There are various ways to decrease the attack surface. Let’s take a look at some of the more widely used techniques.
The digital side
The easiest target to attack is the digital attack surface. Let’s explore effective strategies to reduce the attack surface.
Less code, less software attack surface
When you reduce the code you’re running in your desktop, server, or cloud instance, you’re reducing the possibilities for entry points to be discovered and later exploited. Turn off, disable, or remove unnecessary software features, and simplify your code. Fewer codes also mean fewer software bugs and vulnerabilities; at the end of the day, that equals fewer security risks overall.
Remove unnecessary OS software and services.
Cleaning the OS includes removing unnecessary functions, applications, and system tools. Do you need a printing service running if you don’t use a printer? What about that MYSQL server running on the 3306 port? Do you need it if you don’t host any databases? And is Adobe Suite required if you don’t work with any PDF files? Install only the strictly necessary applications for your employees’ daily work, and turn off all unused protocols or services. The same advice goes for servers.
Scan your network ports.
Scanning the open ports in your public IP addresses is often the first thing attackers do when performing infosec reconnaissance on any target.
Luckily, there are many ways for you to stay one step ahead of your attackers. And your best bet is to begin auditing your network ports before they do. In our previous article about most scanned ports, we showed a quick way to get famous using the almighty Nmap command.
While using the Nmap top-ports option helps audit your port exposure, this activity can be done using different port scanners such as Unicornscan, Angry IP Scanner, or Netcat.
Analyze your SSL certificates.
People often see SSL certificates as a way to prove a website is secure, but that can be a big mistake.
How hardened are your SSL certificates? Are you keeping your SSL chains complete and well-secured? Are you using strong cipher suites? These are fundamental questions that all developers, system administrators, and technical managers should ask themselves more often. Additional information can be found in our article: Is SSL a real sign of security?
But SSL security doesn’t end up in your hardening, chain, and overall security score. You also need to consider the data you’re exposing to the public.
Have you ever thought about your SSL certificate expiration and validity? Your attack surface includes all your SSL certificates—valid, active, and expired ones.
Of course, the bad guys can explore such public information. So, remember that while SSL certificates are suitable for encrypting your information…not having a thorough audit or control over them can lead to some of your worst nightmares.
Segmentation your network
Keeping all your assets within a single network is often one of the biggest mistakes you can make. Splitting and segmenting your network is one of the easiest ways to reduce your attack surface.
This will help increase your network barriers and, at the same time, help you gain better and more effective server or desktop controls over all machines connected to the network.
Audit your software, network, and traffic.
Auditing your software is one of the oldest known tactics for reducing your attack surface. This will help detect misconfigurations and outdated software, test the security system, and keep users’ activity under control.
Analyzing the network, protocols, OS services, and current and past traffic over the network is a great way to detect factors that could expose your attack surface even more.
Log analysis plays a critical role in reducing your attack surface. Also, running scheduled audits on overlooked services (such as the DNS service) can help keep your exposure under control, as we covered in our previous article: Why should I perform a DNS audit?
The human side
The physical attack surface involves our world, making its most significant component none other than the human being.
As we’ve said before, company staff is often one of the weakest links in the cybersecurity chain of your online business.
Let’s see what can be done to avoid exposing your physical attack surface as much as possible:
Train all your employees to avoid getting tricked by social engineering calls or phishing emails. These are two of the most common ways to sabotage networks, routers, and other physical hardware, most of the time allowed by your human capital.
While nothing can prevent rogue employees from stealing sensitive information about your company (including email or user logins), human resource and hiring departments do have psychological tests in hand for screening applicants. These tests may reveal the true nature (including many unconscious aspects) of the people in line to work with your team.
Teaching your employees correct policies concerning using unknown and unauthorized devices in the office can also help reduce baiting attacks.
There are more social engineering techniques we’ll explore in future posts. Fortunately, they all rely on following company-based security practices and constant employee education.
