Today's lesson, we're going to discuss attack surfaces. Attack surfaces are any way that we can get into a system, anything that an attacker might use to get into a system. So today's objectives are to discuss what attack surfaces are, learn how to find them, and learn how to mitigate them as well.

Systems generally have hardware, software, users, and a location. All of these could be attack surfaces. Each area of a system might be under attack depending on all those different variables.

So let me explain a little bit about how attack surfaces are mitigated. Think about your home, for example. A typical home has windows. It has doors. It has maybe a garage door, which has an interior door as well. Maybe your front door has a screen door on it. So those are points of entry into the home. What about vents? You probably didn't think about those either. All of these are ways that either attackers could get in or something else could get in, let's say wind or dirt or snow, whatever. How do we seal up those cracks? How do we make sure that snow doesn't get in our house when we close the front door? Same thing in systems.

So attack surfaces are any way to get into a system. If we leave default passwords or we have weak passwords in the system, that's like the front door. A password is protecting a system or service from attack so people can't get in. Updates are another way that we're closing that gap on attackers. What if somebody leaves your front door open, or somebody leaves a window open at your home? Do we go around every night and check to make sure everything is closed up? I know I do. It takes me a few minutes, but I go around, make sure that front door is locked, make sure the inside door is locked. We need to do the same thing with our systems. We need to have constant auditing of our systems to make sure all those points of entry are closed.

Common areas of intrusion: insecure passwords. If somebody has a weak password, like I said, it's like the front door.
They can enter that service. So every year there's a list that comes out of the most insecure passwords. For years it's been 123456, followed by 1234567 or 12345678, or password, or admin, or letmein. There are all kinds of passwords on it, but those are weak passwords. We need to make strong passwords to make sure that somebody doesn't get in. Think about how we secure a front door: if we have a cardboard door for our front door, is it easy for somebody to kick it in? So making a strong password is like reinforcing your front door.

What about management ports? Management ports I would consider like the windows in your home. They are ways to let things in and out; they allow breezes to come in and out of your house. Think about a MySQL server with port 3306. Port 3306 allows us to communicate with the server on MySQL; it allows database transactions to happen between systems. If we don't secure that port, lock it down to only what needs access to it (certain systems, for example), and instead let it out to the world, how large is that attack surface? If I open my entire window, can an attacker enter? Probably. But what if I just open it a little crack and have something over that opening that allows us to mitigate that attack?

Configuration pages are also a problem. Let's say that we're installing a service on a Linux system and we forget to take down the installation page. That installation page has a lot of sensitive information on it. So if we leave that page up and don't delete it out of the directory after installation, that's a way for an attacker to get in.

Vulnerable services are another way. Patching your systems regularly alleviates some of that attack surface.

Finally, users that have more access than they should. This goes into least privilege. Only allowing users to access the things that they should have access to limits the overall area where they can exploit the system.
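The weak-password point above, as an added example that is not part of the lecture: a small POSIX shell check that rejects a candidate password if it is shorter than a minimum length or appears on a denylist. The denylist is constructed here from the passwords the lecture names plus one of the same kind; a real deployment would check against a much larger breached-password list.

```shell
#!/bin/sh
# Added example (not the lecture's own material). Rejects a password that is
# too short or that appears on a constructed list of common passwords.

# Constructed denylist, one entry per line: the ones named in the lecture
# plus "qwerty" as another typical entry.
COMMON_PASSWORDS='123456
1234567
12345678
password
admin
letmein
qwerty'

# Minimum length: an assumption for this example, not a value from the lecture.
MIN_LENGTH=12

# check_password <candidate>
# Prints "ok" and returns 0 for an acceptable password; prints a reason and
# returns 1 for a weak one.
check_password() {
    candidate=$1
    # Compare case-insensitively so "Password" and "ADMIN" are caught too.
    lowered=$(printf '%s' "$candidate" | tr '[:upper:]' '[:lower:]')

    if [ "${#candidate}" -lt "$MIN_LENGTH" ]; then
        echo "weak: shorter than $MIN_LENGTH characters"
        return 1
    fi
    # -x: whole-line match, -F: literal string, so "pass" does not match "password".
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qxF -e "$lowered"; then
        echo "weak: on the common-password list"
        return 1
    fi
    echo "ok"
    return 0
}

# Usage: check_password 'correct horse battery staple'
```

The length check runs first because most list entries are short anyway; the denylist then catches long strings that are still guessable because everyone uses them.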
Maybe they do it intentionally. Maybe they do it unintentionally. But it's still a risk; it's still an attack surface.

We have three different kinds of attack surfaces. We have the network attack surface, which really looks at ports, and we can mitigate that with firewalls. Software attack surfaces, like vulnerabilities, we can mitigate with software patches. And the human aspect as well: social engineering. If we train our users to become more vigilant about security, that is mitigating our attack surface.

So in conclusion, attack surfaces can be numerous. We need to be looking at things constantly, just like you look at your home constantly for security, making sure that things are always locked up, always secure. Making sure that the front door's only unlocked when we need it to be unlocked is a best practice at your home. Why wouldn't you do that with your systems?

So let me end with a story. Several years ago we had a server that was providing enterprise video. We actually forgot about it. And it was let outside the firewall because it needed to be let outside the firewall. And we have firewall logs for everything. So when we didn't see that system, we forgot about it. Well, when that service was decommissioned, there was still the vulnerable system out there. And what happened is one day we realized, hey, we're using a lot of bandwidth here, and we dug down and noticed there's this thing sitting out there that is vulnerable. And of course it was compromised. And so we took that off the network. And what did that do? It immediately alleviated our attack surface, because now we had something that was causing us problems and was vulnerable, and we've mitigated it to decrease our attack surface.
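The nightly walk-around the lecture keeps coming back to (checking that the management-port "windows" are shut and that nothing forgotten is listening on the outside) is something you can script. As an added example that is not part of the lecture, the POSIX shell script below reads the kind of listing `ss -ltn` prints on a Linux host, and reports every TCP port that is bound to all interfaces but is not on an allowlist of ports you meant to expose. The sample listing and the allowlist are constructed for this example; on a real host you would feed it `ss -ltn` output instead.

```shell
#!/bin/sh
# Added example (not the lecture's own material). Flags listening TCP sockets
# bound to all interfaces (0.0.0.0 or [::]) whose port is not on the allowlist.
# Loopback-only sockets are ignored: like the interior garage door, they are
# reachable only from inside the house.

# Constructed sample of `ss -ltn` output for a hypothetical server.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*'

# Ports we intentionally expose to the network (an assumption for this example).
ALLOWED_PORTS="22 443"

# exposed_ports <ss-output>
# Prints one port per line for every LISTEN socket bound to all interfaces
# whose port is not in ALLOWED_PORTS.
exposed_ports() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            # The port is the text after the last colon; the host is what precedes it.
            port = addr; sub(/.*:/, "", port)
            host = addr; sub(/:[^:]*$/, "", host)
            if ((host == "0.0.0.0" || host == "[::]" || host == "*") && !(port in ok))
                print port
        }'
}

# audit_count <ss-output>
# Prints the number of unexpectedly exposed ports; 0 means everything is locked up.
audit_count() {
    exposed_ports "$1" | awk 'END { print NR }'
}

# Stand-alone run on the constructed sample: `sh audit.sh --run`.
# On a real host: `exposed_ports "$(ss -ltn)"`.
if [ "${1:-}" = "--run" ]; then
    echo "Unexpectedly exposed ports:"
    exposed_ports "$SAMPLE_SS"
fi
```

On the sample, the MySQL port 3306 and 8080 are reported because they are open to every interface without being on the allowlist, while 6379 is ignored because it only listens on loopback. Running this on a schedule and diffing the output against the previous night is the systems version of checking the doors before bed: a port that appears in the report when it was not there yesterday is exactly the forgotten video server from the story.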