Attack surface management is certainly a concern for most organizations, but being top of mind does not mean it's easy for organizations to understand or implement. Unfortunately, there are many misconceptions about how hard managing one's attack surface is, so let's deal with five of the most common fallacies.
The fact is attack surface management is a lot easier said than done and to be effective, attack surface management demands a strong base of 'cyber hygiene'. So, let's break down the daunting task list into manageable steps.
Rather than spending valuable time, budget, and resources on chasing the next best cybersecurity technologies, organizations should first look to get the basics in a strong place. While this is not an easy task, it's crucial to the overall health of your organization's security.
With that said:
Myth One: The Basics of Cyber Hygiene are Easy
Cyber hygiene refers to the practices, technologies, and processes businesses have in place to maintain the health and security of their operations.
Cyber, like personal hygiene, is all about developing important habits, but in the case of security, those habits aim to detect problems and improve protection. Key cyber hygiene measures include strong password management, vulnerability scanning, and system patching. With the basics in place, IT teams can begin to protect systems, networks, and data and set the groundwork for more advanced security measures.
The problem with cyber hygiene is that businesses often assume the basics are easy and automatically in place. So instead of ensuring they've got it right, organizations spend their time chasing down new technologies and layering on new solutions. However, these technologies generally don't deliver the basics, and without these businesses are far less able to deliver on their promises.
And despite being "the basics" the basics of cyber hygiene are, in fact, pretty complex. Cyber hygiene requires addressing both technical and nontechnical issues: security controls and countermeasures that reduce risk, along with policies, procedures, and training.
Doing so might not seem too big of a challenge, but as soon as you're looking at patching across hundreds of thousands of machines or delivering a security awareness program across different departments, regions, and countries, it can become a significant business challenge.
Myth 2: It's Okay to Install Solutions Without IT Support
The short answer is NO. This activity, commonly called shadow IT, is when workers decide to install or use equipment, services, or solutions without their IT department's approval or knowledge.
Those workers who implement shadow IT generally aren't actively trying to do anything wrong. In fact, many believe they are being helpful by getting something new and needed into operation quickly. In this, they massively misunderstand the risk involved.
These tools and solutions may temporarily solve a business problem but instead, create vulnerabilities and leave businesses at heightened risk of exposure. Shadow IT is a real crux for many organizations; it results in people managing things they shouldn't, data possibly becoming accessible, and systems being put at risk of compromise.
On top of the inherent security risk, implementing solutions without bringing them into the organization's wider security policy can lead to other business problems. For example, the incompatibility of new systems can impact organization-wide collaboration and productivity, and app sprawl can lead to wasted time and money. Moreover, when someone sets up a new solution, they may be the only person who knows the passwords. If this person leaves, there's no way to manage or use the solution, and it can end up being left active with data exposed.
Myth 3: The Cloud is Inherently Secure
This myth has gained credence over the last few years as remote work has become the norm for many people forcing organizations to move to the cloud to support their workforce. However, the big rush for digital transformation has resulted in security often being an afterthought.
What the cloud has created is an even larger attack surface for many organizations. The more cloud services organizations make available to their employees and customers, the greater the chance of an attacker exploiting them and gaining a foothold in an environment.
Threat actors are drawn to large attack surfaces. Why? The general security posture is often poor because it hasn't been cared for, and there's a greater chance of successfully exploiting it. Although the cloud most certainly can be secure, making it so is a shared responsibility, and it's fundamental for businesses to put the right security policies, processes, and technologies in place.
Instead of assuming that infrastructure or platform services will simply run securely and autonomously, businesses must realize that most security providers only guarantee the underlying infrastructure. In addition, organizations still need to account for application and security management. The result is that a surprising number of unsecured databases and APIs are sitting in the cloud at risk of exposure, and they desperately need proper pen testing and vulnerability scanning.
Myth 4: You Can Be 100% Secure
Organizations can mitigate the risk of attacks by harnessing different defenses and layering solutions, but that's never enough. For example, even sophisticated software fails to address the vulnerability of employees. Social engineering, the manipulation of people through psychological means, is a prime attack route; people are the biggest problem in terms of security and will always be the weakest link.
Organizations need to view security as a continuous, evolving journey. An endpoint doesn't exist; security requires unceasing effort, and fixing things and keeping them secure over a long period of time can be extremely challenging. However, businesses can drastically improve their security by tackling the basics, regularly scanning, and partnering with a security expert.
Myth 5: Penetration Testing Alone Improves Security
Penetration testing uncovers but does not solve problems, and tests alone aren't enough to secure an organization. Often pen tests are written and run, with vulnerabilities discovered, but that is the end of the road.
The fact is that vulnerability management and continuous testing have no value if organizations do nothing to remediate the risks.
Two important events must occur when a pentest uncovers an issue. The first is validation. Finding a problem is one thing, but validating that it's an issue is another. It's vital for the testing team to exploit any vulnerabilities to discover the actual impact. The next step after validation is fixing the issue.
However, organizations often forget these steps due to miscommunication and a lack of ownership and resources.
Attack surface management can help every business identify, prioritize, and manage the risk of cyberattacks. However, to truly yield value, organizations must have the basics firmly in place and have full visibility of their attack surface.
It's counterproductive to assume that the cloud is inherently secure, to rely on silver-bullet solutions that don't exist, or to hope it's possible to be 100% secure.
Organizations need to see security as an ongoing business requirement. However, while every business should take some responsibility for cybersecurity, they don't have to go it alone.
A trusted security partner can help businesses achieve a security-first approach to cloud architecture, avoid misinterpreting the aim of pen testing, fix problems when they're found, and improve security maturity.
8 Experts on the Myths of Attack Surface Management
Attack surface management is an approach to security designed to help businesses identify, prioritize, and manage risks and exposures. Unlike standard threat management, it takes a contextual view of threats and focuses on understanding what's exposed and developing a process for determining and reducing risk.