Understanding and Managing Your Attack Surface

By Kes Jecius, RedSeal Senior Consulting Engineer

The Center for Internet Security’s (CIS) ninth control for implementing a cybersecurity program is for your organization to manage the ports, protocols, and services on a networked device that are exposed and vulnerable to exploitation. The intent of the control is for your organization to understand and manage the “attack surface” of its computing assets.

Attack surface can be defined in two dimensions, the network dimension and the server configuration. The network dimension is about attack vectors, or how an attacker can gain access to a device. We assume that attackers come from an untrusted part of the network, such as the Internet. You reduce attack vectors by limiting which devices/servers are accessible from these untrusted network spaces. This is typically done by implementing firewalls within the network infrastructure.

The next attack surface dimension is the ports/protocols/services that are enabled and accessible on the server itself. Start by understanding what ports/protocols/services are required for an application to run on the network. Any that aren’t required should be disabled on the server. For instance, on a public-facing web server only ports 80 (http) and 443 (https) need to be enabled to view web content. Next, pair this basic understanding with an active vulnerability management program. Attackers continue to develop exploits for these commonly used ports. You’ll want to remediate these potential vulnerabilities in a timely fashion to reduce the risk of compromise.

Beyond your external attack surface, however, there is an additional dimension. Many current system exploits come from within your own internal network. Hackers regularly use phishing emails and false web links to entice people to click on something that will install some type of malware. This creates a new attack vector to critical assets as an attacker gains a toehold within your trusted internal network.

To manage both your external and internal attack surfaces, you need to use tools and platforms to understand both attack vectors and the ports/protocols/services needed on critical systems. CIS recommends:

  • Using your asset inventories generated from implementing CIS Control #1 (Inventory and Control of Hardware Assets) and Control #2 (Inventory and Control of Software Assets) to map active ports/protocols/services to critical systems.
  • Ensure that only required ports/protocols/services are enabled on these critical systems.
  • Implement mitigating controls in the network, such as application firewalls, host-based firewalls, and/or port filtering tools.
  • Perform regular automated port scans of critical systems to ensure that implemented controls are being effective.
    NOTE: Many servers are not tolerant of port scanning tools due to load on the server. Other solutions exist that allow organizations to validate that only required ports/protocols/services are enabled on critical servers.

Although no single product can be the solution for implementing and managing all CIS controls, look for products that provide value in more than one area and integrate with your other security solutions. RedSeal, for example, is a foundational solution that provides significant value for understanding and managing your external and internal attack surfaces. Additionally, RedSeal provides pre-built integrations with many security products and easy integration with others via its REST API interface.

Download the RedSeal CIS Controls Solution Brief to find out more about how RedSeal can help you implement your cybersecurity program using the CIS Controls.