What about outsourcing cyber security?
July 2023, by Patrick Houyoux, LL.M. (ULB, Brussels; Trinity College, Cambridge, UK), President-Director, PT SYDECO
One of the fundamental principles of cyber security is to reduce the attack surface of an IT infrastructure as much as possible, so as to limit what an attacker can target and to minimise the damage that a successful attack can cause to the infrastructure as a whole.
Every author has their own definition of the attack surface. I prefer Phil Muncaster's, which, unlike most others, defines it by its objective rather than by its means, even if it seems incomplete. In essence, he writes that the attack surface "can be defined as the physical and digital assets of an organisation that could be compromised to facilitate a cyber attack" (1).
This definition nonetheless seems incomplete to me, because the attack surface covers not only what could facilitate a cyber attack but also, and above all, what the attack could target: all of an organisation's physical assets (hardware) and digital assets (software, data, identities).
Just as a burglar will eventually find a way into a house, a sufficiently determined attacker should be assumed to find a way into a system, however well secured it is.
Hence the recommendation to limit the reach of an attack through micro-segmentation, so that when an intrusion does occur it is not the whole system that is affected but only the segment that is first compromised.
The German hospital that, during the pandemic, had to turn away an emergency patient because its entire computer system was down following a cyber attack is a case in point: had that system been segmented, the attack could have been contained to part of the infrastructure instead of taking all of it offline.
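The containment argument above can be made concrete by comparing how far an attacker can move laterally under a flat network versus an allow-list segmentation policy. The following is an added example written for this page, not code from the original article or from PT SYDECO; the host names and the allowed flows are a constructed, hypothetical hospital-style network chosen for illustration.

```python
"""Blast-radius comparison: flat network vs micro-segmented network.

Constructed example (not from the original article). A policy is an explicit
allow-list of (source, destination) lateral-movement paths between systems;
anything not listed is treated as denied by the segmentation firewall.
"""
from collections import deque

# Hypothetical systems in a small clinical network (constructed sample).
HOSTS = ["workstation", "file-server", "ad-dc", "pacs", "patient-db"]

# Flat network: no internal filtering, every host can reach every other host.
FLAT_POLICY = {(src, dst) for src in HOSTS for dst in HOSTS if src != dst}

# Micro-segmented network: only the flows the business actually needs.
# These flows are assumptions for the example, not a real hospital design.
SEGMENTED_POLICY = {
    ("workstation", "file-server"),
    ("workstation", "ad-dc"),
    ("file-server", "ad-dc"),
    ("pacs", "patient-db"),
}


def blast_radius(policy, compromised):
    """Hosts an attacker can reach from `compromised` by following only the
    flows the policy allows (breadth-first search over the policy graph).
    The starting host is always included."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for src, dst in policy:
            if src == current and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached


def containment_ratio(policy, compromised, hosts=HOSTS):
    """Fraction of the *other* hosts that remain unreachable after the
    initial compromise: 0.0 means the whole network falls, 1.0 means the
    attacker is confined to the first host."""
    others = len(hosts) - 1
    spread = len(blast_radius(policy, compromised)) - 1
    return 1 - spread / others


def exposed_paths_to(policy, target):
    """Sources allowed to initiate a flow into `target`; a useful review check
    when deciding whether a sensitive system is segmented tightly enough."""
    return sorted(src for src, dst in policy if dst == target)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        reach = blast_radius(policy, "workstation")
        print(f"{name:9s} compromised workstation reaches {sorted(reach)} "
              f"(containment {containment_ratio(policy, 'workstation'):.0%})")
    print("sources allowed into patient-db:",
          exposed_paths_to(SEGMENTED_POLICY, "patient-db"))
```

The model deliberately ignores exploitation difficulty and treats every allowed flow as a usable pivot, which is the worst-case assumption a segmentation review should start from. Run it and the flat policy lets a compromised workstation reach every host, while the segmented policy confines the same compromise to the user segment and the domain controller it needs, leaving the imaging and patient-record systems unreachable.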
This fundamental principle of cyber security is therefore directly at odds with the introduction of elements that only enlarge the attack surface.
Any cyber security solution applied to an infrastructure that requires the intervention of a third party therefore increases the attack surface of that infrastructure.
I am thinking here of security systems sold as SaaS or built on the Cloud, which necessarily involve systems and software from outside the company, as well as the people who operate and maintain them, over whom the customer has no control.
When you use a SaaS solution, you do not necessarily know how well it is secured. However well secured it may be, it is not immune to access through a privileged user's compromised account or device. In 2022, three leading SaaS providers suffered exactly this kind of compromise: Microsoft, Okta and HubSpot.
Darktrace has observed a significant increase in the number of attacks against SaaS (2) platforms. It’s not hard to understand why, when you consider all the cyber-attack risks that are specific to a SaaS platform.
These risks include misconfiguration of the cloud environment; the platform itself acting as a third party whose level of security, and that of the people working on it, we do not know; the level of protection of its APIs; the actions of staff who, intentionally or not, expose sensitive data or disrupt the service; data breaches; and denial-of-service attacks (3).
And what are we to make of SolarWinds and Kaseya, whose IT management software their customers trust with privileged access to their own infrastructures, when we know the damage those customers suffered once the vendors themselves were compromised?
In conclusion, the cyber security of an IT infrastructure can never be delegated to a third party, whether a physical entity, a platform or the Cloud, without broadening the attack surface.
The best protection against cyber attacks is one that is built in-house and over which you retain direct control of every component at every level.
Beyond the most advanced traditional means of defence, the best protection is to segment your infrastructure so as to contain any intrusion, as ARCHANGEL 2.0 enables you to do. This firewall provides defence in depth, with real-time control of the network and its components, and creates micro-segmentation within the network.
1. https://www.welivesecurity.com/fr/2021/09/15/surface-attaque-definition-reduction/
2. https://darktrace.com/blog/the-anatomy-of-a-saas-attack-two-threats-caught-and-investigated-by-ai
3. https://medium.com/@bryanlack.co/dont-get-hacked-the-10-most-common-saas-security-risks-e4b67eec489