WEBVTT

1
00:00:00.120 --> 00:00:01.890
In this section of the course,

2
00:00:01.890 --> 00:00:05.310
we're going to discuss attack surface determination.

3
00:00:05.310 --> 00:00:07.260
The attack surface determination section

4
00:00:07.260 --> 00:00:09.960
of the course focuses on domain one,

5
00:00:09.960 --> 00:00:14.550
governance, risk and compliance, specifically objective 1.4.

6
00:00:14.550 --> 00:00:17.670
Objective 1.4 states that given a scenario,

7
00:00:17.670 --> 00:00:21.120
you must be able to perform threat modeling activities.

8
00:00:21.120 --> 00:00:24.120
Thoroughly assessing an organization's attack surface

9
00:00:24.120 --> 00:00:27.150
enables the identification of specific vulnerabilities

10
00:00:27.150 --> 00:00:28.980
to protect key assets.

11
00:00:28.980 --> 00:00:31.710
The attack service includes various dimensions

12
00:00:31.710 --> 00:00:34.950
such as the organization's technical infrastructure,

13
00:00:34.950 --> 00:00:38.430
operational processes and cloud-based services.

14
00:00:38.430 --> 00:00:41.820
Each attack surface carries with it distinct risks.

15
00:00:41.820 --> 00:00:44.430
As organizations expand and adapt,

16
00:00:44.430 --> 00:00:46.080
these dimensions can shift,

17
00:00:46.080 --> 00:00:47.970
introducing new vulnerabilities

18
00:00:47.970 --> 00:00:51.000
that require ongoing evaluation and management.

19
00:00:51.000 --> 00:00:53.130
Whether securing established systems

20
00:00:53.130 --> 00:00:55.020
or planning for new deployments,

21
00:00:55.020 --> 00:00:57.900
a detailed approach to attack surface determination

22
00:00:57.900 --> 00:01:00.960
is crucial for proactively mitigating threats.

23
00:01:00.960 --> 00:01:02.550
As we go through this section,

24
00:01:02.550 --> 00:01:04.470
we will cover many topics related

25
00:01:04.470 --> 00:01:06.450
to attack surface determination,

26
00:01:06.450 --> 00:01:08.850
including technical attack surface,

27
00:01:08.850 --> 00:01:12.510
operational attack surface, organizational attack surface,

28
00:01:12.510 --> 00:01:16.800
cloud attack surface, organizational change attack surface,

29
00:01:16.800 --> 00:01:19.050
modeling with an existing system

30
00:01:19.050 --> 00:01:22.320
and modeling without an existing system.

31
00:01:22.320 --> 00:01:25.830
First, we will look at the technical attack surface.

32
00:01:25.830 --> 00:01:27.840
The technical attack surface is the sum

33
00:01:27.840 --> 00:01:29.520
of all potential entry points

34
00:01:29.520 --> 00:01:32.700
within an organization's technology infrastructure

35
00:01:32.700 --> 00:01:35.010
that could be exploited by an attacker.

36
00:01:35.010 --> 00:01:37.680
Technical attack service concepts include

37
00:01:37.680 --> 00:01:40.260
architecture reviews, data flows,

38
00:01:40.260 --> 00:01:42.900
trust boundaries and code reviews.

39
00:01:42.900 --> 00:01:45.900
Architecture reviews involve evaluating the design

40
00:01:45.900 --> 00:01:49.290
and structure of a system to identify weaknesses

41
00:01:49.290 --> 00:01:50.910
or misconfigurations

42
00:01:50.910 --> 00:01:53.430
that could be targeted by a threat actor,

43
00:01:53.430 --> 00:01:55.920
and data flows are examined to understand

44
00:01:55.920 --> 00:02:00.180
how information moves within and between network systems.

45
00:02:00.180 --> 00:02:03.570
Understanding normal data flows enables the assurance

46
00:02:03.570 --> 00:02:06.510
that sensitive data can be adequately protected

47
00:02:06.510 --> 00:02:09.420
and does not cross insecure channels

48
00:02:09.420 --> 00:02:11.580
or inadvertent trust boundaries.

49
00:02:11.580 --> 00:02:13.680
Trust boundaries define the points

50
00:02:13.680 --> 00:02:17.310
where data transitions from one level of trust to another.

51
00:02:17.310 --> 00:02:20.490
Understanding trust boundaries enables the implementation

52
00:02:20.490 --> 00:02:24.150
and management of strict boundary security controls.

53
00:02:24.150 --> 00:02:27.000
Code reviews involve the detailed examination

54
00:02:27.000 --> 00:02:29.490
of source code to detect vulnerabilities.

55
00:02:29.490 --> 00:02:31.380
Code reviews may detect vulnerabilities

56
00:02:31.380 --> 00:02:33.900
such as insecure coding practices,

57
00:02:33.900 --> 00:02:36.990
logic flaws and inserted back doors.

58
00:02:36.990 --> 00:02:39.750
In practice, during an architecture review,

59
00:02:39.750 --> 00:02:42.270
a team might identify that sensitive data

60
00:02:42.270 --> 00:02:44.580
crosses an insecure trust boundary.

61
00:02:44.580 --> 00:02:46.920
This discovery could lead to a code review

62
00:02:46.920 --> 00:02:49.890
that uncovers an insecure data handling function.

63
00:02:49.890 --> 00:02:51.900
This vulnerability can then be corrected

64
00:02:51.900 --> 00:02:54.540
to reduce the technical attack surface.

65
00:02:54.540 --> 00:02:58.440
Next, we will explore the operational attack surface.

66
00:02:58.440 --> 00:03:01.440
The operational service encompasses the vulnerabilities

67
00:03:01.440 --> 00:03:03.840
that arise from day-to-day operations

68
00:03:03.840 --> 00:03:06.570
and human factors within an organization.

69
00:03:06.570 --> 00:03:10.260
Operational attack service concepts include user factors,

70
00:03:10.260 --> 00:03:13.440
the enumeration and discovery of unsanctioned assets,

71
00:03:13.440 --> 00:03:17.760
and the enumeration and discovery of unsanctioned accounts.

72
00:03:17.760 --> 00:03:20.850
User factors involve the potential risks introduced

73
00:03:20.850 --> 00:03:24.960
by users such as weak passwords, phishing susceptibility,

74
00:03:24.960 --> 00:03:27.150
or the misuse of privileges.

75
00:03:27.150 --> 00:03:30.390
The enumeration and discovery of unsanctioned assets

76
00:03:30.390 --> 00:03:32.580
involves identifying unauthorized

77
00:03:32.580 --> 00:03:35.220
or unmanaged devices within the network

78
00:03:35.220 --> 00:03:37.500
that could be exploited by an attacker.

79
00:03:37.500 --> 00:03:39.450
Unauthorized and unmanaged assets

80
00:03:39.450 --> 00:03:41.850
often lack proper security controls

81
00:03:41.850 --> 00:03:44.490
leading to exploitable vulnerabilities.

82
00:03:44.490 --> 00:03:45.570
Similarly,

83
00:03:45.570 --> 00:03:48.960
the enumeration and discovery of unsanctioned accounts

84
00:03:48.960 --> 00:03:51.390
focuses on identifying unauthorized

85
00:03:51.390 --> 00:03:54.210
or orphaned user accounts that could be misused

86
00:03:54.210 --> 00:03:57.930
by malicious actors to gain access to sensitive systems.

87
00:03:57.930 --> 00:04:01.140
For example, during an operational security assessment,

88
00:04:01.140 --> 00:04:04.230
a team might discover several unsanctioned devices

89
00:04:04.230 --> 00:04:06.780
and accounts that were not being monitored.

90
00:04:06.780 --> 00:04:09.840
This would prompt immediate action to secure these devices

91
00:04:09.840 --> 00:04:13.350
and accounts to reduce the operational attack surface.

92
00:04:13.350 --> 00:04:14.310
After that,

93
00:04:14.310 --> 00:04:17.010
we will look at the organizational attack surface.

94
00:04:17.010 --> 00:04:19.410
The organizational attack surface encompasses

95
00:04:19.410 --> 00:04:21.510
the vulnerabilities associated

96
00:04:21.510 --> 00:04:24.570
with an organization's external relationships

97
00:04:24.570 --> 00:04:27.480
and its public-facing digital footprint.

98
00:04:27.480 --> 00:04:30.360
Organizational attack surface concepts include

99
00:04:30.360 --> 00:04:33.780
the enumeration and discovery of third-party connections

100
00:04:33.780 --> 00:04:36.030
and the enumeration and discovery

101
00:04:36.030 --> 00:04:39.030
of an organization's public digital presence.

102
00:04:39.030 --> 00:04:42.360
The enumeration and discovery of third-party connections

103
00:04:42.360 --> 00:04:46.020
involves identifying and assessing all external entities

104
00:04:46.020 --> 00:04:49.650
that have access to the organization's systems or data.

105
00:04:49.650 --> 00:04:53.940
These can include vendors, partners and service providers.

106
00:04:53.940 --> 00:04:57.120
The enumeration and discovery of public digital presence

107
00:04:57.120 --> 00:05:00.570
focuses on mapping the organization's online assets,

108
00:05:00.570 --> 00:05:03.210
including websites, social media accounts,

109
00:05:03.210 --> 00:05:05.250
and publicly accessible systems,

110
00:05:05.250 --> 00:05:07.590
and identified potential exposure points

111
00:05:07.590 --> 00:05:09.780
that could be targeted by an attacker.

112
00:05:09.780 --> 00:05:13.380
For example, during an organizational security review,

113
00:05:13.380 --> 00:05:16.710
a company might discover that an outdated vendor connection

114
00:05:16.710 --> 00:05:18.600
is still active and accessible

115
00:05:18.600 --> 00:05:22.020
along with a neglected public-facing web application,

116
00:05:22.020 --> 00:05:25.740
both of which could be exploited if not secured.

117
00:05:25.740 --> 00:05:29.220
Next, we will explore cloud attack surface.

118
00:05:29.220 --> 00:05:32.130
The cloud attack surface consists of the vulnerabilities

119
00:05:32.130 --> 00:05:35.820
and entry points associated with an organization's internal

120
00:05:35.820 --> 00:05:38.040
and external cloud infrastructure.

121
00:05:38.040 --> 00:05:40.890
Cloud attack surface concepts include the enumeration

122
00:05:40.890 --> 00:05:43.740
and discovery of internally facing assets,

123
00:05:43.740 --> 00:05:47.010
the enumeration and discovery of externally facing assets,

124
00:05:47.010 --> 00:05:48.720
cloud services discovery,

125
00:05:48.720 --> 00:05:51.240
and malicious cloud services and daemons.

126
00:05:51.240 --> 00:05:54.630
The enumeration and discovery of internally facing assets

127
00:05:54.630 --> 00:05:58.410
involves identifying and assessing cloud-based resources

128
00:05:58.410 --> 00:06:01.680
that are accessible only within the organization's network.

129
00:06:01.680 --> 00:06:05.550
These assets include internal databases, virtual machines,

130
00:06:05.550 --> 00:06:08.190
application servers, storage systems,

131
00:06:08.190 --> 00:06:10.830
Application Programming Interface endpoints

132
00:06:10.830 --> 00:06:13.020
and internal communication tools

133
00:06:13.020 --> 00:06:15.990
like messaging services or internet portals.

134
00:06:15.990 --> 00:06:19.740
The enumeration and discovery of externally facing assets

135
00:06:19.740 --> 00:06:23.190
focuses on cloud resources that are publicly accessible.

136
00:06:23.190 --> 00:06:25.710
These assets include web applications,

137
00:06:25.710 --> 00:06:29.520
Application Programming Interfaces, public storage buckets,

138
00:06:29.520 --> 00:06:33.390
Content Delivery Networks, Domain Name Systems servers,

139
00:06:33.390 --> 00:06:36.330
email servers and publicly accessible databases,

140
00:06:36.330 --> 00:06:37.830
or data lakes.

141
00:06:37.830 --> 00:06:40.680
Cloud services discovery involves identifying,

142
00:06:40.680 --> 00:06:44.640
mapping and cataloging all cloud services in use

143
00:06:44.640 --> 00:06:46.710
to identify potential vulnerabilities

144
00:06:46.710 --> 00:06:49.860
or misconfigurations that could be exploited.

145
00:06:49.860 --> 00:06:52.530
Cataloging all cloud services and daemons

146
00:06:52.530 --> 00:06:56.310
may also reveal maliciously installed services in daemon.

147
00:06:56.310 --> 00:06:58.890
Services and daemons are background processes

148
00:06:58.890 --> 00:07:01.230
and programs that run continuously

149
00:07:01.230 --> 00:07:02.970
to manage system function.

150
00:07:02.970 --> 00:07:04.830
Malicious services and daemons can lead

151
00:07:04.830 --> 00:07:08.130
to unauthorized access, persistent back doors,

152
00:07:08.130 --> 00:07:11.370
or the execution of harmful actions within the system,

153
00:07:11.370 --> 00:07:13.890
allowing attackers to maintain control

154
00:07:13.890 --> 00:07:16.740
or disrupt operations without detection.

155
00:07:16.740 --> 00:07:18.480
These malicious services or daemons

156
00:07:18.480 --> 00:07:21.420
might masquerade as legitimate processes,

157
00:07:21.420 --> 00:07:24.300
making them difficult to identify and remove.

158
00:07:24.300 --> 00:07:25.440
Following that,

159
00:07:25.440 --> 00:07:28.710
we will look at the organizational change attack surface.

160
00:07:28.710 --> 00:07:31.340
The organizational change attack surface refers

161
00:07:31.340 --> 00:07:34.890
to vulnerabilities introduced during periods of transition.

162
00:07:34.890 --> 00:07:38.220
Organizational change attack surface concepts include

163
00:07:38.220 --> 00:07:43.050
staffing changes, mergers, acquisitions, and divestitures.

164
00:07:43.050 --> 00:07:46.470
Staffing changes like onboarding or offboarding of employees

165
00:07:46.470 --> 00:07:48.720
can lead to gaps in access control

166
00:07:48.720 --> 00:07:51.060
if accounts are not properly managed.

167
00:07:51.060 --> 00:07:53.910
An example of a staffing change vulnerability is

168
00:07:53.910 --> 00:07:56.610
an orphaned account that could be misused.

169
00:07:56.610 --> 00:07:59.400
Mergers and acquisitions involve the consolidation

170
00:07:59.400 --> 00:08:01.800
of companies or assets through various types

171
00:08:01.800 --> 00:08:03.330
of financial transactions

172
00:08:03.330 --> 00:08:06.930
where one company either merges with or acquires another.

173
00:08:06.930 --> 00:08:09.090
Mergers and acquisitions often involve

174
00:08:09.090 --> 00:08:11.880
integrating disparate systems and networks.

175
00:08:11.880 --> 00:08:14.700
This integration can introduce new vulnerabilities

176
00:08:14.700 --> 00:08:17.070
if security practices are not aligned.

177
00:08:17.070 --> 00:08:18.030
Conversely,

178
00:08:18.030 --> 00:08:21.210
a divestiture is the process of a company selling

179
00:08:21.210 --> 00:08:23.640
or separating a portion of its business,

180
00:08:23.640 --> 00:08:25.890
assets or subsidiaries.

181
00:08:25.890 --> 00:08:28.500
Divestitures may leave sensitive data

182
00:08:28.500 --> 00:08:30.990
or assets insufficiently protected

183
00:08:30.990 --> 00:08:33.090
during the separation process.

184
00:08:33.090 --> 00:08:35.190
For example, during a merger,

185
00:08:35.190 --> 00:08:37.440
an organization might inadvertently grant

186
00:08:37.440 --> 00:08:40.380
excessive access to newly acquired employees,

187
00:08:40.380 --> 00:08:42.735
potentially allowing them to access sensitive systems

188
00:08:42.735 --> 00:08:45.210
or data they should not have,

189
00:08:45.210 --> 00:08:48.390
or an organization might fail to properly secure

190
00:08:48.390 --> 00:08:52.950
or decommission IT resources from a divested business unit,

191
00:08:52.950 --> 00:08:57.950
leaving behind crucial data exposed to unauthorized access.

192
00:08:58.380 --> 00:09:02.310
Then we will explore modeling with an existing system.

193
00:09:02.310 --> 00:09:05.010
Modeling with an existing system evaluates

194
00:09:05.010 --> 00:09:07.050
potential threats and vulnerabilities

195
00:09:07.050 --> 00:09:09.870
specific to the current organizational environment

196
00:09:09.870 --> 00:09:11.940
to determine what can be exploited

197
00:09:11.940 --> 00:09:15.360
and what security controls are necessary to mitigate them.

198
00:09:15.360 --> 00:09:17.970
This process includes identifying threats

199
00:09:17.970 --> 00:09:19.560
that are particularly relevant

200
00:09:19.560 --> 00:09:22.860
to the existing system's architecture and operations.

201
00:09:22.860 --> 00:09:24.150
Based on this assessment,

202
00:09:24.150 --> 00:09:27.930
an organization can select appropriate mitigating controls.

203
00:09:27.930 --> 00:09:31.950
Mitigating controls may include Multi-factor Authentication

204
00:09:31.950 --> 00:09:34.590
to protect against unauthorized access,

205
00:09:34.590 --> 00:09:37.470
deploying encryption to safeguard sensitive data,

206
00:09:37.470 --> 00:09:39.600
or setting up intrusion detection systems

207
00:09:39.600 --> 00:09:41.820
to monitor for suspicious activity.

208
00:09:41.820 --> 00:09:42.990
For example,

209
00:09:42.990 --> 00:09:46.770
if a legacy system is susceptible to SQL injection attacks,

210
00:09:46.770 --> 00:09:50.280
the organization might implement input validation controls

211
00:09:50.280 --> 00:09:53.790
and web application firewalls to prevent exploitation.

212
00:09:53.790 --> 00:09:54.630
Finally,

213
00:09:54.630 --> 00:09:57.780
we will look at modeling without an existing system.

214
00:09:57.780 --> 00:10:00.030
Modeling without an existing system

215
00:10:00.030 --> 00:10:02.550
assesses potential threats and vulnerabilities

216
00:10:02.550 --> 00:10:06.360
for systems that are not yet fully developed or deployed.

217
00:10:06.360 --> 00:10:08.880
Modeling without an existing system is done

218
00:10:08.880 --> 00:10:11.100
to preemptively identify risks

219
00:10:11.100 --> 00:10:12.960
and implement security controls.

220
00:10:12.960 --> 00:10:14.790
This approach requires envisioning

221
00:10:14.790 --> 00:10:16.590
how the system will function,

222
00:10:16.590 --> 00:10:19.320
considering what types of data it will handle,

223
00:10:19.320 --> 00:10:21.570
the expected user interactions

224
00:10:21.570 --> 00:10:25.410
and the anticipated integration points with other systems.

225
00:10:25.410 --> 00:10:27.630
Based on this hypothetical model,

226
00:10:27.630 --> 00:10:30.600
an organization can identify potential threats

227
00:10:30.600 --> 00:10:33.690
such as data breaches or unauthorized access

228
00:10:33.690 --> 00:10:37.920
and then select the appropriate controls such as encryption,

229
00:10:37.920 --> 00:10:40.860
access management and network segmentation

230
00:10:40.860 --> 00:10:42.240
to mitigate these risks

231
00:10:42.240 --> 00:10:44.700
before the system goes into production.

232
00:10:44.700 --> 00:10:45.780
For example,

233
00:10:45.780 --> 00:10:47.910
if an organization is planning to deploy

234
00:10:47.910 --> 00:10:51.900
a new cloud-based customer relationship management system,

235
00:10:51.900 --> 00:10:54.210
they might model potential attack vectors

236
00:10:54.210 --> 00:10:57.930
by analyzing common threats in similar cloud environments.

237
00:10:57.930 --> 00:11:00.300
This could reveal potential vulnerabilities

238
00:11:00.300 --> 00:11:03.330
such as unauthorized access to customer data

239
00:11:03.330 --> 00:11:06.390
or application programming interface abuse.

240
00:11:06.390 --> 00:11:07.770
Based on this analysis,

241
00:11:07.770 --> 00:11:09.180
the organization may decide

242
00:11:09.180 --> 00:11:12.600
to implement multi-factor authentication for all users,

243
00:11:12.600 --> 00:11:15.870
encrypt customer data, both at rest and in transit,

244
00:11:15.870 --> 00:11:18.240
and set strict access controls

245
00:11:18.240 --> 00:11:20.820
for application programming interface endpoints

246
00:11:20.820 --> 00:11:22.320
to prevent abuse.

247
00:11:22.320 --> 00:11:24.960
These proactive measures would help secure

248
00:11:24.960 --> 00:11:27.180
the customer relationship management system

249
00:11:27.180 --> 00:11:28.530
before deployment,

250
00:11:28.530 --> 00:11:32.490
reducing the risk of data breach and unauthorized access.

251
00:11:32.490 --> 00:11:33.750
To finish things off,

252
00:11:33.750 --> 00:11:35.790
we'll take a short quiz to see what you learned

253
00:11:35.790 --> 00:11:37.710
during this section of the course,

254
00:11:37.710 --> 00:11:41.220
and we will review each of those quiz questions fully

255
00:11:41.220 --> 00:11:44.070
to ensure you can explain why the right answers were right

256
00:11:44.070 --> 00:11:45.720
and the wrong answers were wrong.

257
00:11:45.720 --> 00:11:49.500
So let's get ready to dive into attack surface determination

258
00:11:49.500 --> 00:11:51.693
in this section of the course.