A attack surface (or attack surface refers to theall the potential entry points through which an attacker could attempt to gain access to a system, network, application or organisation. These are all the weak points or vulnerabilities that could be exploited to compromise security.
It encompasses all hardware, software, human and procedural access that could be targeted by threats.
🔑 Types of attack surfaces
Physics :
- Access to servers, computers, peripherals (e.g. USB ports, access badges)
- Example: An unsecured server in a room accessible to the public.
Software :
- Applications, APIs, operating systems, microservices.
- Example: An unauthenticated API exposed on the Internet.
Network :
- Entry points such as open ports VPNthe firewalls incorrectly configured.
- Example: An SSH port opened with a weak password.
Human :
- Users likely to click on phishing or disclose sensitive information.
- For example: an employee sharing their login details by mistake.
Cloud :
- Poorly configured data storage (e.g. public S3 buckets), cloud management interfaces.
- Example: an AWS bucket exposed without access restrictions.
Other classification :
- External surface Points exposed to the Internet (websites, APIs, emails)
- Internal surface : vulnerabilities within the local network (e.g. insecure file sharing)
- Social area: risks related tosocial engineering (scams, psychological manipulation)
🔑 Key elements
- Entry points :
- This includes open ports, web applications, online services, connected devices, user interfaces, etc.
- Anything that can be accessed from outside or inside a network is a potential entry point.
- Vulnerabilities :
- Security flaws in software, incorrect configurations, weak passwords, human error, etc. are all vulnerabilities that increase the attack surface.
- Scope:
- The attack surface can vary considerably depending on the complexity and size of a system.
- The more complex and interconnected a system, the wider its attack surface.
- Attack Surface Management (ASM) :
- ASM is a continuous process of identifying, analysing, managing and reducing an organisation's attack surface.
- This involves monitoring assets, detecting vulnerabilities, prioritising risks and implementing appropriate security measures.
Main issues
- Complexity The more extensive a system (IoT, cloud, third-party partners), the greater the attack surface.
- Constant evolution updates, new software and connected devices create new vulnerabilities
- Costs a poorly managed attack surface increases the risk of data breaches, leading to financial and reputational losses
👉 Examples
- A web application :
- Vulnerabilities: login form, SQL injection, cookies unsecured
- A teleworking employee :
- Risks: connection via unencrypted public Wi-Fi, unpatched personal device
- A connected object (IoT) :
- Entry points: vulnerable firmware, default management interface
Strategies for reducing the attack surface area
- Minimisation :
- Disable unnecessary services, close unused ports
- Apply the least privilege (limit access)
- Continuous monitoring :
- Use tools such as vulnerability scanners (Nessus, OpenVAS) or the SIEM (e.g. Splunk)
- Analyse logs to detect suspicious activity
- Regular updates :
- Correcting vulnerabilities through patches software and hardware
- Segmenting the network :
- Isolate critical areas (e.g. server network vs. users)
- User training :
- Raising awareness of the risks of phishing and good security practices
Management tools
- Risk mapping software such as Microsoft Attack Surface Analyzer
- Pentesting Intrusion tests to identify weak points
- Vulnerability management platforms such as Tenable.io and Qualys
Historical case
- Target piracy (2013) :
- The attack surface included an HVAC system connected to the internal network, used as a gateway to steal 40 million credit cards.
Attack surface vs. attack vector
- Attack surface : tll vulnerable points a system (e.g. ports, users, APIs)
- Attack vector : mspecific method used to exploit a vulnerability (e.g. phishing, SQL injection)
