When we security types talk about “attack surface” or “threat surface,” we mean the parts of our technology environment that an attacker can reach and potentially exploit: every exposed service, interface, account and piece of software is a potential way in.
Think of your skin. We wear clothing to protect it from the sun’s harmful rays. A construction worker wears heavy leather to guard against wounds from tools and sharp materials. A cook wears an oven mitt to avoid burns. Any skin we leave exposed is vulnerable to these threats. We often deliberately accept these risks—for example, wearing just a swimsuit to the beach—sacrificing some security for some enjoyment and versatility. Ideally, we use good judgment and make a sensible, balanced risk decision. We can also use compensating safeguards (e.g., sunscreen) to limit the downside risk of our decision.
Each of us has a technical “skin” in our personal and professional lives, made up of the technology we use on a daily basis. If I install a convenient new utility on my MacBook or phone, that becomes part of my skin and yet another place for threat actors to target if I don’t protect it. I have to decide if the convenience is worth that risk. Similarly, if I install software on a server that communicates with the Internet, or even one that is reachable only from internal corporate networks, that becomes part of the company’s attack surface. Is it worth it? What compensating protections can we put in place? What steps must I take to stay on top of any security bulletins for this software? We need to ask these questions in every situation.
There’s no one-size-fits-all answer to these questions—it depends on the technology in question and the risks and benefits it poses. But here are some general steps to take whenever implementing new technology:
- Have a conversation with your security team first. They may already be aware of pitfalls with a given technology, or know of existing functionality your organization already has in-house.
- If the software/service involves authentication, enable two-factor (2FA) or multi-factor (MFA) authentication. Use a long, unique password that you don’t use anywhere else (a password manager makes this painless).
- Sign up for the software’s official communication channel (security announcements list, release notes, social media feed, etc.) so you’ll be alerted when a vulnerability is discovered and can take swift action.
- Disable features you don’t need. If the software runs on a server but doesn’t need Internet access, disable that access or block it with a host or network firewall. If it listens on a network port only to serve local processes, bind it to localhost. If it has a cloud feature you don’t need, disable it.
- Once you stop using the software, uninstall it, and remove any accounts, API keys and firewall rules you created for it.
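The steps above only work if you know what is actually exposed. A quick way to inventory the network-facing part of a server’s attack surface is to list its listening sockets and compare them against the services the host is supposed to offer. The script below does that for Linux `ss -lntu` output. It is an added example, not code from the original post; the `ss` output it parses is constructed for illustration, and the allowlist `ALLOWED_EXPOSED` is a hypothetical policy for the host.

```python
"""Inventory network-exposed listeners from `ss -lntu` output and flag any
that policy does not account for (candidates to disable, bind to localhost,
or firewall). Added example; sample data below is constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of `ss -lntu` output from a hypothetical Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:9200        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323         0.0.0.0:*
"""

# Hypothetical policy: the only (protocol, port) pairs this host should expose.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 443)}

# Sockets bound here are reachable only by local processes.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        # Anything not bound to loopback is reachable from some network.
        return self.addr not in LOOPBACK


def parse_ss(output: str) -> list[Listener]:
    """Parse listening sockets from `ss -lntu` text (tcp LISTEN / udp UNCONN)."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if (proto, state) not in {("tcp", "LISTEN"), ("udp", "UNCONN")}:
            continue  # skips the header line and non-listening states
        # rpartition handles both "0.0.0.0:22" and "[::]:22".
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_exposure(listeners: list[Listener],
                        allowed=ALLOWED_EXPOSED) -> list[Listener]:
    """Exposed listeners the policy does not account for."""
    return [l for l in listeners
            if l.exposed and (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    for l in unexpected_exposure(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener: {l.proto}/{l.port} bound to {l.addr}")
```

On the sample data this reports `tcp/9200` and `udp/161` on all interfaces, while the PostgreSQL and chrony sockets on `127.0.0.1` are left alone because they are not network-exposed. Each flagged entry is a decision point of exactly the kind the list above describes: remove the feature, bind it to localhost, or put a firewall rule in front of it.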
Does this mean information security is always your job? Well, yes! But there are certain broad safeguards your security team can put in place for your whole organization. These safeguards can limit what you are able to do in your environment, but sometimes the risk is great enough to justify that cost.