
Further Examination into External Attack Surface

Reducing Attack Surface Decreases Security Risk

In my previous write-up I explained why tracking digital assets is important, and listed some methods to get started with it. I trust that once you read it, you immediately set off to gather a list of your IP and domain assets. Since then, Tuomas Haarala has further elaborated on discovery methods from a systems administrator perspective in a write-up of his own. Armed with these tools, we can now venture further into the realm of attack surface reduction.

This write-up concentrates on the process of moving from cataloguing assets to having an idea of the attack surface involved. As laid out in my previous post, the steps in this process are:

1. Research the attack surface, i.e. the open services, related to these assets.
2. Determine whether there is something that needs fixing within these services.

This write-up focuses on the first step; the second will be covered in a follow-up.


Management Interfaces - Attack Surface Hidden in Plain Sight

A management interface, who is it for?

Modern web-based management interfaces help with the economy of scale. If you are a software vendor making a solution, supporting it is easier with clearly defined UI options than by debugging obscure configuration file parameters. If you are an end user, a management interface is there to make life easier for you as well. Having a management interface helps you:

- deploy the solution
- make complex changes to it
- generate management-level reporting for the key KPIs

These features often become tender items, and a vendor finds itself in a position where developing a web UI for management is a must-have instead of a nice-to-have. Too often, features are implemented in software through a tick-box comparison: the rationale is that we must have them because our competitor has them. Whether the features actually serve the customer and their business function does not really matter.
