Continuous attack surface testing is the process of monitoring an organization’s IT ecosystem to identify cyberthreats and risks and provide timely visibility into them. By discovering and monitoring all assets in the IT ecosystem, both known and unknown, security professionals can find the paths of least resistance and the vulnerabilities that attackers could use as an entry point into the organization.
The Center for Internet Security (CIS) Critical Security Controls give pragmatic, actionable recommendations for cyber security. The CyCognito platform maps to 14 of the CIS controls at least partially and provides extensive coverage around inventory of assets, vulnerability and penetration testing, and security of ports and services.
Cyber risk management involves continuously identifying, assessing, and mitigating potential cyber risks as well as understanding their potential impacts. Because cyber risk cannot be effectively managed without a comprehensive view of the overall attack surface, it is vital to have an awareness of all assets and understand their business context.
A cyber kill chain is a series of 7 stages that model the primary actions conducted in a cyberattack. Lockheed Martin developed the cyber kill chain model in 2011 to help cyber defenders identify and prevent the steps of an attack. Other organizations have slightly different models and critics have noted that attackers increasingly flout the cyber kill chain model, but there is broad agreement that organizations should always strive to eliminate potential threats as early as possible in the cyber kill chain.
Another model for the cyber kill chain is the MITRE ATT&CK framework, which provides a detailed catalog of the tactics and techniques attackers use.
The seven phases of the Lockheed Martin model are: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives. An attacker conducts reconnaissance by probing for security gaps themselves (or by purchasing reconnaissance services or results). Once a weak point has been identified, the attacker moves to the weaponization phase and develops (or purchases) a weapon to exploit it, such as a virus or a zero-day. In the delivery phase, the weapon is launched, for example by email, by delivering an infected USB key, via cross-site scripting, or by accessing a system remotely. Once the target is exploited, the attacker can install tools to maintain access, execute actions remotely, cover their tracks, and gather data. During command and control and actions on objectives, data may be exfiltrated, other systems targeted and, in the case of ransomware, data may be encrypted to achieve a “double” extortion: first by selling data or access to criminals, and then by having the victim(s) pay for access to their own systems and data.
Cyber reconnaissance is a cybersecurity term borrowed from the French word “reconnaissance,” meaning “surveying,” and adapted from the military practice of reconnaissance: conducting an exploratory survey of enemy territory.
Attackers use cyber reconnaissance techniques to identify the easiest digital entry points into their targets. Reconnaissance can be passive, where an attacker searches for information without touching the target. It can also be active, where the attacker gains unauthorized access and interacts with the target’s systems to gather information. Many attacks include both types.
When conducted defensively, cyber reconnaissance helps organizations to understand where and how cyberattackers could gain access to their networks.
CVSS (Common Vulnerability Scoring System) is an open framework for expressing the severity of a vulnerability through its principal characteristics, organized into three metric groups: base, temporal, and environmental. Once a numeric score is produced, it is translated into a low, medium, high, or critical severity rating.
CVSS is used worldwide as a standard measurement system for industries, organizations, and governments requiring accurate and consistent vulnerability severity scores. CVSS is owned and managed by FIRST.Org, Inc., a US-based non-profit organization.
CPE (Common Platform Enumeration) is a structured naming scheme for IT systems, software, and packages. The naming scheme is based on the generic syntax of uniform resource identifiers (URI) and includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
The CPE Product Dictionary, hosted and maintained by NIST, provides a publicly available, agreed-upon list of official CPE names in XML format.
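An added example, not from the original page: a parser for the CPE 2.3 formatted-string binding of the naming scheme described above, plus a wildcard match that maps a product pattern onto an asset inventory, which is how dictionary names get tied to discovered assets. The 2.3 binding and the constructed inventory values are assumptions; the entry names neither.

```python
# The 11 attributes of a CPE 2.3 name, in the order they appear after the
# "cpe:2.3" prefix of a formatted string (NIST IR 7695). The glossary entry
# describes CPE generically; the 2.3 formatted-string binding is assumed here.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")
ANY = "*"   # logical value "any"; "-" means "not applicable"


def split_unescaped(s):
    """Split on ':' while keeping backslash-escaped characters (such as an
    escaped colon inside a product name) intact; str.split(':') would not."""
    fields, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # escape pair: copy verbatim
            cur += s[i:i + 2]
            i += 2
            continue
        if s[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += s[i]
        i += 1
    fields.append(cur)
    return fields


def parse_cpe(name):
    """Parse a CPE 2.3 formatted string into a dict of its 11 attributes."""
    fields = split_unescaped(name)
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"not a well-formed CPE 2.3 name: {name!r}")
    return dict(zip(ATTRS, fields[2:]))


def matches(pattern, target):
    """True when each attribute of `pattern` is ANY or equals the target's
    (comparison is case-insensitive, as CPE names are)."""
    return all(pattern[a] == ANY or pattern[a].lower() == target[a].lower()
               for a in ATTRS)


def find_affected(inventory, pattern):
    """Names in `inventory` (CPE strings) that fall under the wildcard `pattern`."""
    p = parse_cpe(pattern)
    return [n for n in inventory if matches(p, parse_cpe(n))]


# Constructed sample inventory: fictional vendor and products for illustration.
INVENTORY = [
    "cpe:2.3:a:example_corp:widget\\:pro:1.2.0:*:*:*:*:linux:x64:*",
    "cpe:2.3:a:example_corp:widget\\:pro:2.0.1:*:*:*:*:windows:x64:*",
    "cpe:2.3:o:example_corp:router_os:4.1:*:*:*:*:*:arm:*",
]
```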
CVE (Common Vulnerabilities and Exposures) is a database of publicly disclosed security vulnerabilities and exposures in publicly released software packages. It is a system that helps IT professionals coordinate their efforts to prioritize and address vulnerabilities and make computer systems more secure. It was launched in 1999 and is currently operated by the National Cybersecurity FFRDC, funded by the US National Cyber Security Division.
Cloud security is a broad term referring to the tools and processes organizations use to protect assets and data stored in the cloud from cyberattacks and threats. This also includes data processed by cloud workloads and anything housed in Software-as-a-Service (SaaS) applications.
There are different types of cloud computing categories under the umbrella of cloud security, including:
Public cloud services (public provider), such as Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), or Platform-as-a-Service (PaaS). In these cases, the software may be owned by a third party and the hardware is run by others; only the data is owned by the primary organization.
Private cloud services (public provider), such as a corporation running email on G Suite rather than operating their own email servers. In this case, data and implementation may belong to the corporation, while the responsibility for the infrastructure is the provider’s.
Private cloud services (internal staff), such as IT staff running applications and workloads on servers that aren’t housed elsewhere in the cloud. In this case, the provider may be responsible for the server’s operation, but internal IT staff owns what runs on the servers, including applications and data.
Hybrid cloud services, perhaps the most common category, combine assets, applications, and data from each of the categories above.
The biggest challenge in a cloud security model is the difficulty of pinpointing who is responsible for securing what. Most security solutions advocate a shared responsibility model.