WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:05.160
we will learn about the Operational Attack Surface.

3
00:00:05.160 --> 00:00:07.230
The operational attack surface

4
00:00:07.230 --> 00:00:09.690
encompasses the vulnerabilities

5
00:00:09.690 --> 00:00:12.630
that arise from day-to-day operations

6
00:00:12.630 --> 00:00:16.380
and human factors within an organization.

7
00:00:16.380 --> 00:00:21.380
Operational attack surface concepts include user factors,

8
00:00:21.420 --> 00:00:25.530
the enumeration and discovery of unsanctioned assets,

9
00:00:25.530 --> 00:00:30.360
and the enumeration and discovery of unsanctioned accounts.

10
00:00:30.360 --> 00:00:34.500
User factors involve the potential risks introduced

11
00:00:34.500 --> 00:00:37.560
by users, such as weak passwords,

12
00:00:37.560 --> 00:00:41.940
phishing susceptibility, or the misuse of privileges.

13
00:00:41.940 --> 00:00:45.510
The enumeration and discovery of unsanctioned assets

14
00:00:45.510 --> 00:00:50.510
involves identifying unauthorized or unmanaged devices

15
00:00:50.730 --> 00:00:54.870
within the network that could be exploited by an attacker.

16
00:00:54.870 --> 00:00:56.640
Similarly, the enumeration

17
00:00:56.640 --> 00:00:59.370
and discovery of unsanctioned accounts

18
00:00:59.370 --> 00:01:02.280
focuses on identifying unauthorized

19
00:01:02.280 --> 00:01:05.610
or orphaned user accounts that could be used

20
00:01:05.610 --> 00:01:09.960
by malicious actors to gain access to sensitive systems.

21
00:01:09.960 --> 00:01:12.690
Let's learn more about user factors,

22
00:01:12.690 --> 00:01:16.620
the enumeration and discovery of unsanctioned assets,

23
00:01:16.620 --> 00:01:21.300
and the enumeration and discovery of unsanctioned accounts.

24
00:01:21.300 --> 00:01:24.180
First, we have user factors.

25
00:01:24.180 --> 00:01:28.500
User factors represent risks introduced by employees

26
00:01:28.500 --> 00:01:32.730
or users interacting with an enterprise network.

27
00:01:32.730 --> 00:01:36.180
Common vulnerabilities include weak passwords,

28
00:01:36.180 --> 00:01:38.670
susceptibility to phishing attacks,

29
00:01:38.670 --> 00:01:41.220
or the misuse of privileges.

30
00:01:41.220 --> 00:01:43.500
These human-related risks

31
00:01:43.500 --> 00:01:46.410
often form the first line of exposure

32
00:01:46.410 --> 00:01:49.560
in an organization's security posture.

33
00:01:49.560 --> 00:01:53.430
For example, an employee using a weak password

34
00:01:53.430 --> 00:01:56.100
that is easily guessable by attackers

35
00:01:56.100 --> 00:01:58.980
can inadvertently create a gateway

36
00:01:58.980 --> 00:02:01.920
into an otherwise secure system.

37
00:02:01.920 --> 00:02:05.760
Or phishing attacks may capitalize on human error

38
00:02:05.760 --> 00:02:09.540
by tricking users into revealing sensitive information

39
00:02:09.540 --> 00:02:12.420
or downloading malicious attachments.

40
00:02:12.420 --> 00:02:17.420
So, user factors are often the weakest link in security.

41
00:02:17.490 --> 00:02:19.830
And unlike technical systems

42
00:02:19.830 --> 00:02:22.320
that can be patched or configured,

43
00:02:22.320 --> 00:02:25.050
user behavior is unpredictable

44
00:02:25.050 --> 00:02:27.810
and susceptible to manipulation.

45
00:02:27.810 --> 00:02:29.820
In a large organization,

46
00:02:29.820 --> 00:02:33.450
even a single user falling for a phishing attack

47
00:02:33.450 --> 00:02:36.570
can lead to a significant security breach,

48
00:02:36.570 --> 00:02:39.600
potentially compromising sensitive data

49
00:02:39.600 --> 00:02:43.740
or allowing attackers to move laterally within the network.

50
00:02:43.740 --> 00:02:47.190
Additionally, users with elevated privileges,

51
00:02:47.190 --> 00:02:50.130
such as administrators or executives,

52
00:02:50.130 --> 00:02:53.550
can unintentionally misuse their access,

53
00:02:53.550 --> 00:02:57.240
causing security incidents that affect multiple layers

54
00:02:57.240 --> 00:03:00.090
of the organization's infrastructure.

55
00:03:00.090 --> 00:03:04.380
For example, an administrator with elevated privileges

56
00:03:04.380 --> 00:03:07.980
might accidentally modify firewall settings,

57
00:03:07.980 --> 00:03:11.700
inadvertently leaving sensitive parts of the network

58
00:03:11.700 --> 00:03:14.460
exposed to external threats.

59
00:03:14.460 --> 00:03:17.970
So, to mitigate risks from user factors,

60
00:03:17.970 --> 00:03:22.620
organizations should deploy multi-factor authentication

61
00:03:22.620 --> 00:03:26.070
and enforce strong password policies.

62
00:03:26.070 --> 00:03:29.760
Security-awareness training is also a must.

63
00:03:29.760 --> 00:03:32.280
This is because educating employees

64
00:03:32.280 --> 00:03:35.130
about phishing and social-engineering tactics

65
00:03:35.130 --> 00:03:38.550
at onboarding and at least annually after that

66
00:03:38.550 --> 00:03:41.220
will help protect our network.

67
00:03:41.220 --> 00:03:44.850
Next, tools like phishing simulators can be used

68
00:03:44.850 --> 00:03:48.540
to send realistic training phishing emails to users,

69
00:03:48.540 --> 00:03:52.170
tracking who opens them or clicks on suspicious links

70
00:03:52.170 --> 00:03:54.540
to assess vulnerabilities,

71
00:03:54.540 --> 00:03:57.360
while user-activity monitoring tools

72
00:03:57.360 --> 00:04:00.000
can be used to track login locations

73
00:04:00.000 --> 00:04:02.130
and unusual access times

74
00:04:02.130 --> 00:04:05.220
to detect potential risky behaviors.

75
00:04:05.220 --> 00:04:08.940
Finally, implementing role-based access control

76
00:04:08.940 --> 00:04:11.880
can be used to limit users' permissions

77
00:04:11.880 --> 00:04:15.480
to only those necessary for their roles,

78
00:04:15.480 --> 00:04:19.860
reducing the potential impact of privilege misuse.

79
00:04:19.860 --> 00:04:22.320
Second, we have the enumeration

80
00:04:22.320 --> 00:04:25.650
and discovery of unsanctioned assets.

81
00:04:25.650 --> 00:04:29.370
The enumeration and discovery of unsanctioned assets

82
00:04:29.370 --> 00:04:34.200
involves identifying unauthorized or unmanaged devices

83
00:04:34.200 --> 00:04:37.110
connected to an organization's network.

84
00:04:37.110 --> 00:04:40.710
These assets could range from forgotten laptops

85
00:04:40.710 --> 00:04:43.680
to unauthorized personal devices,

86
00:04:43.680 --> 00:04:46.530
all of which can create vulnerabilities

87
00:04:46.530 --> 00:04:50.790
because they're not managed by the organization's IT team

88
00:04:50.790 --> 00:04:54.480
and may not be properly hardened and secured.

89
00:04:54.480 --> 00:04:56.190
Unmonitored devices

90
00:04:56.190 --> 00:04:59.760
often lack standardized security configurations,

91
00:04:59.760 --> 00:05:03.570
meaning they often operate without updates, patches,

92
00:05:03.570 --> 00:05:06.360
or even antivirus software.

93
00:05:06.360 --> 00:05:08.910
If these assets go unnoticed,

94
00:05:08.910 --> 00:05:12.300
they can easily become entry points for attackers

95
00:05:12.300 --> 00:05:15.090
looking to infiltrate the network.

96
00:05:15.090 --> 00:05:16.800
In enterprise networks,

97
00:05:16.800 --> 00:05:20.880
unsanctioned assets pose a substantial security risk

98
00:05:20.880 --> 00:05:24.090
because they exist outside regular monitoring

99
00:05:24.090 --> 00:05:26.070
and management processes.

100
00:05:26.070 --> 00:05:28.620
For example, an employee might bring

101
00:05:28.620 --> 00:05:32.610
an unauthorized personal laptop into the workplace

102
00:05:32.610 --> 00:05:35.040
and connect it to the corporate WiFi.

103
00:05:35.040 --> 00:05:38.190
This device, if infected with malware,

104
00:05:38.190 --> 00:05:41.790
now bypasses the network security defenses,

105
00:05:41.790 --> 00:05:44.820
since it is directly connected to the network,

106
00:05:44.820 --> 00:05:47.520
potentially spreading malicious software

107
00:05:47.520 --> 00:05:49.530
throughout the organization.

108
00:05:49.530 --> 00:05:51.510
Furthermore, unmanaged assets

109
00:05:51.510 --> 00:05:54.120
complicate incident-response efforts

110
00:05:54.120 --> 00:05:57.750
because security teams are unaware of their presence

111
00:05:57.750 --> 00:05:59.610
and potential risks.

112
00:05:59.610 --> 00:06:02.700
So, to address unsanctioned assets,

113
00:06:02.700 --> 00:06:05.700
organizations should use network discovery

114
00:06:05.700 --> 00:06:10.700
and inventory tools like Nmap, Nessus, and SolarWinds.

115
00:06:11.010 --> 00:06:13.170
These tools can scan the network

116
00:06:13.170 --> 00:06:16.080
to identify all connected devices,

117
00:06:16.080 --> 00:06:19.890
allowing IT teams to identify, monitor,

118
00:06:19.890 --> 00:06:22.110
and secure each asset.

119
00:06:22.110 --> 00:06:26.760
Additionally, implementing network access control solutions

120
00:06:26.760 --> 00:06:29.340
can prevent unauthorized devices

121
00:06:29.340 --> 00:06:31.320
from connecting to the network

122
00:06:31.320 --> 00:06:34.860
by enforcing policies that require devices

123
00:06:34.860 --> 00:06:38.580
to meet specific security and health standards

124
00:06:38.580 --> 00:06:41.340
before gaining network access.

125
00:06:41.340 --> 00:06:46.020
Finally, regularly updating asset inventories ensures

126
00:06:46.020 --> 00:06:49.980
that newly connected devices are properly identified

127
00:06:49.980 --> 00:06:53.880
and secured, reducing the attack surface.

128
00:06:53.880 --> 00:06:58.260
Third and last, we have the enumeration and discovery

129
00:06:58.260 --> 00:07:00.690
of unsanctioned accounts.

130
00:07:00.690 --> 00:07:04.230
The enumeration and discovery of unsanctioned accounts

131
00:07:04.230 --> 00:07:08.130
involves identifying unauthorized, orphaned,

132
00:07:08.130 --> 00:07:13.130
or unmanaged user accounts within an organization's systems.

133
00:07:13.560 --> 00:07:15.300
Such accounts might result

134
00:07:15.300 --> 00:07:17.880
from employees leaving the company,

135
00:07:17.880 --> 00:07:21.420
temporary accounts created for short-term projects,

136
00:07:21.420 --> 00:07:24.600
or accounts created without approval.

137
00:07:24.600 --> 00:07:27.720
These accounts are prime targets for attackers,

138
00:07:27.720 --> 00:07:31.500
since they retain access to sensitive data or systems

139
00:07:31.500 --> 00:07:35.280
without anyone actively monitoring their activity.

140
00:07:35.280 --> 00:07:39.000
In an enterprise environment, unsanctioned accounts

141
00:07:39.000 --> 00:07:43.140
directly create opportunities for unauthorized access.

142
00:07:43.140 --> 00:07:46.650
For instance, if an employee's account remains active

143
00:07:46.650 --> 00:07:49.320
after they leave the organization,

144
00:07:49.320 --> 00:07:51.930
a malicious actor could exploit that

145
00:07:51.930 --> 00:07:55.020
to access restricted areas of the network.

146
00:07:55.020 --> 00:07:59.010
Furthermore, unmanaged accounts are rarely updated

147
00:07:59.010 --> 00:08:01.230
with stronger security measures,

148
00:08:01.230 --> 00:08:05.850
making them easier to compromise and providing a backdoor

149
00:08:05.850 --> 00:08:09.120
into otherwise well-protected systems.

150
00:08:09.120 --> 00:08:13.770
So, to mitigate the risks posed by unsanctioned accounts,

151
00:08:13.770 --> 00:08:17.670
organizations should implement periodic account audits

152
00:08:17.670 --> 00:08:21.480
and remove or deactivate inactive accounts.

153
00:08:21.480 --> 00:08:24.960
Tools like Microsoft Azure Active Directory

154
00:08:24.960 --> 00:08:28.440
or Okta can assist in tracking account status

155
00:08:28.440 --> 00:08:31.740
and enforcing deactivation policies.

156
00:08:31.740 --> 00:08:36.120
Additionally, using automated identity governance solutions,

157
00:08:36.120 --> 00:08:39.990
such as SailPoint or Oracle Identity Governance,

158
00:08:39.990 --> 00:08:44.340
enables IT teams to detect orphaned accounts quickly

159
00:08:44.340 --> 00:08:46.290
and ensure account provisioning

160
00:08:46.290 --> 00:08:48.900
follows established protocols.

161
00:08:48.900 --> 00:08:52.377
Finally, establishing a standardized onboarding

162
00:08:52.377 --> 00:08:55.800
and offboarding process for user accounts

163
00:08:55.800 --> 00:08:58.980
reduces the likelihood of unsanctioned accounts

164
00:08:58.980 --> 00:09:00.990
going unnoticed.

165
00:09:00.990 --> 00:09:03.150
So, remember,

166
00:09:03.150 --> 00:09:07.260
the operational attack surface includes vulnerabilities

167
00:09:07.260 --> 00:09:11.130
that emerge from everyday actions and human factors

168
00:09:11.130 --> 00:09:13.440
within an organization.

169
00:09:13.440 --> 00:09:17.550
Key areas for consideration are user factors,

170
00:09:17.550 --> 00:09:21.540
unsanctioned assets, and unsanctioned accounts,

171
00:09:21.540 --> 00:09:24.900
each posing distinct security risks.

172
00:09:24.900 --> 00:09:29.610
First, user factors involve potential risks from employees,

173
00:09:29.610 --> 00:09:32.370
such as the use of weak passwords

174
00:09:32.370 --> 00:09:34.950
or susceptibility to phishing,

175
00:09:34.950 --> 00:09:39.030
making human error a common entry point for attackers.

176
00:09:39.030 --> 00:09:43.020
Next, unsanctioned assets refer to unauthorized

177
00:09:43.020 --> 00:09:45.870
or unmanaged devices on the network,

178
00:09:45.870 --> 00:09:48.480
which, lacking proper security,

179
00:09:48.480 --> 00:09:52.800
can open the door for attackers if left undetected.

180
00:09:52.800 --> 00:09:56.850
And finally, unsanctioned accounts are unauthorized

181
00:09:56.850 --> 00:10:01.530
or orphaned user accounts that could grant attackers access

182
00:10:01.530 --> 00:10:04.620
to sensitive areas within the network.

183
00:10:04.620 --> 00:10:07.500
These key areas for consideration

184
00:10:07.500 --> 00:10:10.500
represent gaps that attackers can exploit

185
00:10:10.500 --> 00:10:13.740
to bypass standard security measures.

186
00:10:13.740 --> 00:10:18.270
So, by identifying and managing these vulnerabilities,

187
00:10:18.270 --> 00:10:22.833
organizations can reduce exposure to potential attacks.

