31 Tips For Reducing External Attack Surface Risks

31 Tips For Reducing External Attack Surface Risks


Share on linkedin
Share on facebook
Share on twitter

We’ve asked Reposify’s cybersecurity experts to share 31 of their best tips for reducing attack surface risks.

Download the Checklist and share it with your colleagues today.

1. Harden HTTP Headers (CWE-346)
Don’t make it easy for attackers – Hide your server platform and version details from the server header. That way, attackers will have trouble identifying the system and won’t be able to detect CVEs that could be exploited against it.

2. Monitor your cloud accounts (CWE-264)
Continuously monitor your AWS S3, Google Cloud and Microsoft Azure storage accounts and verify that none of them are publicly accessible (unless they should be).

3. Sensitive Subdomain Exposure (CWE-200)
Monitor your exposed subdomains on your SSL certificates and remove the sensitive ones from the certificate to avoid sensitive information exposure.

4. Avoid Hostile Subdomain Takeovers (CWE 16)
Avoid hostile subdomain takeovers. Verify that none of your subdomains are pointing to 3rd party pages and accounts that no longer exist as they might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

5. Patch your VPNs (CWE-285)
Avoid the exploitation of potential VPN vulnerabilities that can lead attackers to gain access into your systems. Ensure all of your VPN servers are patched and up-to-date.

6. Monitor your Github Accounts (CWE-538)
Monitor your company’s source code on Github on a daily basis and verify that no API Keys leaked.

7. Remove Old Web Pages (CWE-79)
Research your company’s old website pages and make sure they are no longer linked to static HTML pages that might contain buggy JS and could lead to a cross-site scripting attack (XSS).

8. Hide your Google Maps API Key (CWE-200)
Check your company’s Google Maps API Key and block unauthorized usage. If not blocked, attackers can use it and cause financial damage to the company as well as leverage it to carry out a denial of service attack if any limitation of maximum bill control settings exists in the Google account.

9. Place Test Environments Behind a VPN (CWE-264)
Verify that none of your development and test environments are exposed to the external internet.

10. Hide Origin IP Address on DNS Records (CWE 346)
Using Cloudflare? check your DNS records to verify that your origin IP address is not exposed. An attacker can use an exposed origin IP to attack it directly and bypass the Cloudflare WAF.

11. Less is More (CWE-200)
Don’t open ports that you don’t need to use. You can Monitor your exposed ports in your firewall.

12. Enable NLA Security (CWE-285)
Check that the NLA security is enabled on your RDP. This way others will not be able to see and access your RDP login page.

13. Sometimes Sharing isn’t Caring (CWE-200)
Verify that none of your internal and sensitive documents are accidentally exposed to the internet.

14. Disable Anonymous Logins(CWE-284)
Check if your FTP server allows anonymous logins. We recommend disabling anonymous FTP logins as they allow users without accounts to have restricted access to certain directories on the system.

15. Check Access Permissions(CWE-284)
Using Grafana?Check if an attacker can bypass the SSO by going directly to the path “/signup”. Ensure that your access permission is properly configured.

16. Patch Vulnerabilities on Time (CWE-200)
Remember the server that the marketing team used back in 2014 for a campaign that is long gone? It’s time to check it and ensure it did not accumulate any vulnerabilities.

17. Prevent Unauthorized Access to Kubernetes Service (CWE-284)
The HTTP service on 2379/TCP is the default etcd service for Kubernetes instances. Deny access by default and allow traffic only explicitly using firewall rules which will prevent unauthorized access.

18. Restrict Access to Directory Listing Servers (CWE-285)
Directory listings may contain files that shouldn’t be exposed through links on the website. Ensure that the directory does not contain sensitive information and consider restricting directory listings from the webserver configuration.

19. Avoid using Telnet & Disable Port 23 (CWE-16)
Check if you have a Telnet service running on port 23. If you are not using this service, it is recommended to disable it. Otherwise, replace it with SSH.

20. Remove PHP Info Pages (CWE-200)
The details appearing on an exposed PHP info page could be valuable for an attacker. It’s best to remove this file from production systems.

21. Deny default access to API interface for Kubernetes (CWE-284)
The HTTPS service on 10250/TCP is the default management API interface for Kubernetes clusters. Deny access by default and allow traffic only explicitly using firewall rules which will prevent unauthorized access.

22. Limit port discoverability (CWE-284)
Verify that your database port isn’t discoverable outside of your network perimeter.

23. Avoid SAP Login Page Exposure
Using SAP? verify that the login page isn’t exposed to the external network. If exposed, an attacker can access it anonymously through the “/sap/public/info” path.
We recommend installing the corresponding SAP security note.

24. Block SMB at the Network Boundary (CWE-16)
Legacy versions of SMB protocols could allow remote attackers to obtain sensitive information from affected systems. Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

25. Protect Sensitive Login Panels (CWE-284)
Credential theft and brute force attacks are on the rise.
Place sensitive login panels behind a VPN
Enforce a strong password policy
Require two-factor authentication when available

26. Follow the Principle of Least Privilege
Always challenge the level of access granted to employees and third parties to your systems and data, and reduce it to the bare minimum.

27. Consider Network Segmentation (CWE-284)
When it comes to critical development systems such as Jenkins, Nexus and others, consider network segmentation in order to limit access to only those that require it.

28. Avoid Port Mapper Exposure (CWE-284)
Verify that your portmapper is not exposed on port 111. An exposed port mapper service means that anyone can query this information without having to authenticate. It can be very useful for attackers to know which services you are running. The RPC service has a history of security vulnerabilities. We recommend blocking it on the firewall altogether.

29. Secure Access to MongoDB Express (CWE-284)
Check that your MongoDB Express isn’t remotely accessible and access is secured. MongoDB Express must be secured by implementing proper authentication, access control, and encryption.

30. Create and Maintain an IP Master List (CWE-200)
Search for your company’s public IP addresses on RDAP, whois, and other data sources, and make sure that you are aware of them.

31. Continuously Monitor your External Attack Surface (CWE-200)
The dynamic nature of most IT ecosystems today means that what is offline can suddenly become online. You need a scalable way to monitor your internet-connected assets and discover your unknown exposures and risks in real-time.

How Reposify can help?

The above-listed tips are just some of the tasks which can be automated by using Reposify’s external attack surface management platform. In order to truly secure your attack surface, you need to first ensure you have complete visibility and the insights needed to quickly eliminate risks. 

Reposify’s attack surface management platform helps leading organizations world wide to discover and eliminate unknown internet exposures in real time. 

See what your attack surface looks like right now – book a personalized demo with one of our experts.

New call-to-action

Reposify is an attack surface management platform delivering autonomous 24/7 discovery of exposed assets across all environments and the supply chain. Leading enterprises worldwide use Reposify to gain unparalleled visibility of their internet-facing assets and actionable security insights for eliminating shadow IT risks in real-time


Share on linkedin
Share on facebook
Share on twitter

Ready to discover your External Attack Surface?

Read Next

Why Only EASM can provide the protection necessary to guard against RCE threat

In April, VMware issued a series of patches to guard against vulnerabilities in a number of products. Among the most critical is CVE-2022-22954, a remote code execution RCE threat that puts organizations at risk of cyber attack. Only EASM can provide thorough cybersecurity protection against remote code execution hacks, with real-time asset monitoring and identification and clear, actionable insights for immediate intervention.

Detect to protect: Reposify’s EASM flags exposed assets vulnerable to Microsoft SMB (CVE-2022-26809)

Microsoft covered more than 100 vulnerabilities in April's security update, among them patches to critical remote code execution (RCE) vulnerabilities located in Microsoft’s SMB. In response Reposify's EASM platform scanned and identified 800,000+ nodes with open SMB protocol on both patched and unpatched systems. Read our latest blog and learn how Reposify's EASM can detect unknown exposed assets vulnerable to Microsoft’s SMB.

Security teams: here’s why you should choose EASM over Shodan?

If you are using Shodan to search for your company’s assets or perform reconnaissance as part of blue or red teams routines - you need to keep reading.