The 2021 Deloitte Digital Transformation Executive Survey offers more data supporting the already widely accepted idea that “digitally mature companies” are more resilient in weathering crises and more agile in dealing with changes and challenges. The survey also shows that these companies perform better financially.
However, as companies proceed further with digital transformation, they also increase their exposure to cyber-attacks. The digitalization of more aspects of operations creates new attack surfaces. These new possible attack points should never be ignored or downplayed, as they can nullify the benefits of going digital.
Expanding cyber-attack surfaces
Cyberattack surfaces refer to the paths threat actors take to gain access to a system by exploiting vulnerabilities. They are different from cyberattack vectors, which are the ways or techniques used to access or penetrate a system; however, both are crucial in attack surface management. Organizations need cyber attack management systems that are capable of monitoring attack surfaces and detecting and stopping attack vectors.
Protecting systems is not as easy as plugging attack surfaces to prevent attacks. Installing perimeter protection does not always work. Defending these attack surfaces requires a sophisticated way of regulating traffic, not a simple blocking of all data transfer or communications.
The complexity of attack surface management is demonstrated by the challenges organizations encounter as they go further with their digital transformation initiatives. In particular, the following additional attack surfaces emerge:
Software supply chains
As organizations turn to third-party software and software-as-a-service solutions, it becomes more difficult to evade cyberattacks, especially those perpetrated by advanced persistent threat (APT) actors. The use of multiple software products for different aspects of operations broadens the possibilities for more successful, discreet attacks that take advantage of vulnerabilities in the software supply chain.
The National Institute of Standards and Technology (NIST) lists three common attack techniques aimed at supply chains. These techniques may be used together or independently, depending on the opportunity threat actors find.
- Hijacking of software updates – Software vendors regularly send out updates or patches to the users of their products through a central server. Threat actors can hijack the server to send out malware to all customers.
- Undermining of code signing – Code signing refers to the process of digitally signing executables and scripts to verify their author and ensure that they have not been tampered with, modified, or corrupted. This technique is related to the hijacking of updates. When cybercriminals undermine code signing, they get to act as legitimate sources of updates for a specific software vendor and push malicious code to the users of the software. They get to simulate the update server and deceive automated app patching systems into sourcing updates from a contaminated source.
- Compromised open-source code – As the term suggests, open-source software is developed using code from freely available code libraries. Crafty cybercriminals can add malicious scripts to open-source code libraries, which may then be picked up by open-source app developers. In turn, these developers unwittingly insert malicious code into their projects and send out harmful code to users.
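One defensive control that addresses the first and third techniques is digest pinning: the consumer records the SHA-256 of each reviewed artifact in its own repository and refuses anything that differs, so a hijacked update server or a modified library cannot substitute content unnoticed. The sketch below is an added example, not code from NIST or the article; the artifact names and contents are constructed, and it complements signature verification rather than replacing it.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifacts(pinned: dict, downloaded: dict) -> dict:
    """Classify downloaded artifacts against pinned digests.

    pinned:     name -> expected SHA-256 hex, taken from a reviewed lockfile
                kept by the consumer (assumption: never fetched from the
                same server that delivers the artifacts).
    downloaded: name -> raw bytes as received from the distribution point.
    """
    report = {"ok": [], "mismatch": [], "unpinned": [], "missing": []}
    for name, blob in sorted(downloaded.items()):
        expected = pinned.get(name)
        if expected is None:
            # Extra package nobody reviewed: treat as a failure, not a warning.
            report["unpinned"].append(name)
        elif hmac.compare_digest(sha256_hex(blob), expected.lower()):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # A pinned artifact that never arrived may indicate a stripped update.
    report["missing"] = sorted(set(pinned) - set(downloaded))
    return report


def safe_to_install(report: dict) -> bool:
    return not (report["mismatch"] or report["unpinned"] or report["missing"])


# Constructed sample data: two reviewed artifacts and their pins.
GOOD_LIB = b"def parse(x):\n    return x.strip()\n"
GOOD_UPDATE = b"agent update 1.2 payload"
PINNED = {
    "libparse-1.0.tar.gz": sha256_hex(GOOD_LIB),
    "agent-update-1.2.bin": sha256_hex(GOOD_UPDATE),
}
# Constructed delivery in which the library was altered and a package added.
TAMPERED = {
    "libparse-1.0.tar.gz": GOOD_LIB + b"import os  # injected line\n",
    "agent-update-1.2.bin": GOOD_UPDATE,
    "helper-0.1.tar.gz": b"unexpected extra package",
}

if __name__ == "__main__":
    print(verify_artifacts(PINNED, TAMPERED))
```

Pinning only detects changes made after the pin was recorded; code that was already malicious when it was reviewed and pinned passes this check.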
Internet of Things
According to McKinsey, around 25 percent of businesses use IoT devices, and this number is projected to increase to 43 percent in 2023. These devices include smart thermostats that regulate the central AC system in a building, advanced door or entry/exit controls, motion detectors, and activity trackers. Organizations are also using smart speakers, connected appliances, biometric cybersecurity scanners, smart light bulbs, smart factory equipment, assembly line robots, and various other smart devices.
These web-connected devices with microcomputers in them are viable targets for threat actors. They can be used to gain remote access to networks or accessed physically to aid the penetration of cyber defenses. Also, they can be hijacked to serve as bots for DDoS campaigns.
IoT devices are quite difficult to secure. Cybersecurity and emerging technologies thought leader Chuck Brooks, in an article on Forbes, explains the daunting challenge of securing Internet-of-Things devices. “Each IoT device represents an attack surface that can be an avenue into your data for hackers…and unlike laptops and smartphones, most IoT devices possess fewer processing and storage capabilities,” Brooks writes. This memory and processing capability limitation makes it hard to install antiviruses, firewalls, and other security controls within the devices.
Industry 4.0
Industry 4.0 or the Fourth Industrial Revolution (4IR) refers to the rapid change in technology, industries, and societal patterns induced by greater interconnectivity and automation. This entails the greater use of advanced robotics, artificial intelligence, and other technologies that boost efficiency and add new capabilities.
In other words, organizations adopt more sophisticated systems that require advanced proficiency to safeguard against cyber threats. The complexities of the software used and greater technical work involved in maintaining systems make it challenging to protect an organization’s IT assets and infrastructure, especially in view of the global shortage of cybersecurity skills.
To adequately protect systems under the Industry 4.0 paradigm, having a competent point person to handle cybersecurity needs is not optional. It is crucial to have a team to oversee the deployment and maintenance of an organization’s cyber defenses. It is not as easy as installing antiviruses to protect computers or having firewalls turned on. Organizations need to regularly monitor threats and proactively respond to them. Static protections and conventional security controls will not suffice.
Improving defenses
Attack surface management is the key to addressing the rise of new or more complex cyber-attack surfaces. Organizations can do this through a three-step process that starts with the discovery of all potential attack surfaces to comprehensively account for everything an organization owns and should secure. It is then followed by the analysis of the IT infrastructure and asset discovery to detect vulnerabilities, risk areas, misconfigurations, as well as exploitable organizational information. The third step is the mitigation of the vulnerabilities, security controls validation, and the examination of cyberattack vectors.
When it comes to the evaluation of attack vectors, it helps to take advantage of globally accessible threat intelligence and frameworks, particularly MITRE ATT&CK, which provides comprehensive and up-to-date information about the latest adversarial tactics and techniques. There are cybersecurity platforms that automate and simplify the whole process of attack surface management. They also integrate cybersecurity frameworks like MITRE ATT&CK. It would be a significant boost for organizational cybersecurity posture to use these platforms.
A good attack surface management solution covers everything from the new threats involving software supply chains to the new vulnerabilities posed by the use of IoT devices and the move towards Industry 4.0. The Industry 4.0 situation is particularly important, as it represents various elements of the more prevalent use of technology in organizations.
A Deloitte paper on Industry 4.0 and cybersecurity offers a salient reminder on this. “For cyber risk to be adequately addressed in the age of Industry 4.0, cybersecurity strategies should be secure, vigilant, and resilient, as well as fully integrated into organizational and information technology strategy from the start,” the paper states, emphasizing the need to be secure, vigilant, and resilient.
Digital transformation is still the right way to go
Digital transformation has its challenges. Many may have a hard time adapting to the changes and the difficulties along the way. However, it is still the best option for all kinds and sizes of organizations. Instead of avoiding or delaying it, the better response is to face the challenges head-on, particularly in the area of cybersecurity, by using the right tools, developing sufficient cybersecurity proficiency among security teams, and developing adequate cybersecurity know-how for the rest of the people in an organization.