Whenever I see news about a new data breach, one of the first questions that comes to my mind is “How did the attackers do it?” The answer is often a simple one. Attackers prefer to exploit the low-hanging fruit: known vulnerabilities, simple software bugs and configuration errors. In many cases, getting rid of these simple attack vectors is just a matter of keeping your software up to date. However, in order to protect an application from all external attacks, you need to understand and manage its attack surface.
The attack surface is the sum of the different attack vectors through which an attacker can try to enter or extract data. Keeping the application's attack surface as small as possible is the best protection against cyberattacks. The first step is to understand and identify it.
Mapping the attack surface
Identifying the cyberattack exposure of your application is not always an easy task. The attack surface is often surprisingly large and complex, especially with web applications. Examples of possible attack vectors for a web application:
- User interface (input forms, admin interfaces)
- Application Programming Interfaces (APIs)
- Code processing the input data
- Network ports of the server (e.g. port 80 for HTTP, port 21 for FTP)
- Employees with access to the admin interface. The human attack surface is often overlooked, although social engineering attacks are common.
- Possible cloud aspects. The cloud vendor provides security of the cloud itself, but you need to ensure security in the cloud.
Keep an eye on possible hidden attack surfaces such as a development version of the web application, undocumented entry points or a badly configured DNS server. Attackers will certainly look for them.
Identifying the attack vectors early, in the application design phase, is important. Threat modeling is a good approach, because you also need to identify the valuable data and assets of the application.
The attack surface tends to change and grow over time. It is important to revisit the attack surface map whenever the application or its environment changes. Using a process such as a Security Development Lifecycle (SDL) helps to ensure that regular checks of the attack surface are done.
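The mapping step above can be made concrete as a small inventory script. The example below is added here and is not code from the original post: it records each entry point of a hypothetical web application (UI forms, APIs, admin pages, listening ports), scores it by how exposed it is, flags the hidden surface the text warns about (undocumented entry points, development copies, forgotten services) and diffs two snapshots so that the map can be revisited whenever the application changes. The sample entry points, the path hints and the scoring weights are constructed assumptions, not part of any real project.

```python
"""Attack surface inventory for a web application (added example, constructed data)."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class EntryPoint:
    kind: str              # "ui", "api", "admin" or "port"
    location: str          # URL path, or "proto/port" for a listening port
    methods: tuple = ()    # HTTP methods that accept client data
    authenticated: bool = False
    documented: bool = True

# Constructed sample. In a real project this list would be generated from the
# router (e.g. Flask's app.url_map), the reverse-proxy config and a port scan
# of the server, not typed by hand.
SAMPLE_SURFACE = [
    EntryPoint("ui", "/login", ("POST",), False, True),
    EntryPoint("ui", "/contact", ("POST",), False, True),
    EntryPoint("api", "/api/v1/posts", ("GET", "POST"), True, True),
    EntryPoint("admin", "/admin", ("GET", "POST"), True, True),
    EntryPoint("ui", "/dev/preview", ("GET", "POST"), False, False),  # forgotten dev copy
    EntryPoint("port", "tcp/443", (), False, True),
    EntryPoint("port", "tcp/21", (), False, False),                   # FTP nobody uses
]

# Path fragments that usually mean "not meant for production" (assumed list).
HIDDEN_PATH_HINTS = re.compile(r"/(dev|staging|test|debug|old|backup)(/|$)", re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def risk_score(ep: EntryPoint) -> int:
    """Higher score = more exposed. Weights are assumptions for illustration."""
    score = 0
    if not ep.authenticated:
        score += 2   # reachable by anyone on the internet
    if any(m in WRITE_METHODS for m in ep.methods):
        score += 2   # accepts client data, so input handling code is in scope
    if ep.kind == "admin":
        score += 2   # high-value target even when authenticated
    if not ep.documented or HIDDEN_PATH_HINTS.search(ep.location):
        score += 3   # hidden surface: nobody is watching it
    return score

def classify(surface):
    """Entry points with their score, most exposed first (stable for ties)."""
    return sorted(((risk_score(ep), ep) for ep in surface), key=lambda t: -t[0])

def high_risk(surface, threshold: int = 4):
    """The areas to focus on first."""
    return [ep for score, ep in classify(surface) if score >= threshold]

def hidden_entry_points(surface):
    """Undocumented entry points or paths that look like dev/test leftovers."""
    return [ep for ep in surface
            if not ep.documented or HIDDEN_PATH_HINTS.search(ep.location)]

def new_entry_points(old, new):
    """Entry points present in the new snapshot but not in the old one,
    for re-checking the map after a release or environment change."""
    old_keys = {(ep.kind, ep.location) for ep in old}
    return [ep for ep in new if (ep.kind, ep.location) not in old_keys]

if __name__ == "__main__":
    for score, ep in classify(SAMPLE_SURFACE):
        print(f"{score:2d}  {ep.kind:5s} {ep.location}")
    print("hidden:", [ep.location for ep in hidden_entry_points(SAMPLE_SURFACE)])
```

The diff function is the piece most teams forget: run the inventory in CI, store the previous snapshot, and fail the build (or at least open a ticket) whenever `new_entry_points` returns something that nobody threat-modeled.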
Reducing the attack surface
Here are some best practices that will reduce the attack surface of your web application:
- Reduce the amount of running code. Disable or remove features that are not required or being used. Eliminate unused code.
- Reduce the privilege of each component to the lowest level possible. Components running with high privileges typically cause more damage when compromised.
- Disable protocols, services and entry points that are not used. You can apply the 80/20 rule: do 80% of users use this protocol or service? If the answer is no, turn it off or make it inaccessible from the internet.
- Do not store confidential data unless necessary. If you must store confidential data, encrypt it properly.
- Apply the principle of least privilege: limit users' access rights to the minimum permissions they need to do their work.
- Select your third-party libraries, add-ons, APIs etc. carefully, and apply security patches when they become available.
- Perform proper input validation in your code. The most common web application security weakness is the failure to properly validate all input coming from the client.
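The last point in the list is the one most directly expressed in code. The example below is added here and is not from the original post: it validates a hypothetical comment form with an allow-list (every field has a pattern and a length limit, and the whole value must match), rejects control characters in free text, and treats parameters the form does not define as errors, since unexpected input fields are attack surface too. The field names and patterns are constructed assumptions for illustration.

```python
"""Allow-list input validation for a web form (added example, constructed rules)."""
import re
from typing import Dict, List

# Hypothetical comment form. Each field gets an explicit pattern and length
# limit; anything not matching is rejected rather than "cleaned up".
RULES = {
    "name":    {"pattern": re.compile(r"[A-Za-z][A-Za-z '\-]{0,49}"), "required": True},
    "email":   {"pattern": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
                "required": True},
    # Free text: any printable character plus tab/newline, but no other
    # control characters, and at most 1000 characters.
    "comment": {"pattern": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,1000}"),
                "required": True},
    # Optional link: only https and a conservative character set.
    "website": {"pattern": re.compile(r"https://[A-Za-z0-9.-]+(/[A-Za-z0-9._~/?#\-]*)?"),
                "required": False},
}

def validate(form: Dict[str, str]) -> List[str]:
    """Return a list of validation errors; an empty list means the input is accepted."""
    errors: List[str] = []
    # Unknown parameters are rejected outright: a handler should only ever
    # see the fields it was designed for.
    for key in form:
        if key not in RULES:
            errors.append(f"unexpected field: {key}")
    for name, rule in RULES.items():
        value = form.get(name)
        if value is None or value == "":
            if rule["required"]:
                errors.append(f"missing field: {name}")
            continue
        if not isinstance(value, str):
            errors.append(f"wrong type: {name}")
            continue
        # fullmatch anchors both ends; re.match with a trailing "$" would still
        # accept a value ending in a newline.
        if not rule["pattern"].fullmatch(value):
            errors.append(f"invalid value: {name}")
    return errors

if __name__ == "__main__":
    good = {"name": "Ada Lovelace", "email": "ada@example.com", "comment": "Hello"}
    bad = {"name": "<script>", "email": "x", "comment": "", "debug": "1"}
    print("good:", validate(good))
    print("bad: ", validate(bad))
```

Validation of this kind sits at the entry point and decides what the rest of the code ever sees; it complements, but does not replace, output encoding and parameterized queries further down the stack.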
Attackers are usually unauthenticated, which is why requiring authentication can greatly reduce the attack surface. However, once you introduce authentication, the attack surface becomes more complex, with security-critical features such as user login and session management.
You can also introduce operational controls such as a Web Application Firewall (WAF) to reduce the attack surface. However, additional security tools may have vulnerabilities and weaknesses of their own. Operational controls can help, but securing the web application itself is more important.
The human attack surface is challenging: a simple phishing attack could bypass all security controls. Organizations should arrange awareness training with simulated attacks. There are also technical solutions that can prevent some social engineering attacks.
Once you have a map of the attack surface, identify the high-risk areas. Focus on remote entry points, access control, APIs, web forms and the controls defending your assets. Threat modeling methods will help you achieve this.
Open-source web applications
Let us assume that you want to set up a public blog for your organization and decide to use an open-source solution. To minimize the cyber risk, you should select a battle-hardened publishing platform.
Using an open-source web application does not mean you do not need to worry about the attack surface. For example, if you select WordPress as your blogging platform, see the WordPress hardening guide and the OWASP WordPress Security Implementation Guide. Guides like these will help you manage the attack surface.
Identifying and managing the application attack surface is critically important. Once you have mapped and minimized the attack surface, make sure to test it.
If you need help with attack surface mapping, management and testing, feel free to contact us.
Janne Ahlberg works as a Principal Security Specialist at Insta DefSec.