QOTD on Attack Surface & Risk

The attack surface of a target is not influenced by changes in the operating environment, attack tactics, attacker strategy, or attacker operational capability. These things will change the risk of whether or not something may be attacked and the impact of that attack but the attack surface has been there the whole time as the same thing as always. In our work [OSSTMM], the attack surface is the quantity of points of interactions with a target (or asset). These include interactions necessary for operations. The only means of changing the attack surface is by adding or removing controls over the interactions, changing the quantity of points of interactions, or by changing the scope to include previously unknown targets.

Many things will influence attacker motives, capabilities, and style but that only represents what they do and not the surface of what they can attack. So if you clone a military base it has the same attack surface at home and in a war zone or on the moon and the Earth. What is different is risk and not what can be attacked. The points of interaction remain the same. That's the nice thing about measuring an attack surface- it's pretty static in terms of the things you can't control so it's in your power to address the operations you want and the interactions you don't want. So that means while you can be pretty sure that any change in environment, tactical ability, or motives will bring about changes in risk to the point where it seems to benefit whomever responds to it first (attacker or defender) the attack surface will stay the same.
-- Pete Herzog, Managing Director, ISECOM - Institute for Security and Open Methodologies

Src: Security Metrics mailing list. Posted with the permission of the author

No comments: