What is an attack surface?

An attack surface is the sum of an organization's vulnerabilities to cyberattack.

Person sitting at office desk and using laptop computer
What is an attack surface?

An organization’s attack surface is the sum of vulnerabilities, pathways or methods—sometimes called attack vectors—that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.

As organizations increasingly adopt cloud services and hybrid (on-premises/work-from-home) work models, their networks and associated attack surfaces are becoming larger and more complex by the day. According to Randori's The State of Attack Surface Management 2022  (link resides outside ibm.com)(Randori is a subsidiary of IBM Corp.), 67 percent of organizations have seen their attack surfaces grow in size over the past two years. Industry analyst Gartner named attack surface expansion the No. 1 security and risk management trend for 2022 (link resides outside ibm.com).

Security experts divide the attack surface into three sub-surfaces: The digital attack surface, the physical attack surface, and the social engineering attack surface.


Digital attack surface

The digital attack surface potentially exposes the organization’s cloud and on-premises infrastructure to any hacker with an internet connection. Common attack vectors in an organization’s digital attack surface include:

  • Weak passwords: Passwords that are easy to guess—or easy to crack via brute-force attacks—increase the risk that cybercriminals can compromise user accounts to access the network, steal sensitive information, spread malware and otherwise damage infrastructure. According to IBM's Cost of a Data Breach Report 2021, compromised credentials were the most commonly exploited initial attack vector in 2021.

  • Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls or protocols serve as entry points for hackers. Man-in-the-middle attacks, for example, take advantage of weak encryption protocols on message-passing channels to intercept communications between systems.

  • Software, operating system (OS) and firmware vulnerabilities: Hackers and cybercriminals can take advantage of coding or implementation errors in third-party apps, OSs and other software or firmware to infiltrate networks, gain access to user directories, or plant malware. For example, In 2021, cybercriminals took advantage of a flaw in Kaseya's VSA (virtual storage appliance) platform (link resides outside ibm.com) to distribute ransomware, disguised as a software update, to Kaseya's customers.

  • Internet-facing assets: Web applications, web servers and other resources that face the public internet are inherently vulnerable to attack. For example, hackers can inject malicious code into unsecured application programming interfaces (APIs), causing them to improperly divulge or even destroy sensitive information in associated databases.

  • Shared databases and directories: Hackers can exploit databases and directories shared between systems and devices to gain unauthorized access to sensitive resources or launch ransomware attacks. In 2016, the Virlock ransomware spread (link resides outside ibm.com) by infecting collaborative file folders accessed by multiple devices.

  • Outdated or obsolete devices, data, or applications: Failure to consistently apply updates and patches creates security risks. One notable example is the WannaCry ransomware, which spread by exploiting a Microsoft Windows operating system vulnerability (link resides outside ibm.com) for which a patch was available. Similarly, when obsolete endpoints, data sets, user accounts, and apps are not appropriately uninstalled, deleted, or discarded, they create unmonitored vulnerabilities cybercriminals can easily exploit.

  • Shadow IT: "Shadow IT" is software, hardware or devices—free or popular apps, portable storage devices, an unsecured personal mobile device—that employees use without the IT department’s knowledge or approval. Because it’s not monitored by IT or security teams, shadow IT may introduce serious vulnerabilities that hackers can exploit.


Physical attack surface

The physical attack surface exposes assets and information typically accessible only to users with authorized access to the organization’s physical office or endpoint devices (servers, computers, laptops, mobile devices, IoT devices, operational hardware).

  • Malicious insiders: Disgruntled or bribed employees or other users with malicious intent may use their access privileges to steal sensitive data, disable devices, plant malware or worse.

  • Device theft: Criminals may steal endpoint devices or gain access to them by breaking into an organization's premises. Once in possession of the hardware, hackers can access data and processes stored on these devices. They may also use the device's identity and permissions to access other network resources. Endpoints used by remote workers, employees' personal devices, and improperly discarded devices are typical targets of theft. 

  • Baiting: Baiting is an attack in which hackers leave malware-infected USB drives in public places, hoping to trick users into plugging the devices into their computers and unintentionally downloading the malware.


Social engineering attack surface

Social engineering manipulates people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational assets or security.

Because it exploits human weaknesses rather than technical or digital system vulnerabilities, social engineering sometimes called ‘human hacking.’

Learn more about social engineering

An organization‘s social engineering attack surface essentially amounts to the number of authorized users who are unprepared for or otherwise vulnerable to social engineering attacks.

Phishing is the best-known and most-prevalent social engineering attack vector. In a phishing attack, scammers send emails, text messages or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—a popular retailer, a government organization, or sometimes even an individual the recipient knows personally.

According to IBM's Cost of a Data Breach 2021 report, social engineering is the second-leading cause of data breaches.


Attack surface management

Attack surface management (ASM) refers to processes and technologies that take a hacker‘s view and approach to an organization’s attack surface—discovering and continuously monitoring the assets and vulnerabilities that hackers see and attempt to exploit when targeting the organization. ASM typically involves:

Continuous discovery, inventory and monitoring of potentially vulnerable assets. Any ASM initiative begins with a complete and continuously updated inventory of an organization‘s internet-facing IT assets, including on-premises and cloud assets. Taking a hacker’s approach ensures discovery not only of known assets, but also shadow IT (see above), applications or devices that have been abandoned but not deleted or deactivated (orphaned IT), assets planted by hackers or malware (rogue IT), and more—essentially any asset that can be exploited by a hacker or cyberthreat.

Once discovered, assets are monitored continuously, in real time, for changes that raise their risk as a potential attack vector.

Attack surface analysis, risk assessment and prioritization. ASM technologies score assets according to their vulnerabilities and security risks they pose, and prioritize them for threat response or remediation.

Attack surface reduction and remediation. Security teams can apply their findings from attack surface analysis and red teaming to take a variety of short-term actions to reduce the attack surface. These might include enforcing stronger passwords, deactivating applications and endpoint devices no longer in use, applying application and OS patches, training users to recognize phishing scams, instituting biometric access controls for office entry, or revising security controls and policies around software downloads and removable media.

Organizations might also take more structural or longer-term security measures to reduce their attack surface, either as part of or independent of an attack surface management initiative. For example, implementing two-factor authentication (2fa) or multifactor authentication can reduce or eliminate potential vulnerabilities associated with weak passwords or poor password hygiene.

On a broader scale, a zero trust security approach can significantly reduce an organization’s attack surface. A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized and continuously validated in order to gain and maintain access to applications and data. Zero trusts principles and technologies—continuous validation, least-privileged access, continuous monitoring, network microsegmentation—can reduce or eliminate many attack vectors and provide valuable data for ongoing attack surface analysis.

Learn more about attack surface management


Related solutions