Understanding your attack surface is key to recognizing what you are defending
In this interview with Help Net Security, Marc Castejon, CEO at Silent Breach, discusses what organizations should be worried about at the moment and which technologies they should focus on in the near future.
Cybersecurity threats are evolving quickly. Based on your experience, what should SMBs be most worried about at the moment? What protection strategies should they focus on?
Most SMBs are struggling with building an effective cybersecurity strategy and sometimes focus on the wrong threat vectors. They are not aware of their cybersecurity posture and what they look like from an outside perspective, which is crucial in understanding how hackers operate.
SMBs should focus on their attack surface and work on reducing it to the bare minimum required to operate their business. This is challenging considering the attack surface is constantly evolving from every angle (supply chain, remote workers, instances in the cloud). Attackers are getting increasingly organized, working in teams and executing the cyber kill chain that starts with the most basic step: reconnaissance. So, understanding your attack surface is key to understanding what you are defending and how.
My recommendation for building an effective cyber security strategy:
1. Identify and monitor your attack surface: SMBs can’t protect what they don’t know. Use attack surface management tools to see what hackers can gather through OSINT, active scanning, social networks and threat intelligence. You will be surprised.
2. Defend your attack surface by testing its security: penetration testing, cloud configuration audits, social engineering training, endpoint protection, etc.
3. Respond to attacks: invest in log monitoring and incident response because it’s not a matter of if, it’s a matter of when. Prepare business continuity plans, disaster recovery plans, incident response plans, etc., and make sure your backups are up to date.
4. Work toward an international compliance framework like ISO 27001, NIST CSF, HIPAA. Being compliant shows that your cyber security strategy is mature and can be certified as the best in the industry.
What are some of the biggest security mistakes you see organizations making?
As a cybersecurity vendor, we execute penetration tests and vulnerability assessments day in and day out. The biggest mistake we see is organizations thinking that 2FA is the ultimate protection. When social engineering is in scope during our pentest, we can usually work around 2FA in less than 15 minutes using vishing, smishing or spear phishing.
Humans are always the weakest link in any cybersecurity program, and the information they choose to make public (or that is made public by the corporation) is also part of the attack surface that attackers see from the outside and use against the company to trick its people into giving away confidential information.
What is one key infosec technology that you believe will make a difference for organizations in the long term?
Attack surface management tools are key, in my opinion, in making a real difference in the long term. We see it as a central piece of a sound cybersecurity strategy because it allows an SMB to take snapshots of its cybersecurity posture and track how it evolves over time.
It can be used to track the progress of the infosec team in their effort to patch publicly accessible servers, reduce the number of ports exposed, hide email addresses that can be used for phishing, monitor company data available on the dark web, and so on.
The market is still young for those tools, but they are getting increasingly popular with SMBs and large corporations because they can track how the attack surface evolves in real-time, and react quickly if anything abnormal is detected.
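The snapshot-and-track idea from the answer above, as an added example that is not from the interview or from Silent Breach's tooling: parse two external port scans taken a week apart, diff the exposed services, and flag newly reachable high-risk ports. The scan lines are constructed for this example in the shape of nmap's grepable (-oG) output; the hostnames and IPs are documentation addresses, not real systems, and the high-risk port list and the scoring weights are this example's own choices.

```python
"""Attack-surface snapshot diffing (added example; input is constructed)."""
import re
from dataclasses import dataclass

# Constructed scan output for two points in time, in the shape of nmap -oG lines.
SCAN_WEEK1 = """\
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.20 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///, 993/open/tcp//imaps///
Host: 203.0.113.30 (legacy.example.com)\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///
"""
SCAN_WEEK2 = """\
Host: 203.0.113.10 (www.example.com)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
Host: 203.0.113.20 (mail.example.com)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///, 993/open/tcp//imaps///
Host: 203.0.113.30 (legacy.example.com)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///, 3389/filtered/tcp//ms-wbt-server///
Host: 203.0.113.40 (dev.example.com)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///
"""

# Services that should rarely face the internet (this example's own list, not a standard).
HIGH_RISK_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
                   3306: "mysql", 3389: "rdp", 5432: "postgresql", 6379: "redis",
                   27017: "mongodb"}
HIGH_RISK_SET = set(HIGH_RISK_PORTS)

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*)$")


def parse_scan(text: str) -> dict[str, set[int]]:
    """Map hostname (or IP when the scan found no name) to its set of open TCP ports.

    Only 'open' entries count: filtered or closed ports are not exposure.
    """
    surface: dict[str, set[int]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip comment/summary lines
        ip, name, ports = m.groups()
        open_ports: set[int] = set()
        for entry in ports.split(","):
            # field layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state == "open" and proto == "tcp":
                open_ports.add(port)
        surface[name or ip] = open_ports
    return surface


@dataclass
class SurfaceDiff:
    new_hosts: list[str]
    gone_hosts: list[str]
    opened: list[tuple[str, int]]   # (host, port) pairs reachable now but not before
    closed: list[tuple[str, int]]   # (host, port) pairs no longer reachable


def diff_surface(old: dict[str, set[int]], new: dict[str, set[int]]) -> SurfaceDiff:
    """Compare two snapshots as sets of (host, port) exposures."""
    old_exp = {(h, p) for h, ports in old.items() for p in ports}
    new_exp = {(h, p) for h, ports in new.items() for p in ports}
    return SurfaceDiff(
        new_hosts=sorted(set(new) - set(old)),
        gone_hosts=sorted(set(old) - set(new)),
        opened=sorted(new_exp - old_exp),
        closed=sorted(old_exp - new_exp),
    )


def alerts(diff: SurfaceDiff) -> list[str]:
    """Turn a diff into the events a small team should actually look at."""
    out = [f"new host exposed: {h}" for h in diff.new_hosts]
    for host, port in diff.opened:
        if port in HIGH_RISK_SET:
            out.append(f"high-risk service newly reachable: {host}:{port} ({HIGH_RISK_PORTS[port]})")
    return out


def exposure_score(surface: dict[str, set[int]]) -> int:
    """Crude trend metric: one point per open port, four extra per high-risk port."""
    return sum(len(ports) + 4 * len(ports & HIGH_RISK_SET) for ports in surface.values())


if __name__ == "__main__":
    week1, week2 = parse_scan(SCAN_WEEK1), parse_scan(SCAN_WEEK2)
    d = diff_surface(week1, week2)
    print(f"exposure score: {exposure_score(week1)} -> {exposure_score(week2)}")
    print("closed:", d.closed)
    for a in alerts(d):
        print("ALERT:", a)
```

On the constructed input the RDP port on legacy.example.com disappears (it is now filtered) but the score still rises, because a new dev host appeared with SSH and PostgreSQL exposed; that is the kind of change a weekly snapshot catches and a one-off pentest would miss.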
When you think about the future, what key trends do you expect to have a notable impact over the next 5 years?
Quantum computing will be a game changer for encryption because many security protocols rely on it today. We know they are coming, yet little is done to increase the strength of our encryption. I think there will be a before and an after (affordable) quantum computers; we are not prepared for what is coming.