Introduction

To relate the concept of an attack surface in cybersecurity to the physical security of a house, we can use the analogy of a house with various entry points, such as doors and windows. This comparison helps to visualize how vulnerabilities in a digital environment are like the physical vulnerabilities of a home. An intruder breaking into your home is looking to steal your possessions. The same analogy applies to your cyber assets, which make up your attack surface. As the definition of cyber assets evolves, so does your attack perimeter.

Understanding Perimeters

The types of perimeters can again be mapped to types of homes. Imagine a fortress home with thick walls and a guarded gate. The idea is that once you’re inside the fortress, you’re safe, but the focus is on keeping intruders out. Traditional perimeter security focuses on protecting the network by creating a secure boundary around it. This usually involves using firewalls, intrusion detection systems, and other security measures to protect the network’s edge.

Picture a smart home with various sensors and smart devices that monitor and control activities inside and outside the home. Security is not just about the walls but also about the integrated systems that provide continuous feedback and adaptability to threats. In this model, security is more about managing access and ensuring that all devices and users are authenticated and monitored. The modern perimeter approach recognizes that the traditional boundary is no longer sufficient due to mobile devices, remote work, and cloud services. It involves a more dynamic and adaptive security model that includes identity management, endpoint security, and continuous monitoring.

Think of community living, like a neighborhood or apartment complex, where the security isn’t just about your individual home but also about the collective security of the entire community. Each home might have its own security measures, but there’s also a focus on communal surveillance and shared security resources. The idea is that security needs to adapt to a broader and more interconnected environment, where everyone contributes to and benefits from the overall security. The expanding perimeter concept acknowledges that the network boundary is fluid and extends beyond the traditional boundaries. It involves a broader security approach that includes not just the network but also the interactions and data exchanges that occur beyond it, such as in the cloud and with third-party services.

Here is a diagram illustrating the exposure.

Diagram 1

We must also recognize how these software-defined assets and identities influence one another. The interconnections between assets, identities, and their relationships are equally crucial to security as the assets themselves. The insights and business context derived from understanding these connections form the foundation for effective attack surface management. By considering both assets and identities, Oracle can help you better identify vulnerabilities and strengthen your overall security posture.

Home attacks can be viewed as the ways an intruder might attempt to break in. In cybersecurity the term used is attack vectors: the specific methods or pathways that attackers use to infiltrate the attack surface.

The attack surface represents the range of potential vulnerabilities and points of access, while attack vectors are the specific methods used to exploit those vulnerabilities. Both are integral to a comprehensive security strategy, as understanding and managing them helps to better protect systems and data from malicious threats. When we understand this concept for our home, we set up the necessary security: surveillance cameras, alarm systems and other devices that protect our assets.

The Modern-Day Approach is Zero Trust

Zero Trust dictates that no user, device or service is trusted by default; every access request is verified. To help customers protect their data from unauthorized administrative access or tampering, Oracle provides several no-charge programs:

  • Cyber Resilience Program: A non-chargeable, collaborative program which typically takes between two and four weeks from initiation to readout completion. The deliverable of the program is a detailed report outlining alignment with best practices for the resiliency of a given OCI tenancy.
  • Maturity Acceleration Program Greenfield: Security workshops and design sessions help organizations deploy a scalable new tenancy that complies with the CIS OCI Foundation Benchmark.
  • Maturity Acceleration Program Brownfield: Security workshops and design sessions help organizations deploy foundational security capabilities and secure operations for existing OCI tenancies.
  • Database Shield: A practical review focused on identifying areas of risk and recommending strategies to mitigate those risks. The focus is on the database, but the review also covers the surrounding system components associated with the database.

Attack Vector and Key Identities

Identity is another part of the attack vector. In the context of cybersecurity, identities encompass a variety of types beyond just users. Understanding these different identities is crucial for effective security management. Here are the key types of identities:

  • Human Identities: These represent individual users and include attributes such as usernames, passwords, email addresses, and personal identification details. Human identities are essential for authenticating users and managing their access to systems and resources.
  • Service Accounts: These are non-human accounts used by applications or services to interact with other applications or systems. Service accounts often require elevated privileges to perform automated tasks, such as running scripts or accessing APIs. Proper management of service accounts is critical, as they can be targeted by attackers seeking to exploit their permissions.
  • Application Identities: These identities are associated with specific applications and are used to authenticate and authorize application interactions. They often include credentials like API keys and tokens that allow applications to communicate securely with each other. Managing application identities is vital to ensure that only authorized applications have access to sensitive data and services.
  • Machine Identities: These refer to the digital identities of devices and machines within a network. Examples include servers, IoT devices, and virtual machines. Machine identities often utilize certificates (like TLS/SSL) to establish secure connections and verify their authenticity. As the number of connected devices grows, managing machine identities becomes increasingly important to prevent unauthorized access.
  • Cloud Identities: In cloud environments, identities can be tied to specific cloud services or resources. Cloud identities facilitate access control and permissions management for users and applications interacting with cloud-based resources. They often include multi-factor authentication (MFA) mechanisms to enhance security.
  • Non-Human Identities: This category includes various automated processes and tools, such as bots and robotic process automation (RPA) workloads. These identities perform tasks without human intervention and rely on credentials to access resources. Securing non-human identities is essential to prevent exploitation by attackers.
  • Third-Party Identities: These identities represent external entities, such as vendors, contractors, or partners, who require access to an organization’s resources. Managing third-party identities involves ensuring that they have appropriate access rights while minimizing security risks.

Attack Surface

Access to our homes could be with a key or biometric authentication. These provide security for the immediate family. What happens when you invite a stranger in: the plumber, the electrician, housekeeping? Do you keep a close eye on every move they make? The plumber says he needs something from his vehicle. He walks through your living room unattended, sees a small item and takes it. How long before you notice it is gone? You’re on vacation and have a maintenance person do some work on your home, so you ask the neighbor if they can let them in. The neighbor comes in, raids your fridge, drinks a beer and makes a sandwich while the maintenance man is there, or, better yet, lets the maintenance man in and tells him to lock up when he is done. What took place in your home?

Organizations understand their user identities. These are associated with Human Resources through an HR system, which is referred to as the source of truth for these identities. Giving the neighbor access to your home is what we refer to as Privileged Access, or a privileged account. This type of account has elevated permissions or access rights beyond those of a standard user. The purpose of a privileged account is to manage and maintain systems or applications. Due to their elevated access, privileged accounts are critical for system administration but pose a higher security risk if misused or compromised. An identity governance tool is used to provision these users to the various applications, assigning the roles and entitlements needed to perform the application tasks. A directory provides centralized access control of passwords and can also associate users with groups, which applications can attach to and use.

The other identity types are the attack vectors that hackers focus on. Many organizations have not assigned oversight for them, so these identities are found lingering in applications or directories, and many of them have privileged access. HR does not want these identities in its application, so the way they are set up and managed provides that open door for hackers. There have been many cases where the lack of management of these identities has led to serious breaches.

Steps to Reduce the Attack Surface

Understanding the risks and mitigating them before we have the neighbor come in unattended ensures that we are reducing the attack surface. A Risk Assessment is targeted at understanding the identities and how they are used in an organization. Oracle can provide recommendations on using the current directory to create the necessary Directory Information Tree, or on using another directory product such as Oracle Universal Directory to manage the other types of identities. This directory can then be used as the source of truth for all other identity types when provisioning to the applications.

Oracle Identity Governance and Oracle Access Governance are applications designed to help organizations manage access rights and ensure compliance across various applications and systems. By establishing ownership of each of these identities, the manager of the identities can set up Certification/Attestation campaigns to ensure that access is revoked from identities that no longer require it. This helps to maintain an up-to-date view of who has access to what resource, and ensures that rogue identities are not created and that out-of-date identities are revoked and removed.
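The following is an added example, not code from Oracle or from any of the products named above, showing what the identity risk assessment and certification review described in this section and in "Attack Surface" look like as a concrete check. It assumes a directory or governance export flattened into records with an identity name, its type (the categories listed under "Attack Vector and Key Identities"), an accountable owner, a privileged flag, a last-use date and whether a human identity appears in the HR source of truth; the 90-day staleness threshold and the sample records are constructed for the example.

```python
"""Identity attestation review over a constructed directory export.

Added example: flags the situations the text warns about (non-human
identities with no assigned oversight, privileged identities nobody owns,
human accounts missing from the HR source of truth, and identities that
have not been used for a long time) and turns them into campaign actions.
The record layout and the 90-day threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

STALE_AFTER = timedelta(days=90)  # assumed campaign threshold for "no longer required"


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                   # human, service, application, machine, cloud, non-human, third-party
    owner: Optional[str]        # accountable person; None means nobody was assigned oversight
    privileged: bool            # elevated rights beyond a standard user
    last_used: Optional[date]   # None means the identity has never authenticated
    in_hr_source: bool          # present in the HR system of record (meaningful for humans)


# Constructed sample export (not real data).
SAMPLE: List[Identity] = [
    Identity("alice", "human", "alice", False, date(2024, 6, 1), True),
    Identity("bob", "human", "bob", True, date(2024, 5, 20), False),          # not in HR: rogue account
    Identity("svc-backup", "service", None, True, date(2024, 6, 2), False),   # privileged, nobody owns it
    Identity("api-billing", "application", "carol", False, date(2024, 1, 3), False),  # unused for months
    Identity("vm-web-01", "machine", "ops", False, date(2024, 6, 3), False),
    Identity("contractor-dave", "third-party", "erin", True, None, False),    # never used, privileged
]


def review(identities: List[Identity], today: date) -> Dict[str, List[str]]:
    """Return findings keyed by identity name; each value lists reason codes."""
    findings: Dict[str, List[str]] = {}
    for ident in identities:
        reasons: List[str] = []
        if ident.kind == "human" and not ident.in_hr_source:
            reasons.append("not-in-hr-source")      # HR is the source of truth for people
        if ident.owner is None:
            # Unowned identities cannot be certified; a privileged one is the worst case.
            reasons.append("privileged-no-owner" if ident.privileged else "no-owner")
        if ident.last_used is None or today - ident.last_used > STALE_AFTER:
            reasons.append("stale")                  # access that is evidently no longer required
        if reasons:
            findings[ident.name] = reasons
    return findings


def triage(findings: Dict[str, List[str]]) -> Dict[str, str]:
    """Map findings to the action a certification campaign would route."""
    actions: Dict[str, str] = {}
    for name, reasons in findings.items():
        if "not-in-hr-source" in reasons or "stale" in reasons:
            actions[name] = "revoke"          # no business justification remains
        else:
            actions[name] = "assign-owner"    # cannot be attested until someone is accountable
    return actions


def privileged_by_kind(identities: List[Identity]) -> Dict[str, int]:
    """Risk-assessment view: how much privileged access sits in each identity type."""
    counts: Dict[str, int] = {}
    for ident in identities:
        if ident.privileged:
            counts[ident.kind] = counts.get(ident.kind, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2024, 6, 10)  # constructed review date
    found = review(SAMPLE, today)
    for name, action in triage(found).items():
        print(f"{name:16} {action:13} {', '.join(found[name])}")
    print("privileged identities by type:", privileged_by_kind(SAMPLE))
```

The output is the campaign worklist: `bob` and the two stale identities are routed for revocation, while `svc-backup` is held until an owner is assigned, since the text's point is that nobody can certify access that nobody owns. The by-type count is the starting inventory for a risk assessment; in practice the records would come from the directory or governance tool rather than an inline list.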

Conclusion

The analogy of securing a house helps to explain the concept of an attack surface in cybersecurity and how it evolves with modern security practices. Just as a house has multiple entry points that need to be secured, digital environments have various vulnerabilities and access points that must be protected. The traditional approach to cybersecurity, similar to securing a fortress-like home, focuses on maintaining a strong perimeter to keep intruders out. However, as technology advances, the traditional boundaries are no longer sufficient.

Modern security strategies, akin to the smart home or community living models, involve more dynamic and integrated approaches. These strategies address the complexities of mobile devices, remote work, and cloud services by incorporating continuous monitoring, identity management, and adaptable security measures. The Zero Trust model epitomizes this modern approach by assuming that no entity—inside or outside the network—should be trusted by default.

Unlike providers that leave gaps and require you to piece together disparate security technologies, Oracle offers a defense-in-depth strategy with a suite of best-in-class, integrated security components that seamlessly protect your data everywhere.