
Scaling Up? 4 Critical Questions to Manage Your Expanding Attack Surface


Standing still is not an option for organizations that want to succeed. Companies must constantly strive for growth by expanding into new markets, launching new products and services, acquiring smaller companies, or even merging with other businesses.

For this reason, mergers and acquisitions (M&A) deals are expected to increase in volume in 2024, a testament to organizations’ need to evolve and grow.

However, as a business scales its operations, its attack surface also expands. An IBM survey of 720 executives from acquiring companies found that 33% experienced M&A-attributable data breaches during integration, while 20% experienced similar data breaches post-integration.

Indeed, scaling up is a risky business. But knowing how business expansions contribute to attack surface growth is winning half the battle. In this post, we’ll tackle four questions you should ask as your business expands.

What, Exactly, Are You Acquiring?

Bringing new companies into the fold often means integrating disparate IT systems, creating a complex network with potential security gaps, and inevitably expanding your attack surface. Knowing what assets, vulnerabilities, and even security incidents you’re inheriting from an M&A is thus crucial.

Take, for instance, the Marriott data breach, which started with unauthorized access to the Starwood network a few years before Marriott acquired the hotel chain in 2016. It appeared that Marriott inherited the insecurity, leading to the 2018 breach that possibly exposed the sensitive information of 327 million guests.

Due diligence is crucial to avoid acquiring vulnerable legacy systems, unpatched IT assets, and inadequate cybersecurity measures that may make both the acquirer and target company prime targets. That begins with gaining visibility into every nook and cranny of a target’s attack surface, including assets that it may have overlooked, such as:

  • All domain names owned by the target company and the subdomains residing on them
  • SSL certificates issued for the domains
  • IP address resolutions of the domains and subdomains
  • Ports associated with the IP addresses
  • Accounts with cloud-based services
  • Email addresses associated with domains and cloud services

Knowing more about potential acquisition targets enables the acquiring company to detect and address risks before it is too late.
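One way to put such an inventory to work during due diligence is to reconcile what the target declared against what was observed externally. The sketch below is an added example, not part of the original post or any vendor's tooling; the hostnames, IP addresses, port allowlist, and function name are constructed placeholders.

```python
from datetime import date

# Constructed sample data (not real assets): what the target company declared
# during due diligence, and what an external inventory actually observed.
DECLARED_HOSTS = {"www.target.example", "mail.target.example", "shop.target.example"}
ALLOWED_PORTS = {25, 80, 443}
DISCOVERED = [
    {"host": "www.target.example", "ip": "203.0.113.10", "ports": [80, 443],
     "cert_not_after": date(2025, 3, 1)},
    {"host": "mail.target.example", "ip": "203.0.113.11", "ports": [25, 443],
     "cert_not_after": date(2024, 1, 15)},
    {"host": "dev.target.example", "ip": "198.51.100.7", "ports": [22, 8080],
     "cert_not_after": None},
]


def review_inventory(declared, discovered, allowed_ports, today, warn_days=30):
    """Return (host, issue) findings from comparing declared vs. observed assets."""
    findings = []
    observed = set()
    for asset in discovered:
        host = asset["host"]
        observed.add(host)
        if host not in declared:
            findings.append((host, "not in declared asset register"))
        extra = sorted(set(asset["ports"]) - allowed_ports)
        if extra:
            findings.append((host, f"ports outside allowlist: {extra}"))
        expiry = asset["cert_not_after"]
        if expiry is not None:
            days_left = (expiry - today).days
            if days_left < 0:
                findings.append((host, f"certificate expired on {expiry.isoformat()}"))
            elif days_left <= warn_days:
                findings.append((host, f"certificate expires in {days_left} days"))
    # Register entries nothing was observed for are stale records or blind spots.
    for host in sorted(declared - observed):
        findings.append((host, "declared but not observed externally"))
    return findings


if __name__ == "__main__":
    for host, issue in review_inventory(DECLARED_HOSTS, DISCOVERED, ALLOWED_PORTS,
                                        today=date(2024, 2, 1)):
        print(f"{host}: {issue}")
```

Each finding is a question to put to the target before close: who owns the undeclared host, why the extra ports are exposed, and whether the unobserved entry is decommissioned or simply hidden from the scan.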

Can You See through the Cloud?

Business expansion does not only include M&A deals but also the all-too-familiar decision to use SaaS and IaaS resources for scalability and cost-effectiveness. In fact, cloud adoption has become a norm, as 83% of IT leaders use more than one cloud service, while 99% of organizations manage four or more cloud instances.

However, as the cloud adoption rate grows, so does the volume of an organization’s cloud assets. Cloud sprawl is a reality that can get out of hand. Getting cloud assets under control begins with gaining cloud visibility to minimize risks associated with:

  • Misconfigurations: Organizations must be able to detect misconfigurations in the cloud, including public cloud storage buckets with overly permissive access controls, unsecured cloud instances with open ports or outdated software, and misconfigured API gateways that could be exposing sensitive data. It only takes one cloud misconfiguration for attackers to infiltrate critical systems.
  • Shadow IT: The ease with which users can sign up for SaaS accounts drives up the number of shadow IT assets (i.e., resources outside IT oversight and protection). These assets inevitably expose systems to various cyber risks. Mitigating shadow IT risks requires organizations to regularly conduct employee security awareness training and monitor domains, subdomains, and IP addresses that could be associated with unauthorized cloud instances.

Does Your Digital Footprint Lead to Attack Paths?

As businesses expand, so does their digital footprint, that is, the trail of data they leave on the Internet, like the domains and subdomains hosting their websites. Examining whether any of these tracks lead to potential attack paths is essential. Whether the business is scaling up through digital transformation or M&A, a larger digital footprint translates to more potential attack entry points.

In addition, a large digital footprint can make managing and securing all assets difficult. For instance, subdomains may lead to open ports, outdated software services, and misconfigured cloud instances that can turn into weak links in your security posture. All these data trails leave organizations with increased attack surfaces, giving attackers more information sources for cyber reconnaissance.

That is where attack surface analysis comes in. Businesses have to understand:

  • If their digital footprint can lead attackers to asset and system security issues
  • How attackers can exploit such issues
  • What data attackers can access if their infiltration succeeds
  • The damages to their finances, operations, and reputation if their data gets compromised

What Can You Do?

Attack surface expansion has undoubtedly added to the existing security burden, with 61% of CISOs saying that too much is expected of them. However, a proactive approach can help CISOs and security leaders effectively navigate the inevitable attack surface expansion that comes with business growth. That involves initiatives to:

  • Expand the scope of asset discovery: Move beyond traditional methods and leverage automated tools to discover all your Internet-facing assets, including cloud resources, shadow IT, and connected systems. Regularly conduct comprehensive scans to identify new assets and potential vulnerabilities.
  • Gain and maintain visibility over public-facing systems: Since growth means adopting new technologies, organizations must be able to maintain oversight of their external-facing tech stack, including the assets associated with each tool.
  • Monitor assets and systems for vulnerabilities: Once you have visibility over all your assets and technologies, automatically scan them for security issues and vulnerabilities for immediate prioritization and mitigation. This process should continue since new vulnerabilities pop up all the time. Meanwhile, new assets are added as businesses grow.
  • Leverage security automation: Automate routine security tasks (e.g., asset discovery, vulnerability scanning, access control enforcement, and log analysis) to free up security teams for more strategic initiatives like threat hunting and proactive risk management.

Attack surfaces are bound to expand as organizations continue to grow. However, asking the right questions can help security teams and leaders manage their business expansion effectively.
