This is continuation of my previous post on Defending Information Assets by Reducing the Attack Sutface
Identify and Reduce Attack Surface in Applications
An application’s “Attack Surface” is the areas where an application is vulnerable and can be exploited.
As per Wikipedia definition, "Attack surface in a software environment is the scope of functionality that is available to unauthenticated users. In other words, how much can a piece of software do in its default configuration by unauthorized users".
An attack surface comprise of application entry points, program code, other vulnerable applications installed on the same server etc. A malicious user can use any of the above to exploit an application.
An entry point for an application can be an open socket (not a port) or an application console or a RPC. If there are multiple applications installed on the same server, then vulnerability on one application can compromise all other applications installed on the same server.
Identify Attack Surface in Applications
There are many things that we can do to identify and reduce the attack surface in applications.
To identify the attack surface of an application, we can run application security scanners. The new complex web applications are built on Web 2.0 technologies so traditional scanners might not be able to discover all the new web application vulnerabilities. This should also be taken into consideration while selecting an application security scanner. There are web application security scanners like HP Webinspect which can scan complex web applications.
We need to proactively scan internet facing applications for vulnerabilities before they are deployed into Production Network.
If there are vulnerabilities found at code level, then those should be reported to the application vendor so that they can develop a patch or hotfix to address those vulnerabilities.
Before we deploy an application into production, we first need to have a clear understanding about which application features are really used in the corporate environment. Any unwanted /unused features should be disabled or uninstalled.
We should also provide different level of privileges to users based on there functional role. For applications which are using service accounts to start services should only be using a least privilege account for the same. If an application is running with high privileges, then its attack surface for that application would be very huge.
It is always recommended to have a dedicated server for critical applications. If there are more programs which are running, then the running code in the memory will be more and it would be easy for a malicious user to find vulnerabilities in the running applications.
These are not the complete list but all of the above mentioned steps will help to reduce the attack surface though it can not be fully eliminated.
Among the methodology mentioned in this article, I also take a close look at the protocol itself. By capturing the network packets when testing the authentication challenge and response, weaknesses can be discovered in the way the raw data is transmitted which may give clues as how to decode or even circumvent the security mechanisms implemented.
Posted by: Mark Pelkoski, CISSP, CEH | 03 August 2009 at 03:39 PM