What is
an Attack Surface?

An attack surface is all of an organization's IT assets that are exposed to a potential attacker.

These assets may have physical or digital vulnerabilities that an unauthorized user can leverage to gain access to a corporate network and extract data. People themselves can also be an attack surface when they are targeted with phishing emails and other types of social engineering.

Types of Attack Surfaces


Anything or anyone that holds or has access to the sensitive data, business data, or personally identifiable information in an enterprise is a potential part of its attack surface. We can break this down into three types of attack surfaces.

Digital Attack Surface

Every computer and device exposed to the internet is exposed to a cyber attack. A company's digital attack surface could be targeted by hackers from around the globe. Here is an idea of what would be included in a company’s digital attack surface:

  • Websites
  • Servers
  • Databases
  • Laptops
  • Operating systems
  • Applications
  • Cloud resources/workloads
  • Third-party providers

The more devices that connect to a company's network, the larger the software environment of the company becomes, increasing a company’s attack surface and potential entry points for attackers.

Device Attack Surface

The physical attack surface of a business includes all the company’s hardware and physical devices as well as any employee devices that are allowed to connect to the corporate network.

The physical attack surface includes:

  • Workstations
  • Laptops
  • Mobile devices
  • TVs
  • Printers
  • Routers
  • Switches
  • Security Cameras

Once an attacker gets access to a device, he may infiltrate the corporate network to move laterally to gain access to other devices or servers. From there, the hacker can gain access to sensitive information or damage systems and data.

Social Engineering Attack Surface

People can be one of the biggest security risks in a company if they aren't educated about potential threats. Attackers don't have to go through the trouble of hacking into an organization's network if they can use social engineering to trick an employee into giving them access.

Social engineering takes advantage of human psychology to trick a person into doing something they normally wouldn't do. There are a variety of ways social engineering can be used by an attacker to access a company’s assets.

  • An email phishing attack, where an employee is tricked into opening an email attachment or clicking a malicious link that downloads malware
  • Impersonating a service person like a janitor or repair person, an attacker may gain physical access to company assets
  • Media drops where an infected USB is planted in a company and inadvertently plugged into a computer by an employee

Attack Vectors


An attack vector is the path that an attacker uses to breach your network. These can take many forms, including malware, phishing, man-in-the-middle attacks, and compromised credentials. Some attack vectors target weaknesses in security and infrastructure, while others target weaknesses in the people that have access to your network.

Attack Surface Analysis


Attack surface analysis draws a map of what assets and applications are vulnerable to attack and need to be tested for security issues. An attack surface analysis gives your security team a guide for making the network more secure and less vulnerable to a breach.

This starts with a knowledge of the type of attack vectors attackers could use to access a corporate network. Common attack vectors include:

  • Compromised credentials: As the most common way to access information, usernames and passwords that fall into the wrong hands can let attackers into your network. Typically, this happens when employees become the victims of phishing attempts and enter their logins on fake websites. Once the credentials have been captured, it can be easy for attackers to access your network. This is why two-factor authentication is such an important security precaution.
  • Weak passwords: Passwords that are weak or reused often make it easy for attackers to obtain login credentials. To counter this, organizations can enforce password strength requirements and discourage the repeat use of passwords.
  • Malicious insiders: When an employee intentionally exposes confidential company information or exposes vulnerabilities, they are a malicious insider. If you notice an unhappy employee, it may be a good idea to monitor their data and network access.
  • Unencrypted or poorly encrypted data: When data isn’t encrypted, it can be intercepted and read by attackers. It is important to keep data encrypted at every stage: at rest, in-transit, and in processing. Networks can’t rely solely on compliance measures to keep data secure — the data needs to be encrypted.
  • Ransomware: Under a ransomware attack, users are unable to access their data until they pay ransom. You can prevent ransomware attacks by keeping systems patched and up-to-date. Never install software unless you know exactly what it is.
  • Phishing software: Phishing occurs when an employee is contacted by email, phone, or text by someone who is posing as a legitimate individual or organization. The attacker hopes to gain access to personal or company information by posing as a boss or fellow employee of your organization. Educate your employees on the signs of a phishing attack and coach them to double check before responding to any suspicious communications.
  • Viruses: If a virus is able to infect a device on your network, it is possible for that virus to spread to the entire network. Viruses can destroy valuable data and crash software. Using anti-virus software is a good first step, but organizations need to rely on additional security measures like micro-segmentation.
  • Misconfiguration of a firewall or publicly-facing workload: When a firewall or publicly-facing workload is misconfigured, there could be vulnerabilities in the network. Make sure you know all the permissions of your cloud service and integrate any security features. A regular audit of your firewall and publicly-facing workloads is also a good way to ensure your network is secure.

How to Reduce the Attack Surface


Once an organization has completed an attack surface analysis, they will have a good idea of where security is lacking and how to improve it. The following tools and methods are commonly used to reduce the attack service of a business.

  • Modifying overly-permissive access rules so that employees only have access to IT assets they need to get work done
  • Implementing segmentation to ensure that attackers cannot move laterally if they gain access
  • Training employees on social engineering techniques so they don't fall victim to phishing and other types of attacks
  • Call on cloud security posture management to address misconfigurations that leave cloud resources vulnerable
  • Increasing encryption levels and adding encryption where it is currently not being used
  • Installing antivirus software to prevent known virus threats
  • Increasing the security on web servers
  • Increasing or enforcing password complexity requirements
  • Implement multi-factor authentication to backstop username and passwords
  • Scheduling regular security scans and software updates to address vulnerabilities more quickly
  • Enabling internet content filtering to prevent employees from visiting unsafe sites

Conclusion


An attack surface is the entire network and software environment that is exposed to potential remote or local attacks. Mapping an attack surface through attack service analysis will give an organization a game plan to reduce it. This is done through higher security standards, security training, and security software.

Learn More


Learn how to reduce your attack surface to decrease exposure, limit an attacker's mobility, and minimize the impact of a breach by identifying and protecting your high-value assets and vulnerabilities.