Attack surface

Last updated December 05, 2023

The attack surface of a software environment is the sum of the different points (for "attack vectors") where an unauthorized user (the "attacker") can try to enter data to, extract data, control a device or critical software in an environment.^[1]^[2] Keeping the attack surface as small as possible is a basic security measure.^[3]

Elements of an attack surface

Worldwide digital change has accelerated the size, scope, and composition of an organization's attack surface. The size of an attack surface may fluctuate over time, adding and subtracting assets and digital systems (e.g. websites, hosts, cloud and mobile apps, etc.). Attack surface sizes can change rapidly as well. Digital assets eschew the physical requirements of traditional network devices, servers, data centers, and on-premise networks. This leads to attack surfaces changing rapidly, based on the organization's needs and the availability of digital services to accomplish it.

Attack surface scope also varies from organization to organization. With the rise of digital supply chains, interdependencies, and globalization, an organization's attack surface has a broader scope of concern (viz. vectors for cyberattacks). Lastly, the composition of an organization's attack surface consists of small entities linked together in digital relationships and connections to the rest of the internet and organizational infrastructure, including the scope of third-parties, digital supply chain, and even adversary-threat infrastructure.

An attack surface composition can range widely between various organizations, yet often identify many of the same elements, including:

Autonomous System Numbers (ASNs)
IP Address and IP Blocks
Domains and Sub-Domains (direct and third-parties)
SSL Certificates and Attribution
WHOIS Records, Contacts, and History
Host and Host Pair Services and Relationship
Internet Ports and Services
NetFlow
Web Frameworks (PHP, Apache, Java, etc.)
Web Server Services (email, database, applications)
Public and Private Cloud

Understanding an attack surface

Due to the increase in the countless potential vulnerable points each enterprise has, there has been increasing advantage for hackers and attackers as they only need to find one vulnerable point to succeed in their attack.^[4]

There are three steps towards understanding and visualizing an attack surface:

Step 1: Visualize. Visualizing the system of an enterprise is the first step, by mapping out all the devices, paths and networks.^[4]

Step 2: Find indicators of exposures. The second step is to correspond each indicator of a vulnerability being potentially exposed to the visualized map in the previous step. IOEs include "missing security controls in systems and software".^[4]

Step 3: Find indicators of compromise. This is an indicator that an attack has already succeeded.^[4]

Surface reduction

One approach to improving information security is to reduce the attack surface of a system or software. The basic strategies of attack surface reduction include the following: reduce the amount of code running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. By having less code available to unauthorized actors, there tend to be fewer failures. By turning off unnecessary functionality, there are fewer security risks. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.^[5]

Related Research Articles

Computer security, cyber security, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

Supervisory control and data acquisition (SCADA) is a control system architecture comprising computers, networked data communications and graphical user interfaces for high-level supervision of machines and processes. It also covers sensors and other devices, such as programmable logic controllers, which interface with process plant or machinery.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack vector may be exploited manually, automatically, or through a combination of manual and automatic activity.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

In computer security, a sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading. The isolation metaphor is taken from the idea of children who do not play well together, so each is given his or her own sandbox to play in alone. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as storage and memory scratch space. Network access, the ability to inspect the host system, or read from input devices are usually disallowed or heavily restricted.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.

Secure coding is the practice of developing computer software in such a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

A software-defined perimeter (SDP), also called a "black cloud", is an approach to computer security which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007. Software-defined perimeter (SDP) framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted. Application infrastructure is effectively “black”, without visible DNS information or IP addresses. The inventors of these systems claim that a Software Defined Perimeter mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users.

The following outline is provided as an overview of and topical guide to computer security:

Cyber threat intelligence (CTI) is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

References

↑ "Attack Surface Analysis Cheat Sheet". Open Web Application Security Project. Retrieved 30 October 2013.
↑ Manadhata, Pratyusa (2008). An Attack Surface Metric (PDF). Archived (PDF) from the original on 2016-02-22. Retrieved 2013-10-30.
↑ Manadhata, Pratyusa; Wing, Jeannette M. "Measuring a System's Attack Surface" (PDF). Archived (PDF) from the original on 2017-03-06. Retrieved 2019-08-29.{{cite journal}}: Cite journal requires |journal= (help)
1 2 3 4 Friedman, Jon (March 2016). "Attack your Attack Surface" (PDF). skyboxsecurity.com. Archived from the original (PDF) on March 6, 2017. Retrieved March 6, 2017.
↑ Michael, Howard. "Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users". Microsoft. Archived from the original on 2 April 2015. Retrieved 30 October 2013.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[OWASP-1] "Attack Surface Analysis Cheat Sheet". Open Web Application Security Project. Retrieved 30 October 2013.

[Manadhata-2] Manadhata, Pratyusa (2008). An Attack Surface Metric (PDF). Archived (PDF) from the original on 2016-02-22. Retrieved 2013-10-30.

[3] Manadhata, Pratyusa; Wing, Jeannette M. "Measuring a System's Attack Surface" (PDF). Archived (PDF) from the original on 2017-03-06. Retrieved 2019-08-29.{{cite journal}}: Cite journal requires |journal= (help)

[:0-4] 1 2 3 4 Friedman, Jon (March 2016). "Attack your Attack Surface" (PDF). skyboxsecurity.com. Archived from the original (PDF) on March 6, 2017. Retrieved March 6, 2017.

[5] Michael, Howard. "Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users". Microsoft. Archived from the original on 2 April 2015. Retrieved 30 October 2013.

[1]

[2]

[3]

[4]

[5]