Attack Surface

An attack surface is an area or point at which an attacker is most likely or most able to breach a network or account that contains any type of sensitive data, especially any point that contains an unpatched vulnerability or misconfiguration. An attack surface slightly differs from an attack vector, which is the method that the attacker employs to reach the data. Attack surfaces include:

Any devices which connect to a company’s network, whether directly or indirectly. This especially includes Internet of Things devices, which often don’t have dedicated security features.

Privileged access accounts. If an important or executive account isn’t secured with multiple factors of authentication, attackers can use stolen credentials to enter it. Privileged access management is a protocol for greatly reducing and protecting the access that employees have to sensitive data.

Employees who aren’t prepared or vigilant. Social engineering techniques are one of the most common attack vectors, and attackers are frighteningly successful when they send malicious, convincing-looking emails, phone calls, or other messages to employees even in large organizations.

A company’s physical location. Buildings aren’t as common for hackers to breach as they used to be, partly because large corporations have implemented security systems and protocols, but also because it’s so much easier to access company data through technology. However, it’s still possible that an attacker will ask an employee to hold the door or steal entry credentials to go inside the building and steal information.

Attack vectors, by which attackers will manipulate an attack surface, include:

  • Emails hackers craft messages that appear to be from a legitimate email address, often one within the company, to convince employees to click a link, give up personal data, or send them finances
  • Phone calls
  • Text messages
  • Third-party applications not all apps are trustworthy, and some high-profile companies have had data breaches due to a third-party application’s failure to handle information securely
  • Malicious links these can be sent through any message and download malware onto a device once clicked
  • Unsecured Wi-Fi connections attackers can easily eavesdrop on Internet sessions over public Wi-Fi
  • Cloud applications and services Those used without permission (“shadow IT“) and misconfigured cloud security are other avenues for possible cyber attack

Methods of securing attack surfaces

Implementing authentication protocols: companies should implement multi-factor authentication technology for high-level accounts and any platforms that host sensitive data. Every employee who tries to enter such an account should provide multiple forms of authentication.

Developing a least privilege approach: companies should always be aware of who is accessing their data and should regularly reassess who absolutely needs access. Data breaches often happen because an attacker entered a privileged access account. Often companies give too many employees access to accounts they don’t need to do their job, and that’s a liability.

Developing protocols for remote work: if employees are accessing company data from a distance, what rules should they use to protect their devices? Rules such as using a VPN rather than public Wi-Fi networks could apply.

Monitoring network traffic within the company: companies should be aware of how employees use company devices and Wi-Fi networks. If they’re frequenting suspicious websites, they’re more likely to click a malicious link or give their company email address to someone fraudulent.

Training employees to be aware of social engineering: businesses frequently receive suspicious emails with malicious links that appear to be from the company but aren’t. Falling prey to social engineering tactics could require some troubleshooting for an infected computer or, at worst, cost the company millions of dollars and their reputation.

Internet of Things as attack surface

The host of smart devices that now connect to the Internet unfortunately have not been designed with the same security protocols as phones and computers. They don’t access VPNs, and it’s harder to employ multi-factor authentication on a smart sensor, fo example. Smart devices include any item that can connect to Wi-Fi (or another smart device, such as lights, doors, or drink dispensers).

IoT devices are widely considered one of the banes of large companies as they try to crack down on security vulnerabilities. However, there are a few steps businesses can take to mitigate IoT risks. Testing IoT devices in a company-wide attempted hack would be a way to expose existing weaknesses; hiring a third-party hacking business provides good training and improvement opportunities. Companies should also develop a security plan for IoT devices in office (and out of office if a remote worker has unsecured IoT devices on the same Wi-Fi network as their work computer, for example).

Jenna Phipps
Jenna Phipps is a contributor for websites such as and Enterprise Storage Forum. She writes about information technology security, networking, and data storage. Jenna lives in Nashville, TN.

Top Articles

The Complete List of 1500+ Common Text Abbreviations & Acronyms

From A3 to ZZZ we list 1,559 SMS, online chat, and text abbreviations to help you translate and understand today's texting lingo. Includes Top...

Windows Operating System History & Versions

The Windows operating system (Windows OS) refers to a family of operating systems developed by Microsoft Corporation. We look at the history of Windows...

How to Create a Website Shortcut on Your Desktop

Website Shortcut on Your Desktop reviewed by Web Webster   This Webopedia guide will show you how to create a website shortcut on your desktop using...

Generations of Computers (1st to 5th)

Reviewed by Web Webster Learn about each of the 5 generations of computers and major technology developments that have led to the computing devices that...


What is Pardot? Pardot is a B2B marketing automation (MA) solution by Salesforce that...


Veeam Software is a global vendor...


Akamai Technologies is a global web technology company specializing in content...