September 11, 2024 · 8 min read

What to Know About External Attack Surface Management


External attack surface management is a proactive security measure that identifies the potential vulnerabilities a threat actor could exploit. It’s an organized approach that helps your security team identify every known and unknown attack vector and take steps to remediate it, giving IT the visibility and control to protect your business from the threats you can and can’t see.

 

What Is External Attack Surface Management?

External attack surface management (EASM) is one part of your cybersecurity strategy. It’s the identification, management, and securing of external entry points (your attack surface) that bad actors could use to hack into your systems. 

Think of it like this. When you leave your house, you probably lock the doors and windows and maybe turn the alarm on. But what happens if you forget to check all the windows and one is unlocked or open? Or it turns out the side door isn’t monitored by the alarm company? Those are the external attack surfaces a burglar could use to break into your house.

While a brick-and-mortar business locks its doors and windows, it also needs to secure its digital entry points. Anything that’s publicly accessible from the internet, like the website or third-party software that’s hosted in the cloud, represents an attack surface. Any surface that’s vulnerable — say, it’s lacking the latest security patch or is improperly configured — can be exploited by bad actors.

How Internal and External Attack Surfaces Are Related

Businesses also have internal attack surfaces. Internal attack surfaces are generally inaccessible to the public, like your internal databases, onsite printers, and even company desktops. Because these attack vectors are internal, they are generally less likely to be attacked by a bad actor, but having vulnerable external attack surfaces makes it more likely your internal attack surfaces can be compromised.

For example, a threat actor scans your company’s website and discovers that one of the third-party applications you use (an external attack surface) doesn’t have the most recent security patch that remediates a known vulnerability. The threat actor exploits this vulnerability and gains access to your internal network. Now, they can access stored credentials and use those to access other internal systems, like your customer database. Even if that information is encrypted, the fact that your customer information was breached due to an external attack surface can damage your reputation and result in lost customers, not to mention you may have to pay regulatory penalties.

 

Common Attack Surfaces and Vectors

An organization’s external attack surface will vary based on the specifics of its system, like what operating system it uses, how often it updates applications, and the number of third-party application integrations. But anything that’s exposed outside of the company’s internal system represents a possible attack surface that should be secured.

Below are some of the more common external attack surfaces a business may have and what could make it vulnerable to attack.

Third-Party Applications

Companies of all sizes use third-party applications to help them run their business. Booking tools, customer service managers, and internal messaging apps are all third-party apps that may be installed and used directly on an endpoint or kept in the cloud.

In either case, vendors release updates and patches to keep the application secure from attacks and running smoothly. But it’s often up to the business to check for and install these updates, and failing to do so can make that application vulnerable to attack. That said, even when the application is kept up to date through an automated patch manager, something as simple as a weak password can broaden an organization’s external attack surface.

Remote Access Tools

It’s rare for a company to have all of their employees in the same location at the same time. Some companies are fully remote or offer hybrid work. Large companies that are 100% in-person may have employees at satellite offices, while smaller companies may outsource their IT matters to an offsite freelancer.

The one thing these companies have in common is that they’re likely using a remote access tool to make endpoint management easier. These tools allow someone from IT to access a user’s computer without needing physical access to that endpoint. Remote access tools make it easier to manage a device, but because they require an internet connection to work, they also create an external attack surface.

Misconfigured Cloud Storage

Given the sheer amount of data companies collect and maintain, many opt to store it in the cloud. While that frees up space on company computers and servers, it also creates another external attack surface. For example, if the storage is accidentally misconfigured and left public, anyone who finds it can access and download the information. 

Development and Test Environments

Developers create and use staging or test environments to make sure the changes and updates they’re making work properly before applying those changes to the “live” environment, like the company’s website or product. It’s a common and critical step that ensures the company doesn’t deploy a buggy update.

Properly testing these updates means staging environments are on the internet. While these sites are hidden from public view, they are still an external attack surface. Someone looking hard enough can find your staging site, or it can be accidentally exposed if someone shares the wrong link.

Publicly Accessible APIs

Application programming interfaces (APIs) are used across web and mobile apps to share data and functionality across products. A booking app that lets someone schedule an oil change or an online ordering system at a restaurant are examples of how businesses integrate APIs into their workflow.

However, APIs are another external attack surface. When a request is sent to the API (someone wants to see available appointment dates), the API retrieves and returns the information (displaying open dates and times). These exchanges happen across the internet, and APIs that aren’t secure are vulnerable to attack.

How Are External Attack Surfaces Created?

External attack surface management can help a company keep track of and secure all of its external attack surfaces. Without a robust program, lack of documentation, moving quickly, and mistakes can all increase your organization’s external attack surface. Some of the more common ways external attack surfaces are created include:

  • Shadow IT. Sometimes, employees or departments deploy tools without informing IT they exist. For example, a team tests a new client relationship manager that doesn’t work out but never disconnects it from the system.
  • Mergers and acquisitions. When companies merge, the acquired company likely has its own infrastructure, tools, and integrations, which may not be well-documented, leading to knowledge gaps and blind spots.
  • Rapid development cycles. Companies that move quickly may create testing environments that are overlooked or forgotten when the team moves to the next project.
  • Misconfigured access. The team may think access is properly configured or secured when it isn’t.
  • Lack of centralized asset management. Not tracking every asset can increase an organization's attack surface. Subdomains and IP addresses are often overlooked in asset tracking but can be leveraged as an attack surface.
  • Vendor-hosted assets. Your vendors may host the application on their server so you don’t have to, but these are still external-facing assets that present a risk to your external and internal attack surfaces if the vendor uses weak security measures.

 

Why External Attack Surface Management Is Critical

Companies with fewer digital assets or that don’t have a very active website may seem to be at less of a risk for hacking. However, attack surfaces aren’t static. As a business grows, changes, or integrates new tools, the organization’s external attack surface changes, too. Without an external attack surface management plan, the company’s attack surface may be larger than it realizes.

For example, a company that used a third-party appointment scheduling integration may have abandoned it for something built in-house. While all employees were required to switch to the new system, not everyone followed the procedure, and some staff forgot to deactivate the third-party integration. Over time, the integration remained on some endpoints, but the app wasn’t updated, creating an external attack surface that can be exploited by bad actors.

What’s more, hackers and other bad actors are constantly scanning the internet for potential vulnerabilities. Implementing an external attack surface management program means your security team continuously monitors your company’s security posture, identifying every external attack surface and giving IT time to secure them before they’re exploited.

An external attack surface management program does more than identify attack vectors. It also helps the team assess and prioritize the severity of the attack surface so they can work more efficiently and effectively.

For example, let’s say the team identifies a staging website on a subdomain that wasn’t shut down after the developers finished the project. Assessing the severity of this attack surface, the team finds:

  • It’s public. Anyone with the URL can access it without login credentials.
  • It’s not up to date. Because people forgot about this site, it hasn’t been updated in a long time.
  • It has sensitive data. The site used real data that wasn’t anonymized.
  • There’s a known exploit. The current version of the software on this site has a known exploit that current threat intelligence reports say hackers are targeting.

Because this site is public, contains sensitive information, and has a known vulnerability that’s being actively exploited, IT would likely categorize this attack vector as critical and take immediate steps to secure it (take the site down, remove the data). If any of the findings were different (for example, the site didn’t have sensitive data, or the current software, while old, didn’t have any known exploits that are being actively targeted), the team might deprioritize taking the site down in favor of securing other external-facing assets.
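The triage reasoning above, sketched as an added example that is not part of the original article: it rates constructed assets on the four findings and flags hosts that are missing from the asset inventory. The hostnames, the 90-day staleness threshold, and every severity tier below critical are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: hostnames and attributes are invented for illustration.
INVENTORY = {"www.example.com", "api.example.com"}  # assets IT already tracks

@dataclass
class Asset:
    host: str
    public: bool             # reachable without login credentials
    days_since_update: int   # how long since the software was last updated
    sensitive_data: bool     # real, non-anonymized data is present
    exploited_in_wild: bool  # known exploit that threat intel says is targeted

DISCOVERED = [  # what an external discovery pass found (constructed)
    Asset("www.example.com", True, 3, False, False),
    Asset("api.example.com", True, 20, True, False),
    Asset("staging.example.com", True, 540, True, True),
    Asset("old-booking.example.com", True, 400, False, False),
]

STALE_AFTER_DAYS = 90  # assumed patch window, not a figure from the article

def severity(a: Asset) -> str:
    """Rate one asset on the article's four findings (tiers are assumptions)."""
    if not a.public:
        return "low"  # not externally reachable in this example
    if a.sensitive_data and a.exploited_in_wild:
        return "critical"  # the forgotten-staging-site case from the article
    if a.sensitive_data or a.exploited_in_wild:
        return "high"
    return "medium" if a.days_since_update > STALE_AFTER_DAYS else "low"

def triage(discovered, inventory):
    """Return (host, severity, tracked) rows, worst first; untracked wins ties."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = [(a.host, severity(a), a.host in inventory) for a in discovered]
    return sorted(rows, key=lambda r: (order[r[1]], r[2], r[0]))

if __name__ == "__main__":
    for host, sev, tracked in triage(DISCOVERED, INVENTORY):
        print(f"{sev:8} {host:26} {'tracked' if tracked else 'UNTRACKED'}")
```

Changing a single finding on the staging host, such as setting `sensitive_data` to `False`, drops it from critical to high, which is the deprioritization the article describes.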

 

Using Automated Patch Management in External Attack Surface Management

Automated patch management tools, like Adaptiva’s OneSitePatch, fix known and potential vulnerabilities by deploying and applying critical updates and security patches to endpoints. However, an external attack surface management program is only effective when you know where every vulnerability is. Integrating an automated patch management tool into your overall external attack surface management program helps you close the loop from identification to remediation, reducing the risk your external-facing digital assets become external attack surfaces.

Schedule a demo today and learn how Adaptiva can help your team secure endpoints and protect your network.
