Best Practice for External Attack Surface Management
Stephane Konarkowski
Technical Consultant @Outpost24
29th Sept 2021
Helping customers improve security posture since 2001
Full stack security assessment
Over 2,000 customers in all regions of the world
Really good at breaking technology
Agenda
• Digital Acceleration
• External Attack surface Management?
• Debunking Web Application attack surface
• Retail, Finance, Healthcare most common attack vectors
• Best Practices
Digital Acceleration
Digital & Acceleration
• 1995 – migration of data from FTP and Usenet to web pages
• 2006 – Cloud computing (data services and architecture should be on servers)
• Today – SaaS, PaaS, IaaS, Hybrid, API, etc…
Digital & Acceleration
• Worldwide digital change has accelerated the size, scope, and composition of an organization’s attack surface.
EASM (External Attack Surface Management)
EASM (External Attack Surface Management)
Gartner defines EASM as “the processes, technology and professional services deployed to discover external-facing enterprise assets and systems that may present vulnerabilities.”
Before / Now
EASM (External Attack Surface Management)
External Attack Surface Management
What's an External Attack Surface
EAS
• IP Addresses
• Domains
• Certificates
• Ports & Services
• Web Frameworks
• APIs
• WHOIS
& Attack Vectors
• Infrastructure
• Apps
• Endpoints
• IOT
• Cloud
• Supply Chain
• Weak Passwords
• Phishing
• Unpatched Vuln
• Misconfiguration
• Spam
• Social Engineering
• Domain takeover
• Poor Encryption
• Brute Force
• Session Hijacking
EASM (External Attack Surface Management)
Continuous
• Discovery
• Inventory
• Categorization
• Prioritize
• Monitoring
Simple…?
Debunking Web Application attack surface
Categorize Web Applications
• Static
• Dynamic
• E-commerce
• Portals
• CMS
• Progressive
Business Criticality
• Is this application revenue generating?
• Is this application hosting sensitive information and customer data (PII)?
Update Frequency
• No application updates
• Application updates occur once a year
• Application updates occur several times a year
• Updates occur continuously
Complexity Level
• Application with a high number of pages
• Application with dynamic content
• Application with multiple inputs (forms)
Criticality, Updates, Complexity → ARS (Application Risk Score)
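As an added example (not from the deck and not Outpost24's own scoring), the Python below combines the three ARS axes named above (business criticality, update frequency, complexity) into one score and ranks a constructed inventory so the riskiest applications are assessed first. The 1-3/1-4 scales, the thresholds (100 pages, 5 forms) and the multiplicative weighting are assumptions chosen for illustration.

```python
"""Added example (not from the Outpost24 deck): an Application Risk Score (ARS)
that combines the three axes the slides name (business criticality, update
frequency, complexity) to rank an inventory of web applications.
The scales, weights and thresholds below are assumptions chosen for illustration."""
from dataclasses import dataclass

# Update-frequency levels from the slide mapped to an assumed 1-4 risk rating:
# an application that is never updated accumulates stale components, so "never" scores highest.
UPDATE_RISK = {"never": 4, "yearly": 3, "several_per_year": 2, "continuous": 1}

@dataclass
class WebApp:
    name: str
    revenue_generating: bool  # business criticality: revenue generating?
    holds_pii: bool           # business criticality: hosts sensitive/customer data?
    update_frequency: str     # one of the UPDATE_RISK keys
    pages: int                # complexity: number of pages
    dynamic_content: bool     # complexity: dynamic content
    input_forms: int          # complexity: number of input forms

def criticality(app: WebApp) -> int:
    """Assumed 1-3 scale: one point each for the two criticality questions."""
    return 1 + int(app.revenue_generating) + int(app.holds_pii)

def complexity(app: WebApp) -> int:
    """Assumed 1-4 scale: one point each for many pages, dynamic content, many forms."""
    return 1 + int(app.pages > 100) + int(app.dynamic_content) + int(app.input_forms > 5)

def ars(app: WebApp) -> int:
    """Multiplicative score (1..48): a critical, rarely updated, complex app ranks first."""
    return criticality(app) * UPDATE_RISK[app.update_frequency] * complexity(app)

def prioritize(apps):
    """Assessment order: highest ARS first."""
    return sorted(apps, key=ars, reverse=True)

# Constructed sample inventory (illustrative values, not real applications).
INVENTORY = [
    WebApp("brochure-site", False, False, "yearly", 12, False, 1),
    WebApp("shop", True, True, "several_per_year", 400, True, 9),
    WebApp("legacy-portal", False, True, "never", 150, True, 7),
    WebApp("blog", False, False, "continuous", 60, True, 0),
]

if __name__ == "__main__":
    for app in prioritize(INVENTORY):
        print(f"{app.name:14} crit={criticality(app)} upd={UPDATE_RISK[app.update_frequency]} "
              f"cplx={complexity(app)} ARS={ars(app)}")
```

Note that the rarely updated PII portal outranks the revenue-generating shop, which is the point of weighting update frequency rather than scoring on criticality alone.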
Debunking Web Application attack Surface
Debunking Web Application attack Surface
Simple…?
Retail, Finance, Healthcare most common attack vectors
Outpost24 webinar: best practice for external attack surface management
Insurance
• Of these applications identified are found to be using old components containing known vulnerabilities that could be exploited
• 143: Average # of old components used, which can carry vulnerabilities if software is unpatched and can lead to increased risk of data breach
Retail
• 8 %: Of these applications are suspicious applications (test, dev, etc.)
• 90 %: Of Top 10 EU retailers are running out of date jQuery
US Credit Unions
• 17.4: Average # of open port 80, which can be vulnerable to exploit if unpatched, misconfigured, or exposed by poor network security rules
• 10 %: Of these applications identified are found to be using old components containing known vulnerabilities that could be exploited
Healthcare
• 15 %: Of applications need hygiene
• +150 and counting: have login forms not encrypted
• Report will be ready soon
What we have discovered
• Unpatched servers
• Remote access
• Misconfigurations
• Insufficient credential, access and key management
• Open ports
• Overly permissive access rights
• Lack of multi-factor authentication
• Insecure storage containers
• Insecure APIs
• Inadequate change control
Best Practices
External Attack Surface Hygiene
Discover
• Third Parties
• Unknowns
• Left Overs
• Connect to
• Entry Points
Categorize
Monitor
• Digital Foot Print
• What’s open
• Changes
• Configurations
Controls
• Right Level of Assessment
• Fix / Patch
• Accept
• Red Team
• Threat hunting
Web Application - Scenario
• Web attack surface management best practice
• Application discovery and inventory
• Attack surface assessment and classification
• Actionable risk scoring
• Continuous application security monitoring
Stephane Konarkowski
Technical Consultant
sk@outpost24.com
Questions?
GET A FREE Attack Surface Assessment