Attack surface definition
Attack surface is a term for the set of points where an attacker can gain a foothold; it includes an organization’s points of vulnerability to threats. An attack surface covers everything from operating infrastructure (e.g., hardware, software, cloud services, and applications) to those who run and use it (e.g., employees, IT and security staff, partners, and vendors). Cybercriminals consider an organization’s attack surface when seeking to gain unauthorized access to networks, systems, or data.
An attack surface, sometimes also referred to as attack vectors, comprises:
- Known assets
These are the most manageable components of an attack surface, as known assets are inventoried and managed. Known assets include sanctioned user equipment (e.g., computers, laptops, mobile devices, printers), the organization’s website, servers, and software running on them.
- Rogue assets
This is malicious infrastructure, such as malware or typosquatted domains.
- Unknown assets
While not inherently malicious, unknown assets are a threat. Unknown assets range from user-installed printers or IoT devices to development or marketing websites created without IT’s knowledge.
- Third and fourth parties
Any third party with access to internal systems is part of an attack surface. This includes all vendors and their sub-contractors, as well as partners and contractors.
The attack surface is split into two categories: digital and physical.
What is a digital attack surface?
The digital attack surface includes the known and unknown hardware and software an organization uses (e.g., applications, cloud services, code, Internet of Things (IoT) devices, ports, servers, and websites). Additional components of a digital attack surface that are often overlooked include:
- Application programming interfaces (APIs)
- Configurations for network ports, channels, wireless access points, firewalls, and protocols
- Internet-facing assets, such as websites, web applications, and web servers
- Obsolete devices, data, or applications that remain connected to networks
- Operating systems (OS)
- Shadow IT
- Shared databases and directories
- Users’ credentials
What is a physical attack surface?
Much attention is paid to the digital attack surface, but the physical attack surface is equally important and often exploited by cybercriminals as it is easier to access. The physical attack surface includes:
- Discarded hardware
- Endpoint devices, such as desktop computers, hard drives, IoT devices, laptops, mobile devices, and USB drives
- Offices or workspaces where resources reside
- Paper notes with users’ credentials
Attack surfaces vs attack vectors
An attack surface and an attack vector are related, but different. An attack surface is an area or vulnerability that a cybercriminal exploits to gain unauthorized access. An attack vector is the tactic that a cybercriminal employs to gain unauthorized access.
| Attack Surface Examples | Attack Vector Examples |
| --- | --- |
| Cloud systems and storage | Out-of-date or unpatched software |
Defining the attack surface
To define an attack surface, it is necessary to identify possible weaknesses and assess vulnerabilities. Determining user roles and privilege levels is another factor.
Considerations when defining an attack surface include the:
- Locations where data is stored on-premises and in cloud storage
- Paths that sensitive data can take in and out of the organization
- Physical and digital elements that comprise the attack surface
- Security controls in place to protect assets (e.g., access controls, authentication, authorization, activity logging, data validation, and encryption)
- Sensitive data that is collected, stored, and processed by the organization (e.g., financial information, intellectual property, critical business data, personally identifiable information (PII), and protected health information (PHI))
- Users who have access to what data and resources and the systems that have access
Once the attack surface has been defined, it is helpful to use visualization tools to create a map of it.
Attack surface management
Attack surface management is executed with a combination of processes and technologies that are used to identify and mitigate vulnerabilities. Key components of attack surface management include the following.
Discovery and inventorying
Effective asset management is only possible with an accurate inventory of all resources (i.e., known and unknown). An attack surface management solution should regularly conduct discovery exercises and update the inventory with newly discovered assets. Discovery should include all of an organization's internet-facing IT assets, including on-premises and cloud assets.
An attack surface management solution should continuously monitor all inventoried resources in real time to detect any vulnerabilities that could become an attack vector.
Assessment and prioritization
Attack surface management should include the assessment and prioritization of potential vulnerabilities. This can be done by assigning a score to assets based on their security risk and vulnerability to help prioritize mitigation and remediation.
Reduction and remediation
When vulnerabilities are detected, an attack surface management solution can help security teams take action to reduce the attack surface.
Best practices in attack surface reduction
One of the best ways to help secure an attack surface is to reduce it. Following are several approaches to reducing an attack surface.
Conduct regular vulnerability scans
Regular network scans and analysis can help reduce an attack surface by calling out vulnerabilities that require mitigation. Vulnerability scans can also support attack surface reduction efforts by helping to identify rogue or unknown resources that should be eliminated or brought under IT management.
Educate users about cyber threats and security protocols
Providing regular cybersecurity awareness training turns employees from risks into security champions. By educating them about how to adhere to and enforce security protocols as well as understand cyber threats and risks, users can help reduce an attack surface.
Implement a zero trust security model
A zero trust approach to security helps reduce an attack surface by limiting exposure. With zero trust, only users with demonstrated need and authorization can access resources, thereby minimizing access points that could be compromised.
Keep software updated
Create processes for installing patches and software updates regularly.
Leverage identity management
Identity management can help reduce an attack surface by providing visibility into who has access to what resources, then removing any unnecessary or unauthorized access.
Limit open ports
While it is necessary to have open ports, organizations often leave too many open. Taking care to close unused ports helps reduce an attack surface.
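The discovery-and-inventory, prioritization, and open-port points above can be tied together in a small reconciliation script. This is an added example, not code from the original page or any product it describes: the host names, scan output, and risk weights are constructed sample data, and the scoring scheme is an assumption chosen to illustrate prioritization.

```python
# Added example (not from the original page): reconcile a discovery scan with
# the known-asset inventory, then score findings so remediation can be prioritized.
from dataclasses import dataclass

# Constructed known-asset inventory: host -> ports sanctioned for that host.
KNOWN_ASSETS = {
    "web-01.example.test": {443},
    "mail-01.example.test": {25, 587},
    "vpn-01.example.test": {443},
}
# Constructed discovery-scan output: host -> ports found listening.
DISCOVERED = {
    "web-01.example.test": {22, 80, 443},
    "mail-01.example.test": {25, 587},
    "dev-demo.example.test": {8080, 3306},  # not inventoried: an unknown asset
}
# Constructed weights: exposure an unsanctioned listening port adds to the score.
PORT_RISK = {22: 3, 23: 5, 80: 2, 443: 1, 3306: 5, 3389: 5, 8080: 2}
UNKNOWN_ASSET_PENALTY = 5  # an asset nobody manages is a risk before its ports are counted

@dataclass
class Finding:
    host: str
    status: str              # "known" or "unknown"
    unsanctioned_ports: set  # listening ports the inventory does not sanction
    score: int               # higher means remediate first

def reconcile(known, discovered, port_risk):
    """Classify each discovered host as known/unknown and score its exposure."""
    findings = []
    for host, ports in discovered.items():
        sanctioned = known.get(host)
        status = "known" if sanctioned is not None else "unknown"
        extra = ports - (sanctioned or set())
        score = sum(port_risk.get(p, 1) for p in extra)
        if status == "unknown":
            score += UNKNOWN_ASSET_PENALTY
        findings.append(Finding(host, status, extra, score))
    return sorted(findings, key=lambda f: f.score, reverse=True)  # remediation order

def missing_from_scan(known, discovered):
    """Inventoried hosts the scan did not see: decommissioned, or a discovery blind spot."""
    return sorted(set(known) - set(discovered))

if __name__ == "__main__":
    for f in reconcile(KNOWN_ASSETS, DISCOVERED, PORT_RISK):
        print(f"{f.score:>3} {f.status:<8} {f.host} {sorted(f.unsanctioned_ports)}")
    print("not seen by scan:", missing_from_scan(KNOWN_ASSETS, DISCOVERED))
```

With the sample data, the uninventoried development host ranks first, the web server with extra SSH and HTTP listeners second, and the VPN host that did not answer the scan is reported separately so the inventory can be checked rather than silently trusted.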
Segment networks
Network segmentation helps minimize an attack surface by creating protected “islands” that contain resources using firewalls and strategies like microsegmentation (i.e., dividing the network into smaller units).
Streamline systems and processes
Minimizing complexity goes a long way to reducing an attack surface. This includes refining management processes and security policies and reducing endpoints by disabling obsolete or unused software and devices.
Use strict access controls
Access controls should be implemented and tightly managed to limit access to sensitive data and resources internally and externally as well as track applications and data accessed by specific users. It is important to include physical access control measures.
Reduce attack surfaces and uplevel security
While understanding the scope of an attack surface can be daunting, most organizations can materially improve their cybersecurity postures by following best practices for attack surface management and attack surface reduction. As with other cybersecurity initiatives, the opportunity to uplevel security provides an overall positive impact.