Trust No One: New Technology Platforms Expand the Attack Surface
Next year, AT&T, Verizon and T-Mobile all plan to shut down their 3G networks, even as 5G rollouts continue around the country and around the world. And 5G isn’t just about making movie downloads and video calls faster for end consumers – it has the potential to enable entirely new classes of applications, including self-driving cars.
“The introduction of 5G into the IoT ecosystem will dramatically increase the overall surface area for attack,” said Dan Petro, lead researcher at Bishop Fox, a security testing firm.
The complexity of the overall surface area will also increase, he added.
“When no longer resource-constrained to being simple, devices will expand in complexity indefinitely,” he told Data Center Knowledge. “This is generally a recipe for security problems.”
Meanwhile, work-from-home is rapidly turning into the new normal, cloud adoption is accelerating, and APIs are proliferating.
Cyber attackers are embracing the opportunities
The expanded attack surface provides unbounded opportunities for attackers to create havoc.
Employees working from home, for example, are more vulnerable to attacks than if they were in offices, behind corporate firewalls.
And, according to a report released earlier this month by PhishLabs, phishing volume is up nearly 32% year-over-year, with over 8% of corporate emails being reported as potentially malicious.
And attackers are getting more creative. Vishing attacks – using phone calls and voice messages – have more than doubled for the second consecutive quarter. Organizations are also reporting an increase of 82% in social media attacks since the start of the year.
Over the past 12 months, 92% of executives said that their companies experienced a cyber attack, according to a Forrester survey released earlier this fall – and 67% said that these attacks targeted remote workers.
In fact, 80% of security and business leaders said that enabling a remote workforce increased their security risks.
Meanwhile, as applications continue to become more distributed, attackers are also going after corporate APIs, usually using automation.
According to a global survey of more than 28,000 developers released last month by API platform vendor Postman, the number of API requests grew by 56% over the past year and 56% of organizations said that they plan to increase their investment in APIs over the next 12 months, while 38% said they’ll keep investment level, and only 7% said they’ll reduce it.
Since APIs are designed to connect machines with machines, and are often exposed to the Internet, they are prime targets for automated malicious attacks.
In a report released late last month by Atomik Research and cyber security firm Kasada, 80% of companies said that bots were becoming more sophisticated and difficult for their security tools to detect and 85% reported their bot mitigation solution became ineffective within a year after initial deployment.
“We’ve seen that APIs present a tempting attack surface, and there have been a number of high profile breaches and reported vulnerabilities due to insufficiently protected APIs,” said Sandy Carielli, principal analyst at Forrester Research.
According to Salt Security, API attacks increased 348% in the first six months of this year, and 94% of companies had an API-related security incident in the past 12 months.
Gartner recently predicted that API attacks will become the most-frequent attack vector by 2022.
Compromised APIs played a role in the SolarWinds attack last year, and companies including Facebook, Venmo, the US Postal Service, Equifax, Instagram, Amazon, PayPal and T-Mobile have all experienced API-related breaches.
Carielli recommended that data center cyber security managers refer to the OWASP Top 10 API to understand the possible issues and work with application owners and security teams to ensure that the right controls are in place.
“It’s not simply a matter of configuring your web application firewall,” she said.
The application attack surface is also expanding dramatically.
Containers, micro-services, cloud functions – these technologies allow applications to be broken up into larger numbers of smaller pieces. As development cycles shorten, they change faster than ever before. In addition, the container model allows for the rapid scaling of applications.
“Containers often have very short lifespans – many are deployed for no more than a few minutes,” Carielli said.
Hence, traditional security management approaches no longer work. She recommended that data center cyber security managers add container security monitoring tools to look for issues like permission changes and unexpected traffic flows.
A perfect storm
This past year and a half has been a “perfect storm” for cyber security, according to the Ernst & Young Global Information Security Survey released this summer.
More than three-quarters (77%) of companies said that they have seen an increase in the number of disruptive attacks over the last 12 months, up from 59% the year before, while 81% said that COVID-19 forced organizations to bypass cyber security processes.
As a result, just 9% of boards were extremely confident that the cyber security risks and mitigation measures presented to them could protect the organization from major cyber attacks – down from 20% last year.
As the scale, complexity, and severity of cyber attacks keep escalating – and nation states continue to offer safe havens for attackers – security managers will need to step up their game dramatically to keep up.
The top recommendation from security experts? Shift away from a perimeter-based security approach to a zero-trust strategy.
In May, US President Biden signed an executive order instructing the federal government to adopt zero trust and to require zero trust from external cloud service providers.
In a survey released by Microsoft in July, 96% of security decision-makers said that zero trust was critical to their organization’s success and 76% said that they were in the process of implementing it.
Zero trust addresses many of the issues created by the expanding attack surface. The approach can help secure devices, applications, communications, and remote users.
In an Osterman Research survey released last week, more than 90 percent of IT and security decision makers reported that their organization plans to deploy a zero trust architecture within multiple business units – or even enterprise-wide.
The respondents expect that the efficacy of their cyber security protections will double as a result.