Security Laboratory

Security Laboratory: Defense In Depth Series

The Attack Surface Problem

By Stephen Northcutt
One of the most important things to understand about defense in depth is attack surface. We can define attack surface as our exposure: the set of points an attacker can reach, and therefore the places where a vulnerability could be exploited. The best word picture I know of is the Spartan phalanx as depicted in Warner Brothers' film of the Battle of Thermopylae, based on Frank Miller's '300'.[1] As you can see in the picture below, from the front at least, attacking warriors arranged in the phalanx formation was a tough problem: the shields and spears make it hard to reach the vulnerable humans.

Figure 1.1
[Figure 1.1]

Examples of attack surface in the real world include:

  • Open ports on outward-facing web and other servers, and the code listening on those ports
  • Services available on the inside of the firewall
  • Code that processes incoming data: email, XML, office documents, industry-specific custom data exchange formats (EDI)
  • Interfaces such as SQL and web forms
  • An employee with access to sensitive information who can be socially engineered
When considering attack surface to develop a defense-in-depth architecture, there are three basic, interrelated categories that emerge from our examples:
  • Network Attack Surface: the attack will often be delivered via a network
  • Software Attack Surface: with a primary focus on web applications
  • Human Attack Surface: social engineering, errors, trusted insiders, death and disease
Network Attack Surface
Consider this fragment of a post by Paul Howell: "As a client operating system, Windows Vista will be widely deployed and as such is an important topic for security research. We studied the following protocols and technologies: LLTD, IPv4, IPv6, Teredo, TCP, SMB2 named pipes, MS-RPC, and the Windows Firewall. We also studied ARP, NDP, IGMP, MLD, ICMPv6, and UDP." Symantec engaged in a comprehensive investigation of these protocols and released a report discussing its findings.[2,3] One example in the report is Teredo, a protocol that tunnels IPv6 packets inside IPv4 UDP datagrams to help with the transition from IPv4 to IPv6. Teredo tunnels may allow attackers to bypass IPv4 devices that are not Teredo aware, including firewalls and intrusion prevention devices. This could be particularly important for the US Government, which is trying to accelerate its IPv6 deployment.

As a management tip, go visit your networking folks and ask them whether they have any tunnels running on your network; expect the initial answer to be no. Then ask whether there is any secure shell (SSH, TCP port 22) traffic running. The answer will probably be yes if you have any Unix/Linux devices. Point out that SSH forwards arbitrary TCP connections through its encrypted channel, so as far as the network is concerned it is a tunnel. So are Point to Point Protocol (PPP) and VPNs of every ilk. "The basic idea behind network tunneling is that you can take non-routable data packets and encapsulate them inside routable packets for transmission over the Internet. Then, at the destination the encapsulation will be stripped off and the original data will enter the private network as if it had come from a local source."[4] The security problem, however, is that it is very hard to know what is running inside a tunnel; tunnels make it possible for attackers to work covertly and are a particular issue for Data Loss Prevention.

Other examples of Network Attack Surface come from our real-world list above: open ports on outward-facing web and other servers, the code listening on those ports, and services available on the inside of the firewall. Taking the time to get your network engineers to understand and begin thinking about the Network Attack Surface is a valuable investment.
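To make the tunnel problem concrete, here is an added example (not code from the original article or from the Symantec report) that parses a captured IPv4 datagram, recognises Teredo encapsulation on UDP port 3544, skips Teredo's optional indicator headers, and reports the inner IPv6 addresses, next header and ports that an IPv4-only firewall would never see. It also decodes the Teredo address itself, which embeds the client's native IPv4 address and port (XOR-obfuscated, per RFC 4380). The sample packet is constructed inline from documentation-range addresses; the handler names and the dictionary layout are my own choices.

```python
import ipaddress
import socket
import struct

# Added example: Teredo-aware inspection of IPv4/UDP datagrams (RFC 4380 layout).
# Not from the article or the Symantec report; sample traffic below is constructed.

TEREDO_UDP_PORT = 3544
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def decode_teredo_address(addr):
    """Recover the native IPv4 endpoint hidden in a Teredo address (RFC 4380 section 4).

    Layout: 2001:0000 | server IPv4 | flags | port XOR 0xFFFF | client IPv4 XOR 0xFFFFFFFF
    """
    addr = ipaddress.IPv6Address(addr)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    b = addr.packed
    flags = struct.unpack("!H", b[8:10])[0]
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone": bool(flags & 0x8000),
        "client_ip": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
        "client_port": struct.unpack("!H", b[10:12])[0] ^ 0xFFFF,
    }


def strip_teredo_indicators(payload):
    """Skip the optional authentication (0x0001) and origin (0x0000) indicators that
    may precede the IPv6 packet inside the UDP payload (RFC 4380 section 5.2)."""
    while len(payload) >= 2:
        tag = struct.unpack("!H", payload[:2])[0]
        if tag == 0x0001:                      # auth: tag, id_len, au_len, id, au, nonce(8), confirm(1)
            id_len, au_len = payload[2], payload[3]
            payload = payload[4 + id_len + au_len + 9:]
        elif tag == 0x0000:                    # origin indication: tag, port, IPv4 (8 bytes total)
            payload = payload[8:]
        else:                                  # an IPv6 header starts with 0x6..., so we are done
            break
    return payload


def inspect_ipv4_datagram(frame):
    """Summarise one IPv4 packet; Teredo-encapsulated IPv6 is unwrapped and described."""
    ihl = (frame[0] & 0x0F) * 4
    summary = {
        "outer_src": socket.inet_ntoa(frame[12:16]),
        "outer_dst": socket.inet_ntoa(frame[16:20]),
        "outer_proto": frame[9],
        "teredo": False,
    }
    if frame[9] != 17 or len(frame) < ihl + 8:        # only UDP can carry Teredo
        return summary
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if TEREDO_UDP_PORT not in (sport, dport):
        return summary
    inner = strip_teredo_indicators(frame[ihl + 8:ihl + ulen])
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return summary                                 # UDP/3544 but no IPv6 packet inside
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", inner[4:8])
    src6 = ipaddress.IPv6Address(inner[8:24])
    summary.update({
        "teredo": True,
        "inner_src": str(src6),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "teredo_src": decode_teredo_address(src6) if src6 in TEREDO_PREFIX else None,
    })
    l4 = inner[40:40 + payload_len]
    if next_hdr in (6, 17) and len(l4) >= 4:          # TCP or UDP: expose the inner ports
        summary["inner_sport"], summary["inner_dport"] = struct.unpack("!HH", l4[:4])
    return summary


def build_sample_datagram(udp_dport=TEREDO_UDP_PORT, inner_dport=445):
    """Constructed sample: client 203.0.113.10:40000 -> Teredo server 198.51.100.1,
    carrying an IPv6 TCP SYN to 2001:db8::1 on inner_dport (445 = SMB by default)."""
    client_ip, client_port, server_ip = "203.0.113.10", 40000, "198.51.100.1"
    src6 = (bytes.fromhex("20010000") + socket.inet_aton(server_ip)
            + struct.pack("!HH", 0x8000, client_port ^ 0xFFFF)
            + bytes(x ^ 0xFF for x in socket.inet_aton(client_ip)))
    dst6 = ipaddress.IPv6Address("2001:db8::1").packed
    tcp = struct.pack("!HHIIBBHHH", 51515, inner_dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip6 = struct.pack("!IHBB", 0x60000000, len(tcp), 6, 64) + src6 + dst6
    udp = struct.pack("!HHHH", client_port, udp_dport, 8 + len(ip6) + len(tcp), 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(ip6) + len(tcp),
                      0, 0, 64, 17, 0, socket.inet_aton(client_ip), socket.inet_aton(server_ip))
    return ip4 + udp + ip6 + tcp


if __name__ == "__main__":
    print(inspect_ipv4_datagram(build_sample_datagram()))
    print(decode_teredo_address("2001:0:4136:e378:8000:63bf:3fff:fdd2"))  # RFC 4380 example
```

Run against the constructed packet, the inspector reports an IPv6 TCP SYN to port 445 hidden inside what a non-Teredo-aware firewall logs as "UDP to port 3544", and the decoded source address gives back 203.0.113.10:40000. The RFC 4380 example address decodes to server 65.54.227.120, client 192.0.2.45, port 40000. Real deployments would feed this from a capture library rather than a hand-built frame; the point is that the decision about the tunnelled traffic can only be made after unwrapping it.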

Software Attack Surface
The software development community has its own definitions; here is Wikipedia's take: "The attack surface of a software environment is the scope of functionality that is available to unauthenticated users. In other words, how much a piece of software can do for unauthorized users in its default configuration."[4]

The community is quickly starting to understand that this is an issue, but the understanding is a bit behind the threat level. Consider the following:
  • We are spending more money to develop an increasing number of web applications that are often mission critical.
  • At the same time, attackers are getting better at exploiting web applications.
  • Companies like Ameritrade and TJX have suffered massive data breaches, leading to class action lawsuits and potentially another wave of government regulation.
So we can see that software attack surface, especially web application software, is a significant problem. There are some things we can do: run an assessment tool such as CORE Impact or WebInspect and prioritize sites, determining which are of consequence and at risk. At the software level itself, I picked this up from an MSDN article:
  • Reduce the amount of code executing, turn off features
  • Reduce the volume of code that is accessible to users, a form of least privilege
  • Limit the damage if the code is exploited[5]
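The three reductions can be made measurable rather than aspirational. The following is an added example (not code from the article or from the MSDN piece it cites): a toy request dispatcher whose "default" profile registers every feature with no authentication, and whose "hardened" profile never registers the debug console at all (the code is not reachable because it is not wired up), puts the export handler behind a token check, and rejects oversized bodies before any handler's parsing code executes. The route paths, handler names and token are assumptions chosen for illustration; the unauthenticated_surface() function reports the attack surface in exactly the sense of the Wikipedia definition above.

```python
import hmac
from dataclasses import dataclass
from typing import Callable

# Added example: a toy dispatcher that makes "turn off features", "restrict who can
# reach code" and "limit the damage" concrete. Routes and handlers are invented.

MAX_BODY_BYTES = 64 * 1024      # limit the damage: no handler ever sees a larger body


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    handler: Callable[[dict], tuple]
    requires_auth: bool = False  # the insecure default: reachable anonymously


def handle_status(req):
    return 200, {"status": "ok"}


def handle_search(req):           # parses attacker-controlled input
    return 200, {"results": req.get("body", b"").decode("utf-8", "replace").split()}


def handle_export(req):           # admin-only bulk export of sensitive data
    return 200, {"export": "customer-records"}


def handle_debug_console(req):    # development feature that should never ship
    return 200, {"console": "enabled"}


def build_app(profile):
    """'default' ships every feature with no authentication. 'hardened' applies the
    three reductions: unneeded features are never registered, the remaining privileged
    handler requires authentication, and dispatch() caps input before any code runs."""
    if profile == "default":
        return [
            Route("GET", "/status", handle_status),
            Route("POST", "/search", handle_search),
            Route("POST", "/admin/export", handle_export),
            Route("POST", "/debug/console", handle_debug_console),
        ]
    if profile == "hardened":
        return [
            Route("GET", "/status", handle_status),
            Route("POST", "/search", handle_search),
            Route("POST", "/admin/export", handle_export, requires_auth=True),
        ]
    raise ValueError(f"unknown profile {profile!r}")


def unauthenticated_surface(app):
    """Software attack surface in the article's sense: what an anonymous caller can reach."""
    return sorted(f"{r.method} {r.path}" for r in app if not r.requires_auth)


def dispatch(app, request, valid_tokens=()):
    """request: {'method', 'path', optional 'body' (bytes), optional 'token' (str)}
    -> (status, payload). Checks run in order of how little code each one exercises."""
    route = next((r for r in app if r.method == request["method"]
                  and r.path == request["path"]), None)
    if route is None:
        return 404, {"error": "not found"}        # feature turned off: no handler code runs
    if route.requires_auth:
        token = request.get("token") or ""
        if not any(hmac.compare_digest(token, t) for t in valid_tokens):
            return 401, {"error": "authentication required"}
    if len(request.get("body", b"")) > MAX_BODY_BYTES:
        return 413, {"error": "body too large"}   # reject before parsing code executes
    try:
        return route.handler(request)
    except Exception:                             # one broken handler must not sink the service
        return 500, {"error": "internal error"}


if __name__ == "__main__":
    for profile in ("default", "hardened"):
        print(profile, unauthenticated_surface(build_app(profile)))
```

The default profile exposes four anonymous endpoints, including the debug console; the hardened profile exposes two, and a request for the console gets a 404 because there is no code behind the path at all, which is a stronger position than a handler that checks a flag. The constant-time token comparison and the body cap are the "limit the damage" half: the export handler cannot be reached by guessing, and the search parser never receives more than 64 KiB.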
Human Attack Surface
It doesn't make a lot of sense to repeat how important security awareness training is; we all know that, it is just hard to create a good program. Other things to consider are errors: how much damage could a user do to us with an inadvertent error? Here is a great story that combines both awareness and a mistake:

Vice President Stephen Kilgroff at the Minnesota-based Supervalu grocery chain nearly lost millions to a pair of phishing attacks. Between Feb 27 and March 3, 2007, emails purporting to be from employees at two separate Supervalu suppliers requested that Supervalu send payments to new bank accounts. Over the course of the following week, Supervalu made transfers of more than US $10.3 million into the two accounts; several days later, the company realized it had been duped and contacted the FBI.[6]

Other examples include a trusted insider who uses their credentials to steal or destroy information, or the loss of the availability of employees due to retirement, taking other jobs, death and disease.

The bottom line: being able to clearly identify an organization's attack surface is critically important to developing a threat-vector-based defense-in-depth architecture.[7]