Attack surface, and you… Friday rant.

Complex System Definitions

What is Attack Surface?

Imagine you and a few friends are in a snowball fight.

Let’s say target number 1 is 4′9” tall and weighs 75 lbs.

Let’s say target number 2 is 6′2” tall and weighs 290 lbs.

Now you start throwing snowballs.

Who are you more likely to hit, Skinny Bob, or Big-A$$ Charlie?

In the Infosec space, we refer to this as Attack Surface.

We measure its size by counting the installed software and the exposed services of an information system: every package, listening port, interface and account is one more thing an attacker can throw at.

Mitigation

Say Big-A$$ Charlie hates getting hit by snowballs.

Now, unless he gets some major plastic surgery and possibly significant amputations, he’s still going to be a pretty easy target.

But in the IT space things are a little different.

We have the ability to decrease the attack surface with little loss in capability: uninstall what isn’t used, disable the services nobody needs, and bind what remains only to the interfaces that actually need it.
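To make that measurable, here is an added example (my code, not part of the original post) that takes a host’s listening sockets in the layout of `ss -lntu`, scores the attack surface by how reachable each listener is, and then computes the smallest configuration that still serves what the host is required to serve. The socket listing, the process-to-package map, and the `REQUIRED` / `LOCAL_ONLY` sets are constructed assumptions for the demonstration, not output captured from a real system.

```python
"""Measure a host's attack surface from its listening sockets and installed
packages, then compute the minimal configuration that keeps required
capability. Added example, not code from the original post; the socket
listing and package mapping below are constructed, not captured."""
from dataclasses import dataclass, replace

LOOPBACK = ("127.0.0.1", "::1")


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposure(self) -> float:
        # A wildcard-bound socket is reachable from every interface; a
        # loopback-bound one only by code already running on the host.
        return 0.2 if self.addr in LOOPBACK else 1.0


# Constructed listing in the shape of `ss -lntu`, with the process column
# simplified to a bare name (real `ss -p` prints users:(("sshd",pid=...))).
SS_BEFORE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         sshd
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         nginx
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         nginx
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*         mysqld
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*         rpcbind
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         smbd
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         snmpd
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*         master
"""

# Constructed: which package provides each listening process.
SERVICE_PACKAGE = {"sshd": "openssh-server", "nginx": "nginx",
                   "mysqld": "mysql-server", "rpcbind": "rpcbind",
                   "smbd": "samba", "snmpd": "snmpd", "master": "postfix"}
# Assumption: what this host must serve to the outside world.
REQUIRED = {("sshd", 22), ("nginx", 443), ("nginx", 80)}
# Assumption: services only local code talks to; keep them off the wildcard.
LOCAL_ONLY = {"mysqld"}


def parse_ss(text: str) -> list[Socket]:
    """Parse ss-style rows into Socket records; the header row is skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        addr, _, port = fields[4].rpartition(":")
        sockets.append(Socket(fields[0], addr.strip("[]"), int(port), fields[6]))
    return sockets


def network_score(sockets: list[Socket]) -> float:
    """Exposure-weighted count of listeners: the number to drive down."""
    return round(sum(s.exposure for s in sockets), 1)


def reduce_surface(sockets, packages, required, local_only):
    """Keep required listeners, rebind local-only ones to loopback, disable
    the rest and purge their packages. Returns (sockets, packages, plan)."""
    kept, plan = [], []
    for s in sockets:
        if (s.process, s.port) in required or s.addr in LOOPBACK:
            kept.append(s)
        elif s.process in local_only:
            kept.append(replace(s, addr="127.0.0.1"))
            plan.append(f"rebind {s.process}:{s.port} to 127.0.0.1")
        else:
            plan.append(f"disable {s.process} (port {s.port})")
    gone = {s.process for s in sockets} - {s.process for s in kept}
    purge = {SERVICE_PACKAGE[p] for p in gone if p in SERVICE_PACKAGE}
    plan += [f"purge package {pkg}" for pkg in sorted(purge)]
    return kept, [p for p in packages if p not in purge], plan


if __name__ == "__main__":
    before = parse_ss(SS_BEFORE)
    pkgs = sorted(SERVICE_PACKAGE.values())
    after, pkgs_after, plan = reduce_surface(before, pkgs, REQUIRED, LOCAL_ONLY)
    print(f"before: {len(before)} listeners, score {network_score(before)}, "
          f"{len(pkgs)} packages")
    for step in plan:
        print("  -", step)
    print(f"after:  {len(after)} listeners, score {network_score(after)}, "
          f"{len(pkgs_after)} packages")
```

Run it and the constructed host drops from eight listeners (seven on the wildcard address) and seven packages to five listeners (three exposed) and four packages, while still answering SSH and HTTP/HTTPS exactly as before. The same idea scales to a fleet: feed the parser real `ss` output, keep the required set under version control, and treat any growth in the score as a change that needs a justification, which is the cost-benefit discussion the rest of this post is about.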

Rant

So why don’t we?

Convenience.

Niels Ferguson and Bruce Schneier, in their book “Practical Cryptography”, state:

“There are no complex systems that are secure.  Complexity is the worst enemy of security, and it almost always comes in the form of features or options.”

We need to quit thinking about security as something we can address whenever we get an IDS alert.

Security should be pervasive.

It must influence decisions from the start of a project.

When we do a project, we look at cost-benefit.

Security issues can pose significant costs.  Ask any company with a large data breach…

It’s time to quit acting like a bunch of little sissies and start taking this stuff seriously.

I can assure you, motivated and financially backed attackers are…

Bill
