In a world where security breaches, hacks and data theft are becoming ever more commonplace, you’ve probably heard the expression “attack surface”. But what is your attack surface, and – more importantly – how do you
Put simply, your organisation’s attack surface is your exposure to security risk. It covers all the weaknesses or vulnerabilities an attacker could exploit to get information out of – or into – your business. These weaknesses are sometimes called attack vectors.
An attacker may wish to steal sensitive information or customer data to damage your company’s revenue and reputation, or to introduce malicious code that stops something working in the way it should. Reducing your attack surface means minimising the chances of an attack.
The losses involved in security attacks are immense. Loss of reputation leads to loss of customer trust… which, in turn, leads to loss of business and therefore profits. And that’s before you consider the hefty fines payable for breaching the Data Protection Act, or the internal investigation costs.
Your goal is to protect the integrity of your data as best you can – reducing the possible entry points an attacker could use to infiltrate your organisation, and minimising the risk of a security breach.
Safe as houses?
Picture your home. There could be a number of vulnerabilities that someone wanting to break in could exploit. Windows, doors, guttering, roof, cellar, garage… the list goes on.
Perhaps you invested in a strong, solid front door but the downstairs window out the back has a dodgy lock (about time you got that fixed, isn’t it?). Or perhaps your lodger isn’t as trustworthy as you’d hoped. It’s not just hardware that’s vulnerable – risks come in human form, too.
Distraction, action, reaction
Consider the trend for distributed denial of service (DDoS) attacks. Such attacks aim to make an online service unavailable by overwhelming it with a barrage of traffic from multiple sources. DDoS attacks are often used to mask or distract from the attacker’s true purpose, whether that’s stealing valuable data, or rendering a system useless.
DDoS attacks often involve taking control of hundreds of thousands of PCs and using them as a “botnet” to attack another target. Think of them as an army of burglars, all trying to break in at once, or someone knocking at your front door with the aim of confusing and distracting you while a second person sneaks in round the back and steals your
On New Year’s Eve 2015, an anti-ISIS organisation, going by the name of New World Hacking, took out the BBC’s websites and iPlayer. Though the group responsible described the attack as a test of its server power, the hack is believed to have been the largest DDoS attack in history.
A recent DDoS attack was the hack of mobile phone provider TalkTalk, which happened here in the UK last year. The loss of 157,000 confidential data records cost the company an estimated £35
Any means of accessing data, equipment or your network becomes an attack surface, whether that’s your network sockets, PCs, your software or web applications, or the network itself. But there’s also a significant human element in your attack surface, whether that’s an insider threat from an employee with an axe to grind, someone with malicious intent who has been manipulated to exploit their position within the company, or simply
Anyone within your organisation who has access to sensitive data is at risk of being exploited – from the CEO to the cleaners.
Insufficient training, the immense pressure of a crazy workload or a cleverly planned distraction could be all it takes; suddenly a phone call from someone purporting to be from IT and asking for a password is enough for your staff to crack. “Look, we’re really up against it. I know you’re busy – just give me the password and I’ll do it myself.”
It’s vital to carefully vet your staff – carrying out security and financial checks if necessary, to ensure your employees have no reason to be susceptible to bribery or coercion – and to make sure employees are completely committed to the company’s security ethos.
You could invest in the world’s most secure firewall, only to find that the biggest vulnerability in your organisation isn’t technological – it’s human.
Don’t get caught in the web
Websites are another weakness for many businesses. Customers need to be able to access their own accounts, which they do by logging in securely. Yet by providing customers with this access you’re also providing attackers with connectivity from your website to the database that stores billing information and personal details – leaving your system vulnerable to attack.
So, just how do you go about addressing these issues and reducing your attack surface? There’s no one-size-fits-all solution, but there are some relatively simple steps you can take right away.
Start by blocking off USB ports throughout your network. Tighten your password policy. Restrict user access and network access controls, and limit the number of users and devices that can access your data. Your aim should be for only approved staff to use only the parts of the system they are authorised to access.
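As an added illustration of the access-control step above (this is example code, not code from the article or from L-3 TRL), the following Python shows what “only approved staff, only the parts of the system they are authorised to access” looks like as a deny-by-default policy: a user must be active, must connect from an approved managed device, and must hold a role that explicitly grants the (resource, action) pair, otherwise the request is refused and logged. All users, roles, resources and device IDs are constructed sample data; the `who_can` review and the per-user denial count are there to support the “limit the number of users and devices” step and to give defenders something to alert on.

```python
"""Deny-by-default access control: only approved staff, on approved devices,
reach only the parts of the system a role explicitly grants.

Added illustration (not code from the original article or from L-3 TRL).
All users, roles, resources and device IDs are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# A permission is a (resource, action) pair; roles carry an allow-list of them.
# Anything not listed is denied: there is no "default allow" path anywhere below.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "billing-clerk": frozenset({("billing-db", "read")}),
    "billing-admin": frozenset({("billing-db", "read"), ("billing-db", "write")}),
    "support": frozenset({("customer-records", "read")}),
    # The cleaner has an account (door-entry system) but no data rights at all.
    "cleaner": frozenset(),
}


@dataclass
class Staff:
    username: str
    roles: Set[str]
    approved_devices: Set[str]  # managed device IDs this person may connect from
    active: bool = True         # leavers are disabled rather than silently kept


@dataclass
class AccessControl:
    staff: Dict[str, Staff]
    audit: List[str] = field(default_factory=list)

    def check(self, username: str, device_id: str, resource: str, action: str) -> bool:
        """Allow only when user, device and role all pass; every denial is logged."""
        user = self.staff.get(username)
        if user is None or not user.active:
            return self._deny(username, device_id, resource, action, "unknown or disabled user")
        if device_id not in user.approved_devices:
            return self._deny(username, device_id, resource, action, "unapproved device")
        granted = set().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles))
        if (resource, action) not in granted:
            return self._deny(username, device_id, resource, action, "no role grants this")
        self.audit.append(f"ALLOW user={username} device={device_id} {action} {resource}")
        return True

    def _deny(self, username, device_id, resource, action, reason) -> bool:
        self.audit.append(
            f"DENY user={username} device={device_id} {action} {resource} reason={reason}"
        )
        return False

    def denials_per_user(self) -> Dict[str, int]:
        """Repeated denials for one account are a signal worth alerting on."""
        counts: Dict[str, int] = {}
        for line in self.audit:
            if line.startswith("DENY "):
                user = line.split()[1].split("=", 1)[1]
                counts[user] = counts.get(user, 0) + 1
        return counts

    def who_can(self, resource: str, action: str) -> List[str]:
        """Entitlement review: active users able to perform action on resource.
        Keeping this list short is the 'limit the number of users' step."""
        return sorted(
            u.username for u in self.staff.values()
            if u.active and any((resource, action) in ROLE_PERMISSIONS.get(r, frozenset())
                                for r in u.roles)
        )


def build_sample() -> AccessControl:
    """Constructed staff directory for the demonstration."""
    people = [
        Staff("alice", {"billing-clerk"}, {"LAPTOP-0042"}),
        Staff("bob", {"billing-admin"}, {"WS-0107"}),
        Staff("carol", {"support"}, {"LAPTOP-0099"}),
        Staff("dave", {"cleaner"}, set()),
        Staff("erin", {"billing-clerk"}, {"LAPTOP-0042"}, active=False),  # left last month
    ]
    return AccessControl({p.username: p for p in people})


if __name__ == "__main__":
    ac = build_sample()
    ac.check("alice", "LAPTOP-0042", "billing-db", "read")     # allowed
    ac.check("alice", "LAPTOP-0042", "billing-db", "write")    # denied: clerk cannot write
    ac.check("alice", "PERSONAL-PHONE", "billing-db", "read")  # denied: unmanaged device
    ac.check("erin", "LAPTOP-0042", "billing-db", "read")      # denied: account disabled
    ac.check("mallory", "WS-0107", "billing-db", "read")       # denied: no such user
    print("\n".join(ac.audit))
    print("can read billing-db:", ac.who_can("billing-db", "read"))
    print("denials:", ac.denials_per_user())
```

The design choice worth noting is that every refusal path returns through `_deny`, so the audit trail is complete by construction and a leaver’s account (erin) is disabled rather than deleted, which keeps its history reviewable. In a real deployment the role table and device list would come from your directory and device-management system rather than literals.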
The vital balance
There is a trade-off when it comes to reducing your attack surface, and it’s a big one. Lock down all the computers that contain valuable information, and while you’ve achieved your aim of having complete information security you may find your staff can no longer access the data – or parts of the system – they need to do their job.
The aim is to achieve a balance between confidentiality, integrity and availability. That is, complete integrity of your data and security of your systems, while maintaining systems that can still be used… by the right
Remember the household security analogy? If you had to enter a 20-digit code to operate your household alarm you probably wouldn’t use it that often. By implementing an onerous high security feature – or overly stringent controls – you’ve actually made your home less secure.
Keep it simple
Getting that balance right can be tricky, but one of the most effective ways to shrink your attack surface is to invest in high-quality, single-purpose products – cutting-edge tamper-proof technology that doesn’t involve third parties or outsourced programming in its manufacture, limiting the risk of vulnerability.
Greater functionality and complexity come with a greater risk. Rather than choosing multi-function products that claim to do everything from routing to encryption, remove all the functionality you don’t need and choose best-of-breed technology that does just one thing… and does it incredibly well.
Invest in robust, government-grade encryption devices that help you reduce your attack surface and stay one step ahead of the security threat.
About L-3 TRL
With more than 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government, and part of the Cyber Growth Partnership (CGP). Our high-grade, best-of-British hardware encryption products are accredited and approved by CESG, and hold a Queen’s Award for outstanding
We have full quality control over our supply chain and know the provenance of every product we sell. When you choose L-3 TRL you know you’re getting top quality, wholly evaluated technology that’s entirely British built – no risk, no compromise.
For more information, visit