What is
an Attack Surface?

An attack surface is all of an organization's IT assets that are exposed to a potential attacker.

These assets may have physical or digital vulnerabilities that an unauthorized user can leverage to gain access to a corporate network and extract data. People themselves can also be an attack surface when they are targeted with phishing emails and other types of social engineering.

Types of Attack Surfaces


Anything or anyone that holds or has access to the sensitive data, business data, or personally identifiable information in an enterprise is a potential part of its attack surface. We can break this down into three types of attack surfaces.

Digital Attack Surface

Every computer and device exposed to the internet is exposed to a cyber attack. A company's digital attack surface could be targeted by hackers from around the globe. Here is an idea of what would be included in a company’s digital attack surface:

  • Websites
  • Servers
  • Databases
  • Laptops
  • Operating systems
  • Applications
  • Cloud resources/workloads
  • Third-party providers

The more devices that connect to a company's network, the larger the software environment of the company becomes, increasing a company’s attack surface and potential entry points for attackers.

Device Attack Surface

The physical attack surface of a business includes all the company’s hardware and physical devices as well as any employee devices that are allowed to connect to the corporate network.

The physical attack surface includes:

  • Workstations
  • Laptops
  • Mobile devices
  • TVs
  • Printers
  • Routers
  • Switches
  • Security Cameras

Once an attacker gets access to a device, he may infiltrate the corporate network to move laterally to gain access to other devices or servers. From there, the hacker can gain access to sensitive information or damage systems and data.

Social Engineering Attack Surface

People can be one of the biggest security risks in a company if they aren't educated about potential threats. Attackers don't have to go through the trouble of hacking into an organization's network if they can use social engineering to trick an employee into giving them access.

Social engineering takes advantage of human psychology to trick a person into doing something they normally wouldn't do. There are a variety of ways social engineering can be used by an attacker to access a company’s assets.

  • An email phishing attack, where an employee is tricked into opening an email attachment or clicking a malicious link that downloads malware
  • Impersonating a service person like a janitor or repair person, an attacker may gain physical access to company assets
  • Media drops where an infected USB is planted in a company and inadvertently plugged into a computer by an employee

Attack Surface Analysis


Attack surface analysis draws a map of what assets and applications are vulnerable to attack and need to be tested for security issues. An attack surface analysis gives your security team a guide for making the network more secure and less vulnerable to a breach.

This starts with a knowledge of the type of attack vectors attackers could use to access a corporate network. Common attack vectors include:

  • Compromised credentials
  • Weak passwords
  • Malicious insiders
  • Unencrypted or poorly encrypted data
  • Ransomware
  • Phishing software
  • Viruses
  • Misconfiguration of a firewall or publicly-facing workload

How to Reduce the Attack Surface


Once an organization has completed an attack surface analysis, they will have a good idea of where security is lacking and how to improve it. The following tools and methods are commonly used to reduce the attack service of a business.

  • Modifying overly-permissive access rules so that employees only have access to IT assets they need to get work done
  • Implementing segmentation to ensure that attackers cannot move laterally if they gain access
  • Training employees on social engineering techniques so they don't fall victim to phishing and other types of attacks
  • Call on cloud security posture management to address misconfigurations that leave cloud resources vulnerable
  • Increasing encryption levels and adding encryption where it is currently not being used
  • Installing antivirus software to prevent known virus threats
  • Increasing the security on web servers
  • Increasing or enforcing password complexity requirements
  • Implement multi-factor authentication to backstop username and passwords
  • Scheduling regular security scans and software updates to address vulnerabilities more quickly
  • Enabling internet content filtering to prevent employees from visiting unsafe sites

Conclusion


An attack surface is the entire network and software environment that is exposed to potential remote or local attacks. Mapping an attack surface through attack service analysis will give an organization a game plan to reduce it. This is done through higher security standards, security training, and security software.

Learn more


Learn how to reduce your attack surface to decrease exposure, limit an attacker's mobility, and minimize the impact of a breach by identifying and protecting your high-value assets and vulnerabilities.