Your Newly Vulnerable Attack Surface and How to Reduce It

In 2023, a surprising number of organizations operate with a newly expanded attack surface.  Even though most already invest significantly in cybersecurity.  All companies are acutely aware of the threat posed by cyberattacks and the resulting data breaches.  And sadly, many have already been victimized. If they wish to avoid being breached, CEOs, CFOs, CHROs and all other non-IT department heads must become educated about how and why their organizations’ attack surface has been expanded.  Cyber threats have evolved into business threats, and every department should be vigilant. Once they do, they will undoubtedly want to immediately address the challenges of shrinking the attack surface.  This document will shed light on what the attack surface is and what can be done to minimize it – even if an organization already invests significantly in information security.

If you’re a CFO, CEO or other organizational leader not directly involved with information security and IT, you may not often hear the term “attack surface”.  So, here’s a basic definition of the term. 

The attack surface of an organization is defined as all the possible points of entry a cybercriminal might exploit to gain unauthorized access to information systems.  This includes every endpoint – e.g., mobile device, desktop, server, web applications/software, APIs, etc. – and other potential vulnerability to cyberattacks or data breach attempts.

Most modern organizations have a sprawling attack surface because information systems, computing networks and cloud hosting/storage have become so integral to the operations of every industry.  There are generally two classifications or subsets of attack surfaces in a broad sense.  Chief Information Officers or Chief Information Security Officers know they must apply different strategies to secure the digital attack surface as well as the physical attack surface.  And many have been working for years to reduce their exposure.

The physical attack surface is comprised of all the hardware that hackers might try to infiltrate.  These are all your organizations’ endpoint devices such as desktop computers and workstations, mobile devices, phones, tablets, even USB drives and other portable storage devices.  Remember that when retiring old hardware, the discarded devices may still contain log in credentials, passwords, sensitive user or organizational data or more.  To a lesser extent the physical attack surface also includes protecting actual physical locations from intruders who could sneak into facilities and steal data manually.  To shrink the physical attack surface, InfoSec leaders implement hardware management policies and other common endpoint security measures.

The digital attack surface is more difficult to defend because it is distributed across the internet.  It is comprised of software systems, applications, websites, servers, email systems, cloud storage/hosting, and unauthorized system access locations.  Digital information security is largely focused on closing holes and other vulnerabilities that arise from poor coding, insufficient passwords, weak encryption, open APIs, outdated software, etc.

The goal of any organization is to shrink, to the smallest extent possible, their physical and digital attack surfaces to guard against unwanted public access to sensitive data.

The New Social Engineering Attack Surface

In recent years a new attack surface has emerged, and it is clearly undermining the efforts of IT and InfoSec leaders to protect their organizations.  This new attack surface has been dubbed the “Social Engineering Attack Surface”.  For organizations that had successfully shrunken their digital and physical attack surfaces, the rise of social engineering attacks has exploded the scope of potential attack vectors and breaches are on the rise. 

Social engineering can straddle digital and physical attack vectors and leverages unregulated external data available for sale or even for free on the public internet.  This article from Privacy Bee details the methods cybercriminals use to exploit weak external data privacy in social engineering attacks.

While physical and digital attack surface management involves a fairly concrete set of processes and best practices, social engineering attack surface management presents a more slippery challenge.  CISOs, CIOs and InfoSec professionals can exert robust control over the digital and physical assets under their supervision and purview.  By contrast, social engineering attacks are not directed at surfaces under the direct control of the organization.  Instead, social engineering attacks are directed toward any or every member of the organization’s workforce.  Social engineering attacks also regularly target the workforce elements of an organization’s vendors, third-party associates, supply chain partners and any external group that has systems integrations with the organization.   InfoSec leadership has far less ability to control the online activities of all these persons.  And it is the human element that hackers exploit.  This is why the social engineering attack surface is so much more difficult to reduce.

Finding the Shortcomings in Existing Attack Surface Management Practices

Respected B2B technology vendor marketing firm TechTarget published an overview of the steps involved in creating a risk mitigation plan.   To summarize, there were five recommendations:

1. Identify the risk – catalog existing and potential events and event sequences where risk is inherent. Whether from existing vulnerabilities or known threats against the organization
2. Perform risk assessments – using a weighted system to determine the possible impact of each risk and how likely it is to occur
3. Prioritize – ranking the potential risks identified in the assessment and acting first on the areas with the lowest acceptable risk
4. Track risks – this involves an ongoing monitoring of risks identified and noting frequency of attacks in different types of risk pools
5. Implementing mitigation and monitoring progress – Once a risk mitigation plan has been developed and deployed to address the risks identified and prioritized in the earlier steps, the organization should monitor the efficacy of the plan, keep tabs on the threat levels and make modifications to the plan as the priorities may shift

The five recommendations from Tech Target are indeed well-conceived and if applied, should serve well to reduce the size of any organization’s attack surface.  But this is if and ONLY if the organization is savvy enough to apply it to the new, social engineering attack surface.  Evidence suggests this is not yet happening across the preponderance of organizations in the US. 

In 2022, leading tech research and advisory firm Gartner predicted the expansion of the attack surface driven by the dispersal of enterprises (by expanded remote work arrangements, further supply chain diversification and other causes).  At the time of their prediction, Gartner estimated information security spending would reach $172 billion in 2022.   In 2023, Gartner expects $188 billion will be spent.  Clearly, US organizations are willing to spend mightily to combat the risk of cyberattack.  However, simply throwing money at the problem will not suffice.

$172 billion in 2022 — $188 billion in 2023

Estimates of InfoSec Spend according to Gartner Research

The shortcomings in contemporary efforts don’t lie in the level of spend being directed toward the problem.  Rather, the problem is that organizations are not applying the above five risk mitigation steps properly to the specific risks of social engineering strategy.  To successfully shrink the social engineering attack surface, InfoSec leaders must understand that the risks of social engineering attacks originate, on average, a full YEAR before the attack is perpetrated. 

When performing TechTarget’s “step 1” (risk assessment), one cannot simply focus on “intrusion attempts” as the inception of the risk.  However, that is precisely what the current strategy dictates for Physical and Digital attack surface management.

In order to interrupt social engineering attacks and shrink the social engineering attack surface, organizations need to adopt a forward-looking, preemptive posture towards risk assessment.  They must focus on external data privacy and external data hygiene practices.

In the article “The Anatomy of Spear Phishing Attacks” published by Privacy Bee, the typical cyber attack process is detailed in a step by step process.  Illustrated in the graphic below, is a clear characterization of the breadth of the attack surface currently exposed for most organizations.

Today’s mainstream strategies for attack surface management only address steps five and six.  So, it becomes easy to see that steps one through four represent a social engineering attack surface some 66% larger than is acceptable. 

When performing the risk identification process – or Step 1 in the TechTarget Attack Surface Management process – it is essential to identify unsecured external data as the primary risk. 

External Data Privacy expert, Arnez Edwards of Privacy Bee explains, “If external data privacy is left wholly unaddressed, cyber criminals and other threat actors are given the opportunity to reconnoiter and map out your company’s organizational structure.  They can identify the appropriate targets within the workforce (and vendor/affiliate workforce) to determine which workers have appropriate access to the data and systems the criminals want to attack.”  This is steps one and two in the Anatomy of a Successful Cyber Attack graphic – Reconnaissance and Identification of Weaknesses.  The reconnaissance is often as simple as visiting the target organization’s website and reading the information posted there about the company, its executives, its locations, business partners and business activities. 

Step three in the anatomy graphic is “research target”.  This is where, according to Edwards, “the gaping hole of external data privacy represents an unacceptably large attack surface” for many organizations.   Using resources such as People Search Sites, Data Broker firms, search engines and social media profiles, bad actors are able to glean highly specific information about their targets.  Whether they purchase personally identifiable information (PII) from data brokers or simply do the legwork of scraping PII from social sites like LinkedIn, Facebook or others, compiling PII about identified targets helps hackers prepare for step four – crafting the message for social engineering attacks.

For detailed examples of the way cybercriminals craft messages for different flavors of social engineering attacks, review Privacy Bee’s article titled, “Spear Phishing Attacks: Types, Elements, and Detection”. With detailed personal information about a specific employee/target’s life and recent activities, creative hackers and cybercriminals are able to produce a broad array of attacks like Spear Phishing, business email compromising, whaling and credential harvesting and others.

Also, note in the Six Steps of a Successful Cyber Attack graphic, the imbalance between defenses applied to steps five and six.  This additionally illustrates the unprotected attack surface posed by social engineering risk.  The graphic makes it clear that organizations have processes and practices in place to address the physical and digital attack surface.  It also clarifies where organizations must focus their efforts to shrink this new and significant attack surface.

External Data Privacy Management Shrinks the New Attack Surface

Managing and protecting access to the PII of every single employee and those of all third-party affiliates (like vendors and other partners) may seem like an overwhelming challenge.  Knowing there are 350+ People Search Sites and data brokers, dozens of social media platforms, powerful search engines and tons of publicly searchable data makes it an even more sobering prospect.  However, as Arnez Edwards says, “You can’t sit around waiting for defenses to fail.  You must act on the offense and disrupt attacks before they start.  That’s why Privacy Bee is the fastest growing data privacy platform.”  Here are some of the broad solution elements from Privacy Bee to help immediately begin shrinking the attack surface back to acceptable tolerances.

Engage the Privacy Bee solution, a cost-effective method for taking control over the social engineering attack surface. 

Privacy Bee’s Employee Risk Management (ERM) solution is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure, and affect that person’s aggregated Privacy Risk Score.

ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.

Privacy Bee’s External Data Privacy Audit (EDPA) is another100% free, web-based privacy app for quickly and easily scanning employees PII exposure.  This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy management.

The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). Delivering a centralized view into public employee exposures, and insight into the tangible financial impact it has within your organization.

Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside your organization but who may have a degree of access to your sensitive information systems. This solution evaluates all your vendor/partner organizations for Electronic Data Privacy risks.  It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance.   Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your 3rd party vendors 1-on-1 to decrease their vulnerabilities, effectively de-risking your company at no cost to you.

While all these (and other) audits and monitoring services are for use at no cost, removing employee PII from all unsafe locations on the net is what reduces the risk and the attack surface.  While this is a function your organization could take on as an internal activity, most organizations prefer to outsource the removal service for your employees and vendors identified as at risk to Privacy Bee.  Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.

Engaging the Privacy Bee for Business solution offers many other ancillary benefits as well such as eliminating physical threats to executives and other high profile members of your team.  It helps reduce unwanted spam and telemarketing that sap productivity.  It helps curb HR poaching, saving significantly on HR and lost opportunity costs. It helps foster a culture of data privacy that makes your organization more secure and a much more attractive partner to prospective customers.

Don’t wait to focus on shrinking your attack surface.  Contact Privacy Bee today for a demo and more information on how to be proactive with data privacy and attack surface reduction in your organization.