The efficacy of an organization’s cybersecurity program is proportional to the level of awareness of its attack surface. Overlooking just one internet-facing asset could establish an attack vector leading to a devastating data breach.
To learn how to ensure all of your internet-facing IT assets are accounted for in your cyber risk program, read on.
Why Identifying All Internet-Facing Assets is Important
Awareness of all internet-facing assets is important because they serve as potential pathways between threat actors and your internal sensitive information. One of the unavoidable by-products of digital transformation is that every new digital solution you implement introduces new potential attack vectors that slightly expand your attack surface. These potentially exploitable pathways could arise from software vulnerabilities, insecure APIs, cloud security misconfigurations, etc.
An organization’s attack surface is the sum of all potential access points that could lead to a data breach if exploited.
Every IT asset is likely to carry some vulnerability at some point in its lifecycle, and because most assets connect to both the internet and internal data sources, a vulnerability that is discovered and exploited turns that asset into a bridge between cybercriminals and your sensitive data.
Ensuring security teams have complete awareness of all external facing assets in your IT ecosystem should, therefore, be a primary metric in your cybersecurity program.
The criticality of this requirement in the context of data breach prevention has given rise to a dedicated field of cybersecurity known as attack surface management.
Attack surface management is the discipline of continuously discovering, classifying and addressing security risks across an organization's attack surface.
Examples of Internet-Facing Assets
Some examples of internet-facing assets that should be accounted for in attack surface management efforts include:
- Web servers: These are servers that host websites or web applications that can be accessed over the internet using a web browser.
- Cloud services: These are services that are hosted in the cloud and can be accessed over the internet, such as software-as-a-service (SaaS) platforms, infrastructure-as-a-service (IaaS) resources, and platform-as-a-service (PaaS) offerings.
- VPN gateways: These are gateways that allow secure Virtual Private Network (VPN) connections to a network over the internet.
- Firewalls: These are security devices that filter traffic between networks and can be deployed at the network perimeter to protect against internet-based attacks.
- DNS servers: These servers translate domain names into IP addresses and can be targeted by attackers to disrupt network access or redirect traffic.
- Email servers: These servers handle email traffic and can be targeted by attackers to steal sensitive data or compromise user accounts.
- Web applications: These are applications accessed through a web browser over the internet and can be targeted by attackers to gain unauthorized access or steal sensitive data.
- Remote desktop access services: These services allow remote access to desktops or servers over the internet and can be targeted by attackers to gain control of systems.
- Domain controllers: These servers authenticate and authorize user access to network resources and can be targeted by attackers to gain control of user accounts or sensitive data. A domain controller should never be directly reachable from the internet; if one shows up in an external scan, treat it as a critical misconfiguration rather than an expected asset.
- IP addresses: These are numerical identifiers assigned to devices on a network that allow them to communicate with each other over the internet. Public IP addresses and ranges are the unit by which most external scanners enumerate an organization's footprint, so owned but unallocated or forgotten ranges belong in the inventory too.
Three Ways to Identify All of Your Internet-Facing Assets
Identifying your digital assets, a subset of digital footprint mapping, is laborious: mid-market companies see an average of one new domain appear in their footprint daily.
With the following methods in your toolkit, identifying all of your internal and external assets becomes significantly easier.
1. Use an Attack Surface Monitoring Solution
The fastest way to identify all internet-facing assets within your organization and compile them into an asset inventory is to use an Attack Surface Management (ASM) solution like UpGuard. An ASM solution is the best method of automatically identifying your internet-facing assets.
We will use the UpGuard platform to illustrate this process.
An ASM solution starts from the domains and IP addresses linked to your organization and discovers the live hosts behind them using sources such as:
- Active and passive DNS: resolving the names you know about, and mining historical resolution data for names you did not.
- Web archives: historical snapshots that reveal hostnames and URLs no longer linked from your live sites.
When public IP addresses are not yet in use (for example, a range you own but have not yet allocated), specifying the IP range tells the ASM solution to start monitoring any host or subdomain that becomes active within it. This is an excellent way to surface unknown assets, which usually indicate shadow IT.
Once completed, this will establish a baseline for monitoring changes in your asset inventory. Enabling notification for newly discovered domains on the UpGuard platform will inform your security teams of any asset inventory additions in real-time.
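The baseline-and-diff step described above, reduced to its essentials as an added example (not UpGuard's code): a previous inventory snapshot is compared with today's discovery run, each new hostname is checked against the IP ranges the organization owns, and anything outside those ranges is flagged first as a likely shadow-IT asset. The hostnames, addresses and the 203.0.113.0/24 range are constructed for the example; the `resolve` helper shows where live DNS would feed the run.

```python
import ipaddress
import json
import socket

# Constructed sample data (not real scan output): the inventory baseline
# from the previous run and the hostnames resolved in today's discovery run.
BASELINE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "203.0.113.40",
}

TODAYS_DISCOVERY = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "vpn.example.com": "203.0.113.40",
    "staging-api.example.com": "203.0.113.77",  # new, inside an owned range
    "devbox.example.com": "198.51.100.9",       # new, outside every owned range
}

# Public ranges the organisation owns or leases (assumed for the example).
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def resolve(hostnames):
    """Active DNS: resolve each hostname to its first address record.
    Names that no longer resolve are dropped so the diff reports them as gone.
    (Needs network access; the demo below uses the constructed data instead.)"""
    result = {}
    for name in hostnames:
        try:
            result[name] = socket.getaddrinfo(name, None)[0][4][0]
        except socket.gaierror:
            pass
    return result


def in_owned_ranges(ip, ranges=OWNED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def diff_inventory(baseline, current, ranges=OWNED_RANGES):
    """Compare a discovery run against the baseline.

    Returns {"added": [...], "removed": [...], "changed": [...]}.  Each added
    entry records whether its IP sits inside an owned range: an address
    outside every owned range is the classic shadow-IT signal (someone stood
    up a host on infrastructure the security team does not track).
    """
    added = [
        {"host": h, "ip": current[h], "in_owned_range": in_owned_ranges(current[h], ranges)}
        for h in sorted(set(current) - set(baseline))
    ]
    removed = sorted(set(baseline) - set(current))
    changed = [
        {"host": h, "old_ip": baseline[h], "new_ip": current[h]}
        for h in sorted(set(baseline) & set(current))
        if baseline[h] != current[h]
    ]
    return {"added": added, "removed": removed, "changed": changed}


def alerts(report):
    """Render the diff as notification lines, shadow-IT candidates first."""
    lines = []
    for a in report["added"]:
        if a["in_owned_range"]:
            lines.append(f"NEW ASSET  {a['host']} -> {a['ip']} (inside an owned range)")
        else:
            lines.append(f"SHADOW IT? {a['host']} -> {a['ip']} (outside every owned range)")
    for c in report["changed"]:
        lines.append(f"IP CHANGED {c['host']}: {c['old_ip']} -> {c['new_ip']}")
    for h in report["removed"]:
        lines.append(f"GONE       {h} (no longer resolves; confirm it was decommissioned on purpose)")
    lines.sort(key=lambda s: 0 if s.startswith("SHADOW") else 1)
    return lines


if __name__ == "__main__":
    report = diff_inventory(BASELINE, TODAYS_DISCOVERY)
    for line in alerts(report):
        print(line)
    # After review, today's run becomes the new baseline for the next diff.
    print(json.dumps(TODAYS_DISCOVERY, indent=2))
```

The point of the owned-range check is that a new hostname inside your own address space is routine change, while one pointing at an address you do not own is either shadow IT or a dangling name, and both deserve a human look before the new snapshot is accepted as the baseline.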
An attack surface monitoring solution with a vulnerability scanner will also detect any vulnerabilities associated with these assets that could be exploited to achieve a data breach.
A vulnerability scanning tool can detect exposures such as:
- Open ports and the services listening on them.
- Unmaintained assets likely running outdated software with known CVEs.
- Security risks associated with third-party cloud services.
2. Use Risk Assessments
For a more manual and in-depth approach, risk assessments (or security questionnaires) can be used to discover all on-premises and external assets. With a custom questionnaire builder, such as the one available on the UpGuard platform, asset discovery questions can easily be added to existing due diligence assessments or designed as separate assessments.
Some examples of asset discovery questions to include in security questionnaires are:
- How do you identify internet-facing assets, such as web servers, FTP servers, or email servers?
- How do you confirm the positioning of assets on your network, including servers, routers, and other devices?
- How do you identify all public-facing systems, including web applications, databases, and other internet-connected resources?
- How do you organize and access the discovery data you gather, such as IP addresses, domain names, and other relevant information?
- What tools do you use to determine your cloud attack surface, including virtual machines, containers, and other cloud-based assets?
- How do you ensure that your internet-facing assets are correctly configured and secured, such as using firewalls, access controls, and other protective measures?
- How do you monitor your internet-facing assets for potential security threats, such as malware infections, hacking attempts, or other attacks?
- What measures are in place to respond to security incidents involving your internet-facing assets, such as isolating compromised systems, conducting forensic analysis, and notifying affected parties?
- How often do you conduct internet-facing asset discovery scans, and what types of information do you gather during these scans?
- What policies and procedures are in place to ensure that your internet-facing assets are regularly reviewed, updated, and maintained to address emerging security threats and vulnerabilities?
- How do you incorporate the results of your internet-facing asset discovery efforts into your overall asset management program, including tracking inventory, monitoring changes, and assessing risk?
3. Use An Internet-Facing Asset Search Engine
Search engines like Shodan index virtually any device connected to the internet, including endpoints and IoT devices. Attackers commonly use them during the reconnaissance phase of a cyberattack, so it pays to look up your own address ranges before they do.
These search engines build their index by "knocking" on ports across the routable IP space. When a port accepts the connection, the service listening there usually answers with a banner, a short self-identification such as an SSH version string or an HTTP Server header. The search engine stores that banner together with metadata about the host, giving a record with fields such as:
- The hostname of the connected device and the software name and version the service reports about itself.
- The IP address of the connected device.
- The geographic location associated with the IP address.
- The port number the service is listening on.
- The organization the IP space belongs to, which could be the business itself or its Internet Service Provider.
Because each record shows what is exposed and how, these search engines also help establish a prioritization system for discovered assets, for example reviewing remote-administration and cleartext services before a static website, which feeds an efficient vulnerability management program.
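The knock-and-banner mechanism described above, as an added example rather than Shodan's code or UpGuard's: a one-shot listener on 127.0.0.1 plays the role of an exposed service, the client connects, reads whatever the service says first (sending a minimal request for HTTP, which stays silent until asked), and a small parser turns the banner into the kind of record a search engine stores. The SSH, HTTP and FTP banners are constructed, and the priority table is a triage heuristic assumed for the example, not a standard.

```python
import re
import socket
import threading

# Constructed banners (not captured from real hosts) that a local listener
# will send, standing in for services a search engine would find on
# ports 22, 80 and 21 of a public IP.
SAMPLE_BANNERS = {
    "ssh":  b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    "ftp":  b"220 ProFTPD 1.3.5 Server ready.\r\n",
}

# Example triage heuristic (an assumption of this example, not a standard):
# cleartext or legacy protocols first, remote administration second.
PRIORITY_BY_SERVICE = {"ftp": "high", "telnet": "high", "ssh": "medium", "rdp": "medium"}

BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)")),
    ("http", re.compile(r"^HTTP/[\d.]+ \d{3}.*?\r\nServer: (?P<software>[^\r\n]+)", re.S | re.I)),
    ("ftp",  re.compile(r"^220[ -](?P<software>[^\r\n]+)")),
]


def start_listener(banner, wait_for_request=False):
    """One-shot TCP server on 127.0.0.1 that sends `banner` and closes.
    HTTP servers say nothing until asked, so `wait_for_request` makes the
    listener read the client's request first, as a real web server would.
    Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def grab_banner(host, port, timeout=2.0, http_probe=False):
    """Connect to host:port (the "knock") and return what the service says.
    For HTTP, send a minimal request so the server reveals its headers."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if http_probe:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # service kept the connection open; keep what we have
    return b"".join(chunks).decode("latin-1")


def parse_banner(text):
    """Extract the service type and the software the service claims to run."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.match(text)
        if m:
            return {"service": service, "software": m.group("software").strip()}
    return {"service": "unknown", "software": text.strip()[:60]}


def survey(ip, port, http_probe=False):
    """Build one inventory record: what is listening, what it says it is,
    and how urgently it should be reviewed."""
    record = {"ip": ip, "port": port, **parse_banner(grab_banner(ip, port, http_probe=http_probe))}
    record["priority"] = PRIORITY_BY_SERVICE.get(record["service"], "low")
    return record


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        host, port = start_listener(banner, wait_for_request=(name == "http"))
        print(survey(host, port, http_probe=(name == "http")))
```

Two things worth noticing: the banner is only what the service chooses to say, so a version string is a lead for vulnerability lookup rather than proof of a version; and the IP, location and organization fields in a search-engine record come from the connection and IP registry data, not from the banner itself.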
Learn how UpGuard helped Spaceship streamline its vulnerability management program.
How UpGuard Can Help
UpGuard offers an attack surface management solution that automatically detects all web-facing assets, ensuring complete cybersecurity control over your entire digital footprint.
By also including vulnerability management and remediation tools, UpGuard addresses the entire lifecycle of Vendor Risk Management, helping you achieve a healthy security posture that’s resilient to data breach attempts.