4 Steps to Reduce Cyber Risks

From IoT devices to cloud infrastructure, web applications and firewalls to VPN gateways, the number of internet-connected assets owned by companies is growing exponentially. They provide access to data, sensors, servers, online stores, websites, and other applications. But with each additional asset, the external attack surface grows, and with it the risk of successful intrusions.

This article is intended for CISOs and IT departments, IT project managers and IT specialists of small companies who have just embarked on the path to building a secure infrastructure. It contains general recommendations that suggest the direction for further action.

Asset discovery is not enough

For many companies, the external attack surface is fluid, complex, and hard to keep track of. It is important to always know which (new) assets are exposed to the Internet and to learn of any gaps in cyber defenses as soon as they are discovered. CISOs must therefore have a keen sense of potential vulnerabilities and misconfigurations, and a team that knows how to mitigate the threats that are discovered and what actions to take.

But which security vulnerability should be closed first? To effectively protect a company's IT infrastructure, a multi-layered External Attack Surface Management (EASM) concept is needed, which also includes weighing the individual actual risk of vulnerabilities. This process can be roughly divided into four successive stages.

Step 1: Identification and classification of assets

Only those who know all their assets can effectively protect them and actively manage the attack surface. It is difficult for mid-sized organizations and larger corporations with multiple subsidiaries to keep track of everything that is accessible from the outside. Shadow IT makes this harder: employees install unauthorized software applications or use cloud services without the knowledge and formal consent of the internal IT department, contrary to current compliance rules.

To obtain a relevant overview of all assets, responsible persons should regularly and automatically check the external attack surface. Ideally, all relevant assets are not only identified but also assigned to the relevant sub-organizations, subsidiaries, etc.

External attack surface management goes far beyond classic asset discovery and vulnerability scanning. It also targets “blind spots” such as forgotten cloud assets and IT infrastructures, as well as IoT devices that are no longer in use or are misconfigured.

Step 2: Risk Identification

To determine which vulnerabilities exist and what potential risk they pose to the company, testing procedures are carried out at different levels. For example, Dynamic Application Security Testing (DAST) can be used to determine whether a potential threat comes from certain applications. It should also be checked whether security-critical data, for example for managing a production system, could already be inadvertently accessible via the Internet. Another security threat is unauthorized login. This is where credential validation comes into play. In addition, companies should constantly monitor whether their assets are exposed to known security vulnerabilities.

Step 3: Risk assessment

Every discovered vulnerability carries some level of risk, but not all risks are equal. To assess and classify them realistically, focus on three questions:

  1. Are there actually known attack vectors for this security vulnerability, or is it more theoretical and not yet exploited?

  2. Is the vulnerable asset or target system an attractive target? For example, a central database is far more valuable than an asset in a department that provides no access to other systems.

  3. How quickly and easily can the asset be identified as a potential target? For example, is it directly on the website, or is it “hidden” as an obscure risk in a subsidiary?

Step 4: Prioritization and Remediation

The most important factor is the shortest possible response time to truly critical risks. This applies not only to identifying, but of course also to promptly closing the corresponding vulnerabilities. But what if the dashboard shows more problems than there are people ready to fix them?

Vulnerabilities need to be wisely prioritized to minimize the overall risk of successful attacks as quickly and effectively as possible. For example, direct, unsecured, unauthenticated external access to a customer database is usually much more important than a vulnerability in an IP camera that has so far only been theoretically exploitable. For an operational security team, it is not primarily a question of closing as many holes as possible as fast as possible, but rather of closing the most important ones.
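As an added illustration of Steps 3 and 4 (example code written for this edit, not from the original article): the three assessment questions become fields on a finding, a score ranks the findings, and a capacity-limited queue picks what to fix first. The weighting in `risk_score` is an assumption chosen for the example, and the sample inventory is constructed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One discovered vulnerability on an externally reachable asset (constructed example)."""
    asset: str
    issue: str
    exploit_known: bool         # Q1: is there a known attack vector, or is it only theoretical?
    asset_value: int            # Q2: 1 = isolated system .. 3 = central system that reaches others
    discoverability: int        # Q3: 1 = obscure, buried in a subsidiary .. 3 = on the main website
    authenticated: bool = True  # does reaching the issue require valid credentials?


def risk_score(f: Finding) -> int:
    """Combine the three assessment questions into one comparable number.

    The weighting is an assumption made for this example, not a standard formula:
    a known attack vector counts three times as much as a theoretical one, and an
    unauthenticated path doubles the score.
    """
    for name in ("asset_value", "discoverability"):
        if getattr(f, name) not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3")
    exploitability = 3 if f.exploit_known else 1
    exposure = 1 if f.authenticated else 2
    return exploitability * f.asset_value * f.discoverability * exposure


def prioritize(findings):
    """Step 4: order findings so the truly critical risks are handled first."""
    return sorted(findings, key=risk_score, reverse=True)


def remediation_queue(findings, capacity):
    """Pick the top findings when the dashboard shows more problems than people to fix them."""
    return [(f.asset, risk_score(f)) for f in prioritize(findings)[:capacity]]


# Constructed inventory mirroring the article's comparison (not real systems).
SAMPLE_FINDINGS = [
    Finding("ip-camera-lobby", "theoretical flaw, no known exploit", False, 1, 2),
    Finding("customer-db", "unauthenticated external access", True, 3, 3, authenticated=False),
    Finding("vpn-gateway", "pre-auth flaw with public exploit", True, 2, 3, authenticated=False),
    Finding("staging-app.subsidiary", "forgotten test app, known exploit", True, 1, 1, authenticated=False),
]

if __name__ == "__main__":
    for asset, score in remediation_queue(SAMPLE_FINDINGS, capacity=2):
        print(f"{asset}: {score}")
```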

Conclusion

To effectively protect the external attack surface and minimize external cyber risks, it is necessary to continuously (preferably automatically) check and monitor the company's public cloud assets and applications, including all departments.
