What are the types of attack surfaces?

What is an attack surface?

Attack surfaces are the exposed points of a network that can potentially be a point of entry for a malicious attacker to gain access to a digital system. attack surfaces include unpatched or outdated software, security gaps in security controls, cloud misconfigurations, poor physical security, and errors in website coding.

As organizations increasingly migrate to the cloud and adopt hybrid work environments, attack surfaces, and specifically cloud attack surfaces, are becoming larger in size and complexity. In order to reduce attack surface, it’s important to perform attack surface analysis to understand the most common attack surfaces in cyber security.

Attack surfaces can be divided into three sub-categories: 

1. Digital Attack Surface

Digital Attack Surfaces expose a company’s network to any hacker with an internet connection. Common attack vectors in this category include 

• Weak passwords 
• Misconfiguration
• Software, operating system (OS), and firmware vulnerabilities
• Internet-facing assets: Web applications, web servers, and other resources that face the public internet are inherently vulnerable to attack
• Shared databases and directories
• Outdated or obsolete devices, data, or applications
• Shadow IT

“Shadow IT” is software, hardware, or devices—free or popular apps, portable storage devices, an unsecured personal mobile device—that employees use without the IT department’s knowledge or approval. Because it’s not monitored by IT or security teams, shadow IT may introduce serious vulnerabilities that hackers can exploit.

2. Physical attack surface

The physical attack surface exposes devices and data that are accessible only to users with authorized access to the organization’s physical office or network devices.

• Malicious insiders
• Device theft 
• Exposed USB drive

3. Social Engineering Attack Surface

Social engineering tricks people into paying money to criminals, sending information they shouldn’t transmit, installing software they shouldn’t download, visiting websites they shouldn’t visit, and other blunders that jeopardize their security or that of their organizations.

The most well-known and frequent social engineering assault method is phishing. In a phishing attack, con artists send voicemails, texts, or emails to trick their intended targets into divulging personal information, downloading malicious software, sending money or assets to the wrong individuals, or performing other harmful actions. Phishing messages are created by scammers to appear or sound as though they are from a reputable or trustworthy company or person, such as a well-known merchant, a governmental agency, or occasionally even a person the recipient knows personally.