3 REASONS YOUR ENTITY'S ATTACK SURFACE IS SO BROAD

With the increase in global cyber threats and the continued modernization of protection frameworks, public and private entities need to adapt their approach to a proactive defense.

In 2012, when I was an analyst for an internal call center, we had one path to report cybersecurity events. It was simple: create a service ticket and assign it to the affected system administrator. When the event was urgent, call the system administrator as well.

The process was easy for any front-line analyst to follow. There were only a handful of support groups to receive the service tickets. Later, a new ticketing module entered our service desk: Incidents. Incidents came with urgency and impact declarations, allowing analysts to measure the effect an incident had on the business. This gave us more leverage when requesting support from our path of escalation.

Next came the testing of my team after the release of the incident module. Unbeknownst to us, other internal support teams were contacting the service desk and reporting fictitious vulnerabilities or false hacking scenarios. The callers reported they were hacked or that their mouse moved without their action. Using service management this way was a reactive means of learning whether our company's internal service desk knew how to manage time-sensitive incidents.

Service management alone wasn't remotely enough for defending against today's threat actors.

Fast forward to 2022, and this same company, which once relied on system administrators for remediation, now has a Security Operations Center (SOC), security policies and procedures, follows the NIST SP 800-53 control framework, allocates full-time staff for incident management, monitors account administration, and hires third-party penetration testers to audit and test for vulnerabilities within its network.

With all these improvements, companies like the one referenced above ask themselves if what they’re doing is enough.

Vulnerabilities that lead to ransomware incidents pose a staggering problem for both the private and public sector. 66 percent of organizations came under ransomware attack in 2021.

The federal government is so concerned with attacks on critical infrastructure in the United States that the current administration created the Strengthening American Cybersecurity Act of 2022. President Joe Biden signed this act into law, requiring critical infrastructure entities to report cyberattacks within 72 hours and to report ransom payments within 24 hours.

Here we are, almost in the year 2023, and we find ourselves facing persistent and known threats. Here are the three top reasons your organization's attack surface may be so broad, and what you can do to remediate each one.

Penetration and Vulnerability Assessments: You're not doing them, or you're only testing once every 5-10 years.

This is a must-have recurring requirement for your organization. Organizations can't see where they're most vulnerable if they aren't looking. Penetration testing is an authorized, simulated attack on your network, and tests like these show you exactly where your organization is vulnerable. There are several forms of these tests:

  • Open-box tests (single blind), in which the tester or ethical hacker has information about the target network before the assessment.
  • Closed-box tests, which give the testers no information about the targeted environment.
  • External and internal penetration tests, which are what they sound like. In external tests, ethical hackers attempt to gain access to your network from outside your virtual perimeter using known vulnerabilities or popular intrusion tools. Internal tests simulate an attack from within the organization's network.
  • Vulnerability assessment, the process of defining, identifying, and prioritizing known vulnerabilities. Identifying a vulnerability early enough gives the host entity time to remediate before it is exploited. A number of companies, such as BeyondTrust and Cloudflare, offer more information and consulting services for vulnerability assessments.

Cybersecurity Policies and Procedures: Either your organization doesn't know they exist, or you only have a password update policy.

Each organization should require an in-depth suite of security policies and procedures. And once the suite is created, it should be broadcast from the rooftops! Employees won't spend their free time combing through policy, so make it part of annual training, or have leaders include new policy content in staff meetings.

If you're starting from zero, begin your search with NIST Special Publication 800-53 Rev. 5. This document outlines security and privacy controls that information systems and organizations can use to better manage risk. At first glance the controls in this document can be daunting, but after a nice cup of coffee and a few deep breaths you'll start to recognize patterns in the control formatting. The nice thing is that you can start from the very first control and document whether your organization complies with that control practice.

In the end, it's invaluable to have documentation that leadership and staff can reference and that succinctly defines how your organization protects itself. Many of the well-known and required data security standards, such as PCI DSS, IRS 1075, or SOX, overlap with NIST SP 800-53.

Incident Response Playbook: To this day, some entities have not created an incident response playbook or plan. This leaves a large gap for staff and leadership alike when responding to or attempting to remediate an incident. Instead of the dreaded email storm, wouldn't it be nice to know exactly how your organization would respond to any given incident?

Incident response playbooks take many forms, but most standardize processes and procedures to better coordinate a response between teams and entities, enable tracking of a given incident, allow incidents to be cataloged for better future management, and guide analysis and discovery.

The Cybersecurity & Infrastructure Security Agency (CISA) has a straightforward document to guide entities in the creation of both an incident response playbook and a vulnerability response playbook. The target audience of this particular document is federal agencies; however, I find it easy to read and a great place to start.
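To make the tracking and cataloging that a playbook standardizes concrete, here is an added example written for this post (it is not CISA's playbook, not the author's company's tooling, and not any vendor product). It keeps a small incident catalog that assigns a priority from the urgency and impact declarations described earlier, orders the open queue by that priority, counts incidents by category, and flags missed reporting obligations using the 72-hour incident and 24-hour ransom-payment windows the post attributes to the Strengthening American Cybersecurity Act of 2022. The urgency/impact-to-priority matrix, the category names, and the sample incidents are all assumptions constructed for the example.

```python
"""Hypothetical incident catalog for illustration; not CISA's or any vendor's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed priority matrix: (urgency, impact) -> priority, where 1 is the highest.
PRIORITY_MATRIX = {
    ("high", "high"): 1, ("high", "medium"): 2, ("high", "low"): 3,
    ("medium", "high"): 2, ("medium", "medium"): 3, ("medium", "low"): 4,
    ("low", "high"): 3, ("low", "medium"): 4, ("low", "low"): 5,
}

# Reporting windows as the post describes them (72h for the attack, 24h for a ransom payment).
INCIDENT_REPORT_WINDOW = timedelta(hours=72)
RANSOM_REPORT_WINDOW = timedelta(hours=24)


@dataclass
class Incident:
    ident: str
    category: str                 # constructed labels, e.g. "ransomware", "phishing"
    urgency: str                  # "high" | "medium" | "low"
    impact: str                   # "high" | "medium" | "low"
    detected_at: datetime
    ransom_paid_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None
    ransom_reported_at: Optional[datetime] = None
    status: str = "open"

    @property
    def priority(self) -> int:
        return PRIORITY_MATRIX[(self.urgency, self.impact)]

    def overdue_reports(self, now: datetime) -> List[str]:
        """Names of reporting obligations that are late (or were filed late) as of `now`."""
        missed = []
        deadline = self.detected_at + INCIDENT_REPORT_WINDOW
        filed = self.reported_at
        if (filed is None and now > deadline) or (filed is not None and filed > deadline):
            missed.append("incident_report")
        if self.ransom_paid_at is not None:
            ransom_deadline = self.ransom_paid_at + RANSOM_REPORT_WINDOW
            filed = self.ransom_reported_at
            if (filed is None and now > ransom_deadline) or (filed is not None and filed > ransom_deadline):
                missed.append("ransom_payment_report")
        return missed


class IncidentCatalog:
    def __init__(self) -> None:
        self._incidents: Dict[str, Incident] = {}

    def open(self, incident: Incident) -> None:
        if incident.ident in self._incidents:
            raise ValueError(f"duplicate incident id {incident.ident}")
        self._incidents[incident.ident] = incident

    def close(self, ident: str) -> None:
        self._incidents[ident].status = "closed"

    def queue(self) -> List[str]:
        """Open incident ids ordered by priority, then oldest detection first."""
        open_incidents = [i for i in self._incidents.values() if i.status == "open"]
        open_incidents.sort(key=lambda i: (i.priority, i.detected_at))
        return [i.ident for i in open_incidents]

    def by_category(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for inc in self._incidents.values():
            counts[inc.category] = counts.get(inc.category, 0) + 1
        return counts

    def overdue(self, now: datetime) -> Dict[str, List[str]]:
        result = {}
        for inc in self._incidents.values():
            missed = inc.overdue_reports(now)
            if missed:
                result[inc.ident] = missed
        return result


# Constructed sample data anchored at an arbitrary detection time.
SAMPLE_T0 = datetime(2022, 11, 1, 9, 0, tzinfo=timezone.utc)


def build_sample_catalog() -> IncidentCatalog:
    cat = IncidentCatalog()
    cat.open(Incident("INC-0001", "ransomware", "high", "high", SAMPLE_T0,
                      ransom_paid_at=SAMPLE_T0 + timedelta(hours=30)))
    cat.open(Incident("INC-0002", "phishing", "medium", "low", SAMPLE_T0 + timedelta(hours=2),
                      reported_at=SAMPLE_T0 + timedelta(hours=20)))
    cat.open(Incident("INC-0003", "unauthorized-access", "high", "medium",
                      SAMPLE_T0 + timedelta(hours=5)))
    return cat


def sample_overdue(hours_since_t0: float) -> Dict[str, List[str]]:
    """Overdue reports for the sample catalog at SAMPLE_T0 + the given number of hours."""
    return build_sample_catalog().overdue(SAMPLE_T0 + timedelta(hours=hours_since_t0))


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("queue:", catalog.queue())
    print("by category:", catalog.by_category())
    print("overdue at +100h:", sample_overdue(100))
```

Running the block prints the ransomware incident first in the queue, one incident per constructed category, and, at 100 hours after the first detection, two missed obligations for INC-0001 (the incident report and the ransom-payment report) and one for INC-0003, while INC-0002 was reported within its window.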
