Attack surface management (ASM) is a growing focus for security teams and many C-Level executives with a stake in data management and security such as CIOs, CTOs, and CISOs.
A glance at the news in any given week is likely to produce reports of another data breach or ransomware attack perpetrated by cybercriminals. Attacks are becoming much more sophisticated and are often being carried out by dedicated teams of state-sponsored hackers. Recent incidents include targeted cyberattacks on companies involved in essential infrastructure.
Cybercriminals often gain access to enterprise data resources and databases indirectly by compromising weak security somewhere in an organization’s network. Once access has been gained, malware can perform many activities, ranging from stealing login credentials to encrypting data as the first stage of a ransomware attack.
What is an Attack Surface?
The National Institute of Standards and Technology (NIST) defines an attack surface as the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
Implicit in the definition is the fact that unauthorized entry into a system element can put the whole environment at risk. Once systems have been compromised they can be used to attack other areas of an organization’s infrastructure.
This means that every access point needs to be protected with the same level of security. The extent of an environment’s security is predicated on that of its weakest link.
The COVID-19 pandemic and associated increase in the number of remote workers has dramatically increased the size of an enterprise’s attack surface. Remote access is initiated from outside corporate firewalls and poses substantial additional risks to the computing environment. A worker falling victim to a single malicious phishing email can put the whole organization at risk.
What is Attack Surface Management?
Attack surface management (ASM) describes the preemptive measures an organization should take to mitigate risks to an attack surface. It involves monitoring the digital assets that relate to, make use of, or store sensitive data.
Attack surface management also extends to the process of identifying and classifying digital assets to establish the potential for risk, and the prioritization of how those risks should be addressed.
The attack surface encompasses everything outside the corporate firewall that can be attacked by hackers searching for vulnerabilities to exploit. This includes known assets, unknown assets, rogue assets spawned by threat actors, and assets belonging to enterprise vendors.
4 Steps for Robust Attack Surface Management
Robust attack surface management is made up of four related activities:
1. Discovery
The first phase of an ASM initiative is the discovery of all Internet-facing digital assets that are related to the processing of sensitive data. These assets include those owned by an organization as well as those of cloud providers and contractors.
2. Inventory and classification
After assets are discovered, they need to be inventoried and classified in some way that makes sense to the business. It might start with separating systems that do and do not process sensitive data. Business-critical infrastructure elements should be identified at this time.
3. Rating risks and security standing
A thorough assessment of all assets should be conducted to identify risks and evaluate the current state of each asset’s security. This should be an iterative process that provides insight into assets with fluctuating risks or a modified security posture.
4. Continuous security monitoring
Continuously monitoring the security of enterprise assets is an essential component of ASM. Security threats need to be promptly identified and mitigated to stop prospective attacks or minimize their impact.
ASM demands a coordinated approach that includes understanding the assets that need to be protected and monitoring them to ensure they have not been compromised. It’s not a one-time process but rather needs to be an ongoing initiative to fully protect the environment.
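The four steps above, carried through as one small program. This is an added illustration, not code from the original article or from any vendor product: the two scan snapshots, the host names, the lists of sensitive and critical hosts and the risk weights are all constructed for the example, and a real program would feed the discovery step from DNS, cloud inventories, certificate logs or port scans rather than inline records.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed discovery output at two points in time (what an external scan of
# Internet-facing hosts might report); none of these hosts are real.
SCAN_T0 = [
    {"host": "web.example.com", "owner": "internal", "ports": {443}, "services": {"https"}},
    {"host": "db1.example.com", "owner": "internal", "ports": {1433, 3389}, "services": {"mssql", "rdp"}},
    {"host": "crm.vendor-example.net", "owner": "vendor", "ports": {443}, "services": {"https"}},
]
SCAN_T1 = [
    {"host": "web.example.com", "owner": "internal", "ports": {443}, "services": {"https"}},
    {"host": "db1.example.com", "owner": "internal", "ports": {22, 1433, 3389}, "services": {"ssh", "mssql", "rdp"}},
    {"host": "crm.vendor-example.net", "owner": "vendor", "ports": {443}, "services": {"https"}},
    {"host": "legacy.example.com", "owner": "unknown", "ports": {1433}, "services": {"mssql"}},
]

# Business context used for classification (constructed for the example).
SENSITIVE_HOSTS = {"db1.example.com", "crm.vendor-example.net"}
CRITICAL_HOSTS = {"db1.example.com"}

# Risk weights (assumed for illustration): services that should rarely face the
# Internet weigh more; third-party and unattributed assets add to the score.
SERVICE_WEIGHT = {"mssql": 30, "rdp": 25, "smb": 30, "ssh": 15, "ftp": 20}
DEFAULT_SERVICE_WEIGHT = 5
OWNER_WEIGHT = {"internal": 0, "vendor": 10, "unknown": 25}
SENSITIVE_WEIGHT = 20
CRITICAL_WEIGHT = 20


@dataclass
class Asset:
    host: str
    owner: str
    ports: Set[int]
    services: Set[str]
    sensitive: bool = False
    critical: bool = False
    risk: int = 0


def discover(scan: List[dict]) -> Dict[str, Asset]:
    """Step 1: turn raw scan records into an inventory keyed by host name."""
    return {r["host"]: Asset(r["host"], r["owner"], set(r["ports"]), set(r["services"])) for r in scan}


def classify(inventory: Dict[str, Asset]) -> None:
    """Step 2: tag assets that process sensitive data or are business-critical."""
    for asset in inventory.values():
        asset.sensitive = asset.host in SENSITIVE_HOSTS
        asset.critical = asset.host in CRITICAL_HOSTS


def rate(asset: Asset) -> int:
    """Step 3: additive risk score from exposed services, ownership and classification."""
    score = sum(SERVICE_WEIGHT.get(s, DEFAULT_SERVICE_WEIGHT) for s in asset.services)
    score += OWNER_WEIGHT.get(asset.owner, OWNER_WEIGHT["unknown"])
    score += SENSITIVE_WEIGHT if asset.sensitive else 0
    score += CRITICAL_WEIGHT if asset.critical else 0
    return score


def assess(scan: List[dict]) -> Dict[str, Asset]:
    """Steps 1 to 3 combined: discover, classify and rate every asset in one scan."""
    inventory = discover(scan)
    classify(inventory)
    for asset in inventory.values():
        asset.risk = rate(asset)
    return inventory


def monitor(previous: Dict[str, Asset], current: Dict[str, Asset]) -> List[Tuple]:
    """Step 4: diff two assessments and report the changes an analyst should review."""
    alerts: List[Tuple] = []
    for host in sorted(current):
        now = current[host]
        before = previous.get(host)
        if before is None:
            alerts.append(("new_asset", host, now.owner, now.risk))
            continue
        new_ports = now.ports - before.ports
        if new_ports:
            alerts.append(("new_ports", host, frozenset(new_ports)))
        if now.risk > before.risk:
            alerts.append(("risk_increase", host, before.risk, now.risk))
    for host in sorted(set(previous) - set(current)):
        alerts.append(("asset_gone", host))  # a vanished asset also deserves a look
    return alerts


def run_cycle(scan_before: List[dict], scan_after: List[dict]) -> List[Tuple]:
    """One monitoring cycle: assess both snapshots, then diff them."""
    return monitor(assess(scan_before), assess(scan_after))


if __name__ == "__main__":
    for alert in run_cycle(SCAN_T0, SCAN_T1):
        print(alert)
```

Run as a script, the second snapshot produces three alerts: a new SSH port on the sensitive, business-critical database host, the matching rise in its risk score, and a previously unknown host exposing the SQL Server port with no recorded owner. The scoring is deliberately additive and transparent so that an analyst can see why a score moved; the point of step 4 is that the comparison runs on every cycle, not once.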
Attack Surface Management for SQL Server Environments
SQL Server databases are commonly used to store enterprise data resources which include sensitive and business-critical information. Databases and the information they contain are a prime target of cybercriminals intent on perpetrating a ransomware attack or stealing sensitive data.
IDERA’s SQL Secure is a dedicated SQL Server security tool and an essential part of attack surface management for SQL Server environments. Following are some of the features offered by SQL Secure that address ASM.
- The tool identifies the attack surface area including the servers, ports, protocols, and applications that may enable malicious actors to attack SQL Servers located on-premises or in the cloud. It can detect weak passwords which may allow hackers to easily gain access to critical systems.
- SQL Secure analyzes server object settings and security properties so gaps can be identified and addressed before systems are compromised. The tool also analyzes the security standing of the operating system to identify potential risks.
- Powerful standard and customized reporting provide teams with insight into the security of the complete SQL Server environment. Security scorecards can be generated that indicate issues at a glance and make it easy for teams to remediate risks before they become problems.
- Security data is stored in a central repository so it can be used for reporting and forensic analysis. This repository provides the necessary information to understand changes in SQL Server security that may put an organization at risk.
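To make the kind of checks listed above concrete, here is an added example of a scorecard built from a SQL Server security snapshot. It is not SQL Secure's code and does not describe how that product works; it is a standalone illustration. The T-SQL strings use standard catalog views (`sys.sql_logins`, `sys.configurations`, `sys.server_role_members`, `sys.server_principals`, `SERVERPROPERTY`), but running them against a live instance, for example over pyodbc, is assumed rather than done here; the two snapshots, instance names, logins and the severity weights are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# T-SQL a per-instance collector would run (an assumed collection set; executing
# it through a database driver is outside this offline example).
COLLECTORS: Dict[str, str] = {
    "logins": "SELECT name, is_disabled, is_policy_checked, is_expiration_checked FROM sys.sql_logins;",
    "configs": ("SELECT name, value_in_use FROM sys.configurations WHERE name IN "
                "('xp_cmdshell', 'remote access', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');"),
    "sysadmins": ("SELECT p.name FROM sys.server_role_members m "
                  "JOIN sys.server_principals r ON r.principal_id = m.role_principal_id "
                  "JOIN sys.server_principals p ON p.principal_id = m.member_principal_id "
                  "WHERE r.name = 'sysadmin';"),
    "auth_mode": "SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only;",
}

# Constructed snapshots shaped like the collector output; neither is a real instance.
SNAPSHOT = {
    "instance": "db1.example.com",
    "logins": [
        {"name": "sa", "is_disabled": 0, "is_policy_checked": 1, "is_expiration_checked": 0},
        {"name": "app_user", "is_disabled": 0, "is_policy_checked": 0, "is_expiration_checked": 0},
        {"name": "reporting", "is_disabled": 1, "is_policy_checked": 0, "is_expiration_checked": 0},
    ],
    "configs": {"xp_cmdshell": 1, "remote access": 1, "Ole Automation Procedures": 0, "Ad Hoc Distributed Queries": 0},
    "sysadmins": ["sa", "CORP\\dba-team", "app_user"],
    "windows_only": 0,
}
HARDENED = {
    "instance": "db2.example.com",
    "logins": [
        {"name": "sa", "is_disabled": 1, "is_policy_checked": 1, "is_expiration_checked": 1},
        {"name": "app_user", "is_disabled": 0, "is_policy_checked": 1, "is_expiration_checked": 1},
    ],
    "configs": {"xp_cmdshell": 0, "remote access": 0, "Ole Automation Procedures": 0, "Ad Hoc Distributed Queries": 0},
    "sysadmins": ["CORP\\dba-team"],
    "windows_only": 1,
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    rule: str
    detail: str


SEVERITY_PENALTY = {"high": 20, "medium": 10, "low": 5}  # assumed scorecard weights

# Surface-area options that should stay off unless there is a documented need.
RISKY_CONFIGS = {"xp_cmdshell": "high", "remote access": "medium",
                 "Ole Automation Procedures": "medium", "Ad Hoc Distributed Queries": "medium"}


def check_logins(snapshot: dict) -> List[Finding]:
    """Enabled sa, and enabled SQL logins exempt from the password policy (weak passwords allowed)."""
    findings = []
    for login in snapshot["logins"]:
        if login["is_disabled"]:
            continue  # a disabled login cannot be used to authenticate
        if login["name"] == "sa":
            findings.append(Finding("high", "sa-enabled", "built-in sa login is enabled"))
        if not login["is_policy_checked"]:
            findings.append(Finding("high", "no-password-policy",
                                    f"{login['name']} is not subject to the Windows password policy"))
    return findings


def check_configs(snapshot: dict) -> List[Finding]:
    """Server options that widen the attack surface and are switched on."""
    return [Finding(sev, "surface-option-enabled", f"{name} is enabled")
            for name, sev in RISKY_CONFIGS.items() if snapshot["configs"].get(name, 0)]


def check_sysadmins(snapshot: dict) -> List[Finding]:
    """SQL logins other than sa that hold the sysadmin role (sa itself is reported by check_logins)."""
    sql_logins = {login["name"] for login in snapshot["logins"]}
    return [Finding("medium", "sql-login-sysadmin", f"SQL login {m} holds sysadmin")
            for m in snapshot["sysadmins"] if m in sql_logins and m != "sa"]


def check_auth_mode(snapshot: dict) -> List[Finding]:
    """Mixed-mode authentication keeps SQL logins usable at all."""
    if snapshot["windows_only"]:
        return []
    return [Finding("low", "mixed-mode-auth", "SQL Server authentication is enabled alongside Windows authentication")]


def scorecard(snapshot: dict) -> dict:
    """Run every check and condense the findings into a 0-100 score plus counts by severity."""
    findings = check_logins(snapshot) + check_configs(snapshot) + check_sysadmins(snapshot) + check_auth_mode(snapshot)
    counts = {sev: sum(1 for f in findings if f.severity == sev) for sev in SEVERITY_PENALTY}
    penalty = sum(SEVERITY_PENALTY[f.severity] for f in findings)
    return {"instance": snapshot["instance"], "score": max(0, 100 - penalty), "counts": counts, "findings": findings}


if __name__ == "__main__":
    for snap in (SNAPSHOT, HARDENED):
        card = scorecard(snap)
        print(card["instance"], card["score"], card["counts"])
        for f in card["findings"]:
            print("  ", f.severity, f.rule, f.detail)
```

The first snapshot scores 15 (three high, two medium and one low finding), the hardened one 100, which is the at-a-glance view a scorecard is meant to give. Storing each snapshot alongside its score, as the bullet on the central repository describes, is what later lets a team see which setting changed between two collections.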
With a strong attack surface management program that includes security tools like SQL Secure, teams can minimize the chances of systems being compromised by cybercriminals.