Securing Australia’s cyber future Part 4: managing your attack surface

As the companies that were breached scramble to deal with the fall out, the rest of us have an obvious question: will we be next?
The rise of remote work, adoption of cloud services and increased data sharing between partners have dramatically complicated the business of cybersecurity. The idea of a single perimeter that can be policed with firewalls and swipe cards is a relic of the past. Instead, as attack surfaces grow increasingly distributed and complex, cybercriminals have more weaknesses to exploit than ever. If there’s one lesson to take from the carnage, it’s that assessing and protecting your attack surface is crucial to managing cyber risk.

The closer you look, the more gaps there are

The dust from this year’s cyberattacks is still settling, but it seems that every attack exploited a different weakness. In the Optus hack, a criminal discovered a misconfigured API. For Medibank, inadequate identity and access controls let in a ransomware group, while for MyDeal, compromised credentials were used to access records. Vinomofo exposed real customer data while testing changes to its digital platform, while the Australian Music Examinations Board didn’t patch its online shop’s software quickly enough.

As this mix shows, criminals are opportunists who seek out weaknesses to target Personally Identifiable Information (PII). Across these incidents, API misconfiguration, poor identity and access controls and slow patching let criminals in. The reality is that with the number of integrations and potential entry points modern organisations have, there is simply no practical way to cover every single security gap. With so many different avenues of attack, where should you start your defence?

Start by identifying and actively managing your data

It may go without saying, but protecting your assets is harder if you don’t know what (or where) they are. Audits of the data you hold should be undertaken regularly. That’s particularly true for Personally Identifiable Information, or PII, which is governed by policies like Australia’s Privacy Act and the European Union’s GDPR.

Many organisations don’t think about data once they’ve captured it, but in many cases – think of data used to certify an individual’s account or address – hanging on to it offers no benefit to you but is a serious risk if your attack surface is breached.

An audit that includes cloud-based storage, partner organisations and testing platforms can help you trim away data you don’t need, identify the data you do, and find out who’s accessing it. Older parts of your network are a particular risk. “Legacy systems can be easily compromised,” says one member of Mimecast’s Advisory Board, “and organisations must invest the time and resources into hunting and updating.” Data usage reports are a vital tool here, allowing you to see commonly used data and identify areas with unusual traffic.

Assess your attack surface

Once you’ve audited your data, you can assess how attackers might reach it. Open-source intelligence, monitoring and threat intelligence can help you assess points of vulnerability. You’ll need to also weigh the impact of the exposure of data against the costs of protecting it. Some organisations are happy with a basic assessment, or one that relies more on meeting general maturity or regulatory targets. But a thorough risk-based analysis that puts dollar numbers on the impact of different threats can help CISOs and boards assign resources more scientifically.

Every organisation will strike a different approach to assessment, based on their environment, the data they hold and the nature of their workflows. One useful model to keep in mind is the CIA Triad, which sees the confidentiality, integrity and accessibility of data as core principles that shape decision making.

Start with the basics – and trust no one

CISOs should always start with the basics. Getting the fundamentals right can dramatically strengthen your cybersecurity posture at relatively little cost. That means reviewing tools, checking certifications are up to date, optimising firewalls and undertaking rigorous patch management that ensures high-risk updates are applied immediately. “Security ops have been saying the right things for years,” says another Mimecast Advisory Board Member. “Now IT ops needs to listen and catch up with the reality of where we are now. Patching is the perfect example; you have to do it all the time. It’s about creating the right habits all the way across, from leadership to IT ops.”

If carried down consistently, these measures will significantly reduce your attack surface. But it’s important to remember all we can do is reduce the probability of a breach. Eventually, someone will break through. When they do, segmentation and zero trust can ensure they don’t get too far. Network segmentation relies on sub-networks with strict access controls. Zero-trust frameworks are more holistic solutions, in which every request is assessed and validated separately, no matter who is making it or where they are on your network. That means in the event of a breach, the damage can be contained and minimised.

Manage human risk with Identity and credential management

Just as you audit your data, you should audit your staff. Strong access protocols that remove users’ credentials as soon as they leave your company and ensure employees only have the credentials they need should go hand in hand with strong authentication, whether attribute- or role-based. MFA and the latest passwordless technologies, meanwhile, make it harder for stolen credential attacks to succeed.

“Identity is a big one: how we uplift capabilities and what controls and context-based technologies are available,” agrees one Mimecast Advisory Board member. “We are now revisiting the budget to look at accelerating capabilities to adapt to new threats.”

The right training can reduce the risk of human error and ensure that cyber awareness runs through your company. It should be targeted, and based on real scenarios – the recent incidents provide plenty of material – with appropriate focus placed on phishing, devices, the use of social media and part time and gig employees. Neglect no one: you can be sure attackers won’t.

Budget and executive buy-in are crucial

Discovering a risk to your attack surface is only a marginal gain if you’re not able to strengthen your defences. CISO’s budgets have often been constrained, as one Mimecast Advisory Board member notes. “Sadly, vulnerabilities are often picked up on pen tests,” they explain, “but the time and money to fix the vulnerability is not available and so the fix is not actioned.”

That makes this wave of attacks a moment of opportunity for security leaders. Worried boards are turning to their CISOs for solutions. “We’re the new cool kids,” jokes another member, “because finally everyone cares what we have to say.” Striking when the iron is hot may give extra weight to awareness training and encourage other departments to factor cybersecurity into their decision making, as well as loosening the board’s purse strings.

Lessons learned and attack surface

The attacks on Optus, Medibank and the rest have jolted organisations across the country. So seize the moment. Now is a prime time for companies to review the data they store and the attack surfaces that surround it. The measures we’ve listed would have prevented almost all of this spring’s big breaches.

By evaluating your biggest assets, and adopting the right policies to protect them, you can massively reduce your risk profile. And by making auditing and optimising a continuing, ongoing operational practice, you can build true cyber resilience.