The Incredible Expanding Attack Surface

GOT YOUR CUSTOMERS’ PCS AND SERVERS safely protected against the latest security threats? Good! Now what about their fish tanks?

That’s right, fish tanks. In a much-discussed incident disclosed last year by security vendor Darktrace, hackers once worked their way past network defenses at a casino through a vulnerability in an aquarium equipped with an internet-enabled thermometer. Hard to blame the casino’s IT provider for failing to anticipate that exploit. These days, attacks are coming at companies large and small from some pretty unusual places.

“You have all kinds of technology entering the office, whether it’s refrigerators, or light bulbs, or keyless entry systems, [or] security cameras,” says Robert Boles, president of BLOKWORX, a managed security service provider in Reno, Nev. Moreover, he adds, the companies that make those devices tend to be far more interested in minimizing time to market than in sealing out would-be intruders.

The upshot for channel pros, of course, is a significantly bigger and more varied attack surface to monitor and protect. Shielding clients from today’s continually proliferating threat vectors is possible just the same, experts say, with the help of some new tools and old best practices.

Unacknowledged Entry Points

Ironically but perhaps predictably, the technologies responsible for the worst of today’s new risks are the same ones empowering businesses with potent new capabilities. Take cloud computing, for example. Microsoft’s Office 365 productivity suite gives users anytime, anywhere access to information and other people, but also offers cybercriminals a rich new set of data repositories to target. You’re not just getting email with Office 365, observes John Pescatore, a director at research and training organization SANS Institute who studies emerging security trends.

“You’re getting OneDrive, which is storage in the cloud. You’re getting SharePoint. You’re getting all these other services, and other ways users can inadvertently leave sensitive data [exposed],” he says.

Thanks to the Internet of Things (IoT), meanwhile, everything from thermostats and whiteboards to heating systems and fire alarm panels are now potential entry points for uninvited intruders as well. “They can use that as a launching point to get to the rest of your network, get on your desktops and your phones from there and maybe into your access points, and then be able to monitor all of the internet traffic, including when you log into your bank account,” notes Richard Stiennon, chief research analyst at security consultancy IT-Harvest.

Breaching IoT hardware is often all too easy, moreover, thanks to weaknesses like default passwords that vendors say nothing about and users neglect to change. Boles, for example, recalls logging into a video surveillance system installed for one of his clients by another technology provider and finding 12 previously unknown administrator accounts in use. “The very thing that they had brought in to secure their environment was actually making them more vulnerable because the cameras that they were watching were also available to the world to watch,” he observes.

Test, Isolate, and Restrict

Boles and other security specialists point to a number of techniques channel pros can use to combat threats like that. For starters, look for every opportunity to shrink the attack surface by retiring systems no one really needs. “There’s on-premise gear that is just kept around for no compelling business reason whatsoever,” observes Ian Trump, chief technology officer for Octopi Managed Services, a Canadian managed security service provider and U.K.-based cyberthreat research lab.