Attack Surface

An attack surface is an area or point at which an attacker is most likely or most able to breach a network or account that contains any type of sensitive data, especially any point that contains an unpatched vulnerability or misconfiguration. An attack surface differs slightly from an attack vector, which is the method that the attacker employs to reach the data. Attack surfaces include:

Any devices which connect to a company’s network, whether directly or indirectly. This especially includes Internet of Things devices, which often don’t have dedicated security features.

Privileged access accounts. If an important or executive account isn’t secured with multiple factors of authentication, attackers can use stolen credentials to enter it. Privileged access management is a protocol for greatly reducing and protecting the access that employees have to sensitive data.

Employees who aren’t prepared or vigilant. Social engineering techniques are one of the most common attack vectors, and attackers are frighteningly successful when they send malicious, convincing-looking emails, phone calls, or other messages to employees even in large organizations.

A company’s physical location. Buildings aren’t as common for hackers to breach as they used to be, partly because large corporations have implemented security systems and protocols, but also because it’s so much easier to access company data through technology. However, it’s still possible that an attacker will ask an employee to hold the door or steal entry credentials to go inside the building and steal information.

Attack vectors, by which attackers will manipulate an attack surface, include:

  • Emails: hackers craft messages that appear to be from a legitimate email address, often one within the company, to convince employees to click a link, give up personal data, or send them finances
  • Phone calls
  • Text messages
  • Third-party applications: not all apps are trustworthy, and some high-profile companies have had data breaches due to a third-party application’s failure to handle information securely
  • Malicious links: these can be sent through any message and download malware onto a device once clicked
  • Unsecured Wi-Fi connections: attackers can easily eavesdrop on Internet sessions over public Wi-Fi
  • Cloud applications and services: those used without permission (“shadow IT”) and misconfigured cloud security are other avenues for possible cyber attack

Methods of securing attack surfaces

Implementing authentication protocols: companies should implement multi-factor authentication technology for high-level accounts and any platforms that host sensitive data. Every employee who tries to enter such an account should provide multiple forms of authentication.

Developing a least privilege approach: companies should always be aware of who is accessing their data and should regularly reassess who absolutely needs access. Data breaches often happen because an attacker entered a privileged access account. Often companies give too many employees access to accounts they don’t need to do their job, and that’s a liability.

Developing protocols for remote work: if employees are accessing company data from a distance, what rules should they use to protect their devices? Rules such as using a VPN rather than public Wi-Fi networks could apply.

Monitoring network traffic within the company: companies should be aware of how employees use company devices and Wi-Fi networks. If they’re frequenting suspicious websites, they’re more likely to click a malicious link or give their company email address to someone fraudulent.

Training employees to be aware of social engineering: businesses frequently receive suspicious emails with malicious links that appear to be from the company but aren’t. Falling prey to social engineering tactics could require some troubleshooting for an infected computer or, at worst, cost the company millions of dollars and their reputation.

Internet of Things as attack surface

The host of smart devices that now connect to the Internet unfortunately have not been designed with the same security protocols as phones and computers. They don’t access VPNs, and it’s harder to employ multi-factor authentication on a smart sensor, for example. Smart devices include any item that can connect to Wi-Fi (or another smart device), such as lights, doors, or drink dispensers.

IoT devices are widely considered one of the banes of large companies as they try to crack down on security vulnerabilities. However, there are a few steps businesses can take to mitigate IoT risks. Testing IoT devices in a company-wide attempted hack would be a way to expose existing weaknesses; hiring a third-party hacking business provides good training and improvement opportunities. Companies should also develop a security plan for IoT devices in office (and out of office if a remote worker has unsecured IoT devices on the same Wi-Fi network as their work computer, for example).






Jenna Phipps
Jenna Phipps is a writer for Webopedia.com, Enterprise Storage Forum, and CIO Insight. She covers data storage systems and data management, information technology security, and enterprise software solutions.
