Philosophy of Security, part 7 – Risk Management – What is an “attack surface”?
In part 6 we discussed threats and vulnerabilities, their relationship with each other and with the overall idea of risk. This post is a small side trip to explore a related concept.
That concept, which is often used in the risk analysis of information technology systems, is very closely related to the concept of vulnerability and is called the “attack surface”.
While the term originated in software systems analysis, it is equally applicable to other systems, to processes and to physical assets, and it can be used as a useful abstraction: a different way of thinking about vulnerabilities and their associated potential for exploitation.
To put it simply, an attack surface is a measure or a description of how many features or functions of a system, a process or an asset can be reached by an entity in a way that can be used to discover and exploit a vulnerability in that feature. The attack surface is therefore about reachability: the set of points through which an attacker can interact with the thing we are protecting.
Any attack surface needs to be calculated or estimated in the same context as our threat analysis, that is, the context of our risk management. The same web server has a different attack surface when only staff on the internal network can reach it than when it is exposed to the whole internet; what counts as “external access” depends on who we have decided the threats are.
To illustrate this concept with a couple of simplified examples:
- A physical asset such as a storage warehouse is used for storing valuable electronic goods that we have imported from a land far away. This warehouse has a truck gate, a personnel access door and some windows. The gate and the door have locks on them, while the windows are high up in the walls and have plain glass panes in them. Once the warehouse is locked up for the night, a potential thief appears. What vulnerabilities can the thief exploit to get into the warehouse quietly and efficiently? The thief could exploit a weakness in the locks and unlock the doors, or simply climb up the walls and go in through a window by cutting the glass. Therefore we conclude that the attack surface of the warehouse consists of the gate, the door, the locks on them and the windows.
- A computer system such as a web application server. Here the exposure lies in the fact that an external or unauthorised user has a way to reach various features and functions of the server, via its services, user input fields, interfaces and protocols, and can use them to attempt to subvert the system. Therefore the attack surface of a web server is comprised of the externally accessible user input fields, interfaces, protocols and services.
- A benevolent organisation of some sort (please indulge me here, for the sake of an example) has a process for issuing new energy-efficient entertainment widgets to all citizens of a particular city. They wish to give one to everyone, but only one per person. The only way to get the widget is to fill in a form, which has been sent to each household, and hand it in, in exchange for the item. The attack surface of this process is the form and the form verification sub-process (if any). This is because if there is no way to uniquely identify each form and to weed out duplicate claims, someone could manufacture a number of fake forms and obtain a number of widgets.
Reduction of attack surfaces.
The basic response to the “features” included in an attack surface is reduction: removal of external access to the potentially vulnerable points of the system, process or asset. This reduces the number of potentially vulnerable entry points, but it does not mitigate the damage that can be done if a vulnerability in one of the remaining entry points is found and exploited. Reduction is therefore not a substitute for fixing the vulnerabilities in the entry points that must stay open.
This can be done for existing systems, processes and assets:
- In the case of the web server we might choose to disable or block access to unnecessary services and protocols, and remove any unused or unnecessary software from the server.
- In the case of the warehouse we might choose to fit shutters over the windows, thus removing them as potential points of entry.
- In the case of the process, the name and address of the person claiming the widget could be checked against a form of photo ID and the issue recorded in a database, allowing fake claim forms to be detected and dealt with.
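To make the web server case concrete, here is an added example (not code from the original post) of the first practical step of reduction: enumerating the services the host actually exposes to the network, which is the usual way of measuring the network part of a host's attack surface before deciding what to disable, bind to loopback or firewall off. It parses the text that `ss -lntup` prints on Linux; the sample output below is constructed for the example, not captured from a real host, and the allow-list of services the host is supposed to offer is an assumption.

```python
"""Inventory of listening sockets: the network part of a host's attack surface.

Added example for this post (not code from the original article). It reads the
text that `ss -lntup` prints on Linux; SAMPLE_SS_OUTPUT below is constructed,
not captured from a real host, and EXPECTED_SERVICES is an assumed allow-list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the format of `ss -lntup` (process names need root to show).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      511             [::]:443          [::]:*    users:(("nginx",pid=812,fd=7))
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=640,fd=5))
tcp   LISTEN 0      128          0.0.0.0:6379      0.0.0.0:*    users:(("redis-server",pid=701,fd=6))
tcp   LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=455,fd=3))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=402,fd=5))
"""

# Assumed allow-list: the services this host exists to offer to the outside world.
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

PROCESS_RE = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # bind address as printed by ss, IPv6 brackets stripped
    port: int
    process: str   # owning process name, or "?" if ss did not show one


def parse_ss(text):
    """Parse `ss -lntup` output into Listener records (header and blank lines skipped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        local = fields[4]                      # e.g. "0.0.0.0:80" or "[::]:443"
        addr, _, port = local.rpartition(":")
        match = PROCESS_RE.search(line)
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def is_exposed(addr):
    """True if a socket bound to addr is reachable from other hosts.

    0.0.0.0, :: and "*" mean every interface; loopback means local processes only.
    Anything we cannot parse is treated as exposed, the conservative default."""
    if addr == "*":
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def network_attack_surface(listeners):
    """The externally reachable subset of the listeners, in the order ss printed them."""
    return [l for l in listeners if is_exposed(l.addr)]


def reduction_candidates(exposed, expected):
    """Exposed services not on the allow-list: disable them, bind them to loopback
    or firewall them, as the reduction step above suggests."""
    return [l for l in exposed if (l.proto, l.port) not in expected]


if __name__ == "__main__":
    exposed = network_attack_surface(parse_ss(SAMPLE_SS_OUTPUT))
    for l in exposed:
        flag = "" if (l.proto, l.port) in EXPECTED_SERVICES else "  <- reduce"
        print(f"{l.proto}/{l.port:<5} {l.addr:<10} {l.process}{flag}")
```

On a real host, run `ss -lntup` as root and feed its output to `parse_ss`. Note that the postgres listener on 127.0.0.1 is not counted: it is still a vulnerability if the database has one, but it is only reachable by something already on the host, so it sits outside the externally accessible attack surface in this context. The network sockets are only part of the picture; the user input fields, interfaces and protocols of the applications behind those sockets need their own inventory.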
Being able to measure the attack surface of a system, process or physical asset during development also leads to a more secure product:
- A new warehouse design could eliminate windows, thus eliminating them as an access point (a potential vulnerability).
- In the case of a web application that is under development, the attack surface analysis will identify all the externally accessible user input fields, and the programmers can then add input validation routines on those fields, reducing the risk of exploitation and resulting in a more secure system. Better still, any input field the analysis shows to be unnecessary can be removed altogether, which takes it out of the attack surface rather than merely hardening it.
- In the case of business process development, we might require that each form has a randomised serial number printed on it, and that these numbers be recorded so that each form can be verified (perhaps in an automated fashion, to save form processing time and effort) at the time it is handed in. This would prevent faked forms from being used to claim more than one widget per person. The serial numbers must be randomised rather than sequential, since a sequential number lets a forger guess valid ones, and a number that is recorded but never checked at hand-in adds nothing.
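The last two points can be shown together in one worked example, added here and not code from the original post: the claim form is handed in through a small verification routine that first applies allow-list validation to the form's fields (rejecting unexpected fields outright, since every accepted field is attack surface), then checks the randomised serial number against the registry recorded at issue and lets it be redeemed only once. The field names, the serial format, the binding of each serial to the household address it was posted to, and the in-memory registry are all assumptions made for illustration.

```python
"""Claim-form issue and verification for the widget process described in the post.

Added example, not code from the original article. Field names, serial format,
the serial-to-address binding and the in-memory registry are assumptions.
"""
import re
import secrets
from dataclasses import dataclass, field

SERIAL_BYTES = 8                                  # 64 random bits: guessing a valid serial is hopeless
SERIAL_RE = re.compile(r"^[0-9a-f]{16}$")        # exactly what secrets.token_hex(8) produces
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,79}$")
ALLOWED_FIELDS = {"serial", "name", "address"}    # the only fields the process needs


@dataclass
class Registry:
    """Assumed registry: serials recorded at issue, and the ones already redeemed."""
    issued: dict = field(default_factory=dict)    # serial -> household address it was posted to
    redeemed: set = field(default_factory=set)

    def issue(self, address):
        """Print a form for one household: an unguessable serial, recorded before posting."""
        serial = secrets.token_hex(SERIAL_BYTES)
        self.issued[serial] = address
        return serial


def validate_fields(form):
    """Allow-list validation of the submitted fields; returns a list of problems.

    Unknown fields are rejected rather than ignored, so that nothing downstream can
    ever be reached through a field the process never meant to accept."""
    errors = []
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        errors.append(f"unexpected fields: {sorted(unexpected)}")
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")
    if "serial" in form and not SERIAL_RE.match(form["serial"]):
        errors.append("serial has wrong format")
    if "name" in form and not NAME_RE.match(form["name"]):
        errors.append("name has wrong format")
    if "address" in form and not 1 <= len(form["address"]) <= 200:
        errors.append("address has wrong length")
    return errors


def redeem(registry, form):
    """Hand in a form. Returns (accepted, reason); validation runs before any lookup."""
    errors = validate_fields(form)
    if errors:
        return False, "; ".join(errors)
    serial = form["serial"]
    if serial not in registry.issued:
        return False, "unknown serial (forged form?)"
    if serial in registry.redeemed:
        return False, "serial already redeemed (duplicate claim)"
    if registry.issued[serial] != form["address"]:
        return False, "serial was not issued to this address"
    registry.redeemed.add(serial)
    return True, "widget issued"


if __name__ == "__main__":
    reg = Registry()
    serial = reg.issue("12 Example Street")
    claim = {"serial": serial, "name": "Ada Lovelace", "address": "12 Example Street"}
    print(redeem(reg, claim))                                   # accepted
    print(redeem(reg, claim))                                   # duplicate, rejected
    print(redeem(reg, {**claim, "serial": "0" * 16}))           # forged, rejected
    print(redeem(reg, {**claim, "admin": "1"}))                 # unexpected field, rejected
```

The two checks fail in different ways on purpose: a forged form fails because its serial was never issued, and a photocopied genuine form fails because its serial has already been redeemed. Either way the attacker's effort in manufacturing forms buys nothing, which is what the form verification sub-process exists to guarantee.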