Attack Surface Expanded by Extended Enterprise
Securing the Extended Enterprise
As corporations expand their reliance on the Internet and technology to conduct business, most work diligently to reduce their exposure to attack. Their efforts are focused primarily on protecting their enterprise assets, but could they be missing a very important aspect of their attack surface…. the extended enterprise?
The attack surface is defined as the exposure area that remains reachable and vulnerable to attack. This includes any accessible area where weakness provides an opportunity to exploit. As an analogy, when a martial artist squares off against an opponent, he positions himself in a way that best reduces his attack surface. He must consider his entire body as part of the attack surface. He shifts his stance, maintains balance, positions his arms and hands up in order to protect his vital points. While everyone has their fair share of vulnerabilities, those that are successful in protecting themselves, do a better job minimizing their exposure. As fighters move through the ring, they continually need to make adjustments to protect themselves. Defense requires diligence, persistence, and both a broad and deep view of potential exposure and compromise since even the most obscure weakness may cause harm.
When relating this concept to network security, engineers and managers must consider the entire extended enterprise network part of the attack surface. As depicted in the accompanying figure, this includes hardware, software, and people. The network security manager must know where they are susceptible to attack in order to protect themselves. This requires a good bit of visibility and understanding of both the enterprise and extended enterprise. While most corporations have emphasized enterprise security management over the last decade, they have often overlooked vulnerabilities incurred by partner’s, provider’s, supplier’s, vendor’s and customer’s networks, all of which must be considered when defining and protecting the extended enterprise. Your extended enterprise IS part of your attack surface.
The challenge with defense is you have to cover all possible weaknesses, while the attacker really only needs to find and exploit one.