What is an Attack Surface?

In cybersecurity, an ‘attack surface’ is the total set of vulnerabilities, access points, and attack vectors that can be exploited to gain unauthorized access to an organization’s systems and data.

The attack surface is what bad actors target when they want to breach an organization’s defenses to disrupt systems, steal data, extort a ransom, or take any other kind of malicious action. This makes it a key area of concern for cybersecurity professionals.

The attack surface includes any vulnerability, ingress point, or method that can be used to break into the network or IT environment—any hardware or software, whether on premises, on the internet, or in the cloud.

For most organizations, the attack surface has three parts: a digital attack surface, a physical attack surface, and a social or human attack surface. A traditional approach to managing the attack surface is no longer sufficient. All of these surfaces need to be monitored continuously and proactively by leveraging cyber risk exposure management so threats can be discovered and stopped as early as possible.

In addition to defending the attack surface, most cybersecurity teams also try to make it as small as possible, limiting the opportunities for cybercriminals to break in and do harm. This can be hard to do because many organizations’ systems and IT environments are more interconnected and open than ever before.


Attack Surface vs. attack vector

Attack vectors are one aspect of the overall attack surface. They are the techniques bad actors use to illicitly access data and systems. Many vectors can be used against multiple parts of the attack surface: a phishing message, for example, targets the human surface but delivers malware to the digital one.

What should we know about our attack surface?

As previously mentioned, traditional attack surface management isn’t enough. Organizations and their cybersecurity teams need a cyber risk exposure management solution to compile a clear, full picture of the entire attack surface. Any attack surface analysis should include everything from network equipment, cloud servers, and internet of things (IoT) devices to user accounts, access privileges, and more.

It’s also important for organizations to know where all their data is stored, especially any data that is business-critical, private, confidential, classified, or sensitive.

Forming that picture and keeping it up to date requires a thorough mapping of the digital, physical, and social (human) parts of the attack surface, with changes tracked over time.
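As an added illustration (not code from the page or its vendor), here is a minimal Python model of such a map: each asset is tagged with the surface it belongs to and the exposure factors the page lists, scored with constructed weights (an assumption, not a standard), and two constructed inventory snapshots are diffed to show what changed over time.

```python
from dataclasses import dataclass

# Exposure factors named on the page, each with a constructed weight (assumption).
FACTOR_WEIGHTS = {
    "internet_facing": 3,  # exposed technologies
    "unpatched": 3,        # out-of-date software or firmware
    "unsanctioned": 2,     # shadow IT
    "no_mfa": 2,           # weak authentication
    "unused": 1,           # obsolete devices still online and rarely monitored
}

@dataclass(frozen=True)
class Asset:
    name: str
    surface: str                  # "digital", "physical" or "social"
    factors: frozenset = frozenset()

    def exposure(self) -> int:
        return sum(FACTOR_WEIGHTS.get(f, 0) for f in self.factors)

def surface_totals(inventory):
    """Sum exposure per surface so the team sees where the largest area is."""
    totals = {"digital": 0, "physical": 0, "social": 0}
    for a in inventory:
        totals[a.surface] += a.exposure()
    return totals

def diff_snapshots(before, after):
    """Track changes over time: assets added, removed, or with changed factors."""
    b = {a.name: a for a in before}
    c = {a.name: a for a in after}
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "changed": sorted(n for n in set(b) & set(c) if b[n].factors != c[n].factors),
        "net_exposure": sum(a.exposure() for a in after) - sum(a.exposure() for a in before),
    }

# Constructed snapshots: last week's inventory versus this week's.
SNAPSHOT_T0 = [
    Asset("web-01", "digital", frozenset({"internet_facing"})),
    Asset("legacy-printer", "digital", frozenset({"unused", "unpatched"})),
    Asset("field-laptop-7", "physical"),
    Asset("finance-team", "social", frozenset({"no_mfa"})),
]
SNAPSHOT_T1 = [
    Asset("web-01", "digital", frozenset({"internet_facing", "unpatched"})),
    Asset("field-laptop-7", "physical"),
    Asset("finance-team", "social"),  # MFA rolled out
    Asset("personal-dropbox", "digital", frozenset({"unsanctioned", "internet_facing"})),
]
```

Running `diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1)` flags the unsanctioned file-sharing host as a new internet-facing asset and shows that decommissioning the printer and rolling out MFA did not offset the newly unpatched web server.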

What are the main attack surface risks?

Each of the different parts of the attack surface (digital, physical, social) has its own risks that defenders need to be aware of and manage. These risks, which include specific attack vectors, are constantly changing as technologies and threats evolve. Below are some examples.

Digital attack surface risks


Any network or data resource that can be accessed externally—even if it’s protected by encryption, authentication, firewalls, or other measures—is part of the digital attack surface and vulnerable to:

  • Cyberattacks: Ransomware, viruses, and other malware can be injected into corporate systems, allowing attackers to access networks and resources, exfiltrate data, hijack devices, and damage assets and data.
  • Coding issues and misconfigurations: Misconfigurations of network and cloud technologies such as ports, access points, and protocols leave ‘doors’ open for attackers and are a common cause of breaches.
  • Exposed technologies: Any technology connected to the public internet is accessible to hackers and vulnerable to attack. This can include web applications, web servers, cloud servers and applications, and more.
  • Out-of-date technologies and applications: Software, firmware, and device operating systems need to be coded correctly and patched against known vulnerabilities and threats, otherwise they can provide attackers with a way to breach an organization. Old devices that are still part of the IT environment but aren’t maintained or actively used can also provide convenient access points for attackers, since they are often not monitored.
  • Shadow IT: Tools used by an organization’s employees that are not part of the known or sanctioned IT environment are considered ‘shadow IT’ and can create vulnerabilities precisely because the cybersecurity team doesn’t know about them. These include apps, portable storage devices, personal phones and tablets, and more.
  • Weak passwords and encryption: Easy-to-guess passwords—either because they’re obvious, too simple, or reused for multiple accounts—can give bad actors access to an organization’s digital resources. Stolen credentials are also in high demand among cybercriminals for similar reasons. Encryption is meant to disguise information so that only authorized people can read it. If it’s not strong enough, hackers can extract data they can then use to launch larger-scale attacks.

Physical attack surface risks


The physical attack surface includes technologies that individuals have in their physical possession (such as laptops) or that can be accessed only at specific sites and facilities. Two big risks associated with the physical attack surface are:

  • Burglary and device theft: Laptops and other devices are routinely stolen out of cars, from public places when left unattended, and even during break-ins into offices and other buildings. Once bad actors have those devices, they can use them and the credentials stored on them to get into the corporate network or access other resources.
  • Baiting: With baiting attacks, criminals leave portable storage devices such as USBs lying out in public, hoping that someone will plug the device into a computer to see what’s on it. These ‘bait’ USBs are loaded with malware that then loads onto the user’s system and starts executing an attack.

Social or human attack surface risks


Human beings are often referred to as the ‘first line of defense’ in cybersecurity. That’s because their actions can directly help strengthen or weaken the attack surface. Cyberattacks that target human behavior are called social engineering attacks. The social or human attack surface is basically equal to the number of users whose cyber behavior could intentionally or unintentionally harm an organization.

Common risks include:

  • Phishing schemes: These include scam emails, text messages, voice messages and, with today’s AI-generated deepfakes, even video calls that deceive users and prompt them to take actions that compromise cybersecurity. That may mean sharing sensitive information, clicking on links that lead to malware, releasing funds that shouldn’t be paid out, and more. AI has helped make phishing harder to detect and more targeted.
  • Malicious insiders: Employees who hold a grudge against their organization, or who are blackmailed or bribed by bad actors, can use their legitimate authorizations and access to exfiltrate company data, share credentials, install malware, damage company systems, or perform other harmful actions.

How can we shrink our attack surface?

No organization can eliminate the attack surface altogether, but it is possible to contain and minimize it. Once the attack surface has been mapped, cybersecurity teams can implement cyber risk management to continuously monitor for any changes and proactively predict potential emerging risks. This can reveal opportunities to reduce areas of vulnerability and exposure, including:

  • Streamlining the environment, decommissioning any obsolete or unused software and devices, and limiting the number of endpoints.
  • Partitioning the network and adding firewalls and other barriers to make it harder for attackers to move around once they gain access.
  • Using the results of attack surface analysis to pinpoint and close gaps and weak spots, for example by mandating stronger passwords, eliminating outdated software and applications, reducing shadow IT, implementing targeted security policies and controls, and more.
  • Strengthening security measures by adopting best practices including two-factor or multifactor authentication and zero-trust approaches. With zero trust, only the right people have limited access to specific data, applications, and resources as and when needed. Zero trust radically limits who can use which technology resources, when, and for how long. This both protects assets inherently and also makes it more obvious if a breach occurs.
  • Boosting employee cyber-awareness through training, testing, and periodic refreshers. Training topics can include good password hygiene, how to follow company policies, how to stay alert to the risk of phishing schemes and other social engineering attacks, and actions to take if staff have concerns that security may be at risk.

What is attack surface management?

Attack surface management (ASM) is a traditional cybersecurity approach that aims to help organizations become stronger in defending their data and systems. It’s about knowing where risks exist, understanding their relative severity, and taking action to close security gaps related to people, processes, and technology. ASM allows security teams to reduce the number of pathways into the enterprise IT ecosystem and gain a view of emerging vulnerabilities and attack vectors.

ASM has become extremely important because enterprise IT environments are more dynamic and interconnected than ever before, making the attack surface larger and more varied. Traditional ASM, which offers asset discovery and monitoring approaches and single-purpose cybersecurity ‘point’ solutions, can’t provide the full visibility, intelligence, or protection required. Today’s landscape requires continuous monitoring of entry points and prioritization of mitigation actions based on impact. This approach helps translate risks into business terms and predict threats, allowing for proactive neutralization of risks before they materialize.

Does the government play a role in managing the attack surface?

Authorities in many jurisdictions have created legislation, regulations, and public policies to set expectations for how organizations should keep their digital environments safe and secure. These include frameworks such as the U.S. National Institute of Standards and Technology’s Cyber Risk Scoring Framework, which it uses to assess and manage its own attack surface.

Good collaboration between industry and government on cybersecurity contributes to stronger cyber protections overall and promotes the sharing of best practices for effective attack surface management.

Who can help us manage our attack surface?

Simply managing the attack surface isn’t enough. Today’s risk landscape demands cyber risk exposure management capabilities to proactively predict, uncover, assess, and mitigate risks to significantly reduce your cyber risk footprint.

Trend Vision One™ offers a Cyber Risk Exposure Management (CREM) solution that takes a revolutionary approach by combining key capabilities—like External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Vulnerability Management, and Security Posture Management—across cloud, data, identity, APIs, AI, compliance, and SaaS applications into one powerful, easy-to-use solution.
