Your Attack Surface Is Expanding in 2024—Here’s Why

Attack surface expansion is not just another industry buzzword but a glaring reality with serious implications. It’s no wonder, therefore, that three of Gartner’s top cybersecurity trends for 2023 (i.e., cybersecurity platform consolidation, security operating model transformation, and composable security) aim to cover organizations’ expanding attack surfaces.

Paying close attention to the major contributors to attack surface expansion can equip organizations in anticipating and addressing the risks they pose. As people say, forewarned is forearmed. So here are some business trends that are expanding attack surfaces and how they can be mitigated.

Top Drivers of Attack Surface Expansion in 2024

Most if not all business decisions are made with preservation and growth in mind. Cloud migration and remote work improve employee productivity and reduce costs. Mergers and acquisitions (M&As), meanwhile, provide opportunities for growth and increasing one’s market share.

However, these and other strategic moves have underlying consequences in threat exposure. They inevitably expand attack surfaces, adding more potential attack entry points.

Ongoing Digital Transformation

Business growth can be exponential when digital transformation is factored in. Done right, digital transformation can lead to immense increases in sales, cost savings, and the bottom line.

But with vulnerability exploitation becoming a common cause of successful cyber attacks, there is a correlation between using more interconnected digital systems and attack surface expansion.

The IT infrastructure that helps organizations improve operational key performance indicators may be the same ones exposing them to cyber attacks. Decision-makers must balance embracing advanced technologies and securing critical systems, affected information, and business processes. That can be achieved notably by improving visibility into all cloud assets, regardless of whether they are active and known, unsanctioned (e.g., shadow IT assets), or forgotten (e.g., decommissioned services).

Remote Work Arrangements

The shift toward remote work during the pandemic introduced new security challenges. Even now, post-pandemic, most employees who can telecommute choose to work from home all the time or opt for a hybrid work situation.

With employees often using personal devices and accessing networks outside the traditional and well-secured corporate environment, the attack surface has grown broader and more complex. The increased use of applications enabling remote work also can become problematic.

Just recently, widespread exploitation of vulnerabilities in remote work software Ivanti Connect Secure and Ivanti Policy Secure were detected. The issue prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue an emergency directive requiring federal agencies and urging all organizations using the products to mitigate the vulnerabilities immediately.

Unlike in the past, CISOs need not sacrifice cybersecurity to enable remote work. Remote work security requires a strategic approach that may combine the following:

• Providing secure corporate devices for remote work that reduces the risk of unmanaged personal devices accessing company data

• Implementing robust remote access solutions with strong authentication protocols

• Offering security awareness training and resources to employees so they can stay vigilant against phishing, fake software downloads, and other security risks

• Putting in place need-to-know access controls for remote workers

• Partnering with cybersecurity vendors for updated attack surface visibility, enabling advanced threat detection and prevention

As hybrid work continues, it’s crucial to have visibility over all exposed assets, including those associated with remote work.

Business Expansion

Favorable macroeconomic factors since Q4 2023 led to an optimistic outlook for M&As in 2024, with growth potential compared to the previous year. Business leaders will continue to pursue M&As to open up organizations to market expansion, diversification, and other opportunities.

As executives and dealmakers perform in-depth analyses of the business value of an M&A, CISOs should also assess the security risks that the target company may bring in. Inherited assets, systems, networks, and workforces can also become inherited liabilities. And it’s crucial to gain a comprehensive view of these potential risks early on. The key is to ask the right questions before sealing the deal, including:

• What security processes and systems are in place?

• How many employees are there, and what are their levels of access and security awareness?

• How many connected IP addresses are there? What are they used for?

• Are there open ports, expired Secure Sockets Layer (SSL) certificates, decommissioned cloud services, unused subdomains, and other web-facing vulnerabilities?

Knowing precisely what they are acquiring enables organizations to avoid unexpected costs from security risks and threat exposure. Organizations must perform a thorough security analysis of a target company’s overall digital infrastructure, including all public-facing assets and touchpoints, and determine any weakness, misconfiguration, or vulnerability.

All of these are critical parts of due diligence, considering that threat actors are drawn to M&A deals because of the vast volume of information released to the public about both buyers and sellers.

Software Supply Chain

Using third-party suppliers and vendors enables organizations to tap into specialized expertise so they can focus on their core competencies. However, to mobilize third-party services, organizations often need to create web application endpoints or open new ports to allow vendors to communicate with their systems. These are potential entry points for threat actors, too. Even worse, a vulnerability in a widely used software can grant attackers access to multiple organizations simultaneously.

Last year’s data breach on Okta’s support management system is one of the most recent and glaring examples. Threat actors created and downloaded a report that contained the names and email addresses of all customer support system users, some of whom were Fortune 500 companies and government agencies.

As a significant contributor to attack surface expansion, software supply chain risk management must go beyond traditional vendor assessment. While questionnaires and audits provide in-the-moment snapshots of a vendor’s security posture, they may not capture ongoing changes or new vulnerabilities. To effectively mitigate supply chain risks, organizations need to elevate vendor security assessment with:

• Increased visibility into all assets connected to the third-party ecosystem, including those owned by the vendors

• Risk prioritization based on the third party’s potential impact on the organization, considering the type of data and systems they have access to

• Automated vendor risk assessment of all potential suppliers for consistency in gathering security information

• Continuous monitoring of the vendor’s attack surface for early identification of new vulnerabilities, misconfigurations, and suspicious activities

• Clear end-of-contract guidelines emphasizing the need to surrender account access and decommission relevant services

As threat actors increasingly favor supply chain attacks to obtain sensitive data, thorough vetting of suppliers from the onset and throughout the duration of the client-vendor relationship has become more urgent than ever.

Your Role in Managing Attack Surfaces

Mitigating risks and building a secure and resilient environment are huge responsibilities in light of expanding attack surfaces. Nonetheless, there are concrete steps you can take which start with the following:

Obtain and Maintain Attack Surface Visibility

Up-to-date and automated visibility over all connected infrastructure components tied to technological advancements, workforce arrangements, business expansion, and third-party connections is essential for effective defense. That means constantly mapping all your assets, identifying vulnerabilities, and understanding your risk posture, considering the current and evolving threat landscape.

Risk Assessment and Prioritization

Efficient attack surface management goes beyond simply knowing what’s there. Regular risk assessment is necessary to prioritize risks based on their severity, potential impact, and exploitability. That way, you can focus your resources on vulnerabilities that could cause the most damage, such as those affecting critical systems or storing sensitive data.

Build a Security-Aware Culture

Some attack surface expansion contributors are beyond your direct control, such as the supply chain. While you can map out third-party assets connected to your IT infrastructure, it may be challenging to obtain a complete picture of outsiders’ overall security posture.

However, there are also contributors you have a major influence on. You can focus inward on employee behavior by conducting regular cybersecurity awareness training to help minimize risk exposure from remote connections, shadow IT, and insider threats.

Conclusion

As organizations grow and evolve, they take on more Internet-facing digital assets, inevitably leading to an expanding attack surface. While this expansion creates numerous challenges for CISOs, effective attack surface management is key. That begins with gaining constant visibility and a deeper understanding of your attack surface.