Quick Tips – How to Limit Your Attack Surface
A common theme for many of the External Penetration Tests that we perform is unnecessary attack surface exposed to the Internet. So what is your Internet attack surface? How do you reduce it? And why is this even important? These are all great questions and items worthy of a blog post, given how often we see findings related to them on our reports.
What Do You Mean by “Attack Surface”?
This may not be a phrase you’re familiar with, so let’s start at the very beginning by defining it. Your organizational attack surface is made up of all the targets (hosts, ports, services, etc.) that are exposed to a particular set of users. You have an external attack surface, which relates to your assets that are exposed to the open Internet. You also have an internal attack surface, seen from the perspective of an employee or visitor to your office, and a wireless attack surface that is exposed to a person in your parking lot. But for now, let’s home in on the external attack surface, which is by far the most important.
From the Internet, your attack surface encompasses all the systems your company owns and advertises on the Internet for business purposes, and all the ports/services on those hosts. This includes all on-premise servers, cloud-hosted solutions, Software-as-a-Service solutions (even though you may not be directly responsible for testing those assets), and marketing websites that a user can access from anywhere in the world. That kind of ease-of-access comes at a price, however, as these are the most likely targets for attackers.
Why Does Your Attack Surface Matter?
The reason this is one of the most common findings we discuss following an external penetration test with a first-time customer is its importance. Anything that’s exposed to the Internet is a potential avenue of attack for a hacker. Any of the software sitting out there could have a vulnerability disclosed for it at any time, and your organization could be swept up in a broad, opportunistic attack campaign. Anything accessible from the Internet carries a higher level of inherent risk, which warrants your best security controls. That required level of security control, though, comes with increased cost and the staff time needed to maintain it.
So why not reduce the number of targets for an attacker? That’s a better security posture and fewer organizational resources dedicated to maintaining your externally exposed footprint. Win-win, right?
How To Reduce Your Attack Surface
So now that we’ve established that a large number of hosts/services exposed to the Internet is a bad thing, from both a security and management perspective, let’s talk through some ways to ease the pain:
- Remove unnecessary hosts – Each computer system that is exposed to the Internet should have a management-approved business justification associated with each port/service exposed. If there isn’t a good reason a system is available from the Internet, it probably shouldn’t be. So moving systems to the internal network and restricting access to only internal users or users connected via the corporate VPN makes them less likely to be an easy target.
- Remove unnecessary services – Turn off unnecessary services running on exposed hosts and block access to those ports/services at the external firewall. If a host is supposed to be a web server, make sure it’s only serving up the application you’re expecting on the port you’re expecting and nothing else.
- Block traffic to unnecessary ports – If we do a port scan (or hopefully you’re doing your own port scans) and a closed port is encountered, this is usually an indication that your firewall rules need to be updated. A closed port means traffic is passing through the firewall and reaching a port on a host that has no service listening to accept it. This typically happens when an architecture change isn’t accompanied by the matching firewall change, or the other way around, when a firewall rule is changed (possibly by accident) without a corresponding architecture change.
- Remove unnecessary content – A lot of applications and web servers have default content on them, either due to the development team not knowing it was there when everything was pushed to production or because it wasn’t a part of the hardening checklist. But any content, including help pages, error pages, configuration pages, default templates, etc., should not be exposed in your Internet-facing production environment. There are many cases of vulnerabilities in these kinds of files that have led to serious exploits and compromises.
So, beyond reducing what you are exposing to the Internet, you’ve also got to take some steps for the systems that are left over because they are necessary for business operations. There is still plenty you can do to reduce the chance that your organization will easily succumb to a targeted attack. You should consider:
- Multi-Factor Authentication for all login interfaces.
- Making sure all login interfaces are using best practice transport encryption (HTTPS, TLSv1.2, strong ciphers, etc.). You can check with Qualys’ free scanner.
- Account lockout policies for all login interfaces.
- Review sites like Shodan and Censys to see what external ports and protocols are exposed on your organization’s Internet connection.
- Stronger password policies or alternative methods of authenticating (public keys for SSH can be a good alternative).
- Source IP filtering, when possible.
- Making sure your exposed login interfaces are not susceptible to username enumeration (a penetration test can help tell you this).
- Regular port scans to check what you are exposing, comparing every open port and service against an approved baseline so that anything unexpected stands out.
- Regular penetration tests (at least annually and after any major architectural changes).
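The “remove unnecessary services”, “block traffic to unnecessary ports” and “regular port scans against an approved baseline” items above all come down to the same routine check: scan your own ranges, then diff the result against the list of ports that management has actually approved. The script below is an added example and is not tooling from the original post; it parses nmap’s grepable output (`nmap -oG`) and sorts every observed port into three buckets. The scan text, the hosts and the baseline are constructed sample data, not a real scan.

```python
"""Diff an nmap grepable-output scan against an approved exposure baseline.

Added example (not the post's own tooling). It assumes you run something like
`nmap -oG scan.gnmap <your ranges>` and keep a baseline like BASELINE below.
"""
import re

# Constructed sample of what `nmap -oG -` prints for two hosts (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -oG - 203.0.113.10 203.0.113.20
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (996)
Host: 203.0.113.20 (mail.example.test)\tStatus: Up
Host: 203.0.113.20 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Constructed approved baseline: host -> {port: management-approved justification}.
# 203.0.113.30 is in the baseline but was not seen in the scan (drift to investigate).
BASELINE = {
    "203.0.113.10": {80: "marketing site redirect", 443: "marketing site"},
    "203.0.113.20": {25: "inbound mail", 443: "webmail"},
    "203.0.113.30": {443: "partner portal"},
}

# Grepable port fields look like port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:")[1].split("\t")[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append((int(port), state, proto, service))
    return hosts


def compare(scan, baseline):
    """Classify observed ports against the baseline.

    unexpected_open  : open port with no approved justification -> remove the
                       service or block it at the firewall.
    reachable_closed : traffic reaches a port with nothing listening -> the
                       firewall rule should be tightened.
    missing          : approved service not observed -> baseline or host drift.
    """
    findings = {"unexpected_open": [], "reachable_closed": [], "missing": []}
    for host, ports in scan.items():
        approved = baseline.get(host, {})
        seen_open = set()
        for port, state, _proto, service in ports:
            if state == "open":
                seen_open.add(port)
                if port not in approved:
                    findings["unexpected_open"].append((host, port, service))
            elif state == "closed":
                findings["reachable_closed"].append((host, port))
        for port in approved:
            if port not in seen_open:
                findings["missing"].append((host, port))
    for host, approved in baseline.items():
        if host not in scan:                      # host never answered
            for port in approved:
                findings["missing"].append((host, port))
    return findings


def check(text, baseline):
    """Convenience wrapper: parse the scan and diff it in one call."""
    return compare(parse_gnmap(text), baseline)


if __name__ == "__main__":
    for category, items in check(SAMPLE_GNMAP, BASELINE).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it with a real `-oG` file in place of `SAMPLE_GNMAP` and treat every `unexpected_open` entry as a service to justify or remove, every `reachable_closed` entry as a firewall rule to tighten, and every `missing` entry as a baseline to update or an outage to investigate.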
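Three of the checklist items above (account lockout, stronger authentication and login interfaces that do not leak whether a username exists) can be shown together in one small login handler. This is an added example written for this post, not code from the original; the user store, the lockout threshold and window, and the PBKDF2 iteration count are assumed values for illustration. The points to notice are that the same generic message is returned for an unknown user, a wrong password and a locked account, that the password hash is computed even when the user does not exist so the response time does not differ, and that the comparison uses `hmac.compare_digest`.

```python
"""Login handler hardened against username enumeration, with account lockout.

Added example, not the post's code. Policy constants below are assumptions.
"""
import hashlib
import hmac
import os
import time

LOCKOUT_THRESHOLD = 5        # failed attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60    # lockout duration (assumed policy)
PBKDF2_ITERATIONS = 100_000  # illustrative; tune to current guidance in production


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Dummy credential used when the username is unknown, so the server does the
# same amount of work either way and timing does not reveal valid usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


class LoginService:
    GENERIC_FAILURE = "Invalid username or password."  # identical for every failure

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable for testing lockout expiry
        self._users = {}          # username -> (salt, hash)
        self._failures = {}       # username -> (count, locked_until)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def _locked(self, username):
        _count, locked_until = self._failures.get(username, (0, 0))
        return locked_until > self._clock()

    def _record_failure(self, username):
        count, _ = self._failures.get(username, (0, 0))
        count += 1
        locked_until = self._clock() + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0
        self._failures[username] = (count, locked_until)

    def login(self, username, password):
        """Return (ok, message); the message never says *why* a login failed."""
        salt, stored = self._users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        password_ok = hmac.compare_digest(hash_password(password, salt), stored)
        known_user = username in self._users
        if known_user and self._locked(username):
            return False, self.GENERIC_FAILURE   # right password still fails while locked
        if known_user and password_ok:
            self._failures.pop(username, None)   # reset the counter on success
            return True, "Login successful."
        if known_user:
            self._record_failure(username)
        return False, self.GENERIC_FAILURE


def demo():
    """Walk through the behaviours and return what a caller would observe."""
    now = [1000.0]
    svc = LoginService(clock=lambda: now[0])
    svc.add_user("alice", "correct horse battery staple")
    unknown_msg = svc.login("nobody", "anything")[1]
    wrong_msg = svc.login("alice", "wrong")[1]
    success = svc.login("alice", "correct horse battery staple")[0]
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("alice", "wrong")
    locked = svc.login("alice", "correct horse battery staple")[0]
    now[0] += LOCKOUT_SECONDS + 1            # lockout window elapses
    after_lockout = svc.login("alice", "correct horse battery staple")[0]
    return unknown_msg == wrong_msg, success, locked, after_lockout


if __name__ == "__main__":
    print(demo())
```

Lockout here is tracked per username only; in production you would also rate-limit by source address, since an attacker spraying unknown usernames never increments any counter, and you would put MFA in front of this check rather than rely on the password alone.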