What is the Attack Surface?
The attack surface is all possible points or attack vectors, in short, all areas open to attackers, where an unauthorized user can access a system and cause a data breach.
How to Perform Attack Surface Analysis?
Attack surface analysis is about mapping which parts of a system need to be reviewed and tested for vulnerabilities. The purpose of attack surface analysis is to understand the areas of risk in an application/system, to make developers and security professionals aware of which parts of the application/system are vulnerable to attack, to find ways to minimize the areas that may create risk, and to understand when and how the attack surface changes, what this means from a risk perspective. is to analyze it.
Digital traces, digital assets, technologies used, versions, secret keys, and execution routes increase the attack surface and risks. The large number of digital assets and traces in question means that the attack surface expands, and this means that the threat factors increase.
What is the Importance of the Attack Surface in terms of KVKK?
The purpose of the KVKK (Personal Data Protection Law), which was published in the official newspaper numbered 29677 on April 7, 2016, is to protect the privacy of private life, which is one of the basic human rights. Obligations of companies that process personal data and the rules they must comply with are outlined by this law, and the issues are detailed in the guides published in order to provide clarity in practice, without causing interpretation.
KVKK When the section related to Technical and Administrative Measures of the Personal Data Security Guide is examined, it is determined that the framework of the measures to be taken in order to prevent cyber attacks and prevent possible violations will be maintained. We can say that it is drawn around the realization of controls.
KVKK regarding the issues that the necessary applications in the protection layer will not be sufficient as a precaution, keeping them up-to-date and regularly checking the attack surface for points that may create vulnerability against possible attacks and 3.1 of the Administrative Actions Guide. Article on Ensuring Cyber Security;
“The view that full security can be achieved with the use of a single cyber security product to ensure personal data security is not always true. Because threats are expanding their spheres of influence by changing their size and nature day by day.
In this context, the recommended approach is the implementation of a number of measures that are complementary to many principles and that are regularly checked.”
says.
3.2 of the guide. In the Article on the Monitoring of Personal Data Security;
“d) Establishing a formal reporting procedure for employees to report security vulnerabilities in systems and services or threats using them,”
It's called . digital traces, digital assets, technologies used, versions, secret keys and application paths that constitute the above-mentioned attack surface font-weight: 400;">the mentioned “system and services” constitutes a large part of it.
4.1. Technical measures that can be taken by data controllers are shown in the Summary Table of Technical Measures.
KVKK Technical Measures
- Authority Matrix
- Authority Control
- Access Logs
- User Account Management
- Network Security
- Application Security
- Encryption
- Penetration Test
- Intrusion Detection and Prevention Systems
- Log Records
- Data Masking
- Data Loss Prevention Software
- Backup
- Firewalls
- Current Anti-Virus Systems
- Deletion, Destruction, or Anonymization
- Key Management
The mapping, tracking and reporting of the attack surface with the help of tools that automate the process and regular penetration tests means that technical measures have been taken for most of the items in the table.
In summary; Considering the possibility of all possible attacks to cause a data breach, the detection of the attack surface touches an important part of the technical measures to be taken within the scope of KVKK.
What Can Be Done to Reduce the Attack Surface?
- Enforce Zero Trust Policies
ZTNA ensures that only the right people have access to the right resources at the right level at the right time. This strengthens the entire infrastructure of the organizations and reduces the number of entry points by guaranteeing that only authorized persons can access the networks.
- Eliminate Complexity
Unnecessary complexity can lead to poor management and policy errors that enable cybercriminals to gain unauthorized access to corporate data. Organizations should disable unnecessary or unused software and devices and reduce the number of endpoints used to simplify their networks.
For example, complex systems can cause users to access resources they are not using, expanding the attack surface a hacker can use.
- Regularly Scan for Vulnerabilities
Regular network scans and analytics enable organizations to quickly identify potential issues. Therefore, it is vital to master all attack surface detection to prevent problems with cloud and on-premises networks and ensure that only approved devices can access them. A full scan should not only identify vulnerabilities but also show how endpoints can be exploited.
- Segment the Network
Network segmentation allows organizations to minimize the size of their attack surface by blocking attackers with a set of sets. These include tools such as firewalls and strategies such as microsegmentation that divides the network into smaller units.
- Train Employees
Employees are the first line of defense against cyber attacks. Giving them regular cybersecurity awareness training will help them understand best practices and spot the obvious signs of an attack through phishing emails and social engineering.
