An organisation’s attack surface is generally everything that an attacker could potentially target. Every internet-facing service, web application, API endpoint, login portal, email gateway, remote access solution, employee device, and cloud resource can be considered part of an organisation’s attack surface.
The attack surface is generally divided into two areas.
- The external attack surface covers all assets that are directly reachable from the internet, whether intentionally published or not. Forgotten subdomains, development servers left publicly accessible, cloud storage buckets with misconfigured permissions, and legacy VPN appliances all form part of it.
- The internal attack surface covers systems that become accessible once an attacker has gained access inside the network, either through a compromised endpoint, a phishing attack, or physical access.
Reducing the attack surface is a key principle of security management, because every unnecessary service, port, or application that is exposed increases the number of potential entry points an attacker could exploit. Organisations that expand rapidly through acquisition, cloud adoption, or shadow IT often end up with an attack surface that is significantly larger than anyone internally realises.
A significant proportion of successful breaches involve assets that the organisation did not know were exposed. This is partly why external attack surface management has become an important discipline: it continuously discovers and monitors internet-facing assets, rather than relying on a static inventory that quickly becomes out of date.
External penetration testing and vulnerability assessments are the practical methods for evaluating the security of your attack surface. Understanding the scope of what is exposed is the first step to making meaningful improvements.