The Attack Surface is Just a Convenient Metaphor: It Doesn’t Exist
The idea of a cyber attack surface has been rigorously sold to organizations by cybersecurity companies and experts. Dark Reading is about to have a full webinar about it. The webinar has attracted speakers from cybersecurity giants such as Palo Alto.
The most common definition of an attack surface is a collection of ways through which someone could gain unauthorized access to a resource. The resource could be a server, file, directory, or any other resource that needs to be protected.
Does an attack surface really exist though?
Cybersecurity has been, for the longest time, about establishing the character and intention of an attacker while they are trying to gain access to their target resource. It has been proven and time and time again that the attackers are always a step ahead. That’s why cybersecurity incident never stop happening.
An organization could map out what they think are their security vulnerabilities todays, and put in all the necessary measures needed to prevent attacks through those vulnerabilities. Attackers always re-invent themselves and find new ways to attack and gain access to protected resources.
When the attackers come up with new attack methods, organizations cannot protect themselves against the new methods because they don’t know they exist.
From that perspective, it is fair to say that notion of an attack surface is an illusion. It is a convenient metaphor that organizations use to envision their security vulnerabilities, but it really exists.
So, how can organizations protect their resources?
Maybe focus should move from what trying to establish the character and intention of those trying to gain access, to finding out who is really trying to gain access.
Knowing with measurable certainty who is trying to gain access to protected resources can help ensure only authorized people get the access. It would eliminate the need to map out non-existent attack surfaces.
The solution is measurably reliable digital identities.
What are Measurably Reliable Digital Identities?
We’ve mentioned that the biggest challenge to cybersecurity is it’s difficult to identify new vulnerabilities until after an attack has happened. That’s is a result of inauthenticity on the internet. Inauthenticity, as in there is no way to reliably identify internet users.
That problem can be solved by bringing AUTHENTICITY to the internet.
Authenticity is achieved through digital signatures that are made possible by measurably reliable identity certificates.
Watch this video for a better perspective.
As the video alludes, the problem is there is no accountability on the internet. Bad actors know they can hide and escape accountability for their actions. Authenticity offers accountable anonymity. That means users have privacy, but their trail on the internet can be followed through measurably reliable digital identities. That means they can be identified and held accountable for their actions is need be.
Digital signatures of accountable real human beings should become the threshold for any interaction or communication online.
Imagine this;
If you receive and email, and the digital signature on it cannot be confirmed, or has low quality score, then the contents of the email cannot be trusted.
That means phishing, spear phishing, malicious attachments, and malicious links would dry up when all it takes is an invalid signature to call them out. These methods of attack are what most organizations consider their attack surface. All it would take for the organizations to avoid them is to verify digital signatures of real human beings.
If someone is trying to get into a privileged account, they should be required to have a high identity score. Through measurably reliable digital identities, an organization would be able to gauge the trustworthiness of those it interacts with online.