, IoT and mobile devices, their threat surfaces expand. This means that there are more points of entry for attackers to exploit. Attackers can leverage vulnerabilities in these technologies to gain access to sensitive data and systems. There are many ways to mitigate the risks associated with these dynamics, but a strong argument can be made for the prioritization of IAM projects since the “privileged credential” is always the target of a threat actor in the early phases of a cyberattack.

In Conclusion

The attack surfaces associated with cybersecurity have evolved significantly in the past five years. The use of cloud-based infrastructure, the proliferation of connected devices and the reliance on third-party vendors have introduced new vulnerabilities that cybercriminals can (and do) exploit. One consequence is that CISOs and their teams now carry too much cost and complexity in their security tooling, and consolidation must occur to reduce both risk and cost. IAM best practices are critical for organizations to manage identity and access effectively. They help reduce the risk of insider threats, accidental or intentional data breaches and other security incidents. However, as organizations adopt new technologies and expand their threat surfaces, IAM best practices must evolve to keep pace. By implementing advanced authentication mechanisms and the principle of least privilege, organizations can ensure that their IAM policies remain effective against evolving threats. With modern IAM at the heart of security strategy, we can reduce costs, simplify the management of the security infrastructure and minimize attack surfaces, along with their associated risks.

Call To Action

To start bringing identity security to the center of your cybersecurity strategy, you might want to consider taking the following first steps:

  1. Implement the basics. 90% of credential theft can be handled by implementing a world-class Access Management solution that incorporates password management and Multi-Factor Authentication.
  2. Audit your company’s identities and zoom in on privileged users. It is very likely that you have privileged accounts that are either dormant or overprivileged and that should be deleted or altered.
  3. Implement Privileged Access Management. Modern PAM solutions will help you to stay in control of privileged accounts and align them to your preferred risk posture.
  4. Lock down your Active Directory. Microsoft AD is often the first port of call for a cybercriminal looking to understand and steal credentials. Implement an Active Directory Management solution to ensure maximum security in this area.
  5. Explore what is possible with Identity Governance & Administration. Ideally, the identities associated with your organization should conform to standards and policies that have been designed with your organization’s preferred risk posture in mind. An IGA solution will help you to define and manage identities in the context of these policies.
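Step 2 above (find dormant or overprivileged privileged accounts) and the least-privilege and MFA practices discussed earlier can be checked mechanically against a directory export. The following is an added example written for this article, not code from the original post or from any One Identity product. It assumes a small set of Active Directory group names treated as privileged, a hypothetical role-to-entitlement policy saying which job roles may hold each of those groups, and a constructed export of accounts (the data below is invented). It reports privileged accounts that are dormant, hold groups their role is not entitled to, lack MFA, or are disabled but still retain privileged membership.

```python
from datetime import datetime, timedelta, timezone

# Assumption: these AD groups are treated as privileged for the review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Hypothetical least-privilege policy: which roles are entitled to which privileged group.
ROLE_ENTITLEMENTS = {
    "Domain Admins": {"directory-engineer"},
    "Enterprise Admins": {"directory-engineer"},
    "Schema Admins": set(),  # normally empty; members are added only for a change window
    "Administrators": {"directory-engineer", "platform-sre"},
}

# Constructed sample directory export; not real accounts.
SAMPLE_ACCOUNTS = [
    {"sam": "jdoe", "enabled": True, "role": "directory-engineer",
     "last_logon": "2023-03-01T08:00:00Z", "member_of": ["Domain Admins", "Domain Users"], "mfa": True},
    {"sam": "svc_backup", "enabled": True, "role": "service",
     "last_logon": "2022-06-15T02:00:00Z", "member_of": ["Domain Admins"], "mfa": False},
    {"sam": "old_consultant", "enabled": True, "role": "contractor",
     "last_logon": None, "member_of": ["Administrators"], "mfa": False},
    {"sam": "asmith", "enabled": True, "role": "helpdesk",
     "last_logon": "2023-03-02T09:00:00Z", "member_of": ["Domain Users"], "mfa": True},
    {"sam": "bjones", "enabled": False, "role": "platform-sre",
     "last_logon": "2021-01-01T00:00:00Z", "member_of": ["Administrators"], "mfa": True},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a Z suffix; None means 'never logged on'."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_identities(accounts, now, dormant_days=90):
    """Return (account, issue, detail) tuples for privileged accounts needing action."""
    findings = []
    cutoff = now - timedelta(days=dormant_days)
    for acct in accounts:
        priv_groups = sorted(set(acct["member_of"]) & PRIVILEGED_GROUPS)
        if not priv_groups:
            continue  # this review is scoped to privileged identities
        if not acct["enabled"]:
            # Disabled accounts should not keep privileged membership; re-enabling
            # one (by mistake or by an attacker) would restore the privilege.
            findings.append((acct["sam"], "disabled-but-privileged", ", ".join(priv_groups)))
            continue
        last = parse_ts(acct["last_logon"])
        if last is None or last < cutoff:
            detail = "never logged on" if last is None else f"last logon {last.date()}"
            findings.append((acct["sam"], "dormant-privileged", detail))
        for group in priv_groups:
            if acct["role"] not in ROLE_ENTITLEMENTS.get(group, set()):
                findings.append((acct["sam"], "overprivileged",
                                 f"role '{acct['role']}' not entitled to '{group}'"))
        if not acct["mfa"]:
            findings.append((acct["sam"], "privileged-without-mfa", ", ".join(priv_groups)))
    return findings


def summarize(findings):
    """Count findings per issue type, for a quick view of where to start."""
    counts = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    review_time = datetime(2023, 3, 3, tzinfo=timezone.utc)  # constructed review date
    results = audit_identities(SAMPLE_ACCOUNTS, review_time)
    for sam, issue, detail in results:
        print(f"{sam:16} {issue:26} {detail}")
    print(summarize(results))
```

On the sample, jdoe holds Domain Admins legitimately, logs on regularly and has MFA, so nothing is reported; svc_backup and old_consultant are each reported three times (dormant, overprivileged for their role, no MFA), and bjones is reported once because a disabled account still sits in Administrators. The entitlement policy is the part that needs real input from the organization; the point of writing it down as data is that the review becomes repeatable rather than a one-off spreadsheet exercise.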

One Identity specializes in many of the tools and best practices discussed in this article. For further information, please refer to the following web resources:

Access Management

Privileged Access Management

Identity Governance & Administration

Active Directory Management

To sign up for a free trial of any or all of these technologies, visit this site for Access Management trials or this site for Identity Governance, Privileged Access Management and Active Directory Management trials.
