As technology evolves, the number of attack targets grows exponentially at each major developmental stage. We also see a corresponding growth in attack vectors. This expansion in both attack targets and vectors combines into an explosion of the attack surface and presents a complex challenge for cybersecurity teams. While we intuitively understand the impact of attack vector sprawl, it can be challenging to comprehend the full magnitude of attack surface growth and evolution.
The New Frontiers of Cybersecurity is a three-part thought-leadership series investigating the big picture problems and potential solutions within the cybersecurity industry. In the first post, we explored the reasons malicious actors have been able to dramatically enhance their ability to execute and profit from attacks. For our second installment, we’ll look into what’s behind this attack surface explosion.
From Millions to Many Billions of Physical Systems
In the dawn of cybersecurity, when the Internet was becoming popular in the early 1990s, the primary attack targets were large monolithic servers. These servers sat on premises or in dedicated data centers and were connected to the big pipes of the early Internet. Every large company that could be a target had servers, but the population of Internet-facing servers was tiny by today's standards. Attackers back then had to work over dial-up modems and relatively sparse connectivity, so for anyone who wanted more power, gaining control of a server was the goal. A few compromised servers spewing denial of service (DoS) traffic could block access to competitors, send out spam, or serve as a base for launching other kinds of attacks. In these conditions, cybersecurity was relatively easy: there were fewer servers to protect and monitor, and fewer ways into them.
From the server era of the early 1990s, we transitioned to the era of personal computers (PCs) connected to home broadband networks. According to the U.S. Bureau of Labor Statistics, the percentage of U.S. households with PCs grew from 15% to 35% between 1990 and 1997. Later, global PC shipments, laptops included, plateaued at roughly 300 million units a year. Overall, billions of PCs entered service from 1990 through 2022. This does not count the PCs or small Linux systems embedded in medical instruments, factory machinery control systems, transportation systems, and many other areas where local compute power was important.
Faster Data, Smartphones, IoT & Cloud
The number of addressable targets grew exponentially as PCs and embedded computing took off. As the Internet became more popular, users wanted faster connections to utilize the new medium better. This meant moving from dial-up modems to broadband connections. Those broadband connections required more powerful modems and enabled more potent cyberattacks launched from individual endpoints or coordinated botnets.
Next, broadband went from the wire to the air. In the early 2000s, the Wi-Fi wireless data protocol became popular. Usage grew rapidly, making it possible for attackers to break into vulnerable networks without physical access to them. A single weakly protected Wi-Fi network, at work or at home, exposed every device on it to attack.
The rise of Wi-Fi also drove a rapid expansion of Wi-Fi-enabled devices. Printers, televisions, security cameras, baby monitors, scales, tablets, and many other devices became predominantly connected to the Internet via Wi-Fi. As of January 2021, over 18 billion Wi-Fi-enabled devices had shipped globally since the late 2000s. According to the Wi-Fi Alliance, over four billion of these devices shipped in 2021 alone. This tally does not include cars that now often have embedded wireless data connectivity and in-car Wi-Fi for passengers.
Alongside the rise of Wi-Fi networks and connected devices came smartphones, which connect over increasingly fast and high-capacity wireless networks. The iPhone of 2007 made the smartphone a mass-market product. In 2021, roughly 1.37 billion smartphones were shipped according to IDC, each one with the potential for high-speed connectivity, either via Wi-Fi or over 4G/LTE and 5G cellular networks.
Both Wi-Fi and 5G are now used for Industry 4.0. To capture and analyze real-time data, factories added sensors to all types of machines and equipment. Many of these sensors were linked via Wi-Fi connections. In smart cities, governments placed wireless sensors in thousands of locations to provide real-time data about traffic congestion, public transportation status, trash collection, road and bridge deterioration, and more.
Simultaneously, with the rise of wireless everything came the astronomical growth of cloud computing. First with virtualization software and later with containers, cloud computing providers were able to cut physical servers into smaller and smaller units of logical computing. Each unit came with a full networking stack and connection to the Internet.
The process of virtualization and atomization continued down to generating units of functionality—serverless processes—that could also be connected to the Internet. Cloud computing transformed the world of IT infrastructure from millions of large boxes to billions and billions of containers. Each might be running its own application and have its own business logic. And each unit became a potential target for breach or takeover, even further expanding the attack surface.
Beyond the Numbers Growth: Embedded Systemic Risks
On its own, this massive growth in physical and logical attack surface multiplied the responsibilities and risks faced by cybersecurity teams. But additional challenges are nested within this expansion.
No Economic Incentive for Secure Features
Embedded operating systems in billions of cheap consumer and business devices are poorly secured. Most ship with a stock, unhardened Linux build that was never configured with security in mind. This decision is driven by economics. If the profit margin on cheap connected security cameras, speakers, or routers is already slim, the manufacturer has little interest in paying extra for security, particularly since it bears none of the downstream costs of a breach or attack. Even more expensive gear, like connected televisions, often lacks a truly secure real-time operating system designed for embedded use. Robust embedded security features generally require a bigger and more expensive processing unit, more memory, and a higher-capacity battery. So manufacturers are reluctant to pay for security that customers are not willing to pay extra for.
Insecure by Default
Perhaps the most serious problem is the lack of basic, out-of-the-box configuration security for so many connected systems. Millions of connected devices ship from factories with insecure default usernames and passwords. Customers open the box and connect the system but are never prompted to change these settings. Nor would they want to; no one wants to spend an hour locking down a $40 Amazon security camera. And few want to add multi-factor authentication for every single connected device they own. Most shipped Linux-based devices also carry a second, lower-level administrative account (typically root or a vendor service login) beneath the customer-facing interface. Its password is frequently just as weak, even though that level of access allows far greater malicious activity by providing direct control over the underlying Linux system. Even the most basic evidence of security we have in browsers, the little padlock indicating that encryption is working, is missing from connected devices. There is no padlock when you talk to a smart speaker or log into a remote security camera.
IoT Sensors Running On Top of Ancient Software
On the majority of Internet of Things (IoT) and Industry 4.0 systems, sensors are added to legacy control systems that are often decades old. We frequently see factory equipment controllers or medical device controllers operating on antiquated Windows operating systems. These older operating systems were never designed to withstand modern threats and may no longer receive patches from the software maker. Most are not intended to be directly exposed to the Internet, but security teams increasingly find attackers reaching these systems through lateral movement from a compromised neighbor, or when the older systems are inadvertently exposed. The reality of IoT and Industry 4.0 is that we will have to keep securing these older systems for decades, because factory equipment replacement cycles are long.
Work from Everywhere Exposes Everyone
Any remaining vestige of the distinction between operating inside and outside a secure perimeter has disappeared in the past few years. In fact, it's safe to say that virtually no one properly segregates work and personal usage. It used to be a simple process: you arrived at your office, logged into the office network on an approved laptop, and that was it. Today, setting up proper segregation is challenging even for someone willing to put in the effort. It means creating separate VLANs, one for connected devices, another for everyday browsing and shopping, and a third for work-only communication, and then adding the firewall rules between them that actually stop the first two from initiating connections into the third. Because all communication is mixed together and the boundaries between work and personal are gone, cybersecurity teams are forced to cover a much broader range of devices with a wider range of behaviors and exposures.
Next: Potential Solutions to Attack Surface Explosion
We are in the early stages of putting together comprehensive solutions to the problems outlined above. Some of the solutions will emerge from a systemic change at the software level, driven by government mandates. Some solutions will come from changes in how we approach trust and security in the enterprise.
At the software level, the U.S. government and many other governments are now mandating the use of software bills of materials (SBOMs). SBOMs will allow for tracking of all software and its components at a level of granularity and accuracy previously unheard of, though an SBOM is only an inventory: its value comes from continuously matching that inventory against known-vulnerable versions and acting on the results. In terms of changing our approach to security, we are rapidly moving to a state of continuous verification and assessment of the security of hardware and software. This is sometimes referred to as zero trust, but that term does not fully encompass the nature and depth of the changes that are organically emerging.
Stay tuned for our next post in the series, in which we will cover these two broad shifts and how security leaders should consider applying them to their organizations.
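To make the SBOM point concrete, here is an added example (not code from the original post or from any SBOM tool) of the kind of check an asset owner can run once an inventory exists: it parses a CycloneDX JSON document, pulls each component's name and version, and compares them against a minimum-version policy. The sample SBOM and the version floors are constructed for illustration and do not describe any real product or advisory; in practice the floors would come from a vulnerability feed keyed on the component's purl rather than a hand-maintained table.

```python
"""Check a CycloneDX SBOM against a minimum-version policy (added example)."""
import json
import re

# Constructed sample SBOM: an illustrative embedded-device firmware inventory,
# not a real product's bill of materials.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1"},
        {"type": "operating-system", "name": "linux", "version": "4.9.337",
         "purl": "pkg:generic/linux@4.9.337"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},   # no purl
        {"type": "application", "name": "dropbear"},                # no version
    ],
})

# Constructed policy: the oldest version of each component the asset owner
# still accepts. Illustrative thresholds only, not real advisories.
MIN_VERSIONS = {"openssl": "1.1.1t", "busybox": "1.36.0", "linux": "5.10.0"}

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(version):
    """Turn '1.1.1k' into ((1,''), (1,''), (1,'k')) so tuples sort in release
    order, including the letter suffixes OpenSSL 1.x used. A piece with no
    leading digits sorts as 0 with its text as a tie-breaker."""
    parts = []
    for piece in version.strip().split("."):
        m = _PART.match(piece)
        if m:
            parts.append((int(m.group(1)), m.group(2).lower()))
        else:
            parts.append((0, piece.lower()))
    return tuple(parts)


def version_lt(have, floor):
    """True when `have` is older than `floor`. Shorter tuples are padded with
    (0, '') so that 1.36 and 1.36.0 compare equal."""
    a, b = list(parse_version(have)), list(parse_version(floor))
    width = max(len(a), len(b))
    a += [(0, "")] * (width - len(a))
    b += [(0, "")] * (width - len(b))
    return a < b


def load_components(sbom_text):
    """Yield (name, version) pairs from a CycloneDX JSON document. The name is
    taken from the purl when present (pkg:type/namespace/name@version...), since
    vendors sometimes relabel the 'name' field but keep the canonical purl."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if purl:
            base = re.split(r"[@?#]", purl, 1)[0]   # drop version, qualifiers, subpath
            name = base.rsplit("/", 1)[-1]
        else:
            name = comp.get("name")
        yield name, comp.get("version")


def check_sbom(sbom_text, min_versions):
    """Classify every component as outdated, ok, unlisted (no policy entry) or
    unversioned (the SBOM gives no version, which itself deserves a follow-up)."""
    result = {"outdated": {}, "ok": [], "unlisted": [], "unversioned": []}
    for name, version in load_components(sbom_text):
        if version is None:
            result["unversioned"].append(name)
        elif name not in min_versions:
            result["unlisted"].append(name)
        elif version_lt(version, min_versions[name]):
            result["outdated"][name] = (version, min_versions[name])
        else:
            result["ok"].append(name)
    return result


if __name__ == "__main__":
    report = check_sbom(SAMPLE_SBOM, MIN_VERSIONS)
    for name, (have, need) in report["outdated"].items():
        print(f"{name}: shipped {have}, policy floor {need}")
    print("unversioned:", report["unversioned"], "unlisted:", report["unlisted"])
```

Two details matter for real inventories: components with no version at all are reported separately rather than silently passed, because an SBOM that cannot say what version shipped cannot be matched against anything, and the version comparison is deliberately tolerant of vendor suffixes, since embedded firmware rarely uses clean semantic versions.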