
What is an attack surface?

Attack surface definition

Attack surface is a term used to describe areas where an attacker can gain a foothold and includes an organization’s points of vulnerability to threats. An attack surface covers everything from operating infrastructure (e.g., hardware, software, cloud services, and applications) to those who run and use it (e.g., employees, IT and security staff, partners, and vendors). Cybercriminals consider an organization’s attack surface when seeking to gain unauthorized access to networks, systems, or data.

An attack surface consists of:

  1. Known assets
    These are the most manageable components of an attack surface, as known assets are inventoried and managed. Known assets include sanctioned user equipment (e.g., computers, laptops, mobile devices, printers), the organization’s website, servers, and software running on them.
  2. Rogue assets
    This is malicious infrastructure, such as malware or typosquatted domains.
  3. Unknown assets
    While not inherently malicious, unknown assets are a threat. Unknown assets range from user-installed printers or IoT (internet of things) devices to development or marketing websites created without IT’s knowledge.
  4. Third and fourth parties
    Any third party with access to internal systems is part of an attack surface. This includes all vendors and their sub-contractors, as well as partners and contractors.

The attack surface is split into two categories: digital and physical.

What is a digital attack surface?

The digital attack surface includes the known and unknown hardware and software an organization uses (e.g., applications, cloud services, code, IoT devices, ports, servers, and websites). Additional components of a digital attack surface that are often overlooked include:

  1. Application programming interfaces (APIs)
  2. Configurations for network ports, channels, wireless access points, firewalls, and protocols
  3. Firmware
  4. Internet-facing assets, such as websites, web applications, and web servers
  5. Obsolete devices, data, or applications that remain connected to networks
  6. Operating systems (OS)
  7. Shadow IT
  8. Shared databases and directories
  9. Software
  10. Users’ credentials

What is a physical attack surface?

Much attention is paid to the digital attack surface, but the physical attack surface is equally important and often exploited by cybercriminals as it is easier to access. The physical attack surface includes:

  1. Discarded hardware
  2. Endpoint devices, such as desktop computers, hard drives, IoT devices, laptops, mobile devices, and USB (universal serial bus) drives
  3. Offices or workspaces where resources reside
  4. Paper notes with users’ credentials

Attack surfaces vs attack vectors

An attack surface and an attack vector are related, but different.

The size and complexity of an attack surface directly influences the potential attack vectors that could be utilized. A larger attack surface offers more opportunities and methods (i.e., vectors) for attackers to exploit. Reducing the attack surface is a proactive strategy to limit the number of available attack vectors.

Managing an attack surface involves identifying and securing multiple points of potential exposure, requiring a comprehensive and holistic approach to security. In contrast, guarding against an attack vector involves specific defenses tailored to specific types of threats.

Defining the attack surface

To define an attack surface, it is necessary to identify possible weaknesses and assess vulnerabilities. Determining user roles and privilege levels is another factor.

Considerations when defining an attack surface include the:

  1. Locations where data is stored on-premises and in cloud storage
  2. Paths that sensitive data can take in and out of the organization
  3. Physical and digital elements that comprise the attack surface
  4. Security controls in place to protect assets (e.g., access controls, authentication, authorization, activity logging, data validation, and encryption)
  5. Sensitive data that is collected, stored, and processed by the organization (e.g., financial information, intellectual property, critical business data, personally identifiable information (PII), and protected health information (PHI))
  6. Users who have access to what data and resources and the systems that have access

Entry points

Once the attack surface has been defined, it is helpful to use visualization tools to create a map of it. The map should include all entry points along with information about who has authorized access and what security measures are in place.

Exploiting the attack surface

To defend an attack surface, it is important to understand how cyber attacks and social engineering are used to exploit it.

Cyber attacks

Cyber attacks target specific elements of an organization's attack surface to exploit vulnerabilities, access sensitive information, or disrupt operations. The following are several of the more common types of cyber attacks that exploit various parts of the attack surface:

  1. Advanced persistent threats (APTs)
  2. Cross-site scripting (XSS)
  3. Denial of service (DoS)
  4. Drive-by downloads
  5. Exploit attacks
  6. Malware
  7. Man-in-the-middle (MitM) attacks
  8. Password attacks
  9. Ransomware attacks
  10. SQL injection
  11. Zero-day exploits

Social engineering

Social engineering exploits human psychology rather than technical hacking techniques to compromise an attack surface. Several common methods of social engineering include:

  1. Baiting
  2. Phishing
  3. Pretexting
  4. Spear phishing
  5. Tailgating or piggybacking

Attack surface management

Attack surface management is executed with a combination of processes and technologies that are used to identify and mitigate vulnerabilities. Key components of attack surface management include the following.

Discovery and inventorying

Effective asset management is only possible with an accurate inventory of all resources (i.e., known and unknown). An attack surface management solution should regularly conduct discovery exercises and update the inventory with newly discovered assets. Discovery should include all of an organization’s internet-facing IT assets, including on-premises and cloud assets.

Continuous monitoring

An attack surface management solution should continuously monitor all inventoried resources in real time to detect any vulnerabilities that could become an attack vector.

Assessment and prioritization

Attack surface management should include the assessment and prioritization of potential vulnerabilities. This can be done by assigning a score to assets based on their security risk and vulnerability to help prioritize mitigation and remediation.
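The scoring described above, as an added example that is not part of the original article and does not reproduce any vendor's scoring model: a small asset inventory (constructed data) is ranked for remediation by combining internet exposure, the worst open finding's CVSS score, business criticality, and whether the asset is actually under management. The weights and the 1-to-5 criticality scale are assumptions chosen for illustration.

```python
"""Added example: rank inventoried assets for remediation.

Illustrative scoring scheme, not the model of any attack surface management
product. All assets below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    internet_facing: bool   # reachable from the internet (exposure)
    criticality: int        # assumed scale: 1 (low) .. 5 (business critical)
    known: bool             # True if the asset is in the managed inventory
    max_cvss: float         # highest CVSS base score among open findings (0..10)
    open_findings: int = 0


def risk_score(a: Asset) -> float:
    """Score 0..100 combining exposure, vulnerability and business impact.

    Weights are assumptions; a real program would calibrate them against
    its own risk appetite.
    """
    exposure = 1.0 if a.internet_facing else 0.4      # internal-only assets count less
    vuln = a.max_cvss / 10.0                           # normalise CVSS to 0..1
    impact = a.criticality / 5.0                       # normalise criticality to 0..1
    unmanaged = 1.25 if not a.known else 1.0           # nobody patches an unknown asset
    # max(vuln, 0.1) keeps a floor so exposed, critical assets never score zero
    score = 100.0 * exposure * max(vuln, 0.1) * impact * unmanaged
    return round(min(score, 100.0), 1)


def prioritize(assets):
    """Return assets ordered from highest to lowest risk score."""
    return sorted(assets, key=risk_score, reverse=True)


def remediation_queue(assets):
    """(name, score) pairs in the order a team should work them."""
    return [(a.name, risk_score(a)) for a in prioritize(assets)]


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    Asset("web-01", internet_facing=True, criticality=4, known=True, max_cvss=9.8, open_findings=3),
    Asset("hr-db", internet_facing=False, criticality=5, known=True, max_cvss=7.5, open_findings=1),
    Asset("dev-site-legacy", internet_facing=True, criticality=2, known=False, max_cvss=8.1, open_findings=2),
    Asset("printer-3f", internet_facing=False, criticality=1, known=False, max_cvss=0.0),
]

if __name__ == "__main__":
    for name, score in remediation_queue(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```

Note that the unmanaged, internet-facing development site outranks the internal HR database even though the database is more critical: exposure and lack of ownership dominate, which is the usual argument for bringing unknown assets under management before tuning controls on known ones.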

Reduction and remediation

When vulnerabilities are detected, an attack surface management solution can help security teams take action to reduce the attack surface.

Best practices in attack surface reduction

One of the best ways to help secure an attack surface is to reduce it. Following are several approaches to reducing an attack surface.

Conduct regular vulnerability scans

Regular network scans and analysis can help reduce an attack surface by calling out vulnerabilities that require mitigation. Vulnerability scans can also support attack surface reduction efforts by helping to identify rogue or unknown resources that should be eliminated or brought under IT management.

Educate users about cyber threats and security protocols

Providing regular cybersecurity awareness training turns employees from risks into security champions. By educating them about how to adhere to and enforce security protocols, as well as how to recognize cyber threats and risks, users can help reduce an attack surface.

Implement a zero trust security model

A zero trust approach to security helps reduce an attack surface by limiting exposure. With zero trust, only users with demonstrated need and authorization can access resources, thereby minimizing access points that could be compromised.

Keep software updated

Create processes for installing patches and installing software updates regularly.

Leverage identity management

Identity management can help reduce an attack surface by providing visibility into who has access to what resources, then removing any unnecessary or unauthorized access.

Limit open ports

While it is necessary to have open ports, organizations often leave too many open. Taking care to close unused ports helps reduce an attack surface.
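One way to find ports that should not be open, as an added example that is not from the original article: parse the listening sockets of a host in the layout of `ss -tlnp` output and compare them against an assumed per-role baseline of expected (port, process) pairs. Listeners bound only to loopback are reported separately, since they are not reachable from the network. The sample output and the baseline are constructed for illustration.

```python
"""Added example: flag listening ports that are not in the expected baseline.

SAMPLE_SS_OUTPUT is constructed in the column layout of `ss -tlnp`; it was not
captured from a real host. ALLOWED_EXTERNAL is an assumed baseline for a
web-server role.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1204,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=990,fd=5))
LISTEN  0       50      0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1350,fd=6))
LISTEN  0       128     [::]:8080            [::]:*             users:(("python3",pid=2231,fd=3))
"""

# Assumed baseline: (port, process) pairs allowed to listen on non-loopback addresses.
ALLOWED_EXTERNAL = {(22, "sshd"), (443, "nginx")}

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# State, Recv-Q, Send-Q, then "addr:port"; the greedy \S+ backtracks so that
# "[::]:8080" splits into address "[::]" and port "8080".
_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_ss(text: str):
    """Extract (address, port, process) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_loopback(address: str) -> bool:
    return address.startswith(LOOPBACK_PREFIXES)


def unexpected_listeners(listeners, allowed=ALLOWED_EXTERNAL):
    """Network-reachable listeners that are not in the baseline."""
    return [l for l in listeners
            if not is_loopback(l.address) and (l.port, l.process) not in allowed]


def loopback_only(listeners):
    """Listeners bound to loopback: not part of the network attack surface."""
    return [l for l in listeners if is_loopback(l.address)]


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in unexpected_listeners(found):
        print(f"UNEXPECTED  {l.address}:{l.port}  ({l.process})")
    for l in loopback_only(found):
        print(f"loopback    {l.address}:{l.port}  ({l.process})")
```

On the constructed sample this reports the Redis and the ad-hoc Python listener as unexpected and leaves PostgreSQL alone because it is bound to 127.0.0.1. Running the same check on real hosts (`ss -tlnp` on Linux) and diffing against a per-role baseline is a cheap way to catch services that were enabled and forgotten.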

Segment networks

Network segmentation helps minimize an attack surface by creating protected “islands” that contain resources using firewalls and strategies like microsegmentation (i.e., dividing the network into smaller units).

Streamline systems and processes

Minimizing complexity goes a long way to reducing an attack surface. This includes refining management processes and security policies and reducing endpoints by disabling obsolete or unused software and devices.

Use strict access controls

Access controls should be implemented and tightly managed to limit access to sensitive data and resources internally and externally as well as track applications and data accessed by specific users. It is important to include physical access control measures.

Attack surfaces FAQ

What is an example of a human attack surface?

Human elements often represent the most unpredictable and vulnerable part of an organization's attack surface. Several examples of how humans can be exploited to compromise an attack surface include:

  1. Baiting
  2. Phishing attacks
  3. Pretexting
  4. Social engineering calls
  5. Tailgating
  6. Targeting potential malicious insiders
  7. Using weak passwords
  8. Watering hole attacks

What is a synonym for attack surface?

A synonym for attack surface is exposure footprint.

How do you identify the attack surface?

Identifying the attack surface involves pinpointing all possible vulnerabilities and entry points that attackers could exploit. Key steps in identifying the attack surface are:

  1. Inventory all assets.
  2. Document the network architecture.
  3. Identify all points of entry, including all external services and APIs that interact with systems.
  4. Consider physical access points to facilities that house critical systems and data.
  5. Review which users have access to critical systems and data and the level of access granted.
  6. Check for outdated or unsupported software, unpatched systems, and common vulnerabilities in the software being used.
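Steps 1 and 6 above, together with the discovery-and-inventorying component of attack surface management described earlier, come down to reconciling what the organization believes it owns with what discovery actually finds. The following is an added example, not code from the original article or from any vendor: a managed inventory is compared with a discovered-asset list to classify each host as known, unknown, or stale, and discovered software versions are checked against an assumed minimum-supported-version table. Host names, versions, and the support table are all constructed placeholders.

```python
"""Added example: reconcile a managed inventory against discovery results.

All hosts, owners, versions and the MIN_SUPPORTED table are constructed for
illustration; in practice the inventory comes from the asset register or CMDB
and the discovered list from DNS enumeration, cloud API listings or scans.
"""
from dataclasses import dataclass, field

MANAGED_INVENTORY = {
    "www.example.test": {"owner": "web-team", "software": {"nginx": "1.24.0"}},
    "vpn.example.test": {"owner": "netops", "software": {"openvpn": "2.5.8"}},
    "print-server.example.test": {"owner": "it-ops", "software": {"cups": "2.4.2"}},
}

DISCOVERED = {
    "www.example.test": {"nginx": "1.24.0"},
    "vpn.example.test": {"openvpn": "2.5.8"},
    "dev-preview.example.test": {"nodejs": "14.21.3"},   # no inventory record
    "legacy-crm.example.test": {"php": "7.4.33"},        # no inventory record
}

# Assumed support policy: lowest version still receiving security fixes.
# Placeholder values, not vendor end-of-life data.
MIN_SUPPORTED = {"nginx": "1.22.0", "openvpn": "2.5.0", "nodejs": "18.0.0", "php": "8.1.0"}


@dataclass
class Reconciliation:
    known: list = field(default_factory=list)    # discovered and inventoried
    unknown: list = field(default_factory=list)  # discovered, no inventory record
    stale: list = field(default_factory=list)    # inventoried but not found by discovery


def version_key(version: str):
    """Turn '1.24.0' into (1, 24, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def reconcile(managed, discovered) -> Reconciliation:
    """Classify every host as known, unknown or stale."""
    result = Reconciliation()
    for host in sorted(discovered):
        (result.known if host in managed else result.unknown).append(host)
    result.stale = sorted(host for host in managed if host not in discovered)
    return result


def outdated_software(discovered, min_supported):
    """(host, software, version, reason) for anything below the support floor."""
    findings = []
    for host, software in sorted(discovered.items()):
        for name, version in software.items():
            floor = min_supported.get(name)
            if floor is None:
                findings.append((host, name, version, "no support policy defined"))
            elif version_key(version) < version_key(floor):
                findings.append((host, name, version, f"below minimum supported {floor}"))
    return findings


if __name__ == "__main__":
    r = reconcile(MANAGED_INVENTORY, DISCOVERED)
    print("unknown assets (bring under management or decommission):", r.unknown)
    print("stale inventory records (verify and clean up):", r.stale)
    for host, name, version, reason in outdated_software(DISCOVERED, MIN_SUPPORTED):
        print(f"outdated: {host} {name} {version} ({reason})")
```

Both unknown hosts in the sample also run software below the assumed support floor, which is typical: assets nobody owns are the ones nobody patches, so the unknown list and the outdated list usually deserve to be worked together.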

Reduce attack surfaces and uplevel security

While understanding the scope of an attack surface can be daunting, most organizations can materially improve their cybersecurity postures by following best practices for attack surface management and attack surface reduction. As with other cybersecurity initiatives, the opportunity to uplevel security provides an overall positive impact.