Jun 02 2026

Corporate Visibility as an Attack Surface: Managing Risk in the AI Era

Category: AI Risk,Cyber Attack,Security Risk Assessmentdisc7 @ 9:12 am

Corporate visibility has become a business requirement rather than a marketing choice. Organizations publish employee profiles, leadership pages, technical blogs, social links, and recruiting content to build trust, attract talent, and improve customer confidence. However, every piece of public information expands the organization’s attack surface and creates intelligence opportunities for adversaries. The challenge is no longer whether to be visible, but how to operate securely while visible.

Security risks from corporate visibility are primarily reconnaissance-driven. Public information allows threat actors to identify key employees, map reporting structures, discover technology stacks, and understand operational processes before ever touching the network perimeter. Modern attacks increasingly target people and workflows rather than infrastructure vulnerabilities, making visibility management a core risk management function rather than just a branding consideration.

Corporate websites typically expose much more than organizations realize. Common examples include employee names, job titles, leadership bios, headshots, email address patterns, social media links, customer references, technology disclosures in job postings, project announcements, and partner ecosystems. Even seemingly harmless details such as organizational charts or department structures help attackers prioritize targets and craft convincing attack paths. Exposure becomes particularly problematic when public data can be correlated with breached credential repositories or social media activity.

This information becomes weaponized through open-source intelligence (OSINT) aggregation. Attackers combine public corporate data with social media, breach datasets, and AI-assisted analysis to create personalized phishing campaigns, helpdesk impersonation attempts, credential attacks, and business email compromise scenarios. The effectiveness comes from context: an email referencing a real manager, recent project, conference appearance, or customer relationship appears legitimate because the attacker already understands the organization. Personalized phishing and social engineering campaigns consistently outperform generic attacks because they exploit trust rather than technical weaknesses.

The rise of generative AI significantly accelerates this process. What previously required days or weeks of manual reconnaissance can now be automated in hours. AI systems can scrape websites, correlate identities, summarize relationships, generate targeted phishing content, and even imitate communication styles. This lowers attacker costs while increasing scale, meaning organizations should assume adversaries can rapidly build highly accurate organizational profiles from publicly available information.

The 2023 attack against MGM Resorts International demonstrates how corporate visibility intersects with operational failure. Threat actors associated with Scattered Spider reportedly used publicly available employee information and social engineering techniques to impersonate staff members during helpdesk interactions. By manipulating identity verification processes, attackers gained elevated access that eventually disrupted casino operations, digital services, and hotel operations, creating an estimated $100 million business impact. The attack highlighted that the primary weakness was not public information itself, but weak verification controls around sensitive processes.

The lesson from MGM is that identity assurance matters more than secrecy. Many security practitioners and incident observers noted that helpdesk workflows, MFA recovery procedures, and privileged account processes became the real attack surface. Attackers exploited human workflows because those controls failed under realistic social engineering pressure. Organizations often invest heavily in technology stacks while underinvesting in identity proofing, helpdesk security, and process resilience.

Operating securely when visibility is unavoidable requires layered controls. Organizations should assume attackers already possess employee names, reporting structures, and technology information. Recommended controls include phishing-resistant MFA, stronger helpdesk identity verification, out-of-band approval processes, role-based exposure reviews, periodic OSINT assessments, monitoring for credential exposure, and security awareness programs focused specifically on personalized social engineering. Security programs should shift from “prevent exposure” to “operate securely despite exposure.”

My perspective as a security risk professional is that corporate risk in the AI era is shifting from perimeter defense toward identity, trust, and context protection. AI amplifies attacker capabilities by making reconnaissance, impersonation, and influence operations faster and cheaper. Organizations that still treat public visibility as a branding problem rather than a risk management problem are underestimating how quickly AI-enabled adversaries can build organizational intelligence. The future control objective is not reducing visibility to zero; it is building security architectures, governance processes, and human workflows that remain resilient when attackers already know who your people are, what technologies you use, and how your business operates.

Four risks, three frameworks, and what real-world mapping across ISO 27001, ISO 42001, and NIST 800-53 Rev. 5 actually looks like

The AI Governance Quick-Start: Defensible in 10 Days, Not 4 Quarters

DISC InfoSec is an active ISO 42001 implementer and PECB Authorized Training Partner specializing in AI governance for B2B SaaS and financial services organizations.

AI Attack Surface ScoreCard

AI Vulnerability Scorecard: Discover Your AI Attack Surface Before Attackers Do

Your Shadow AI Problem Has a Name-And Now It Has a Score

Most AI Security Tools Won’t Pass an Audit. Here’s a 15-Minute Way to Find Out.

AIMS and Data Governance – Managing data responsibly isn’t just good practice—it’s a legal and ethical imperative

Schedule a consultation or drop a note below: info@deurainfosec.com

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security

Tags: Attack Surface, Managing Risk

Dec 11 2023

How Well Do You Know Your Attack Surface? Five Tips to Reduce the Risk of Exposure

Category: Cyber Attackdisc7 @ 8:16 am

It’s no secret the attack surface is expanding at an unprecedented rate. We’ve hand-picked our top tips to reduce your exposure.

https://www.crowdstrike.com/blog/five-tips-to-shield-from-exposures/?

In an increasingly connected digital landscape, the security of your organization’s data and publicly facing assets is more critical than ever. According to the CrowdStrike 2023 Threat Hunting Report, more than 20% of all interactive intrusions are associated with the exploitation of public-facing applications. As an organization’s attack surface expands and cyberthreats proliferate, it is imperative IT and security teams take a proactive approach to safeguarding their digital footprint. This starts with implementing a strong exposure management program across the entire enterprise that drastically reduces all attack surface risks.

Do You Really Know Your Organization’s Attack Surface?

To stop an attack before it begins, you must first understand where critical exposures exist. You can think of your organization’s external attack surface as all of the doorways through which an attacker might attempt to sneak in. This includes anything from domain names, SSL certificates and protocols to operating systems, IoT devices and network services. These assets are scattered across on-premises environments, cloud environments, subsidiaries and third-party vendors, and they represent many of the easiest entry points to internal networks and the sensitive data they contain. 

Building a Successful Exposure Management Strategy with EASM

In an age where unknown entryways can lead to invaluable troves of information, external attack surface management (EASM) can find doors that may be left open. CrowdStrike Falcon® Exposure Management finds those potential access points before adversaries do. 

Our EASM technology, as part of Falcon Exposure Management, uses a proprietary engine to continuously scan the entire internet, enabling organizations to see their attack surface from an adversary’s perspective. The digital footprint of an organization is simple to generate, using only a company’s root domain. Once generated, it gives security teams a complete view of all of their internet-facing assets, including those on-premises and in the cloud. All exposed assets are automatically classified, analyzed and rated with a contextualized risk score, allowing teams to fix first what matters most.  

Reducing the size of your attack surface can minimize the risk of a breach. By following the five tips below, organizations can reduce the number of opportunities an adversary has, strengthen their cybersecurity posture and proactively  protect valuable assets from malicious actors. 

Top Tips to Reduce External Attack Surface Exposures

  1. Do not allow Remote Desktop Protocol (RDP) connections from outside your organization’s networks

There are plenty of products and open source solutions offering remote access to company resources. When RDP is opened to the internet, it is often not monitored and is susceptible to attacks.

How: 

  • Stand up a server that sits outside of your network perimeter
  • Install nmap or any other network scanner you’re comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for port 3389
  • Grab the logs weekly 
  • Use this list to figure out the person inside your organization who owns or is responsible for each host that has responded on port 3389
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
  • For any hosts that MUST have RDP exposed to the internet, enable multifactor authentication (MFA), remove them from your scan script above and continue the process of scanning
  • Use Network Level Authentication, a Remote Desktop Services feature that requires a user to authenticate before connecting to the server
  1. Avoid allowing directory listing on your web servers 

Directory listings expose the server to traversal attacks and a large variety of vulnerabilities. Moreover, the web server may contain files that shouldn’t be exposed through links on the website. Ensure your server does not expose directory listings, and if it must, make sure the directories do not contain sensitive information. 

How: 

  • Stand up a server that sits outside of your network perimeter 
  • Install nmap or any other network scanner you are comfortable with
  • Grab a list of your IP ranges
  • Set up a cron job to scan continuously for open HTTP 
  • Grab the logs weekly 
  • For every host answering on an HTTP or HTTPS port, use this list as an input for your web app scanning tool of choice (such as nikto or dirsearch)
  • For any host allowing directory traversal, figure out the person inside your company who owns or is responsible for this website
    • Clues:
      • Domain name (if applicable)
      • IPAM IP range notes
      • Login banners
      • Other website info
  1. Place test environments behind a VPN 

Ensure none of your development, staging or test environments is exposed to the internet. These environments are often not well-secured and in many cases have access to restricted resources.

How: 

  • Identify all of your production environments:
    • Have a clear list of domains and IP ranges from IT admin, content delivery network providers and web application firewall providers
    • Query whois reverse search under your organization name (there are multiple vendors and open source tools for this) 
  • All other environments (domains, subdomains and machines with external-facing IPs) should be protected with a VPN and MFA
  1. Avoid hostile subdomain takeovers 

Confirm none of your subdomains is expired or points to third-party pages and accounts that no longer exist, as it might be vulnerable to hostile subdomain takeovers. If you find such subdomains, reconfigure the DNS settings or remove the DNS entry pointing to the external service.

How: 

  • Talk to your IT admin team and get access to your DNS (may be route53, may be self-hosted)
  • Do a zone transfer on all of the domains your organization owns
  • Get a list of all of your IP ranges
  • Parse the IP addresses against your known IP range list
  • For any IPs that aren’t part of your infrastructure, figure out who they belong to (whois lookup, published list of cloud provider IP ranges)
  • Determine if they are pointing at anything you know you own
  • Any unused subdomain should be retired properly:
    • Use “Null MX” record
    • Use DMARC configuration to prevent any email from being sent on behalf of the sub/domain
  1. Enforce input validation

Enforce input validation on all internal and external inputs to prevent injection attacks. Input validation best practices include: predefining input size limitation per field and type (str/int if applicable), applying maximum retries for password and user fields, and enforcing backend strict logic to prevent injections (prepared statements with parameterized queries, stored procedures, escaping all user inputs, etc.).

How: 

  • Forms fields
  • Uniform resource identifiers (URIs)
  • APIs
  • Attachments
  • And more

Bonus Tip: Continuously monitor your attack surface

Securing an expanding attack surface is challenging. The dynamic nature of most modern IT ecosystems means secure assets can suddenly become exposed unknowingly due to an error, misconfiguration or simple oversight. This category of forgotten assets can grow for many reasons: employees with revoked access, engineers with lingering cloud token permissions, or unmaintained databases that should have never been exposed in the first place. Moreover, there are instances of abandoned assets that remain unused or unclassified for extended periods, leaving IT departments without records and, consequently, unable to secure them. Regardless of their origin, these assets present significant security risks.

Having an effective exposure management program enables teams to stay vigilant and proactively  monitor and secure entire IT ecosystems, which  is essential in safeguarding an entire  attack surface. You need to add a scalable way to monitor your internet-facing assets and discover your unknown exposures and risks in real time.

Additional Resources

Mastering Attack Surface Management: A Comprehensive Guide To Learn Attack Surface Management

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Attack Surface

Mar 23 2023

Cybersecurity 101: What is Attack Surface Management?

Category: Cyber Attack,cyber securityDISC @ 9:39 am
Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.

ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.

Understanding Attack Surface Management

Here are some key terms in ASM:

  • Attack vectors are vulnerabilities or methods threat actors use to gain unauthorized access to a network. These vulnerabilities include vectors such as malware, viruses, email attachments, pop-ups, text messages and social engineering. 
  • An attack surface is the sum of attack vectors that threat actors can potentially use in a cyberattack. In any organization, all internet-connected hardware, software and cloud assets add to the attack surface. 
  • Shadow IT is any software, hardware or computing resource being used on a company’s network without the consent or knowledge of the IT department. Quite often, shadow IT uses open-source software that is easy to exploit. 
  • Attackers use sophisticated computer programs and programming techniques to target vulnerabilities in your attack surface, like shadow IT and weak passwords. These cyber criminals launch attacks to steal sensitive data, like account login credentials and personally identifiable information (PII)

Read the Threat Index

Why is Attack Surface Management Important?

Security teams can use ASM practices and tools to prevent risks in the following ways:

  • Reduce blind spots to get a holistic view of your IT infrastructure and understand which cloud or on-premise assets are exposed to attackers.
  • Eliminate shadow IT to remove unknown open-source software (OSS) or unpatched legacy programs.
  • Minimize human error by building a security-conscious culture where people are more aware of emerging cyber threats. 
  • Prioritize your risk. You can get familiar with attack patterns and techniques that threat actors use.

How Attack Surface Management Works

There are four core processes in attack surface management: 

  1. Asset discovery is the process of automatically and continuously scanning for entry points that threat actors could attack. Assets include computers, IoT devices, databases, shadow IT and third-party SaaS apps. During this step, security teams use the following standards:
    • CVE (Common Vulnerabilities and Exposures): A list of known computer security threats that helps teams track, identify and manage potential risks.
    • CWE (Common Weakness Enumeration): A collection of standardized names and descriptions for common software weaknesses.
  2. Classification and prioritization is the process of assigning a risk score based on the probability of attackers targeting each asset. CVEs refer to actual vulnerabilities, while CWEs focus on the underlying weaknesses that may cause those vulnerabilities. After analysis, teams can categorize the risks and establish a plan of action with milestones to fix the issues.
  3. Remediation is the process of resolving vulnerabilities. You could fix issues with operating system patches, debugging application code or stronger data encryption. The team may also set new security standards and eliminate rogue assets from third-party vendors.
  4. Monitoring is the ongoing process of detecting new vulnerabilities and remediating attack vectors in real-time. The attack surface changes continuously, especially when new assets are deployed (or existing assets are deployed in new ways).  

You can learn more about the four core processes and how attack surface management works on the IBM blog. 

How to Get a Job in Attack Surface Management

Anyone who works in attack surface management must ensure the security team has the most complete picture of the organization’s attack vectors — so they can identify and combat threats that present a risk to the organization.

Hiring companies look for people with a background and qualifications in information systems or security support. The minimum expectations typically include the following:

  • Strong technical security skills
  • Strong analytical and problem-solving skills
  • Working knowledge of cyber threats, defenses and techniques
  • Working knowledge of operating systems and networking technologies
  • Proficiency in scripting languages, like Perl, Python or Shell Scripting
  • Experience with attack surface management and offensive security identity technologies.

What’s Next in Attack Surface Management?

Cyber Asset Attack Surface Management (CAASM) is an emerging technology that presents a unified view of cyber assets. This powerful technology helps cybersecurity teams understand all the systems and discover security gaps in their environment.

There is no one-size-fits-all ASM tool — security teams must consider their company’s situation and find a solution that fits their needs. 

Some key criteria include the following:

  • Easy-to-use dashboards
  • Extensive reporting features to offer actionable insights
  • Comprehensive automated discovery of digital assets (including unknown assets, like shadow IT)
  • Options for asset tagging and custom addition of new assets
  • Continuous operation with little to no user interaction
  • Collaboration options for security teams and other departments.

With a good ASM solution, your security team can get a real cyber criminal’s perspective into your attack surface. You can find, prioritize and solve security issues quickly and continuously. Ultimately, a diligent attack surface management strategy helps protect your company, employees and customers. 

Side view of young businessman using laptop in office. Male professional sitting at conference table working on laptop computer.

Operationalizing Threat Intelligence: A guide to developing and operationalizing cyber threat intelligence programs

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Attack Surface, Cyber Threat, Threat Intelligence