What Is an Attack Surface? How to Identify and Reduce Your Cyber Risk

Think of your digital presence like a house. Every door, window, and potential entry point is a chance for someone to break in. But here’s the thing: most organizations have no idea how many “doors” and “windows” they actually have, leaving them vulnerable to cyberattacks. 

In cybersecurity, these combined vulnerable entry points are your attack surface: the weak spots hackers are looking for so they can slip in under the radar any way they can.

Understanding your attack surface is one of the first steps to getting ahead of attackers. In this guide, we’ll break down what an attack surface is, how to keep tabs on your own, and most importantly, how to make it smaller for better security management.





What does “attack surface” mean?

The “attack surface” definition is pretty straightforward (and a little mathematical!): it's the sum total of all the ways a cybercriminal could potentially access your systems, data, or network. It’s a hacker’s view of your digital footprint. 

But here's where it gets tricky: your attack surface isn't just your computers and servers. It includes everything connected to your network: mobile devices, IoT gadgets, cloud applications, remote workers' home connections and networks, and even that fish tank in the lobby (yes, really).

An attack surface is more than an inventory count, though. It's about understanding every possible vulnerability that could be exploited across your entry points. This includes:

  • Physical assets: Servers, laptops, smartphones, operational technology systems, and any hardware connected to your network

  • Software components: Operating systems, applications, databases, and third-party integrations

  • Human elements: Employees who could fall victim to social engineering attacks

  • Network connections: WiFi networks, VPNs, and internet-facing services


Attack surface vs attack vector: what's the difference?

Your attack surface is like a map of all possible entry points, while an attack vector is the specific route a hacker takes to break in.

Let’s use our house analogy again:

  • An attack surface is every door, window, chimney, garage, pet door, and basement entrance. 

  • An attack vector is the specific technique used to get through one of those entry points, like picking the lock on the front door or breaking a window.

Examples of vulnerable attack surface entry points include:

  • Unpatched software on employee laptops

  • Weak passwords on admin accounts

  • Misconfigured cloud storage buckets

  • Employees' personal devices accessing the company email

  • Internet-exposed RDP

  • VPN connections without MFA

  • End-of-Life (EOL) operating systems

An attack vector, on the other hand, is the actual method used to compromise one of these entry points. There are endless possibilities, but a few common tactics are phishing, brute forcing, session hijacking, and exploiting zero-day vulnerabilities.



What are the five attack surfaces?

Cybersecurity pros typically break down attack surfaces into five main categories. Understanding these helps you take a systematic approach to securing your organization:

1. Digital attack surface

This includes all the digital points an attacker can compromise: servers, operating systems, applications, websites, and code.

2. Physical attack surface

Hardware and physical locations where that hardware lives. This covers everything from USB ports on workstations to server rooms that might not be properly secured.

3. Human attack surface

Your employees, contractors, and anyone else with access to your systems. Humans are often the easiest target because attackers know how to trick them into handing over sensitive information. 

4. Cloud attack surface

This is a unique and complex part of your attack surface that includes vulnerable cloud infrastructure, services, and configurations. 

5. Internal attack surface

The potential vulnerabilities and entry points on internal networks and systems that can be exploited after an attacker has breached the perimeter.




What is an attack surface and an attack tree?

An attack tree is a visual tool for mapping out exploitable parts of your attack surface. It’s similar to a family tree, but instead of showing relationships between people, it shows relationships between vulnerabilities and potential attack paths.

The top of the tree is the attacker's ultimate goal, like accessing a customer database or the CEO’s inbox. Below that, you branch out into all the different ways that attackers could reach the goal, breaking them down into smaller and smaller steps.

For example:

  • Goal: Access customer database

    • Path 1: Compromise admin account

      • Phish admin's password

      • Exploit weak password policy

    • Path 2: Exploit database vulnerability

      • Find unpatched database software

      • Use a known public exploit

This visualization helps you prioritize which vulnerabilities to fix first and understand how different parts of your attack surface connect.
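The attack tree above, as an added Python example (not code from the article): it models each branch as an OR or AND node, enumerates the minimal attack scenarios (the sets of leaf steps that reach the goal), and estimates the attacker's cheapest path from effort scores. The scores, the choice to treat Path 1's two sub-steps as alternatives (OR) and Path 2's as sequential (AND), and the "block one leaf and recompute" ranking are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Optional

INFEASIBLE = float("inf")


@dataclass
class Node:
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf step
    cost: float = 0.0                   # attacker effort for a leaf (constructed units)
    children: list = field(default_factory=list)

    def scenarios(self, blocked=frozenset()):
        """Minimal attack scenarios: each is a frozenset of leaf steps that
        together achieve this node. Leaves in `blocked` are treated as fixed."""
        if not self.children:
            return [] if self.name in blocked else [frozenset([self.name])]
        child_sets = [c.scenarios(blocked) for c in self.children]
        if self.gate == "OR":
            return [s for cs in child_sets for s in cs]
        # AND: the attacker needs one scenario from every child, merged together
        if any(not cs for cs in child_sets):
            return []
        return [frozenset().union(*combo) for combo in product(*child_sets)]

    def min_cost(self, blocked=frozenset()):
        """Cheapest effort to reach this node: min over OR, sum over AND."""
        if not self.children:
            return INFEASIBLE if self.name in blocked else self.cost
        costs = [c.min_cost(blocked) for c in self.children]
        return min(costs) if self.gate == "OR" else sum(costs)


def build_example_tree():
    # The tree from the article, with constructed effort scores on the leaves.
    return Node("Access customer database", "OR", children=[
        Node("Compromise admin account", "OR", children=[
            Node("Phish admin's password", cost=3),
            Node("Exploit weak password policy", cost=2),
        ]),
        Node("Exploit database vulnerability", "AND", children=[
            Node("Find unpatched database software", cost=1),
            Node("Use a known public exploit", cost=2),
        ]),
    ])


def rank_mitigations(root):
    """For each leaf, the attacker's cheapest remaining path if that one leaf
    is fixed. The fix that raises the cheapest path the most comes first."""
    leaves = sorted({leaf for s in root.scenarios() for leaf in s})
    ranked = [(root.min_cost(frozenset([leaf])), leaf) for leaf in leaves]
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    tree = build_example_tree()
    print("Cheapest path cost today:", tree.min_cost())
    for s in tree.scenarios():
        print("  scenario:", sorted(s))
    for remaining, leaf in rank_mitigations(tree):
        print(f"fix '{leaf}' -> attacker's cheapest path becomes {remaining}")
```

With these scores the single cheapest scenario is the weak password policy, and it is the only leaf whose fix raises the attacker's cheapest path (from 2 to 3); fixing any one of the other three leaves leaves a path of cost 2 intact. That is the kind of prioritization the tree is meant to support.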



Attack surface examples: real-world scenarios

Let's look at some real-life attack surface examples:

The remote work explosion
When COVID-19 sent everyone home, organizations suddenly had devices from hundreds of home networks connected to their corporate systems. Each home router, personal device, and family member using the same WiFi became part of the company's attack surface.

The smart office
Modern offices are full of connected devices: smart thermostats, security cameras, printers with network connections, and voice assistants. Each one represents a potential entry point for attackers.

The cloud migration
Moving to cloud services expands your attack surface in new ways. Misconfigured cloud services or applications, overprivileged user accounts, and integration points between different cloud services all create new vulnerabilities that weren’t on your bingo card.



How to reduce your attack surface: practical steps

Let’s dig into strategies designed to scale down your attack surface:

Start with asset discovery

You can't secure what you don't know exists. Use automated tools to scan your network and track every device, application, and service you find. Scope out the hidden assets and bring them to the surface.
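As an added Python example (not the article's or Huntress's code), here is the kind of check asset discovery feeds: it reconciles constructed scan records against a constructed list of known assets and flags several of the entry-point types listed earlier in the article (internet-exposed RDP, end-of-life operating systems, VPN access without MFA) plus hosts nobody knew about. The record format, the hostnames and addresses, the EOL list, the `role` and `mfa` fields, and the rule that anything outside RFC 1918 space counts as internet-reachable are all assumptions for the illustration.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample records in the shape a discovery tool might export
# (one JSON object per line); hosts, addresses and OS strings are made up.
SCAN_RESULTS = """\
{"host": "fs01", "ip": "10.0.4.12", "os": "Windows Server 2019", "open_ports": [445, 3389], "role": "file", "mfa": true}
{"host": "legacy-erp", "ip": "203.0.113.17", "os": "Windows Server 2008 R2", "open_ports": [80, 3389], "role": "app", "mfa": false}
{"host": "vpn-gw", "ip": "203.0.113.2", "os": "Linux", "open_ports": [443, 1194], "role": "vpn", "mfa": false}
{"host": "lobby-thermostat", "ip": "10.0.9.200", "os": "embedded", "open_ports": [80], "role": "iot", "mfa": false}
"""

# Constructed CMDB export: what the organization *thinks* it owns.
KNOWN_ASSETS = {"fs01", "legacy-erp", "vpn-gw"}

# Illustrative end-of-life list; a real check would consult vendor lifecycle data.
EOL_OS = {"Windows Server 2008 R2", "Windows Server 2012", "Windows 7"}

# Remote-administration services that should not face the internet.
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}

# RFC 1918 ranges; anything outside them is treated as internet-reachable here
# (assumption: we know nothing about NAT or firewalls beyond the address).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_scan(text):
    """Parse newline-delimited JSON records into a list of asset dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess(assets, known_assets):
    """Return (host, finding) pairs for the entry-point types the article lists."""
    findings = []
    for a in assets:
        host = a["host"]
        if host not in known_assets:
            findings.append((host, "shadow asset: not in inventory"))
        if not is_internal(a["ip"]):
            for port in a["open_ports"]:
                if port in REMOTE_ADMIN_PORTS:
                    findings.append((host, f"internet-exposed {REMOTE_ADMIN_PORTS[port]} ({port})"))
        if a["os"] in EOL_OS:
            findings.append((host, f"end-of-life OS: {a['os']}"))
        if a["role"] == "vpn" and not a["mfa"]:
            findings.append((host, "VPN without MFA"))
    return findings


if __name__ == "__main__":
    for host, finding in assess(parse_scan(SCAN_RESULTS), KNOWN_ASSETS):
        print(f"{host:18} {finding}")
```

Note the contrast between `fs01` and `legacy-erp`: both have RDP listening, but only the one on a non-internal address is flagged, because exposure, not just the open port, is what widens the attack surface. The thermostat produces a finding even though nothing about it looks dangerous, since an asset missing from the inventory is exactly the "hidden door" the discovery step exists to find.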

Roll out the principle of least privilege

Don’t give people and systems more access than needed to do their jobs. The summer intern doesn't need admin rights on the entire network, and neither does that IoT sensor on the office fridge.

Stay patched and updated

Attack surface management (ASM) is largely about staying on top of patches and updates. Set up automated patching where you can, and have a process for quickly installing critical security updates.

Remove what you don't need

Go Marie Kondo on your attack surface. Get rid of unused applications, services, and user accounts because they’re potential vulnerabilities. And that doesn’t spark joy for anyone but hackers. Make sure to run regular audits to remove unnecessary components to keep your attack surface in check. 

Train your team

Since humans are a key part of your attack surface, security awareness training is crucial. Help your team spot phishing attempts, understand password best practices, and confidently step up without fear when something doesn't look right.



Take control of your digital security

Understanding your attack surface is like getting a detailed map of your security landscape. Once you know where you're vulnerable, you can start making strategic decisions about where to invest your security resources.

Start small. Pick one category of your attack surface and do a thorough assessment. You might be surprised by what you find, but you'll definitely be better prepared to defend against it!




Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.