SSL

Attack Surface: How can I reduce the attack surface?

There are various ways to decrease the attack surface. Let’s take a look at some of the more widely used techniques.

The digital side

The easiest target to attack is the digital attack surface. Let’s explore effective strategies to reduce the attack surface.

Less code, less software attack surface

When you reduce the code you’re running in your desktop, server, or cloud instance, you’re reducing the possibilities for entry points to be discovered and later exploited. Turn off, disable, or remove unnecessary software features, and simplify your code. Fewer codes also mean fewer software bugs and vulnerabilities; at the end of the day, that equals fewer security risks overall.

Remove unnecessary OS software and services.

Cleaning the OS includes removing unnecessary functions, applications, and system tools. Do you need a printing service running if you don’t use a printer? What about that MYSQL server running on the 3306 port? Do you need it if you don’t host any databases? And is Adobe Suite required if you don’t work with any PDF files? Install only the strictly necessary applications for your employees’ daily work, and turn off all unused protocols or services. The same advice goes for servers.

Scan your network ports.

Scanning the open ports in your public IP addresses is often the first thing attackers do when performing infosec reconnaissance on any target.

Luckily, there are many ways for you to stay one step ahead of your attackers. And your best bet is to begin auditing your network ports before they do. In our previous article about most scanned ports, we showed a quick way to get famous using the almighty Nmap command.

While using the Nmap top-ports option helps audit your port exposure, this activity can be done using different port scanners such as Unicornscan, Angry IP Scanner, or Netcat.

Analyze your SSL certificates.

People often see SSL certificates as a way to prove a website is secure, but that can be a big mistake.

How hardened are your SSL certificates? Are you keeping your SSL chains complete and well-secured? Are you using strong cipher suites? These are fundamental questions that all developers, system administrators, and technical managers should ask themselves more often. Additional information can be found in our article: Is SSL a real sign of security?

But SSL security doesn’t end up in your hardening, chain, and overall security score. You also need to consider the data you’re exposing to the public.

Have you ever thought about your SSL certificate expiration and validity? Your attack surface includes all your SSL certificates—valid, active, and expired ones.

Of course, the bad guys can explore such public information. So, remember that while SSL certificates are suitable for encrypting your information…not having a thorough audit or control over them can lead to some of your worst nightmares.

Segmentation your network

Keeping all your assets within a single network is often one of the biggest mistakes you can make. Splitting and segmenting your network is one of the easiest ways to reduce your attack surface.

This will help increase your network barriers and, at the same time, help you gain better and more effective server or desktop controls over all machines connected to the network.

Audit your software, network, and traffic.

Auditing your software is one of the oldest known tactics for reducing your attack surface. This will help detect misconfigurations and outdated software, test the security system, and keep users’ activity under control.

Analyzing the network, protocols, OS services, and current and past traffic over the network is a great way to detect factors that could expose your attack surface even more.

Log analysis plays a critical role in reducing your attack surface. Also, running scheduled audits on overlooked services (such as the DNS service) can help keep your exposure under control, as we covered in our previous article: Why should I perform a DNS audit?

The human side

The physical attack surface involves our world, making its most significant component none other than the human being.

As we’ve said before, company staff is often one of the weakest links in the cybersecurity chain of your online business.

Let’s see what can be done to avoid exposing your physical attack surface as much as possible:

Train all your employees to avoid getting tricked by social engineering calls or phishing emails. These are two of the most common ways to sabotage networks, routers, and other physical hardware, most of the time allowed by your human capital.

While nothing can prevent rogue employees from stealing sensitive information about your company (including email or user logins), human resource and hiring departments do have psychological tests in hand for screening applicants. These tests may reveal the true nature (including many unconscious aspects) of the people in line to work with your team.

Teaching your employees correct policies concerning using unknown and unauthorized devices in the office can also help reduce baiting attacks.

There are more social engineering techniques we’ll explore in future posts. Fortunately, they all rely on following company-based security practices and constant employee education.

November 15, 2023 by Brian Cyber Security 0

Attack Surface: What is an attack surface?

Photo by Bernd 📷 Dittrich on Unsplash

What does “attack surface” mean? I see the attack surface as the entire network and software environment exposed to remote or local attacks. For others, it’s the sum of compromised points—although that’s not the attack surface, but the attack vectors.

An attack surface refers to all the ways attackers can exploit your apps. This includes software, operating systems, network services and protocols, domain names, and SSL certificates.

A classic example to help illustrate the concept of attack surface is your business’s physical office. What’s the attack surface of your local office?

The answer is simple: doors, windows, safe boxes, etc. What about your home? Even simpler: front and back doors, windows, garage doors, climbable trees or tables, etc.

The difference between detecting a breach in your home and a violation in your company’s online attack surface can be characterized by the size of the area and its inclusion of multiple complex regions to explore.

You’d clearly notice if someone had broken a window or forced open the door in your home. It’s even easier to have a home alarm system that notifies you immediately.

However, due to the extensive network, software, protocols, and services running within an online company, detecting what part of the attack surface was the origin of the breach or intrusion can be tricky, even with a solid IDS in place, application firewalls, and notification alerts. Most of the time, it may pass unnoticed.

November 7, 2023 by Brian Cyber Security 0

What Is a Man-in-the-Middle Attack

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

A man-in-the-middle attack, often abbreviated as an MITM attack, is a type of cyber assault in which an unauthorized individual interposes themselves in the communication flow between two parties who assume they are engaging in direct communication. In this scenario, the attacker gains the ability to intercept, eavesdrop on, and potentially manipulate the content of the communication taking place. Man-in-the-middle attacks pose a significant threat as they allow for clandestine surveillance and potential tampering with communications across various contexts, such as interactions between individuals, clients, and servers, and even secure connections like HTTPS and other SSL/TLS protocols, as well as Wi-Fi network connections, among others.

Here is how a Man-in-the-middle attack works.

Picture a scenario where you and a colleague are engaged in a conversation through a secure messaging platform. In this situation, an adversary with malicious intent aims to intercept your exchange, clandestinely monitor it, and insert fabricated messages into the conversation, making it appear that these false messages are coming from you to your colleague. This form of cyber attack illustrates the peril of a man-in-the-middle assault, where the attacker attempts to undermine the integrity and confidentiality of your communication.

Initially, you request your colleague’s public key to establish secure communication. If your colleague sends her public key, but an attacker manages to intercept it, a man-in-the-middle attack becomes possible. The attacker sends you a fabricated message skillfully designed to mimic your colleague’s communication. However, this message contains the attacker’s public key instead of your colleague’s legitimate one. Thinking you are using your colleague’s public key, you encrypt your message and unknowingly employ the attacker’s key to secure it. Subsequently, you send this encrypted message back to what you believe is your “colleague.”The attacker, once again, intercepts the message, decrypts it using their private key, manipulates the content, and then re-encrypts it using the public key they initially intercepted from your colleague, who had intended to send it to you. As your colleague receives and examines the encrypted message, she is under the impression that it originated from you, unaware of the attacker’s meddling.

August 16, 2023 by Brian Cyber Security 0

What is an SSL Certificate?

Photo by Stephen Phillips – Hostreviews.co.uk on Unsplash

An SSL certificate (or TLS certificate) is a digital certificate that binds a cryptographic key to your organization’s details. Secure Sockets Layer (SSL) are cryptographic protocols designed to encrypt communication between a server and a web browser.

While SSL certificates are installed server-side, there are visual cues in the browser that show SSL protection. If SSL is present, you may see https:// in the address bar, a padlock, a green address bar, or a combination of the three. SSL secures your connection to a web server and encrypts any transferred data. Encrypting data reduces the cybersecurity risk of man-in-the-middle attacks or many other cyber attacks. SSL has traditionally been used to secure credit card information on e-commerce sites, personal data transfers, and social media sites.

Today, search engines like Google have called for HTTPS everywhere, even if websites don’t handle sensitive data or information like personally identifiable information (PII). HTTPS not only provides critical information security and data integrity but is a requirement for many new web browser features like progressive web apps (PWAs). What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Think of it as a more secure version of SSL. Despite new certificates using TLS (RSA or ECC), it remains common for security certificates to be referred to as SSL certificates.

TLS, like SSL, provides privacy and data integrity between two or more communicating applications. When secured by TLS, connections between your browser and a server must have one or more of the following properties:

The connection is secured by symmetric cryptography. The keys for symmetric encryption are unique to each connection, based on a shared search negotiated at the start of a session through a TLS handshake. The server and your browser negotiate the details of which encryption algorithm and cryptographic keys are used before data is transmitted. Negotiating a shared secret is secure (preventing eavesdropping) and reliable (no attacker can modify messages without being detected, preventing man-in-the-middle attacks).

The identity of communicating parties can be authenticated using public-key cryptography. Public keys are disseminated widely, and private keys are only known to the owner. People can encrypt a message using the receiver’s public key, but only their private key can decrypt. Authentication can be optional but is generally required for at least one of the parties (typically the server).

The connection is reliable because each transmitted message has integrity checked using a message authentication code (MAC), preventing undetected loss or manipulation of data. A MAC is a short piece of information used to confirm the message came from the stated sender and has not been changed. This protects data integrity and authenticity.

In addition, the configuration of TLS can provide additional privacy-related benefits like forwarding secrecy. Forward secrecy ensures future disclosure of session keys only compromises a particular session. This is achieved by generating a unique key for each session, so the compromise of a single session key cannot affect the data exchanged in any other session.

What is Hypertext Transfer Protocol Secure (HTTPS)?

Hypertext Transfer Protocol Secure (HTTPS) is an extension of Hypertext Transfer Protocol (HTTP). It is used to securely transfer data over a network. In HTTPS, the communication is encrypted using TLS.

HTTPS provides authentication of the accessed website, protecting the privacy and integrity of exchanged data. It also protects against man-in-the-middle attacks such as eavesdropping and tampering with transmitted data. Because HTTPS piggybacks HTTP on top of TLS, the entire HTTP protocol is encrypted, including the requested URL (the specific page requested), query parameters, headers, and cookies (which often contain identifying information about the user).

The one thing that eavesdroppers can see is the website address and port numbers which are part of TCP/IP protocols and not protected by HTTPS. This means an eavesdropper can infer the IP address and port number of a web server (the domain name but not the specific page) that you are communicating with, as well as the amount of data transferred and session time.

Modern web browsers know which HTTPS websites to trust based on pre-installed certificate authorities. Certificates authorities like Let’s Encrypt are trusted to provide valid certificates. This means HTTPS connections are only trusted if all the following are true:

You trust your web browser correctly implements HTTPS with valid certificate authorities. You trust the certificate authority will only vouch for legitimate websites. The website you visit provides a valid certificate signed by a trusted certificate authority. The SSL certificate correctly identifies the website and not another entity. You trust SSL/TLS is sufficient to protect against eavesdroppers.

December 29, 2022 by Brian Application Security 0

SSL