Attack Surface - All Possible Entry Points

The attack surface is the totality of all points an attacker can use to break into a system or steal data. Everything that looks like an entry point from the attacker's perspective is part of it: publicly exposed web services and API endpoints, employees' social media accounts, even the physical entrances to an office. A basic principle of security is to keep this surface as small as possible: even when a vulnerability exists, the narrower the attack surface, the lower the probability that it will be exploited.

The Three Categories of Attack Surface

The attack surface is classified into three areas according to its nature. Comprehensive defense requires a thorough understanding of all of these areas.

Digital Attack Surface
  • Public web services and APIs
  • Cloud infrastructure (S3, VMs)
  • Mail servers
  • VPN gateways
  • DNS records

Physical Attack Surface
  • Office access control
  • Server rooms
  • USB ports and devices
  • IoT devices
  • Discarded media

Social Attack Surface
  • Employees' social media posts
  • Public profiles
  • Job postings (exposing the tech stack)
  • Conference presentation materials
  • Supply chain partners

Attackers make full use of OSINT (open-source intelligence) to gather this information and attempt to break in through the most vulnerable point. If a job posting says "we use Apache Struts 2.x," an attacker will immediately research the known vulnerabilities of that version.

The Rise of ASM Tools

ASM (Attack Surface Management) is a security discipline for continuously discovering, monitoring, and assessing an organization's attack surface. Whereas a traditional penetration test is a snapshot-style assessment, ASM tools automatically scan internet-exposed assets around the clock and notify you in real time of newly discovered assets and configuration changes. As cloud environments have become widespread and developers can build infrastructure without going through the IT department, the number of unaccounted-for public assets (shadow IT) has grown, rapidly increasing the importance of ASM.

The Attack Surface Reduction Process

1. Asset inventory
2. Shut down unnecessary public services
3. Strengthen access control
4. Continuous ASM monitoring
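As an added illustration of the ASM workflow described above (continuous discovery plus the asset-inventory step of the reduction process), not code from the original article or from any ASM product: a minimal inventory diff that compares two discovery snapshots and flags new endpoints, changed services, and exposed hosts that no one has recorded in the approved inventory. All hosts, ports and banners are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str  # discovered banner/version string

# Constructed sample data (not a real scan): the previous snapshot.
PREVIOUS_SCAN = {
    Asset("www.example.test", 443, "nginx/1.24"),
    Asset("mail.example.test", 25, "postfix"),
    Asset("vpn.example.test", 443, "openvpn"),
}
# Constructed: the current snapshot. A forgotten host has appeared and the
# web server version has changed since the last scan.
CURRENT_SCAN = {
    Asset("www.example.test", 443, "nginx/1.26"),
    Asset("mail.example.test", 25, "postfix"),
    Asset("vpn.example.test", 443, "openvpn"),
    Asset("old-campaign.example.test", 80, "WordPress 4.9"),
}
# Constructed: hosts recorded in the approved asset inventory (with an owner).
APPROVED_HOSTS = {"www.example.test", "mail.example.test", "vpn.example.test"}
LABELS = {"new": "NEW exposed endpoint", "removed": "REMOVED endpoint",
          "changed": "CHANGED service", "shadow": "UNAPPROVED host (shadow IT candidate)"}

def diff_surface(previous, current, approved_hosts):
    """Compare two scans: new/removed/changed (host, port) endpoints, plus
    exposed hosts that are missing from the approved inventory."""
    prev = {(a.host, a.port): a for a in previous}
    cur = {(a.host, a.port): a for a in current}
    return {
        "new": sorted(cur.keys() - prev.keys()),
        "removed": sorted(prev.keys() - cur.keys()),
        "changed": sorted(k for k in cur.keys() & prev.keys()
                          if cur[k].service != prev[k].service),
        "shadow": sorted({a.host for a in current} - approved_hosts),
    }

def alerts(report):
    """Render the diff as one notification line per finding."""
    def fmt(item):  # ("host", port) -> "host:port"; a bare host stays as is
        return f"{item[0]}:{item[1]}" if isinstance(item, tuple) else item
    return [f"{LABELS[k]}: {fmt(i)}" for k, items in report.items() for i in items]

if __name__ == "__main__":
    for line in alerts(diff_surface(PREVIOUS_SCAN, CURRENT_SCAN, APPROVED_HOSTS)):
        print(line)
```

In a real deployment the two snapshots would come from successive discovery scans and the approved-host set from the asset inventory, so each run answers the question the text poses: what is exposed today that was not there, or not known, yesterday.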

The Relationship with Zero Trust

Zero Trust is a security model built on the premise of "never trust, even inside the network." In the traditional perimeter-defense model, the inside of the firewall was regarded as a trusted zone, but with the shift to the cloud and remote work, the perimeter itself has become blurred. By making every access attempt subject to verification, Zero Trust applies individual defenses to each point of the attack surface. As a result, it achieves a structure in which damage is unlikely to spread laterally even if one point is breached.

Common Misconceptions

The belief that "if you block external access with a firewall, the attack surface is zero" is mistaken. Many attack paths bypass the network perimeter entirely: physical intrusion, social engineering, and attacks through the supply chain. Moreover, the VPNs and remote desktops used by legitimate users are themselves part of the attack surface; if their authentication is breached, they permit intrusion into the internal network.

Real-World Use Cases

"On the very first day we introduced an ASM tool, it discovered an EC2 instance that had been spun up for a campaign three years earlier and then left running. It was running an old version of WordPress with multiple known vulnerabilities. We shut it down immediately and were able to prevent a major incident before it happened."

We explain building an organization's security foundation in detail in the startup security checklist, the attack surface of IoT environments in the IoT device security article, and measures for remote work environments in the remote work security article.
