It used to be that we kept the bad guys out and let the good guys in, and this was enough to control risk. We could assume that if you were on the outside and not an employee, you would be treated as a bad guy. If you were on the inside and an employee, you were treated like a good guy and trusted. This is actually known in the data security industry as the trust model. If a trusted person or entity communicates with an outside or untrusted person or entity, that is OK; they are allowed to communicate. However, if an outside entity that is not trusted tries to communicate with an internal entity, that is not allowed, because the outside entity is untrusted. Pretty straightforward, right?
Well, it may have been in the past, but it certainly isn't anymore. Several questions arise. Who do you trust, and why? If you do trust them, what do you trust them with? If you have specified all of that, what is the effective timeframe of that trust relationship? What about the outside? Many employees reside on the outside of the network: traveling, working from a home office, or just checking email from a remote location such as on vacation or at the airport.
Familiar With Attack Surface?
This is a fancy new term for describing where in your network the bad guys can launch an attack. Going back to our earlier analogy, previously an entity was either on the outside or on the inside. That simply is not the case anymore. There are several reasons, in addition to having multiple locations where employees may use your IT resources. You also have multiple players that cannot be easily classified as employees: contractors, temporary workers, guest workers, visiting guests, and maybe employees from another part of the company who need to be granted temporary access. The efficacy of the old system is severely limited.
All of these variables complicate the process of defending your data. To make things worse, the attack surface is expanding even more. With the IoT, or Internet of Things, which we will talk about more in the future, most devices in your domain are potentially going to be connected. They will have to be protected also, because every Samsung refrigerator with a network connection expands your attack surface and makes you more vulnerable. Every time you add a security camera or alarm sensor to your network, you have more attack surface, increasing your risk.
How Do You Know?
Now you know what an attack surface is, and you know it is a massive opportunity to make your company vulnerable and increase risk. What do you do about it? Well, in most instances what companies do when there is an attack is respond to that specific attack. They deal with the crisis at hand. Understandable; I would too. But after the crisis is over, what happens then? They go back to what they were doing, maybe patch the hole, and move on, all the while leaving the company in the same vulnerable position it was in before. Why is this? Because the typical approach to data security, as I have mentioned before, is reactive instead of preventive. It is prescriptive instead of holistic.
We will also get into preventive modeling in the future. But for now, we need to know that the reactive approach will not work. Once your attack surface is recognized, it can be analyzed and quantified. After this, the policy makers within your organization can marshal the resources to make the attack surface smaller and protect its vulnerabilities. But this will only come from the top. I think you can see that just adding a newer firewall or plugging a hole is not the answer.