October is National Cybersecurity Awareness Month. Our goal this month is to provide you with meaningful information to help you make well-informed, conscious decisions about how you should be protecting yourself and your company from cyber threats.

To start this month off, we felt it was important for everyone to become familiar with the term “attack surface”. Your attack surface is all the information and vulnerabilities that can be found and used in a cyber-attack.

Generally, the attack surface has been attributed to software and hardware that are publicly accessible to attackers. For example, at home it would be your internet router or smart devices, and at the office it would be firewalls, remote access, web servers, video-conferencing equipment, etc.

Too often we forget that the true attack surface goes well beyond the software and hardware devices that exist on the network. Cyber threat actors use all of the other information available to them to create their attacks. What type of information? Glad you asked.

  1. Social media information – Job, title, names, pets, family, birthdays, employees, locations, times, colleges, awards, vendors, etc.
  2. Breached information – email addresses, passwords, phone numbers, names, addresses, etc.
  3. Job Postings – hiring manager, technology you use, people that do not exist in your firm, accepted document types, etc.
  4. Internet – IP addresses, DNS, website, hosted document metadata, clients, business partners, network devices, forums, blogs, GitHub, cloud storage, public records, wireless access points, etc.
  5. Physical – recycled documents, weak entry points, tailgating, RFID-cloning, no-security, shoulder-surfing.

These are just some of the examples attackers use when evaluating your or your company’s attack surface. How can you map out your own attack surface? For starters, try to develop a list based on the categories above. You can use the following to help with some of this.

  1. Use advanced Google search operators such as “allintext”, “inurl”, and “filetype”.
    • Example: allintext:"Your Name"
  2. Find out how many times your account information has been breached at http://www.haveibeenpwned.com.
  3. Search for IoT devices and IP addresses associated with yourself or your company at https://www.shodan.io/.

Given the amount of information available about you and your company, and the tools available to find it, you may want to engage an expert to help map out your attack surface.

Feel free to forward this on to your colleagues to help them map out and understand their own attack surface.