3 Things You’re Responsible for in the Age of the Growing Attack Surface

Dan Schoenbaum
Mar 11, 2019


The days are long gone when cybersecurity simply involved watching your internal networks behind the firewall. As businesses grow online and in the cloud in the name of innovation, their attack surface has exploded. Although the increasingly sophisticated online landscape puts more powerful tools into the hands of businesses, it also creates powerful opportunities for innovative hackers to exploit.

A modern business’s digital environment is highly interconnected with other services, often influenced by multiple internal actors, and open to ever more creative forms of manipulation. Welcome to the era of the attack surface. From now on, question all assumptions and remember that your targets are moving.

To outwit malicious actors, your enterprise security needs to evolve more than just its tactics. It needs to change its perspective on the whole by considering the reality that your digital environment consists of more elements than those you’ve created and have under control. Thinking in terms of perimeters no longer works.

Here are three things you’re responsible for in your digital environment that you may not have considered because they’re not based on actions that you, or your IT group, perform.

1. Third-Party Threats in the Age of Connectivity

To operate effectively on the internet, you must work with code, libraries, software, and plugins built and maintained by third parties. These third-party components don’t belong to you but are nonetheless a part of your attack surface.

There are many advantages to using these third-party components, and often they form a vital part of your website — your business may even rely on them to operate. In fact, most companies cannot realistically avoid using them as they streamline development and facilitate efficiency.

Third-party components take many forms. On a typical website, this might include:

  • Analytics codes
  • JavaScript libraries
  • E-commerce software
  • Cloud services
  • Workflow apps
  • CMS plugins
  • Widgets
  • Servers and hosting

However, a widespread assumption in IT exists that third-party components, especially proprietary ones, are not a part of the attack surface. After all, when they’re acquired from a trusted source, installed correctly, and kept up to date, then there’s nothing to worry about, right?

Not exactly. Third-party components often fall prey to attacks because hackers understand that we take the security of these assets for granted on account of our trust in the source, and that we assume the security of third-party components is the problem of that organization’s developers.

While this last part is technically true, what happens once that asset is installed in our digital environment is very much our problem. When an attack infiltrates one of these third-party components in a way that renders your site vulnerable, we refer to it as a supply chain attack. Such attacks have very real consequences for businesses that choose to use these components.

While a lot of things will naturally be out of your hands, knowing which third-party components you’re using and where, and staying proactive about how these components interact with your assets goes a long way to keeping your digital environment secure.

How to Use Enterprise Security to Manage Third-Party Threats

The Magecart hackers showed us that major breaches could sometimes go undetected for a while, leaving your site vulnerable for a period of time while your customers’ data is stolen. It is also suspected that Magecart is injected into a site during development, or through the use of third-party e-commerce plugins. This underscores the necessity for a proactive stance on the use of third-party assets in your digital environment.

Third-party components all have one thing in common: they need to be installed. This means that responsibility for the ways these components affect your site begins when you choose to implement them in your digital environment.

Here are some recommendations for reducing the attack surface which third-party assets create:

  1. Implement policy controls

Make sure that anyone who touches the backend of your website is clear on what may be installed, when, where, and by whom. Implement access controls for accessing code on a by-needs basis. This ensures that the acquisition process is kept tight and observable and that no unsafe or unauthorized installations occur.

  2. Maintain up-to-date logs on acquisitions, installations, and updates

In a large, dynamic website, you may have a dozen or more third-party components installed. Keeping an up-to-date log regarding when a component is acquired, installed, and updated will keep you in the loop concerning potential threats.

  3. Stay up to date with your components

Updates often provide proactive security measures and the elimination of vulnerabilities before a malicious actor discovers them. Likewise, staying up to date on the news around the assets you’ve installed on your website will help you spot trouble early.

  4. Frequently analyze your digital footprint

Analyzing your digital footprint for changes in site activity or behavior can help you spot these threats and take appropriate action. RiskIQ offers powerful tools to accomplish this.
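The recommendations above on logging components and watching for changes can be combined into one check, shown here as an added example that is not part of the original article: it compares the external scripts found in a page snapshot against the component log. The hostnames, the page snapshot, the log layout, and the 180-day update threshold are all constructed assumptions.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed component log: script host -> (component, date of last logged update).
INVENTORY = {
    "cdn.analytics.example": ("analytics code", date(2019, 2, 20)),
    "static.shopcart.example": ("e-commerce plugin", date(2018, 6, 1)),
    "widgets.chat.example": ("chat widget", date(2019, 1, 15)),
}

# Constructed page snapshot, as it might be saved by a scheduled crawl.
PAGE = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.analytics.example/a.js"></script>
<script src="//static.shopcart.example/cart.min.js"></script>
<script src="https://cdn.font-metrics.example/f.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_scripts(html, inventory, today, max_age_days=180):
    collector = ScriptCollector()
    collector.feed(html)
    # Relative URLs have no hostname: they are first-party and are skipped.
    hosts = {urlparse(s).hostname for s in collector.sources} - {None}
    logged = set(inventory)
    return {
        "unlogged": sorted(hosts - logged),   # on the page, never recorded
        "not_seen": sorted(logged - hosts),   # recorded, no longer loaded
        "overdue": sorted(h for h in hosts & logged
                          if (today - inventory[h][1]).days > max_age_days),
    }

if __name__ == "__main__":
    print(audit_scripts(PAGE, INVENTORY, today=date(2019, 3, 11)))
```

An entry under `unlogged` is a script that reached the page without passing through the acquisition process; `overdue` lists components still in use whose last logged update is older than the threshold.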

The dynamic nature of cyberspace demands taking an engaged and proactive approach to the use of third-party components. They are part of your attack surface, even if the breach isn’t occurring directly on your site.

2. Rogue Threats Creatively Expand Your Attack Surface

Malicious actors never cease to come up with ways to get their hands on credit card numbers, login credentials, or PII. Rogue threats are actions undertaken by individuals designed to undermine businesses’ security.

Like third-party threats, rogue threats often occur outside your immediate sphere of control. Most use social engineering, mimicry, or deception to trick users into handing over valuable data. They often occur by going after your employees, prospects, or customers directly on the internet.

When these attacks happen, you may find yourself facing an onslaught of complaints, lost business, and even lawsuits without realizing why. We’ll take a look at many of the ways these attacks can occur without your knowledge but still irrevocably damage your image. Early detection and takedown of infringing assets is one of the most effective ways of disrupting one of these targeted campaigns.

Phishing Pages Prey on the Distracted and Unobservant

Phishing is the art of creating an interface which mimics a brand to trick unwitting users into handing over credentials or data. While the tactic used to be associated with email scams, last year we detected an increase in the diversity of phishing deployments and targets. Rogue actors are getting more creative in their application of phishing, making this part of your attack surface even more nebulous.

Your enterprise security should consider phishing pages directed at both your employees and your customers.

Protect your employees: Provide training on how to spot phishing and develop a security culture which emphasizes minimal data exposure.

Protect your customers: Develop a policy for when you will and will not ask customers for certain information. Indicate this policy clearly in all communications and provide resources to help customers identify potential attacks.

Domain Infringement Fools Your Customers

Ever clicked on a link you thought went to a brand, only to end up somewhere unexpected?

Domain infringement occurs when an actor uses a domain name that is similar enough to your own that it confuses your users. The purposes for this may vary from malicious (credential stealing) to leveraging your brand to sell knock-off products. Either way, domain infringement siphons users from your site while exposing their data in insecure environments and costing you money.

US trademark law charges trademark owners with the responsibility to remain diligent about the protection of their marks. Therefore, you should make web crawls to identify and remove third-party-owned domain infringements a regular part of your enterprise security strategy. Quickly removing spoofs and look-alikes diminishes the chances that your customers will be fooled. It also helps maintain the integrity of your trademark in the eyes of the law.
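To make the crawl-and-review step concrete, the following added example (not from the original article) triages a list of observed domains against a brand name and sorts the look-alikes by how they resemble it. The brand `examplebank`, the owned domain, the observed list, the substitution table, and the edit-distance threshold of 1 are constructed assumptions.

```python
# Visual substitutions folded before comparison (a small, non-exhaustive set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(label):
    """Lower-case a label, drop hyphens, and fold look-alike characters."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, owned):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    # Owned domains and their subdomains are not infringements.
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return None
    target = skeleton(brand)
    for label in domain.split(".")[:-1]:      # every label except the TLD
        folded = skeleton(label)
        if label == brand:
            return "brand-on-other-tld"
        if folded == target:
            return "confusable"
        if edit_distance(folded, target) <= 1:
            return "typo"
        if target in folded:
            return "embeds-brand"
    return None

def triage(observed, brand, owned):
    results = {d: classify(d, brand, owned) for d in observed}
    return {d: reason for d, reason in results.items() if reason}

# Constructed sample of domains seen in a crawl or a new-registration feed.
OBSERVED = ["examplebank.example", "login.examplebank.example",
            "exarnplebank.example", "examp1ebank.example", "examplbank.example",
            "examplebank-login.example", "examplebank.invalid", "weather.example"]

if __name__ == "__main__":
    for name, reason in triage(OBSERVED, "examplebank", {"examplebank.example"}).items():
        print(f"{reason:20} {name}")
```

The output is a review queue rather than a verdict: each flagged domain still needs a human to confirm ownership and intent before a takedown request.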

Brand Abuse Takes Advantage of Hard-Earned Customer Loyalty

If you aren’t thinking about your brand as part of your attack surface, you should be. Many of the attacks we’ve covered so far rely on misusing the trust and loyalty your brand builds with your customers. Brand abuse is an up-and-coming tactic with many creative ways to target your customers and fans. It’s difficult to counter because it can take so many forms, including:

  • Fake social media accounts
  • Unofficial websites
  • Impersonations of executives or employees
  • Unauthorized mail servers
  • Fake job listings
  • Online scams

Brand protection tools can help you identify the many ways your brand might be exploited and retake control of your brand’s identity online.

Rogue Mobile Apps Are Wolves in Sheep’s Clothing

Rogue mobile apps are an important vector for malicious code and comprise 28 percent of all security breaches. Rather than attacking their targets directly, hackers develop these apps to masquerade as other, legitimate products. They are then submitted to Google Play or Apple Store where they’re downloaded by users.

Once installed, these apps have free access to your data — which is what they were after. These malicious apps have been and remain a huge problem, often reappearing in numerous guises.

Sometimes, they’re quickly identified and removed. Sometimes, a half-million people are exposed before someone figures it out.

Methods for dealing with rogue mobile apps belong in your enterprise security strategy for two reasons:

  1. Employees may download a rogue app onto a company smartphone or computer, or access sensitive material on a device that is already compromised.

The prevalence of smartphones means that even if your company doesn’t have devices where employees might install things, they become part of your attack surface the moment an employee checks his or her work email on a personal device.

  2. A malicious developer may impersonate your brand to lend an app legitimacy.

While we commonly see this in the banking industry, any brand which uses apps may fall prey to malicious look-alikes.

3. Shadow IT: What You Don’t Know Can Hurt You

The independent actions of individuals inside your organization also create vulnerabilities. A growing area of the modern digital footprint involves the rise of Shadow IT. This is defined as the creation or use of digital assets outside the purview of your company’s IT security staff. In other words, it’s the pieces of your digital footprint you don’t know about which create the attack surface here.

Shadow IT takes many forms, from microsites and subdomains to social media profiles and subscriptions to cloud-based services. When neglected or poorly constructed, it has the potential to become a significant vulnerability in your digital environment. For example, a piece of software that is installed may have security flaws.

On its own, shadow IT is not malicious. Rather, its presence indicates that your company’s internal tech needs are not being met. Shadow IT may develop when:

  • IT staff are not able to keep pace with business needs, causing departments to look elsewhere for support
  • Developers or marketers build their own subdomains for testing or other purposes, then forget about them
  • Public-facing digital assets may “get lost” in large and disorganized sites, or during mergers
  • Employees download or install productivity-enhancing software or services without informing IT
  • Development gets outsourced to meet tight deadlines

Shadow IT can be hard to track down, so we recommend the DIME approach: discover, inventory, manage and enforce security policy.

Discovery

A comprehensive assessment of your digital footprint will identify the presence of unauthorized or unknown digital assets.

Inventory

Taking inventory informs your enterprise security plan to accommodate the attack surface newly discovered assets may have created. Digital asset types include hosts, domains, websites, certificates, and third-party applications.

Manage

Manage by first understanding what assets exist and why. Then, either bring the asset under the purview of IT or remove it. Shadow IT forms when employees cannot rely on your IT group to achieve the solution they need. Therefore, create and implement procedures for efficiently and effectively introducing new IT elements into your digital footprint.

Ultimately, Shadow IT is an opportunity to reveal the areas where your IT policy and digital environment need to evolve to better meet the needs of your team.

Next Steps

Your digital footprint reflects the nature of the modern online landscape: interconnected, shifting, and the aggregate of many people’s actions. The largest security vulnerabilities occur when organizations fail to consider how their digital assets are being impacted by other players. Whether propagated by internal or external actors, things like third-party threats, rogue threats and shadow IT create three often-missed faces of the modern digital footprint.

The shifting nature of cyberspace presents an unparalleled challenge to visualizing a company’s attack surface fully.

We encourage you to check out our webinar on Understanding and Taking Action on Risks Associated with Your Digital Footprint.

You’ll also find our guide on the anatomy of a digital footprint useful in evolving your company’s IT security paradigm.

Finally, got questions? Reach out and let me know if you’d like to discuss your attack surface, or what this means for you.
