The IT infrastructure of any online company is quickly becoming more complex, distributed, sprawling and fluid – even for small companies. For large companies, keeping on top of what they have online can become an unmanageable task. As a consequence, too many cyber security incidents are caused by shadow IT, forgotten servers and neglected websites.
A typical company’s infrastructure is progressively spreading out from on-premise and subsidiary networks to the cloud. The increase in home working and remote access requirements also adds complexity. On top of this is the fact that infrastructure is always changing; whether through new resources, new or changed services, or more widespread changes due to company mergers and organisational changes.
The sum total of everything an organisation has online is its attack surface. We could call it their defence surface, but the convention is to see it from an adversary’s perspective. A company’s online attack surface includes everything online that hosts or processes their data, or forms a part of that hosting or processing, that could be targeted by an attacker. This can include server and desktop computers, cloud assets, websites and certificates, domain records, email configuration, and much more.
A company’s attack surface may also technically include some elements owned and managed by vendors or by third-parties, which are outside their control but still form a part of their infrastructure. With the use of SaaS products and Content Delivery Networks (CDNs), the defence of your infrastructure is now a global challenge.
You cannot secure what you don’t know about, and therefore the unknown or unmanaged assets are likely to be a vector of choice for an attacker as they are likely to be easy targets.
It is not uncommon for a company’s infrastructure to include unknown and unmanaged online assets. There may be legacy systems that have not been retired, shadow IT setup to circumnavigate controls, or simply something you meant to get around to updating last year but never actually got updated. To anyone unfamiliar with modern IT this might seem like an unforgivable oversight, but it’s very easy for omissions and mistakes to creep in. This is especially true for medium-size and large organisations, with multiple offices, services and IT teams involved.
With a targeted attack, sophisticated attackers might explore some or all of an organisation’s attack surface as they try to find a way in. As common these days are indiscriminate attacks; when a new vulnerability is discovered some particularly aggressive attackers will automate the whole process of finding and exploiting vulnerable targets. This is one reason why the old argument of “but why would anyone try to hack us” doesn’t really stand up. If it’s part of your attack surface, it can be attacked.
Either way, the answer is the same: understand your online attack surface, and keep on top of it. More on how to manage an attack surface in our next blog.