Reduce the attack surface
So far in this post we’ve discussed that you must control access, provide awareness education and training, and put processes into place to secure data. However, there’s a further and final need within the NIST framework: deploying protective technology to ensure you’re maintaining cyber resilience. Remember, circumventing your protective solutions is bread and butter to cyber attackers, who are increasingly sophisticated, often operate from countries that lack the resources to tackle cybercrime, and increasingly sell their know-how to less-skilled criminals. As others in your industry, including competitors, become more cyber resilient, you don’t want to be the weak one that’s preyed upon. Just as in nature, cyber attackers usually focus on the slowest and most vulnerable in the herd.
It’s crucial that you deploy the correct technical security controls, focused on removing single points of failure and reducing the ‘attack surface’ (the total sum of vulnerabilities that can be exploited to carry out a security attack). Put another way, the attack surface is the sum of the different points (the “attack vectors”) where an unauthorised user (the “attacker”) can try to enter data into, or extract data from, your IT environment. Keeping the attack surface as small as possible is a basic security measure. To successfully reduce your attack surface, your IT department should adopt the principle of least functionality or another approach they deem appropriate. In very practical terms this means configuring your IT systems to provide only essential capabilities and restricting external connections and interfaces to, from, and between specific machines. In certain cases, it can also require disabling wireless access and continuously monitoring endpoints to detect, and respond to, indicators of attack.
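As an added illustration of the least-functionality check described above (example code written for this post, not part of the original), the script below audits a host’s listening TCP services against an allowlist of its essential capabilities and reports every service reachable from other machines that is not on that list. It assumes the output format of `ss -Hltnp` on Linux; the sample output and the allowlist are constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -Hltnp` output (header suppressed, TCP listeners,
# numeric ports, owning process). Not captured from a real system.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1200,fd=5))
LISTEN 0 4096 *:3306 *:* users:(("mysqld",pid=1500,fd=20))
LISTEN 0 128 [::]:80 [::]:* users:(("nginx",pid=2000,fd=6))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=2100,fd=3))
"""

# Hypothetical allowlist of the host's essential capabilities: (process, port).
# Anything else listening on a non-loopback address widens the attack surface.
ESSENTIAL_SERVICES = {("sshd", 22), ("nginx", 80)}

PROC_RE = re.compile(r'\(\("([^"]+)"')  # extracts the process name from users:(("name",...))


@dataclass(frozen=True)
class Listener:
    process: str
    address: str
    port: int

    def is_loopback(self) -> bool:
        # Loopback-only services are not reachable from other machines.
        return self.address.startswith("127.") or self.address == "[::1]"


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -Hltnp` lines into Listener records (assumed column layout)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        address, _, port = fields[3].rpartition(":")  # handles [::]:80 and *:3306
        match = PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(process, address, int(port)))
    return listeners


def audit_attack_surface(ss_output: str, allowlist: set) -> list[Listener]:
    """Return externally reachable listeners that are not essential services."""
    return [l for l in parse_listeners(ss_output)
            if not l.is_loopback() and (l.process, l.port) not in allowlist]


if __name__ == "__main__":
    for finding in audit_attack_surface(SAMPLE_SS_OUTPUT, ESSENTIAL_SERVICES):
        print(f"non-essential exposure: {finding.process} on {finding.address}:{finding.port}")
```

On the constructed sample this flags mysqld on port 3306 and vsftpd on port 21, while the loopback-only postgres listener is left alone.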
Adopting the above recommendations within the protect function greatly strengthens your company’s ability to limit and contain the impact of a cybersecurity event. Critically, it will also allow you to identify the occurrence of a cybersecurity event more rapidly, by monitoring to detect anomalies and investigating to determine whether a response is needed.