Recently I came to know about an incident which forced me to draft my thoughts here on my blog about Attack Surfaces and Attack Vectors. This will also talk about some preventive measures which are basics and should be taken care in the organisation. That said, we should also understand that if someone tells us that his tool/ or he can make our organisations security posture unbreakable and hack proof, please ignore them to start with. Our focus should always be to perform internal assessments and to apply best practices as much as possible to reduce the attack vectors and surfaces, and to have processes to deal with such security incidents. There will always be a new way which the hackers will work out to penetrate the network.
The IT space currently has been under pressure due to cyber attacks and viruses / malware being released leading to huge losses and creating a panic specially for the IT support teams as they were not ready for it. We all should accept that this is now a new normal and instead of pushing the panic button we need to change our strategy and get the people with the right skills to do the job.
I think it was John Chambers who said that "There are two types of companies: those that have been hacked, and those who don't know they have been hacked." and actually I feel that is very true.
I personally am of an opinion that no tool can solve all your issues, you should put the right people on the job, do extensive analysis, change your current processes and ways of work. Tools come in the end.
Attack Surface
It is the sum of the different points, the attack vectors, in a given computing device or network that are accessible to an unauthorised user which is called the "Attacker"
- Classification of Attack Surface
- Network
- Open Ports
- Insecure Protocols
- Low Bandwidths
- Multiple users for administrative accounts
- Software
- Improper Coding
- Privacy Settings
- Opensource Apps without support for patch and releases
- Physical
- Internal Employees
- Rouge Devices
- Social Engineering
- Passwords on notebooks / sticky notes / etc
- Phishing Emails
- As I mentioned above, attacks are unstoppable
- We should be focussing on the high risk areas first
- We will have to deploy advanced techniques and technologies against emerging threats
- We should perform an internal analysis of the attack surface
- We should perform an internal vulnerability assessment on the system and software
- Formulate an security incident response process
- We should consider deploying Security Incident Management tools e.g. SIEM
- Hide vulnerable ports
- To implement a technique to perform a realtime monitoring of data flows over the network
- Design and Develop of network infrastructure with recommended security features. Follow security by design.
- Promptly respond to changes realtime
- Uninstall / Remove all the unused applications / services from servers
- Limit the number of users and applications for both performance and security reasons
- Enforce policies and procedures to everyone in the organisation
- Cut down on unnecessary requests (emails, database access)
- Use load balancers, advance firewalls, VLAN's, honeypots to divert the attacker from high value areas
Attack Vectors
Methods by which a hacker exploits the systems, network and software based on possible attack surfaces. The most common attack vectors are : Viruses, emails, spam, ads and spyware.
- Classification of Attack Vectors
- Low Risk - Low threat to the the business / IT environment
- Medium Risk - Threat with a mitigation workaround available
- High Risk - Imminent threat to the business / IT environment
- Examples of Attack Vectors
- SQL Injection
- DDoS Attacks
- Phishing
- Eaves Dropping
- Malware Injection
(I assume that you are aware of the techniques which are specified in the examples above)
- Update all the systems / devices with the latest patches
- Updated Antivirus
- Deploy Advanced Firewall protection and endpoint security
- Deploy Honeypots
- Deploy Load Balancers
- Enforce appropriate security policies
- Provide education to the users of the environment
- Deploy Security Incident Management tools e.g. SIEM
Now with EU GDPR in the mix, it will be even more interesting to see the response by the IT Teams. My advise, don't panic just start working step by step on the points mentioned above and you should be there. Experience in IT and awareness about Cyber Security and Data Protection is all what it should take.
If anyone is looking for any help you can reach me on : catchme@ashuarunsethi.in, I love to work on new challenges in my free time.
