Browse Definitions :
Definition

attack surface

Contributor(s): Matthew Haughn

An attack surface is the total sum of vulnerabilities that can be exploited to carry out a security attack. Attack surfaces can be physical or digital. The term attack surface is often confused with the term attack vector, but they are not the same thing. The surface is what is being attacked; the vector is the means by which an intruder gains access. 

Both physical and digital attack surfaces should be limited in size to protect surfaces from anonymous, public access. Organization can analyze and reduce its physical and digital attack surfaces by taking the following measures:

  • Identify physical and digital assets.
  • Conduct an attack surface analysis.
  • Review asset management policies.
  • Eliminate complexity by reducing unused, redundant or overly permissive rules.
  • Prioritize strengthening most vulnerable attack points first.
  • Continually seek ways to make attack surfaces smaller.

Digital attack surfaces

In a computing , a network attack surface is the totality of all vulnerabilities in connected hardware and software. In order to keep the network secure, network administrators must proactively seek ways reduce the number and size of attack surfaces. There is a law of computing that states that the more code you have running on a system, the greater the chance that the system will have an exploitable security vulnerability. This means that one of the most important steps information technology (IT) administrators can take to secure a system is to reduce the amount of code being executed, which helps reduce the software attack surface.

One popular approach to limiting the size of attack surfaces is a strategy called microsegmentation . With microsegmentation , the data center is divided into logical units, each of which has its own unique security policies. The idea is to significantly reduce the surface available for malicious activity and restrict unwanted lateral (east-west) traffic once the perimeter has been penetrated. Policies are tied to logical segments, so any workload migration will also move the security policies.

Network microsegmentation isn't new, but its adoption has been sparked by software-defined networking (SDN) and software-defined data center (SDDC) technologies. Traditional firewalls remain in place to maintain north-south defenses, while microsegmentation significantly limits unwanted communication between east-west workloads within the enterprise.

Physical attack surfaces

In computing, a physical attack surface includes access to all endpoint devices, including desktop systems, laptops, mobile devices, USB ports and improperly discarded hard drives. Once an attacker has accessed a computing device physically, the intruder will look for digital attack surfaces left vulnerable by poor coding, default security setting or poorly-maintained software that has not been updated or patched. The physical attack surface is exploitable through inside threats such as rogue employees, social engineering ploys and intruders posing as service workers, especially in public companies. External threats include password retrieval from carelessly discarded hardware, passwords on sticky notes and physical break-ins.

Physical security has three important components: access control, surveillance and testing. Obstacles should be placed in the way of potential attackers and physical sites should be hardened against accidents, attacks or environmental disasters. Such hardening measures include fencing, locks, access control cards, biometric access control systems and fire suppression systems. Second, physical locations should be monitored using surveillance cameras and notification systems, such as intrusion detection sensors, heat sensors and smoke detectors. Third, disaster recovery policies and procedures should be tested regularly to ensure safety and to reduce the time it takes to recover from disruptive man-made or natural disasters.

 

 

This was last updated in February 2019

Continue Reading About attack surface

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

Extensions de fichiers et formats de fichiers

Motorisé par:

SearchCompliance

  • compliance framework

    A compliance framework is a structured set of guidelines that details an organization's processes for maintaining accordance with...

  • regulatory compliance

    Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business...

  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or ...

SearchSecurity

SearchHealthIT

  • telemedicine (telehealth)

    Telemedicine is the remote delivery of healthcare services, such as health assessments or consultations, over the ...

  • Project Nightingale

    Project Nightingale is a controversial partnership between Google and Ascension, the second largest health system in the United ...

  • medical practice management (MPM) software

    Medical practice management (MPM) software is a collection of computerized services used by healthcare professionals and ...

SearchDisasterRecovery

  • crisis management plan (CMP)

    A crisis management plan (CMP) outlines how to respond to a critical situation that would negatively affect an organization's ...

  • disaster recovery (DR) test

    A disaster recovery test (DR test) is the examination of each step in a disaster recovery plan as outlined in an organization's ...

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

SearchStorage

  • kilobyte (KB or Kbyte)

    A kilobyte (KB or Kbyte) is a unit of measurement for computer memory or data storage used by mathematics and computer science ...

  • megabytes per second (MBps)

    Megabytes per second (MBps) is a unit of measurement for data transfer speed to and from a computer storage device.

  • zettabyte

    A zettabyte is a unit of measurement used by technology professionals and the general public to describe a computer or other ...

Close