Insights

21 Apr 2016

Your attack surface: what it is, and how to reduce it

In a world where security breaches, hacks and data theft are becoming ever more commonplace, you’ve probably heard the expression “attack surface”. But what is your attack surface, and – more importantly – how do you reduce it?

Put simply, your organisation’s attack surface is your exposure to security risk. It covers all the weaknesses or vulnerabilities an attacker could exploit to get information out of – or into – your business. These weaknesses are sometimes called attack vectors.

An attacker may wish to steal sensitive information or customer data to damage your company’s revenue and reputation, or to plant malicious code that stops something working in the way it should. Reducing your attack surface means minimising the chances of an attack.

The losses involved in security attacks are immense. Loss of reputation leads to loss of customer trust… which, in turn, leads to loss of business and therefore profits. And that’s before you consider the hefty fines payable for breaching the Data Protection Act, or the internal investigation costs.

Your goal is to protect the integrity of your data as best you can – reducing the possible entry points an attacker could use to infiltrate your organisation, and minimising the risk of a security breach.

Safe as houses?

Picture your home. There could be a number of vulnerabilities that someone wanting to break in could exploit. Windows, doors, guttering, roof, cellar, garage… the list goes on.

Perhaps you invested in a strong, solid front door but the downstairs window out the back has a dodgy lock (about time you got that fixed, isn’t it?). Or perhaps your lodger isn’t as trustworthy as you’d hoped. It’s not just hardware that’s vulnerable – risks come in human form, too.

Distraction, action, reaction

Consider the trend for distributed denial of service (DDoS) attacks. Such attacks aim to make an online service unavailable by overwhelming it with a barrage of traffic from multiple sources. DDoS attacks are often used to mask or distract from the attacker’s true purpose, whether that’s stealing valuable data, or rendering a system useless.

DDoS attacks often involve taking control of hundreds of thousands of PCs and using them as a “botnet” to attack another target. Think of them as an army of burglars, all trying to break in at once, or someone knocking at your front door with the aim of confusing and distracting you while a second person sneaks in round the back and steals your precious possessions.

On New Year’s Eve 2015, an anti-ISIS organisation, going by the name of New World Hacking, took out the BBC’s websites and iPlayer [1]. Though the group responsible described the attack as a test of its server power, the hack is believed to have been the largest DDoS attack in history.

A recent DDoS attack was the hack of mobile phone provider TalkTalk which happened here in the UK last year. The loss of 157,000 confidential data records cost the company an estimated £35 million [2].

Any means of accessing data, equipment or your network becomes part of your attack surface, whether that’s your network sockets, PCs, your software or web applications, or the network itself. But there’s also a significant human element in your attack surface, whether that’s an insider threat from an employee with an axe to grind, an employee who has been manipulated by someone with malicious intent into exploiting their position within the company, or simply human error.

Anyone within your organisation who has access to sensitive data is at risk of being exploited – from the CEO to the cleaners.

Insufficient training, the immense pressure of a crazy workload or a cleverly planned distraction can be all it takes: suddenly a phone call from someone purporting to be from IT and asking for a password is enough for your staff to crack. “Look, we’re really up against it. I know you’re busy – just give me the password and I’ll do it myself.”

It’s vital to carefully vet your staff – carrying out security and financial checks if necessary, to ensure your employees have no reason to be susceptible to bribery or coercion – and to make sure employees are completely committed to the company’s security ethos.

You could invest in the world’s most secure firewall, only to find that the biggest vulnerability in your organisation isn’t technological – it’s human.

Don’t get caught in the web

Websites are another weakness for many businesses. Customers need to be able to access their own accounts, which they do by logging in securely. Yet by providing customers with this access you’re also providing attackers with connectivity from your website to the database that stores billing information and personal details – leaving your system vulnerable to attack.

The solution

So, just how do you go about addressing these issues and reducing your attack surface? There’s no one-size-fits-all solution, but there are some relatively simple steps you can take right away.

Start by blocking off USB ports throughout your network. Tighten your password policy. Restrict user access, tighten network access controls, and limit the number of users and devices that can reach your data. Your aim should be for only approved staff to use only the parts of the system they are authorised to access.
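The three steps above can be checked on a Windows host before anyone changes a setting. The read-only audit below is an added example, not code from the original article or from L-3 TRL; it assumes Windows 10 or Server 2016 or later, PowerShell 5.1 or later, an administrative session, and an approved-administrator list that is a placeholder you replace with your own.

```powershell
# Added example: audit the attack-surface controls the article recommends.
# Read-only; it reports findings and changes nothing.
$findings = @()

# 1. Removable USB storage. The USBSTOR driver is disabled when its Start value is 4.
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                            -Name Start -ErrorAction SilentlyContinue
if ($null -eq $usbstor -or $usbstor.Start -ne 4) {
    $findings += 'USB mass storage is enabled (USBSTOR Start is not 4).'
}

# 2. Password policy. Export the local security policy and read two [System Access] values.
$cfg = Join-Path $env:TEMP 'secpol-audit.cfg'
secedit /export /cfg $cfg | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -Force
function Get-PolicyInt([string[]]$Lines, [string]$Key) {
    $m = $Lines | Select-String -Pattern "^$Key\s*=\s*(\d+)"
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
}
$minLen  = Get-PolicyInt $policy 'MinimumPasswordLength'
$lockout = Get-PolicyInt $policy 'LockoutBadCount'
if ($minLen -lt 12) { $findings += "Minimum password length is $minLen; 12 or more is recommended." }
if ($lockout -eq 0) { $findings += 'No account lockout threshold is set.' }

# 3. Least privilege. Local Administrators should match a short, approved list.
# Placeholder list (assumption): replace with the accounts your organisation has approved.
$approved = @("$env:COMPUTERNAME\Administrator")
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $_ -notin $approved }
if ($unexpected) { $findings += "Unexpected local administrators: $($unexpected -join ', ')" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on a representative workstation first; each finding maps to one of the three steps in the paragraph above, and the fixes themselves belong in Group Policy rather than in an ad-hoc script.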

The vital balance

There is a trade-off when it comes to reducing your attack surface, and it’s a big one. Lock down all the computers that contain valuable information, and while you’ve achieved your aim of having complete information security you may find your staff can no longer access the data – or parts of the system – they need to do their job.

The aim is to achieve a balance between confidentiality, integrity and availability. That is, complete integrity of your data and security of your systems, while maintaining systems that can still be used… by the right people.

Remember the household security analogy? If you had to enter a 20-digit code to operate your household alarm you probably wouldn’t use it that often. By implementing an onerous high security feature – or overly stringent controls – you’ve actually made your home less secure.

Keep it simple

Getting that balance right can be tricky, but one of the most effective ways to shrink your attack surface is to invest in high-quality, single-purpose products – cutting-edge tamper-proof technology that doesn’t involve third parties or outsourced programming in its manufacture, limiting the risk of vulnerability.

Greater functionality and complexity come with a greater risk. Rather than choosing multi-function products that claim to do everything from routing to encryption, remove all the functionality you don’t need and choose best-of-breed technology that does just one thing… and does it incredibly well.

Invest in robust, government-grade encryption devices that help you reduce your attack surface and stay one step ahead of the security threat.

About L-3 TRL

With more than 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government, and part of the Cyber Growth Partnership (CGP). Our high-grade, best-of-British hardware encryption products are accredited and approved by CESG, and hold a Queen’s Award for outstanding innovation.

We have full quality control over our supply chain and know the provenance of every product we sell. When you choose L-3 TRL you know you’re getting top quality, wholly evaluated technology that’s entirely British built – no risk, no compromise.

For more information, visit www.l-3com.com/trl