Visibility is of paramount importance in cyber security. We cannot secure what we cannot see.
Is it acceptable to let things die on the vine?
Enterprises invest a lot of time, money, and effort getting services launched. From research to deployment there are processes to help get projects off the ground. But, much like the space junk we have in orbit, there is often little thought given to what happens once these services have served their purpose.
This seemingly innocuous behaviour poses significant security risk. Unlike grapes on a vine, the risk doesn’t just wither away, it gets worse over time.
While there is a wide variety of causes, one thing is certain – legacy services and their related exposed surfaces become more vulnerable over time.
Legacy services can vary depending on the type of business the enterprise is pursuing. Examples of legacy services can include: allowing a customer to access their business account online, providing updatable health records in a web application, mobile banking services, offering a public online gaming community database, or providing an internal web-client for access to servers and databases for developers.
If we are not aware that the service has been allowed to die on the vine, we may not be adequately protecting a critical asset. Allowing old services to persist is not playing it safe – it is introducing your organization to a larger window of exposure and in most cases, completely unnecessary risk. Sometimes it’s not possible to end-of-life (EOL) a legacy service, so then countermeasures need to be deployed.
The best option is to shut down legacy services when they are no longer needed and provide a re-introduction request option for when the business requires it.
The second option – if a true business need currently persists – is to knowingly allow the service to be exposed and agree on an end-of-life schedule. It can then be shut down when it makes business sense while effectively managing risk in the meantime.
What Can You Do Right Now if You Simply Do Not Know What is Live?
If your management of archived assets has been less than stellar – and most enterprises do NOT have a good handle on this – you should perform a discovery audit of your entire attack surface. There are now dedicated automated solutions to perform this task continuously. These scanned results should be verified by in-house security experts or as part of hybrid solution with your Vulnerability Management provider.
Once you have an accurate picture of your Attack Surface exposures, you can begin coordinating with business line managers to ensure that your decisions balance both business and security requirements. Ideally any new technology or service will be deployed with an end-of-life plan in place. You should have a plan in place for retiring this technology even if it’s years in the future. Working with known managed risk instead of flying blind is fundamental in preventing significant negative events.
If you would like to learn more about External Attack Surface Management.