Types of Attack Surfaces
Anything or anyone that holds or has access to the sensitive data, business data, or personally identifiable information in an enterprise is a potential part of its attack surface. We can break this down into three types of attack surfaces.
Digital Attack Surface
Every computer and device exposed to the internet is exposed to cyber attack, so a company's digital attack surface can be targeted by attackers from anywhere in the world. A company's digital attack surface typically includes:
- Websites
- Servers
- Databases
- Laptops
- Operating systems
- Applications
- Cloud resources/workloads
- Third-party providers
The more devices that connect to a company's network, the larger its software environment becomes, and with it the company's attack surface and the number of potential entry points for attackers.
Device Attack Surface
The physical attack surface of a business includes all of the company's hardware and physical devices, as well as any employee devices that are allowed to connect to the corporate network.
The physical attack surface includes:
- Workstations
- Laptops
- Mobile devices
- TVs
- Printers
- Routers
- Switches
- Security Cameras
Once an attacker gains access to a device, they may use it as a foothold to move laterally through the corporate network and reach other devices or servers. From there, the attacker can access sensitive information or damage systems and data.
Social Engineering Attack Surface
People can be one of the biggest security risks in a company if they aren't educated about potential threats. Attackers don't have to go through the trouble of hacking into an organization's network if they can use social engineering to trick an employee into giving them access.
Social engineering takes advantage of human psychology to trick a person into doing something they normally wouldn't do. An attacker can use social engineering in a variety of ways to reach a company's assets:
- Email phishing, where an employee is tricked into opening an email attachment or clicking a malicious link that downloads malware
- Impersonation, where an attacker poses as a service person such as a janitor or repair technician to gain physical access to company assets
- Media drops, where an infected USB drive is planted on company premises and inadvertently plugged into a computer by an employee