The human attack surface – an underestimated cyber security threat
Outdated systems, exposed databases, or public cloud resources are often considered the weakest links in an organization’s security posture. Nevertheless, an often overlooked yet critical entryway for cybercriminals is the human perimeter.
Many, if not most, data breaches result from simple human error, negligence, or lack of awareness. Cybercriminals exploit human behavior with social engineering tactics and use various attack methods such as phishing and business email compromise (BEC) to trick employees into uncovering sensitive data or breaking security procedures so they can infiltrate the target organization. People can pose a security risk by storing credentials unsafely or publishing other secret information, such as with keys on Github.
Employees, their behaviors, and activities contribute to an organization's attack surface. In today’s distributed workforce that allows employees to access company resources from different locations and devices, it’s essential to emphasize their impact on an organization’s security posture.
Identify the attack surface
An attack surface refers to every asset that belongs to an organization that has the potential to be exploited and can be used as potential entry points for unauthorized access to sensitive data. Simply put, an attack surface is an organization’s risk exposure that includes all known, unknown, and potentially exploitable weaknesses and vulnerabilities.
Digitization, cloud migration, the rise of mobile, IoT devices, and internet-connected assets has led to larger and more complex IT infrastructures. Unfortunately, this has also increased the attack surfaces and potential exposure for attackers.
Nonetheless, it’s not only IT and online assets that make up an organization’s attack surface. Cybercriminals are usually after business, personally identifiable, and other sensitive information. And anyone or anything with access to sensitive data can act as an entry point to an organization’s network.
When discussing types of attack surfaces that affect organizations, two types are usually recognized: physical and digital attack surfaces.
Digital attack surface
A digital attack surface includes all assets that connect to the network. These include software and web applications, ports, operating system services, cloud resources, websites, etc.
Physical attack surface
Examples of physical attack surfaces are laptops, computers, tablets, phones, TVs, printers, USB ports, and paper documents containing sensitive data. They include all the hardware devices and physical assets malicious actors can utilize to access sensitive information.
How do employees affect the attack surface?
While not commonly defined as a distinct type, the human attack surface introduces serious risk to an organization.
Indeed, employee behaviors can result in security holes or weaknesses, and thus must be considered a critical part of the attack surface. Some of the common ways employees can act as a catalyst for a cyber attack include:
Clicking on a malicious email attachment
Downloading a file from an untrusted source
Accessing company resources over public WiFi
Negligence in following security procedures
Using a weak, easily guessed password
Divulging confidential data on social media
Leaking private keys on Github
Using unsafe coding practices
Human behavior is unpredictable, and technology and technical processes can’t simply reduce the security gaps it leaves. Reducing the human attack surface should focus on maintaining the organization's cybersecurity awareness culture. Employees need to be equipped with knowledge and resources to recognize threats, their role in the organization's security posture, and what behaviors are expected of them in their daily tasks.
Employee policy suggestions for managing your attack surface
Developing a security awareness program and employee policies through your organizations can reduce the exposures employees create in your infrastructure.
Some policies might be required by various industry and regulatory compliance frameworks, and others are essential for growing organizations with complex IT infrastructures and large, distributed workforces. Here are some of Hadrian’s policy suggestions to reduce the human factor in security risks:
Social Media Policy
Much can be learned about a person from their social media profiles, both personal and professional information. Employees can unknowingly or accidentally share content on social media that can divulge sensitive information about their employer.
Malicious actors can also use employees’ social media profiles to create a better profile of their target. A social media policy lays down the guidelines on how employees should use personal and professional social media accounts. Here are some of the standard guidelines included in a social media policy:
Employees must be prohibited from sharing any confidential data on their personal social media accounts, including personal, financial, or strategic information, trade secrets, copyrighted material, etc.
Employees must be careful when sharing details about the company's internal structure on social media, both publicly and in private messages.
Employees must exercise caution when contacted by friends or acquaintances they haven't heard from in a while inquiring about their job and employer, not to reveal anything that can be used to gather information on the company.
Employees must exercise caution when clicking on unknown links on social media that are either shared publicly or privately, even those that appear to be sent by their coworkers.
Credentials provide direct access to an organization’s sensitive data and environments. If these credentials fall into the wrong hands, they can be a valuable tool for malicious actors looking for a way to infiltrate a target network under the guise of an authorized user.
Many data breaches involving stolen or breached credentials can happen in the cases of:
using weak, easily guessable passwords;
storing passwords in the Notes app;
inputting credentials on a fraudulent site;
or getting a device with access to company resources stolen.
Therefore, a policy addressing credential management is crucial in reducing human error.
Enforcing multi-factor authentication (MFA) across all accounts and users is critical in any credential management policies. This way, even if credentials are stolen, there would be another layer of protection from unauthorized access.
Access control dictates which users can access resources and ensures that only authorized users can retrieve data from an organization's network.
The most common guideline in a credential policy is undoubtedly regulating passwords, their complexity, and a schedule of enforced password changes.
Password managers lessen the chance of employees forgetting their complex passwords and using simpler ones, or storing them in unsafe locations.
Single sign-on (SSO) is a user authentication service that allows users to log in to multiple applications with only one set of credentials. SSO helps organizations and their employees to easily manage multiple credentials, reducing the chances of phishing.
Shadow IT policy
Shadow IT occurs when employees use unapproved applications or devices at work without the knowledge or approval of security teams. It's a prevalent occurrence when employees want to enrich their job procedures or speed up processes by using apps they once used and are more familiar with, thus introducing these apps into the organization's IT ecosystem.
Shadow IT poses security risks that can compromise data privacy, integrity, and security, leading to non-compliance.
One of the best ways to prevent shadow IT is with a shadow IT policy. A shadow IT policy should establish guidelines to standardize apps, devices, and technologies to use at work; as well as the main procedures for identifying shadow IT.
Security awareness and training policy
As mentioned, security awareness is critical in reducing risks introduced by the human factor. However, maintaining a security-aware workforce is more challenging than simply holding a yearly training session and multiple-answer question tests.
A security awareness training policy outlines what types of training employees should partake in, including those with role-specific purposes. Additionally, it should establish the training calendar (during onboarding, at year one, etc.) and business objectives for the program.
This will help employees maintain the integrity and security of sensitive data, follow regulations, and ensure a baseline of security competence.
Remote access policy
COVID-19 has caused a rapid increase in remote work and more people accessing company resources from their personal devices. Remote work has brought security risks related to unmanaged and often insecure user access.
A remote access policy establishes guidelines for remote users connecting to the company network. It builds on credential policies to authorize the user and goes one step further to cover everything from the types of devices that can be used to access the network to:
Defining secure remote access and enforcing the use of a VPN and strong user passwords.
Requiring MFA as additional protection against unauthorized access.
Standardizing hardware and software, including firewalls and antivirus systems, and when and how often they should be updated.
Acceptable use of resources remote users need to adhere to while using the company network.
The level of access individual employees should have to company resources, depending on their role’s needs.
The human attack surface isn't something that can be easily reduced, especially with complex IT environments and diverse workforces. Organizations must implement better employee policies to mitigate these exposures and reduce their human attack surface.
Before addressing specific risks in your organization’s attack surface, you should start identifying and understanding each asset in your infrastructure. Your employees could be interacting or introducing unknown assets that hold exposures, and without your visibility over each area of your IT infrastructure, you can’t mitigate these risks.
Hadrian’s Attack Surface Management technology continuously maps exposed assets, discovers security risks, and prioritizes remediation for security teams to harden their external attack surfaces. Visualize and explore how your assets are connected and get better insight into how human error can impact potential attack chains.
To get the hacker’s view of your attack surface, schedule a demo today.