An attack surface is an area or point at which an attacker is most likely or most able to breach a network or account that contains any type of sensitive data, especially any point that contains an unpatched vulnerability or misconfiguration. An attack surface slightly differs from an attack vector, which is the method that the attacker employs to reach the data. Attack surfaces include:
Any devices which connect to a company’s network, whether directly or indirectly. This especially includes Internet of Things devices, which often don’t have dedicated security features.
Privileged access accounts. If an important or executive account isn’t secured with multiple factors of authentication, attackers can use stolen credentials to enter it. Privileged access management is a protocol for greatly reducing and protecting the access that employees have to sensitive data.
Employees who aren’t prepared or vigilant. Social engineering techniques are one of the most common attack vectors, and attackers are frighteningly successful when they send malicious, convincing-looking emails, phone calls, or other messages to employees even in large organizations.
A company’s physical location. Buildings aren’t as common for hackers to breach as they used to be, partly because large corporations have implemented security systems and protocols, but also because it’s so much easier to access company data through technology. However, it’s still possible that an attacker will ask an employee to hold the door or steal entry credentials to go inside the building and steal information.
Attack vectors, by which attackers will manipulate an attack surface, include:
- Emails hackers craft messages that appear to be from a legitimate email address, often one within the company, to convince employees to click a link, give up personal data, or send them finances
- Phone calls
- Text messages
- Third-party applications not all apps are trustworthy, and some high-profile companies have had data breaches due to a third-party application’s failure to handle information securely
- Malicious links these can be sent through any message and download malware onto a device once clicked
- Unsecured Wi-Fi connections attackers can easily eavesdrop on Internet sessions over public Wi-Fi
- Cloud applications and services Those used without permission (“shadow IT“) and misconfigured cloud security are other avenues for possible cyber attack
Methods of securing attack surfaces
Implementing authentication protocols: companies should implement multi-factor authentication technology for high-level accounts and any platforms that host sensitive data. Every employee who tries to enter such an account should provide multiple forms of authentication.
Developing a least privilege approach: companies should always be aware of who is accessing their data and should regularly reassess who absolutely needs access. Data breaches often happen because an attacker entered a privileged access account. Often companies give too many employees access to accounts they don’t need to do their job, and that’s a liability.
Developing protocols for remote work: if employees are accessing company data from a distance, what rules should they use to protect their devices? Rules such as using a VPN rather than public Wi-Fi networks could apply.
Monitoring network traffic within the company: companies should be aware of how employees use company devices and Wi-Fi networks. If they’re frequenting suspicious websites, they’re more likely to click a malicious link or give their company email address to someone fraudulent.
Training employees to be aware of social engineering: businesses frequently receive suspicious emails with malicious links that appear to be from the company but aren’t. Falling prey to social engineering tactics could require some troubleshooting for an infected computer or, at worst, cost the company millions of dollars and their reputation.
Internet of Things as attack surface
The host of smart devices that now connect to the Internet unfortunately have not been designed with the same security protocols as phones and computers. They don’t access VPNs, and it’s harder to employ multi-factor authentication on a smart sensor, fo example. Smart devices include any item that can connect to Wi-Fi (or another smart device, such as lights, doors, or drink dispensers).
IoT devices are widely considered one of the banes of large companies as they try to crack down on security vulnerabilities. However, there are a few steps businesses can take to mitigate IoT risks. Testing IoT devices in a company-wide attempted hack would be a way to expose existing weaknesses; hiring a third-party hacking business provides good training and improvement opportunities. Companies should also develop a security plan for IoT devices in office (and out of office if a remote worker has unsecured IoT devices on the same Wi-Fi network as their work computer, for example).