The more things change, the more they stay the same. Much of the world is still behind on the basics.

Dave Meltzer, Chief Technology Officer, Tripwire

April 15, 2020


How would your security program run differently if your perspective was shaped around attack-surface reduction? It's a great way to reframe the way your organization approaches security, especially when it comes to implementing the same basic controls that continue to be your very best line of defense against cyberattacks.

First off, what does "attack surface" mean? This term gets thrown around plenty within the infosec bubble, but are we all talking about the same thing? The first term you often hear people talk about is that of attack vectors. An attack vector really isn't much more than some avenue that a bad actor can use to exploit your systems, your networks, and your information.

The attack surface, then, is just the sum of all the attack vectors for your organization — the total surface area of potential system exposure, be it systems in your data center, laptops in the field, cloud applications, connected industrial systems, or any combination of these hybrid environments you may have.

If It's Boring, You're Probably Doing It Right
Consider the latest breach headline you've read: it relates back, in some way or another, to an exploited attack vector like an unpatched vulnerability. So, what's new about attack vectors? Nothing. The breaches making headlines today come from the same issues we've been seeing in cybersecurity for the past 20+ years. They're the result of unpatched vulnerabilities, misconfigurations, lapses in system updates, human error, and other run-of-the-mill oversights. In 2020, much of the world is still behind on the unglamorous basics.

Because let's face it: The basics are boring and often difficult to maintain. That's a tough combination to take on, especially when the cybersecurity industry touts a continuous stream of shiny new silver-bullet solutions meant to revolutionize the way systems are secured — if only such a thing existed.  

New Environments, New Risks, Same Control
Every organization has a unique attack surface. But an increasing number of organizations have one thing in common: changing infrastructure. Modern enterprises are adopting new systems and rolling out new environments, including the cloud and the Internet of Things. The types of devices we're trying to protect today go well beyond what we've had in the past. We've always had to protect servers, laptops, endpoints, databases, and applications. Today we have to expand that to include cloud offerings: a very large array of services that are constantly evolving across shifting public cloud and private cloud platforms.

New infrastructure means new attack vectors, thereby increasing the organization's overall attack surface. This includes technology such as smart light bulbs, smart buildings, and other connected systems. But it's not just the surface; the ways that people are going to attack these systems are also evolving. The scale and complexity of cyberattacks are both increasing every year, and the volume of vulnerabilities is growing to match. With global breaches that expose millions of private records at once, it's plain to see that threat actors have quickly learned to leverage the cloud on a scale that might have been unfathomable a decade ago. The situation calls for security practitioners to ask themselves how they can extend the coverage of their existing controls into these new system environments.

What's the Cloud Got to Do with It?
Let's say you were an early adopter of public cloud storage using AWS S3 buckets. In that service's early days, much less attention was being paid to exploiting the technology. But as more organizations adopt it, attackers increase the attention they pay to exploiting it; your attack surface changes in relative importance and in nature based on the technology that others adopt as well.
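One of the "boring basics" behind many S3 exposures is a bucket policy or ACL that grants access to everyone. The following added example (not code from the article or from Tripwire) shows a defender's check over that configuration: it classifies bucket-policy statements with a wildcard principal as public, or as needing review when a Condition block may narrow them, and flags ACL grants to the AllUsers and AuthenticatedUsers groups. The policies, ACL, account id and VPC endpoint id below are constructed sample inputs in the shape the GetBucketPolicy and GetBucketAcl APIs return, not real buckets.

```python
"""Flag S3 bucket policies and ACLs that open a bucket to everyone.

Added example for the article's S3 discussion; not Tripwire code.  Inputs
are the JSON string GetBucketPolicy returns and the dict GetBucketAcl
returns, so the check runs offline against saved output.
"""
import json

# Real AWS group URIs whose presence in an ACL grant makes it public.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True when a statement's Principal means 'anyone' ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        return "*" in aws
    return False


def classify_policy(policy):
    """Split a bucket policy into public Allow statements and ones needing review.

    Returns (public, review): the Sid (or positional index as a string) of each
    Allow statement with a wildcard principal.  Statements carrying a Condition
    go under 'review' instead of 'public', because a condition such as
    aws:SourceVpce may restrict the wildcard to a private path.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    public, review = [], []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", str(idx))
        (review if stmt.get("Condition") else public).append(sid)
    return public, review


def public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


# Constructed sample inputs (not real buckets or accounts).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "OwnerOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

OPEN_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-EXAMPLE"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, classify_policy(pol))
    print("acl", public_acl_grants(OPEN_ACL))
```

Running it reports the open policy's PublicRead statement as public, sends the VpcOnly statement to manual review, and flags the AllUsers READ grant; the conditioned statement is kept out of the "public" bucket deliberately, since a wildcard principal behind a VPC-endpoint condition is not reachable from the Internet and treating it as public would train teams to ignore the report.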

For example, Orvibo, a manufacturer of IoT smart home devices, exposed 2 billion records of data, including customer information, over the Internet. Because all of these IoT devices connect up to a common cloud environment, aggregating all data in one place, that gives attackers a central place to break into all of these systems.

Today, the cloud is one of the biggest attack surfaces that organizations need to worry about. Many organizations are still in a very early maturity stage in terms of their cloud adoption. So, whereas some companies in the financial market, for example, have done a lot of investment into cloud security today, other companies in areas like manufacturing, retail, and healthcare are just starting to dip their toes into the cloud.

How to Approach Cybersecurity in the 2020s
The reality is we're only getting more complexity with the advancement of new technologies, along with the growth of the security vendor landscape driven by niche startups. Combining the number of new security tools with the growing attack surface and the increase in attack vectors, it's clear that the complexity of what we're trying to protect increases year over year. When you have more complexity, you have more risk.

However, system complexity doesn't need to be a root cause for security failures if the right basic controls are being enforced consistently across the entire environment. One of the most critical things to be aware of is whether or not you're using the right cybersecurity framework. Recently, there's been increasing adoption of the NIST cybersecurity framework, for example. Whether you're using NIST or one of the other security frameworks out there (such as ISO 27002, CIS Top 20, IEC 62443), you need to understand that framework in depth and know how you are going to iterate and continuously improve security with it.

To be successful now, you must focus on your framework and on maturing in different security areas, making sure you're getting the basics right first and foremost. Doing those basics right, identifying the gaps and investing in addressing them, and patching your vulnerabilities — the answer in 2020 is the same as the answer 20 years ago. 


About the Author(s)

Dave Meltzer

Chief Technology Officer, Tripwire

David Meltzer is a security industry pioneer bringing a unique blend of technical expertise, entrepreneurial skill and market vision to his current position as Tripwire's Chief Technology Officer. Meltzer joined Tripwire through its acquisition of nCircle, where he served as Chief Technology Officer and Vice President of Engineering. Immediately prior to joining nCircle, Meltzer was Founder and Chief Technology Officer at Cambia Security, where he pioneered the industry's first agentless configuration compliance auditing solution. A respected security researcher who founded the industry's first security vulnerability research group, the ISS X-Force, Meltzer is credited with the discovery of numerous security vulnerabilities.
