It used to be that people were the greatest cybersecurity vulnerability, but this is no longer true.
The rise of the internet made people more connected than ever. Attackers capitalized on that fact and targeted employees directly to gain access to an organization. Leveraging highly automated methods (such as phishing that redirects users to compromised websites), attackers must only fool one employee to start a catastrophic attack against the entire organization. These methods are extremely effective and low cost, as they require modest technical capabilities. Thus, the employees-are-our-weakest-link mantra became an unquestioned industry dictum, embraced by both defenders and attackers.
But in the past 10 years, defenses for employees have improved dramatically, raising the cost and lowering the effectiveness of such attacks. At the same time, the volume and variety of corporate IT systems directly accessible over the internet has exploded.
Organizations frequently run Internet-facing IT systems with years-old software that hasn’t been patched and that are not integrated into any security monitoring framework. These exposed systems are highly heterogeneous, including everything from database servers, core business applications, and workstations to embedded systems like cameras, IoT devices, and even building control systems; all scattered across the world wherever the company has a presence.
The number and variety of internet-accessible IT systems have outpaced the ability of both security teams and security technologies to fully monitor and protect these assets. Attackers have come to realize that such unmonitored systems present the same opportunity of access employees once did – namely, an attack surface that can be found and exploited using highly automated, low-cost methods. So company IT assets exposed on the public Internet became the new weakest link.
If a vulnerability like the one discovered a few years ago in the Log4j library was found again in another widely used library tomorrow, how long would it take for your organization to identify all your vulnerable systems? Would you be confident that you found them all? Would attackers know more about your systems than you do?
Organizations must prioritize attack surface management to address this new threat because if they don’t, attackers will know about these weaknesses before they do.
Phishing stopped being easy
Once upon a time, tricking people into clicking links or opening messages that could grant threat actors access was a simple and effective attack tactic. But because cybersecurity companies have worked so hard to address this problem, phishing scams aren’t as effective as they used to be. They still happen, but their success depends on attackers being able to bypass many defenses – and modern technology allows for most of these attacks to be intercepted before they reach the intended recipient. And if a phishing message manages to land in an employee’ inbox, anti-phishing and security awareness training help mitigate the risk.
While technology has helped to block incoming phishing attacks, it can also help identify and capture a threat actor if they get past these defenses. Emails and links can be tied back to an individual unless the threat actor has taken great care and effort to conceal themselves. This possibility has made many bad actors shy away from this tactic to ensure they don’t get caught. Instead, they look at compromising IT assets, where there’s less of a chance of being caught. Think of it like you would about a bank robbery: Why would attackers choose to walk through the front door, which is heavily monitored by cameras and security guards, when a side entrance they discovered has little or no monitoring in place?
Trending target: IT assets on the internet
I have asked every CSO I’ve worked with: How many servers do you have on the internet, and why are you confident in that number? There has only been one instance in my career where a CSO was close to knowing the real number.
In today’s digital world, there are thousands of assets on the internet that leave an organization vulnerable, and many of them were not created by IT. Gartner projects that by 2026, only 20% of companies will have more than 95% visibility of all their assets. While this shows promise because this is up from less than 1% of companies in 2022, that’s still far-off.
The next piece of the puzzle is identifying end system owners and then having the assets become part of the standard security baseline. Much of the time, these IT assets are not secure because the onus lies with the IT team, not the security team. The security team is often not able to help identify and secure the assets because they’re unaware they even exist.
Securing your attack surface
While IT assets present an increased risk of attack, there are ways to improve your attack surface management to protect your organization.
First, go back to the basics. Compile a list of all your IP addresses and domains. If you already have this on hand, how much confidence do you have that it’s accurate and up to date? Take the necessary steps to ensure you’ve compiled a thorough list and put a process in place for it to be regularly updated. This will give you greater, ongoing visibility into your attack surface.
You should also conduct asset inventory. Are you confident that all vulnerable systems are known and protected? These are tough questions but vital to answer to safeguard yourself and avoid millions of dollars in losses.