Wait… my attack surface is how big?
I’ve heard this question - or some variation - over and over throughout my career. With the ubiquity of cloud platforms, as well as legacy (sometimes forgotten) servers, we can sometimes lose track of our areas for entry. Let’s not forget remote workers and shadow IT! When we don’t know what we need to protect, how successful can our information security programs, practices, and people possibly be? Some of the naughty (and completely unknown) findings we’ve provided to customers tell us “not very”. With an ever-expanding attack surface due to experiments, mergers and acquisitions, and misconfiguration, how can we possibly know what we don’t know?
As a supplement to this presentation, we are also working on the Attack Surface Management Saga at our blog: https://blog.theblueteam.io