Expanded attack surface: Why businesses need to rethink cyber security in the new threat landscape
For many, working a full week in the office feels like a distant memory.
In fact, our recent research found that 44% of workers across Europe split their time between the office and home. It is a working practice that is here to stay.
However, the shift to hybrid working brings with it a need for more complex IT and cyber security requirements. If work is now conducted on a mixture of home and corporate networks, as well as public networks provided by airports, trains, cafes and other similar establishments, then we need to factor this into our cyber security risk assessments. The most obvious threat today is allowing wide-scale access from devices and endpoints located anywhere in the world. This places a huge level of trust in the user logging in, that they are a legitimate employee and that their device is fully secure.
Additionally, anywhere your employees can initiate a connection to the corporate network could be a malicious route into your organisation. Therefore, it’s important to consider how large the attack surface has become and how it can be reduced whilst still maintaining all the functionality users require.
In technical terms, the attack surface is the sum of all possible entry points into your organisation or points where data can be accessed – it could be in the cloud, a data centre, an office or someone’s home. The smaller the attack surface, the easier it is to protect. Gartner identified Attack Surface Expansion as the number one security risk for 2022, which we discuss below.
Understanding the new threat
As a global cyber security provider, Ricoh speaks with customers every day about their cyber security needs. The vast majority of organisations still rely on pre-pandemic risk assessments and risk registers. In fact, they do not fully understand the impact that changes in employee behaviour can have on their technical capabilities when adopting a hybrid working approach.
Ask yourself: does every employee sitting at home or traveling on the road have their internet traffic, email and endpoint fully monitored and protected? Next, ask yourself: is their identity also protected – meaning is the person logging on with their credentials actually a legitimate employee?
Changing the approach
Historically, the defence against cyber-attacks was to enclose all data and devices within the perimeter you control – deploy firewalls, antivirus, mail filtering and web filtering – whilst ensuring all employees remain predominantly office-based and all software is patched and up to date. This became the basic risk management profile of most organisations, with budgets and IT team sizes set against it. As attacks evolved, phishing became more prevalent. This meant User Awareness Training became a basic staple of a cyber security plan, often outsourced to an automated solution.
Cloud came next, with Cloud Access Security Brokers (CASB) being the next hot topic to secure access to SaaS applications and shadow IT problems. This then evolved into Cloud Security Posture Management and Cloud Workload Protection to secure what you have in your own public or private cloud.
The problem is these defences are predicated on most employees being in the office (or on a VPN) and using endpoints and devices owned by the organisation. Fast-forward to 2022 and, without much notice, all employees can now theoretically be anywhere in the world and connected or not connected to the corporate VPN. As they can potentially use their credentials on their own personal devices, the question is: are all the previously mentioned protections still as effective?
For most organisations the answer is something like “Well, they have worked in the past and we’ve not had a cyber-attack yet”.
The problem here is that the Attack Surface is no longer limited to what you have chosen to allow through the perimeter firewall and what you are consuming in the cloud. It has now expanded to every single corporate device in employees’ homes and any non-corporate device that an employee chooses to log in from and, by extension, every username and password (or identity) in use throughout your organisation. This is on top of all assets already in use within the cloud, datacentres and all web applications exposed to the internet – and lately, all supply chain routes.
When factoring this in, quite often just understanding what the attack surface is becomes a significant challenge – and this is before establishing how to reduce and secure it.
Attack surface reduction
Reducing the attack surface is underpinned by first knowing what assets are in use, and where they are. Once this is understood, locating all vulnerabilities on these assets becomes the next priority and then remediation work (along with asset reduction) reduces the attack surface.
It’s possible to do all three with:
- Continuous (always-on) vulnerability scanning (that includes asset identification & classification)
- A Remediation Console that groups the assets and displays all vulnerabilities, including:
  - Finding new vulnerabilities in real-time
  - Assigning remediation actions to individuals
  - Prioritising remediation based on greatest risk
  - Tracking remediation success
  - Real-time retesting / verification of remediation
- Trend analysis of where most vulnerabilities arise and what the root causes are
The last point here is the most critical one. Without understanding what the root cause of a vulnerability is, it’s not possible to prevent it recurring – leading to an endless loop of finding an issue and fixing it. It’s vital to analyse trends of vulnerabilities to enable you to address the root cause. It could be a skills shortage within the IT team, an oversight in a central patching solution, or perhaps a certain vendor just produces very poor software. Whatever it is, without addressing the root cause, the attack surface is not actually reduced; it’s temporarily hardened until another vulnerability arises.
Once all assets are found and vulnerabilities understood, it’s then possible to take steps to reduce the attack surface. This includes consolidating technologies, eliminating unnecessary software and services, upgrading software and operating systems, and ongoing vulnerability identification and management. Everything stems from this information: the scope of your next pen test, the scope of the next ISO audit, what a patching solution needs to cover, what technologies need to be replaced and who needs extra training - the list goes on.
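The remediation workflow described above (exposure-weighted prioritisation, closing a finding only after a retest, and root-cause trend analysis) as a small worked example. This is added illustration code, not Ricoh's product or the article's own material; the exposure weights, asset names, vulnerability IDs and root-cause labels are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed exposure weights: findings on assets outside the traditional perimeter
# (home, personal/BYOD, internet-facing) carry more risk than the same finding
# inside the datacentre, reflecting the expanded attack surface discussed above.
EXPOSURE = {"datacentre": 1.0, "cloud": 1.2, "internet": 1.5, "home": 1.3, "byod": 1.6}

@dataclass
class Finding:
    asset: str
    location: str
    vuln_id: str       # placeholder identifiers, not real advisories
    severity: float    # CVSS-style base score, 0-10
    root_cause: str
    fixed: bool = False

def risk(f: Finding) -> float:
    """Exposure-weighted risk; unknown locations get no uplift."""
    return f.severity * EXPOSURE.get(f.location, 1.0)

def prioritise(findings):
    """Open findings ordered highest risk first: the remediation queue."""
    return sorted((f for f in findings if not f.fixed), key=risk, reverse=True)

def verify_fix(findings, vuln_id, retest_passed):
    """Close a finding only when a retest confirms the fix; returns True if closed."""
    closed = False
    for f in findings:
        if f.vuln_id == vuln_id and retest_passed and not f.fixed:
            f.fixed = closed = True
    return closed

def root_cause_trend(findings):
    """Count every finding, open or fixed, by root cause to show what keeps recurring."""
    return Counter(f.root_cause for f in findings)

def open_by_location(findings):
    """Where the open findings sit: the 'where most vulnerabilities arise' view."""
    return Counter(f.location for f in findings if not f.fixed)

# Constructed sample inventory (not real assets or advisories).
FINDINGS = [
    Finding("laptop-17", "home", "VULN-0001", 7.5, "missing patch"),
    Finding("web-01", "internet", "VULN-0002", 9.8, "vendor software"),
    Finding("db-03", "datacentre", "VULN-0003", 6.0, "missing patch"),
    Finding("phone-bob", "byod", "VULN-0004", 5.0, "unmanaged device"),
    Finding("app-02", "cloud", "VULN-0005", 4.0, "misconfiguration", fixed=True),
]
```

Calling `prioritise(FINDINGS)` puts the internet-facing web server first and the datacentre database last, even though the home laptop's raw severity is lower than the server's; `root_cause_trend(FINDINGS).most_common()` shows that "missing patch" is the recurring cause to address.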
Ultimately, to stay ahead of attackers, organisations must be able to accurately monitor their attack surfaces, maintain fully updated asset inventories, and truly judge which vulnerabilities to patch for the greatest risk reduction. A solution such as Ricoh Remediation can meet these requirements and many more to fundamentally ensure the attack surface is understood and reduced as much as possible.
Rethinking cyber security
There is no doubt that the shift to hybrid working brings significant benefits to businesses. But organisations must be cognisant of the changing cyber security requirements that come hand-in-hand with the expansion of working locations.
To adequately defend against a costly cyber-attack, businesses must acknowledge that potential attack points are as fluid as the myriad of working locations their people are using. Implementing the right tactics and technology to cover areas where the attack surface can't be reduced is essential. The stakes are too high not to act – especially when data, reputation and market position are all at risk.
Director of Cyber Security, Ricoh Europe