Cruciana On Attack Surface Management

Vulnerabilities exist in every organization, and bad actors are constantly on the lookout for ways to exploit these gaps and infiltrate a business. This collection of potential entry points, vulnerabilities, or gaps is referred to as an organization's “attack surface”.

More precisely, the National Institute of Standards and Technology (NIST) defines “attack surface” as a “set of points on the boundary of a system, system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment”.

Reducing this attack surface is important for minimizing the impact a data breach can have on your business, and a holistic, quality attack surface management solution is the best way to do it.

3 Types of Attack Surface

An attack surface can come in several different forms, all of which blend together and connect to form one large attack surface for an organization. A physical gap may contribute to your technical gap and vice versa. It’s important to address every part of your attack surface to ensure security.

  • Technical Attack Surface: An organization's technical attack surface refers to your software configurations and overall system security.
  • Physical Attack Surface: This refers to the physical hardware you use, as well as the security of your office, server rooms, and network devices.
  • Social Engineering: Almost every data breach starts with social engineering. An organization's social engineering attack surface refers to how much data is available for bad actors to use in a potential social engineering attack.

The Importance of Attack Surface Management

Speaking for ChannelPro, Lawrence Cruciana, founder and president of Corporate Information Technologies, stated that “attack surface management is continuous discovery and analysis”.

This means that attack surface management isn't a one-and-done process. It involves the continual monitoring of an organization's security posture and the constant reassessment of potential residual risk in a business. This process starts with an initial inventory of business assets to “inform what attack might be successful”, states Cruciana. It's important to note that not all assets are created equal. Some may be more critical than others in terms of business operations and must be treated as such. These critical assets are what need to be addressed first, to prevent a potential attack in the future.

The next step of attack surface management is making sure businesses know how to address social engineering and educate their employees about the potential risk to their business if they aren’t careful.

Lawrence Cruciana suggests that one “thinks like an attacker” to better understand how they may try to gain access to your workers and by extension your private data.

Knowing and controlling what information or public data bad actors can use is a crucial step in reducing your social engineering attack surface.

Once your organization has assessed where its vulnerabilities lie and how large its attack surface is, it's time to do the work of filling those gaps. This may be a monumental task for SMBs, which is why a managed service provider (MSP) can be an invaluable partner in a business's attack surface management journey. A quality MSP has the resources and tools necessary to help SMBs find and reduce the number of vulnerabilities that can be exploited. This can give businesses peace of mind as well as increased security across the entire attack surface.
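As an added illustration, not taken from the article or from CorpInfoTech, the following Python sketch turns the process above (inventory assets across the three surface types, address critical assets first, and keep rediscovering) into a small ranking loop. The scoring weights, the asset names and the two inventory snapshots are constructed for the example.

```python
from dataclasses import dataclass

# The three surface types are the article's; weights and sample assets are assumptions.
SURFACES = ("technical", "physical", "social")

@dataclass(frozen=True)
class Asset:
    name: str
    surface: str       # one of SURFACES
    criticality: int   # 1 = nice-to-have, 3 = business operations depend on it
    exposed: bool      # reachable by an outsider: internet-facing, public lobby, public profile
    findings: int      # open gaps currently recorded against the asset

def score(asset: Asset) -> int:
    """Remediation rank: criticality dominates, then exposure, then volume of gaps (capped)."""
    if asset.surface not in SURFACES:
        raise ValueError(f"unknown surface type: {asset.surface!r}")
    return asset.criticality * 10 + (5 if asset.exposed else 0) + min(asset.findings, 4)

def prioritize(inventory):
    """Critical assets first, as the article recommends; ties broken by name for stability."""
    return sorted(inventory, key=lambda a: (-score(a), a.name))

def discovery_delta(previous, current):
    """Continuous discovery: assets that appeared since the last pass. An asset nobody
    knew about cannot have been assessed, so it is itself a gap until triaged."""
    known = {a.name for a in previous}
    return [a for a in current if a.name not in known]

# Constructed sample inventory spanning all three surface types.
SNAPSHOT_1 = [
    Asset("erp-database", "technical", 3, False, 1),
    Asset("marketing-site", "technical", 1, True, 3),
    Asset("server-room-door", "physical", 3, True, 1),
    Asset("exec-public-profile", "social", 2, True, 2),
    Asset("staff-laptop", "physical", 2, False, 0),
]
# A second pass turns up an internet-facing appliance missing from the first inventory.
SNAPSHOT_2 = SNAPSHOT_1 + [Asset("forgotten-vpn-appliance", "technical", 3, True, 2)]

if __name__ == "__main__":
    for a in discovery_delta(SNAPSHOT_1, SNAPSHOT_2):
        print(f"NEW  {a.name} ({a.surface})")
    for a in prioritize(SNAPSHOT_2):
        print(f"{score(a):3d}  {a.name:<24} {a.surface}")
```

The newly discovered appliance lands at the top of the list because it is both business-critical and externally reachable, which is exactly the kind of asset a one-off assessment would have missed.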

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.

This website is for informational and educational purposes only and does not render professional advice, nor is it a substitute for dedicated professional guidance from a competent and duly accredited cybersecurity professional specific to your needs and implementation. There is no endorsement of any kind for products or services listed on this website; it is entirely the reader's responsibility to conduct appropriate due diligence and due care in selecting and engaging with any product or service.
