A common theme for many of the External Penetration Tests that we do is unnecessary attack surface exposed to the Internet. So what is your Internet attack surface? How do you reduce it? And why is this even important? These are all great questions and seemed like a useful topic to cover in a little bit more detail given how often we’re seeing it.
What Do You Mean “Attack Surface”?
This may not be a phrase you’re familiar with, so let’s start at the very beginning by defining it. Your organizational attack surface is made up of all the targets (hosts, ports, services, etc.) that are exposed to a particular set of users. You have an external attack surface covering your assets that are exposed to the open Internet. You also have an internal attack surface, your network as seen by an employee sitting in your HR department, and a wireless attack surface that is exposed to a person in your parking lot. But for now, let’s home in on the external attack surface, which is by far the most important.
From the Internet, your attack surface encompasses all the systems your company owns and uses for business purposes, and all the ports/services on those hosts. This includes all on-premises servers, cloud-hosted solutions, Software-as-a-Service solutions (even though you may not be directly responsible for testing those assets), and marketing websites that a user can reach from anywhere in the world. That kind of ease of access comes at a price, however, as these are the most likely targets for attackers.
Why Does Your Attack Surface Matter?
The reason this is one of the most common things we discuss following an external penetration test with a first-time customer is its importance. Anything that’s exposed to the Internet is a potential avenue of attack for a hacker. Any of the software that’s sitting out there could have a vulnerability disclosed for it at any time, and your organization could be swept up in a wide-scale attack. Anything accessible from the Internet has a higher level of inherent risk, which warrants your best security controls. With this required level of security controls, though, comes increased cost and resources to maintain them.
So why not reduce the number of targets for an attacker? That’s a better security posture and less organizational resources dedicated to maintaining your externally exposed footprint. Win-win, right?
How To Reduce Your Attack Surface
So now that we’ve established that a large number of hosts/services exposed to the Internet is a bad thing, from both a security and management perspective, let’s talk through some ways to ease the pain:
- Remove unnecessary hosts – Each computer system that is exposed to the Internet should have a management-approved business justification associated with each port/service exposed. If there isn’t a good reason a system is available from the Internet, it probably shouldn’t be. So moving systems to the internal network and restricting access to only internal users or users connected via the corporate VPN removes them as an easy target.
- Remove unnecessary services – Turn off unnecessary services running on exposed hosts and block access to those ports/services at the external firewall. If a host is supposed to be a web server, make sure it’s only serving up the application you’re expecting on the port you’re expecting and nothing else.
- Block traffic to unnecessary ports – If we do a port scan (or, hopefully, you’re doing your own port scans) and a closed port is encountered, this is usually an indication that your firewall rules need to be updated. A closed port means the traffic reached the host, which answered that nothing is listening there; in other words, the firewall is forwarding traffic that the host cannot serve. This can happen due to architecture changes that don’t have the appropriate firewall changes associated with them, or vice versa, with potentially accidental firewall changes.
- Remove unnecessary content – A lot of applications and web servers have default content on them, either because the development team didn’t know it was there when everything was pushed to production or because removing it wasn’t part of the hardening checklist. Any such content, including help pages, error pages, configuration pages, default templates, etc., should not be exposed in your Internet-facing production environment. There are many cases where vulnerabilities in these kinds of files have led to a much more serious exploit and compromise.
So beyond reducing what you are exposing to the Internet, you’ve also got to take some steps for those systems that are left over and must be exposed for business operations. There are still some things to do to lessen the chance that your organization will be the lowest-hanging fruit or will easily succumb to a targeted attack. You should consider:
- Multi-Factor Authentication for all login interfaces.
- Making sure all login interfaces are using best practice transport encryption (HTTPS, TLSv1.2, strong ciphers, etc.). You can check with Qualys’ free scanner.
- Account lockout policies for all login interfaces.
- Stronger password policies or alternative methods of authenticating (public keys for SSH can be a good alternative).
- Source IP filtering, when possible.
- Making sure your exposed login interfaces are not susceptible to username enumeration (a penetration test can help tell you this).
- Regular port scans to check what you are exposing, and making sure all services are expected using an approved baseline.
- Regular penetration tests (at least annually and after any major architectural changes).
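The two scan-related points above (closed ports pointing at stale firewall rules, and checking regular scans against an approved baseline) can be automated. The script below is an added example, not part of the original post: it parses constructed nmap "grepable" (-oG) output for three hypothetical hosts on RFC 5737 documentation addresses and compares it against a hypothetical management-approved baseline, flagging unapproved open ports, closed ports (firewall forwarding traffic nothing listens for), and approved services that were not seen open.

```python
"""Compare an external port scan against an approved exposure baseline."""
import re

# Constructed sample of nmap -oG output (hosts are documentation addresses).
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
Host: 203.0.113.12 ()\tStatus: Up
"""

# Hypothetical approved baseline: the business-justified TCP ports per host.
BASELINE = {
    "203.0.113.10": {443},
    "203.0.113.11": {22, 443},
    "203.0.113.12": {443},
}

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/tcp")


def parse_grepable(text):
    """Return {host: {port: state}} from -oG lines that carry a Ports: field."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # "Status: Up" lines without a Ports: field are skipped
        result[m.group(1)] = {int(p): s for p, s in PORT_RE.findall(m.group(2))}
    return result


def compare(scan, baseline):
    """Return sorted (host, port, finding) tuples.

    UNAPPROVED: open port with no justification in the baseline.
    CLOSED:     reachable port with no listener, so the firewall rule is too broad.
    MISSING:    approved service not observed open (host down or rule changed?).
    """
    findings = []
    for host in sorted(set(scan) | set(baseline)):
        observed = scan.get(host, {})
        approved = baseline.get(host, set())
        for port, state in sorted(observed.items()):
            if state == "open" and port not in approved:
                findings.append((host, port, "UNAPPROVED"))
            elif state == "closed":
                findings.append((host, port, "CLOSED"))
        seen_open = {p for p, s in observed.items() if s == "open"}
        for port in sorted(approved - seen_open):
            findings.append((host, port, "MISSING"))
    return findings


if __name__ == "__main__":
    for host, port, finding in compare(parse_grepable(SCAN_OUTPUT), BASELINE):
        print(f"{finding:<10} {host}:{port}")
```

Run it after each scheduled scan; any line of output is either a firewall rule to tighten, an exposure that needs a business justification added to the baseline, or a service that has gone missing.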