Home Topics Attack surface What is an attack surface?
Explore IBM's attack surface solution Subscribe to security topic updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is an attack surface?

An organization’s attack surface is the sum of vulnerabilities, pathways, or methods—sometimes called attack vectors—that hackers can use to gain unauthorized access to the network or sensitive data, or to carry out a cyberattack.

As organizations increasingly adopt cloud services and hybrid (on-premises/work-from-home) work models, their networks and associated attack surfaces are becoming larger and more complex by the day. According to Randori's The State of Attack Surface Management 2022, 67% of organizations have seen their attack surfaces grow in size over the past two years. Industry analyst Gartner named attack surface expansion the No. 1 security and risk management trend for 2022 (link resides outside ibm.com).

Security experts divide the attack surface into three sub-surfaces: The digital attack surface, the physical attack surface, and the social engineering attack surface.

IBM Security X-Force Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

Digital attack surface

The digital attack surface potentially exposes the organization’s cloud and on-premises infrastructure to any hacker with an internet connection. Common attack vectors in an organization’s digital attack surface include:

  1. Weak passwords
  2. Misconfiguration
  3. Software, operating system (OS), and firmware vulnerabilities
  4. Internet-facing assets
  5. Shared databases and directories
  6. Outdated or obsolete devices, data, or applications
  7. Shadow IT
  • Weak passwords: Passwords that are easy to guess—or easy to crack via brute-force attacks—increase the risk that cybercriminals can compromise user accounts to access the network, steal sensitive information, spread malware and otherwise damage infrastructure. According to IBM's Cost of a Data Breach Report 2021, compromised credentials were the most commonly used initial attack vector in 2021.

  • Misconfiguration: Improperly configured network ports, channels, wireless access points, firewalls, or protocols serve as entry points for hackers. Man-in-the-middle attacks, for example, take advantage of weak encryption protocols on message-passing channels to intercept communications between systems.

  • Software, OS, and firmware vulnerabilities: Hackers and cybercriminals can take advantage of coding or implementation errors in third-party apps, OSs, and other software or firmware to infiltrate networks, gain access to user directories, or plant malware. For example, In 2021, cybercriminals took advantage of a flaw in Kaseya's VSA (virtual storage appliance) platform (link resides outside ibm.com) to distribute ransomware, disguised as a software update, to Kaseya's customers.

  • Internet-facing assets: Web applications, web servers and other resources that face the public internet are inherently vulnerable to attack. For example, hackers can inject malicious code into unsecured application programming interfaces (APIs), causing them to improperly divulge or even destroy sensitive information in associated databases.

  • Shared databases and directories: Hackers can exploit databases and directories that are shared between systems and devices to gain unauthorized access to sensitive resources or launch ransomware attacks. In 2016, the Virlock ransomware spread (link resides outside ibm.com) by infecting collaborative file folders that are accessed by multiple devices.

  • Outdated or obsolete devices, data, or applications: Failure to consistently apply updates and patches creates security risks. One notable example is the WannaCry ransomware, which spread by exploiting a Microsoft Windows operating system vulnerability (link resides outside ibm.com) for which a patch was available. Similarly, when obsolete endpoints, data sets, user accounts, and apps are not uninstalled, deleted, or discarded, they create unmonitored vulnerabilities cybercriminals can easily exploit.

  • Shadow IT: "Shadow IT" is software, hardware, or devices—free or popular apps, portable storage devices, an unsecured personal mobile device—that employees use without the IT department’s knowledge or approval. Because it’s not monitored by IT or security teams, shadow IT may introduce serious vulnerabilities that hackers can exploit.

Physical attack surface

The physical attack surface exposes assets and information typically accessible only to users with authorized access to the organization’s physical office or endpoint devices (servers, computers, laptops, mobile devices, IoT devices, or operational hardware).

  • Malicious insiders: Disgruntled or bribed employees or other users with malicious intent may use their access privileges to steal sensitive data, disable devices, plant malware or worse.

  • Device theft: Criminals may steal endpoint devices or gain access to them by breaking into an organization's premises. After they are in possession of the hardware, hackers can access data and processes that are stored on these devices. They might also use the device's identity and permissions to access other network resources. Endpoints used by remote workers, employees' personal devices, and improperly discarded devices are typical targets of theft. 

  • Baiting: Baiting is an attack in which hackers leave malware-infected USB drives in public places, hoping to trick users into plugging the devices into their computers and unintentionally downloading the malware.

Social engineering attack surface

Social engineering manipulates people into making mistakes that compromise their personal or organizational assets or security through various ways, such as:

  • sharing information that they shouldn’t share
  • downloading software that they shouldn’t download
  • visiting websites that they shouldn’t visit
  • sending money to criminals 

Because it exploits human weaknesses rather than technical or digital system vulnerabilities, social engineering is sometimes called ‘human hacking’.

Learn more about social engineering

An organization‘s social engineering attack surface essentially amounts to the number of authorized users who are unprepared for or otherwise vulnerable to social engineering attacks.

Phishing is the best-known and most-prevalent social engineering attack vector. In a phishing attack, scammers send emails, text messages, or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—a popular retailer, a government organization, or sometimes even an individual the recipient knows personally.

According to IBM's Cost of a Data Breach 2021 report, social engineering is the second-leading cause of data breaches.

Attack surface management

Attack surface management (ASM) refers to processes and technologies that take a hacker‘s view and approach to an organization’s attack surface—discovering and continuously monitoring the assets and vulnerabilities that hackers see and attempt to exploit when targeting the organization. ASM typically involves:

Continuous discovery, inventory, and monitoring of potentially vulnerable assets. Any ASM initiative begins with a complete and continuously updated inventory of an organization‘s internet-facing IT assets, including on-premises and cloud assets. Taking a hacker’s approach ensures discovery not only of known assets, but also shadow IT applications or devices. These applications or devices might have been abandoned but not deleted or deactivated (orphaned IT). Or assets that are planted by hackers or malware (rogue IT), and more—essentially any asset that can be exploited by a hacker or cyberthreat.

Once discovered, assets are monitored continuously, in real time, for changes that raise their risk as a potential attack vector.

Attack surface analysis, risk assessment and prioritization. ASM technologies score assets according to their vulnerabilities and security risks that they pose, and prioritize them for threat response or remediation.

Attack surface reduction and remediation. Security teams can apply their findings from attack surface analysis and red teaming to take various short-term actions to reduce the attack surface. These might include enforcing stronger passwords, deactivating applications and endpoint devices no longer in use, applying application and OS patches, training users to recognize phishing scams, instituting biometric access controls for office entry, or revising security controls and policies around software downloads and removable media.

Organizations might also take more structural or longer-term security measures to reduce their attack surface, either as part of or independent of an attack surface management initiative. For example, implementing two-factor authentication (2fa) or multifactor authentication can reduce or eliminate potential vulnerabilities that are associated with weak passwords or poor password hygiene.

On a broader scale, a zero trust security approach can significantly reduce an organization’s attack surface. A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized, and continuously validated to gain and maintain access to applications and data. Zero trusts principles and technologies—continuous validation, least-privileged access, continuous monitoring, network microsegmentation—can reduce or eliminate many attack vectors and provide valuable data for ongoing attack surface analysis.

Learn more about attack surface management

Related solutions
Vulnerability management services

Adopt a vulnerability management program that identifies, prioritizes, and manages the remediation of flaws that might expose your most-critical assets.

Explore vulnerability management services
IBM Security® Discover and Classify

Get accurate, scalable and integrated discovery and classification of structured and unstructured data across all environments.

Explore Discover and Classify
Resources What is social engineering?

Social engineering compromises personal or enterprise security using psychological manipulation rather than technical hacking.

What is malware?

Malware is software code written to damage or destroy computers or networks, or to provide unauthorized access to computers, networks or data.

What is zero trust?

A zero trust approach requires that all users, whether outside or already inside the network, be authenticated, authorized and continuously validated in order to gain and maintain access to applications and data.

What are insider threats?

Insider threats occur when users with authorized access to a company's assets compromise those assets deliberately or accidentally.

What is cloud security?

A guide to securing your cloud computing environment and workloads.

What is data security?

Data security is the practice of protecting digital information from theft, corruption. or unauthorized access throughout its lifecycle.

Take the next step

Learn how the IBM Security Guardium family of products can help your organization meet the changing threat landscape with advanced analytics, real-time alerts, streamlined compliance, automated data discovery classification and posture management.

Explore Guardium Book a live demo