The attack surface of your organization is the total number of attack vectors that could be used as an entry point to launch a cyberattack or gain unauthorized access to sensitive data. This could include vulnerabilities in your people, physical, network, or software environments.
In simple terms, your attack surface is all the gaps in your security controls that could be exploited or avoided by an attacker. This includes software, operating systems, web applications, IoT and mobile devices, web servers, data centers, as well as physical controls like locks and your employees who can be vulnerable to social engineering attacks such as phishing, spear phishing, and whaling.
What are the Types of Attack Surfaces?
There are three main types of attack surfaces:
- Digital attack surface
- Physical attack surface
- Social engineering attack surface
Digital Attack Surface
Your digital attack surface is everything that lives outside of the firewall that is accessible through the Internet. It's often easier for cybercriminals to break into your organization by exploiting poor cybersecurity than it is through physical means.
Your digital attack surface includes:
- Known assets: Inventoried and managed assets such as your corporate website, servers, and the dependencies that run on them.
- Unknown assets: Also known as Shadow IT or orphaned IT that was stood up outside the purview of your security team such as forgotten websites, marketing sites, and employee installed software.
- Rogue assets: Malicious infrastructure spun up by threat actors such as malware, a typosquatted domain, or a website or mobile app that is impersonating your organization.
Today's businesses have attack surfaces that extend far beyond their internal network all the way to third-party managed services and data centers, which are out of scope for many traditional approaches to security such as penetration testing.
Exacerbating the problem is the high frequency with which the average organization’s network is being overhauled. IT infrastructures and cloud security tools, are constantly being replaced, but the security patching policies protecting these digital assets from unauthorized user access fail to keep up with the rate of changes.
Neglecting patch management during digital transformation leaves your endpoint devices vulnerable to hacker compromise.
Here are common potential vulnerabilities in your digital attack surface:
- Unnecessary open ports: An open port refers to a TCP or UDP port number that is configured to accept packets. In contrast, a closed port rejects connections or ignores the packets. While open ports aren't necessarily dangerous, they can be. Open ports can be dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules. Of particular danger are wormable ports that are open by default on some operating systems. An example of such an interface is the SMB protocol which was exploited by a zero-day exploit called EternalBlue that resulted in the WannaCryransomware worm. You can read more about open ports here.
- Susceptibility to man-in-the-middle attacks: A man-in-the-middle attack (MITM attack) is a cyber-attack where an attacker relays and possibly alters the communication between two parties who believe they are communicating directly. This allows the attacker to relay communication, listen in, and even modify what each party is saying. Read more about MITM attacks here.
- Poor email security: A lack of SPF, DKIM, and DMARC can leave your organization open to email spoofing. Read our guide on email security and our email security checklist for more information.
- Susceptibility to domain hijacking: Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems. Read more about domain hijacking here.
- Lack of DNSSEC: The Domain Name System Security Extensions (DNSSEC or DNS Security Extensions) is a set of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. Read more about DNSSEC here.
- Vulnerabilities: A vulnerability is a weakness that can be exploited by a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system's memory, install malware, and steal, destroy or modify sensitive data. Read more about vulnerabilities and vulnerability management here.
- Vulnerability to XSS attacks: Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. Read more about XSS attacks here.
- Leaked credentials: Most organizations have exposed credentials due to the large number of third-party data breaches that occur. If employees don't change their passwords or reuse their passwords this can be one of the most damaging attack vectors into an organization.
- Data leaks: Due to the increasing proliferation of cloud storage, many organizations accidentally expose sensitive data in S3 buckets, GitHub repositories, Rsnyc servers, FTP servers, and more. For example, UpGuard was able to find data exposed by an AWS engineer in 30 minutes by using the technology behind UpGuard BreachSight. AWS was notified the same day and the repository was secured. You can read more about this AWS data leak here.
- Weak Passwords - Weak passwords leave on-premise assets, such as laptops, vulnerable to compromise if they’re stolen.
- Typosquatted domains: Typosquatting is a form of cybersquatting where someone sits on similar domain names to those owned by another brand or copyright, targeting Internet users who incorrectly type in a website address into their web browser, rather than using a search engine. Typosquatting is also known as URL hijacking, domain mimicry, a sting site, or a fake URL. Read more about typosquatting here.
All of the security risks outlined above are externally observable and attackers use a combination of penetration testing, web crawling, and automated scanning tools like Kali Linux, Backbox, Metasploit, or Nmap to find them in real-time.
The truth is any device that is exposed to the Internet is a potential access point into your organization. That's why security teams are increasingly investing in attack surface management tools like UpGuard BreachSight that continuously monitor your organization's security posture, as well as exposure to data breaches and data leaks.
What’s the Difference Between an Attack Vector and an Attack Surface?
An attack vector is a potential pathway into your private network that can be exploited by hackers. An attack surface is the total number of attack vectors across a digital region.
Physical Attack Surface
Beyond your digital attack surface, there are additional risks that occur when an attacker gets physical access to your office or a device. For one, if they have physical access it doesn't matter whether the device is connected to the Internet or not.
Think of your physical attack surface as all the security vulnerabilities in a given system that would be physically accessible to an attacker if they were able to get access to your office, server room, or other physical location.
Physical attack surfaces are typically exploited by insider threats (a type of cyber threat) such as rogue employees, social engineering ploys, untrusted or BYOD devices on secure networks, or simply intruders posing as service workers.
For reference, when an attacker gains physical access to a device, they may be able to:
- Map out all the networked devices, ports, and services the device has or is connected to.
- Inspect source code open on or running on the device.
- Check for databases containing sensitive information.
- Install malicious software designed to infect the operating system. This is particularly high-risk if other connected devices have wormable vulnerabilities.
- Use privilege escalation to gain unauthorized access to privileged areas or devices, which is why the principle of least privilege and defense in depth is important.
- Expose sensitive data that is on the computer
Many experts believe if physical security is not considered, a data breach is inevitable. Given that the average cost of a data breach is now nearly $4 million globally, invest in physical security designed to prevent data breaches.
This can include swipe bards and biometric access control systems to avoid tailgating, properly disposing of paper files and hardware, as well as a myriad of other physical security controls.
With that said, the most common way people gain physical access is through people.
Social Engineering Attack Surface
People are one of the most dangerous, and often overlooked parts of any organization's attack surface. Think of your social engineering attack surface as the total number of individuals who are susceptible to social engineering.
Social engineering exploits human psychology and susceptibility to manipulate victims into divulging confidential information and sensitive data or performing an action that breaks usual security standards.
In general, the success of social engineering relies on a lack of knowledge of the methods attackers use, as well as poor OPSEC. OPSEC or operational security is a process that identifies actions, such as posting to social media, that could be useful for a potential attacker if properly analyzed and grouped with other data.
This is why cybersecurity awareness training is the first line of defense in what is frequently the weakest link in otherwise secure organizations that employ sophisticated defense in depth strategies.
Examples of social engineering include:
- A whaling attack that targets someone in accounts payable
- Media drops where an infected USB is dropped in the lobby of a building and plugged into a computer by an unsuspecting employee
- Fake service people like janitors, repair people or electricians gaining access to server closets, computers, or routers
What is Attack Surface Analysis?
Attack surface analysis is the process of mapping out what parts of your organization are vulnerable and need to be tested for security vulnerabilities. It helps security teams understand risk areas, find vulnerable systems, and minimize attack vectors.
In the past, attack surface analysis was done by security architects and penetration testers. However, attack surface management software is an increasingly popular way of doing it as it is able to continuously monitor infrastructure for both changes and newly found vulnerabilities and misconfiguration.
Why is Attack Surface Analysis Important?
Attack surface analysis is important because it can:
- Identify what parts of your organization need to be reviewed and tested for security vulnerabilities
- Identify high-risk areas that require defense in depth
- Identify when you have made changes to your infrastructure which have changed your attack surface which may need to do included in the risk assessment process.
This process can help reduce, prevent, and mitigate risks that stem from:
- Legacy, IoT, and shadow IT assets
- Human mistakes and omissions such as phishing and data leaks
- Vulnerable and outdated software
- Unknown open-source software (OSS)
- Large-scale attacks on your industry
- Targeted cyber attacks on your organization
- Intellectual property infringement
- IT inherited from M&A activities
- Vendor managed assets
How to Define the Attack Surface of Your Organization
When defining your attack surface think of:
- All the paths sensitive data can take in and out of your organization
- All the security controls that protect those paths including resource connection, authentication, authorization, activity logging, data validation, and encoding
- All the valuable data that is used internally by your organization including secrets and keys, intellectual property, critical business data, personal information, PII, and PHI
- The security controls that protect this data including encryption, checksums, access auditing, data integrity, and operational security controls
How to Reduce Your Attack Surface
There are several ways to reduce your organization's attack surface. For a concise overview of the attack surface reduction process, watch the video below.
- Close unnecessary ports: While open ports aren't necessarily dangerous, they can be if the service listening on the port is misconfigured, unpatched, vulnerable to exploits, or has poor network security rules. Wormable ports such as the SMB protocol which was exploited by a zero-day exploit called EternalBlue that resulted in the WannaCry ransomware worm are particularly dangerous. Read more about open ports here.
- Mitigate man-in-the-middle attack risks: Check each publicly accessible domain has SSL enabled, doesn't have HTTP accessible, has its hostname match its SSL certificate, has a valid SSL certificate, enforces HSTS, doesn't use an insecure SSL/TLS version, doesn't have an SSL certificate that is expiring soon, uses secure cookies, doesn't have a weak SSL algorithm, is on the HSTS preload list, and uses the includeSubDomains HSTS header. You can read more about HSTS and SSL certificates here.
- Ensure you have adequate email security: Ensure that you use SPF, DKIM, and DMARC so that your organization is not susceptible to email spoofing. Read our guide on email security and our email security checklist for more information.
- Monitor your active domains and IP addresses: Most domain hijacking relies on your domain expiring, being flagged as inactive, being flagged for deletion. Consider enabling autorenewal, and enabling domain registrar detection, update, and transfer protection. Read more about domain hijacking here.
- Enable DNSSEC: The Domain Name System Security Extensions (DNSSEC or DNS Security Extensions) is a set of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. Read more about DNSSEC here.
- Use vulnerability management: Vulnerability management is the process of identifying, evaluating, prioritizing, remediating, and reporting on security vulnerabilities in web applications, computers, mobile devices, and software. Continuous vulnerability management is integral to cybersecurity and network security and is on the Center for Internet Security's (CIS) list of basic security controls, citing that organizations need to “continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers.” Read more about vulnerability management here.
- Monitor third-party data breaches: Reused passwords and exposed credentials in third-party data breaches are one of the most common, and potentially dangerous attack vectors. Consider investing in a tool like UpGuard BreachSight that can automatically discover exposed credentials and provide you with workflows to notified impacted employees.
- Monitor for data leaks: Like third-party branches, misconfigured S3 buckets, Rsync services, GitHub repositories, FTP servers, and a myriad of other cloud storage solutions can leak sensitive data. Consider investing in a data leak detection tool.
- Register potential typosquatting domains: There is no inherent danger to typosquatting. However, many owners of typosquatted domains are acting in bad faith like trying to install malware or ransomware such as WannaCry, monetize popups, steal credit card numbers, phish personal data or login credentials, or some other scam on the fake website. Invest in a typosquatting protection tool that can suggest potential domains to register, as well as highlight those that have already been registered by bad actors.
- Inspect your DNS records: Your DNS records can reveal a surprising amount of information about your organization, such as important subdomains, lack of email security, email service providers, and more.
- Run less code: When you reduce the amount of code that is running on your computer, server, or cloud infrastructure, you're also reducing the number of possible entry points that can be discovered and exploited. Where possible, turn off, disable, or remove unnecessary features and simplify your code. Less code means less chance of bugs and vulnerabilities and fewer security risks overall.
- Remove unnecessary software and services: Where possible stop running services that aren't in use. For example, do you really need to leave port 23 open if you aren't using telnet? Remember every piece of software, open port, and networked device is a possible attack vector. If you have an old computer running Microsoft Windows Vista on your network, consider updating or decommissioning it.
- Map out your subdomains: Use a subdomain scanning tool to help you map out your subdomains. You may find that you have unused or unpatched software running on them, or that what you thought was an internal subdomain is actually exposed to the Internet.
- Analyze your SSL certificates: Just because your organization uses SSL doesn't mean that the website is necessarily secure. Like any software, SSL can become outdated and there are many known vulnerabilities on CVE for old SSL/TLS versions.
- Segment your network: Keeping all your assets on a single network is one of the biggest mistakes you can make. By splitting and segmenting your network you can reduce the risk of infected or untrusted devices infecting your most at-risk assets. A simple thing you can do today is set up a network for guests that is separated from the network that is used by your employees.
- Invest in cybersecurity awareness training: While there is a big focus on technology-based solutions, the biggest risk many organizations face is its people. It doesn't matter how good your information security policy is if the people that are supposed to follow it don't know what it is. Phishing, spear phishing, whaling, and even simple tailgating are all things that your employees should know about.
- Monitor your third-party vendors: While you don't manage the assets of your vendors, they still represent part of your attack surface. Just look at how an infection that started with one of Target's HVAC subcontractors led to one of the biggest data breaches. Think about investing in a tool that can continuously monitor your third-party vendors for security issues, such as UpGuard Vendor Risk.
- Audit your software, network, and traffic: Auditing is one of the oldest techniques for finding indicators of compromise and attack surface reduction. Auditing can help you detect misconfiguration, outdated software, unprotected systems, and rogue employees.
- Use access control and authentication: Ensure that any sensitive data and systems are protected by an access control system with robust authentication, ideally with a strong password policy, biometric or two-factor authentication, and role-based access control.
- Don't expose information in headers: Where possible, avoid exposing server information, software versions, and X-Powered-By in headers. This gives attackers valuable information that they can use.
Why You Can't Solely Rely on Reducing Your Attack Surface
If you follow the best practices above, you will greatly reduce the attack surface of your organization. However, you won't be protected when things change, and as you know infrastructure changes constantly. Nor will it prevent security controls failures and misconfiguration.
If an attacker is able to find an exploit or vulnerability in your remaining Internet-facing assets before you do, they can still inflict damage by installing malware and ransomware or by causing data breaches.
This is why many organizations are investing in tools that provide real-time attack surface analysis and vulnerability management like UpGuard BreachSight. UpGuard BreachSight performs hundreds of individual checks each day and will notify you of any high-risk issues before attackers can exploit them.
Attack Surface Management Tools
There are many different attack surface management tools out there, some better than others:
- OWASP Attack Surface Detector: The Attack Surface Detector tool uncovers the endpoints of web applications, the parameters the endpoints accept, and the data type of those parameters. This includes the unlinked endpoints a spider won't find in client-side code or optional parameters that are unused by client-side code. It can also help calculate the changes in attack surface between two versions of an application. You can read more about this tool here.
- Sandbox Attack Surface Analysis Tools: Google's attack surface tool can help Windows users find the real attack surface of their operating system, services, and web applications. It performs an analysis of their operating system and extracts information to show the size of your attack surface by analyzing files, registry, network stack, ports, running processes, NT system calls, and objects. You can read more about Google's tool here.
- UpGuard BreachSight: UpGuard BreachSight is a popular attack surface management tool that continuously monitors your attack surface for changes and scans the open, deep, and dark web for known and unknown data breaches and data leaks. It will automatically find all your externally facing infrastructure, scan it for misconfigurations, assign each domain or IP a security rating, and provide a risk categorization of any identified risks.
- UpGuard Vendor Risk: UpGuard Vendor Risk is a third-party risk management tool that continuously monitors the attack surface of your vendors. You can find and monitor your vendors using our instant vendor search and track their security performance over time. If you're in the due diligence stage, you can use UpGuard Vendor Risk to benchmark multiple vendor's security postures against each other, so you can decide on which one has the most robust attack surface. It also has a risk dashboard that can help you prioritize at-risk vendors, remediation workflows to ensure risks are resolved, and multiple vendor risk assessment questionnaire templates.
How UpGuard Can Help You Manage Your Attack Surface
UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cybersecurity rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
For the assessment of your vendors' attack surfaces, UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates. We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
Our expertise has been featured in the likes of The New York Times, The Wall Street Journal, Bloomberg, The Washington Post, Forbes, Reuters, and TechCrunch. You can read more about what our customers are saying on Gartner reviews!