What is an Attack Surface?

May 26, 2022

Cyberattacks are on the rise, especially among small and mid-sized businesses: one report found that 70% of smaller enterprises have experienced an attack.

Many small and mid-sized businesses are unprepared for the increase in security threats. In fact, 45% of these businesses report having insufficient security measures to prevent cyberattacks. This article discusses one potential weak point: attack surfaces in software applications.

Small to medium-sized businesses can map potential weaknesses and implement an attack surface management program to reduce vulnerability and enhance cybersecurity. Ultimately, implementing an attack surface management plan protects the sensitive data of customers and other valuable assets from cyberattacks.

Attack Surface of a Software Application

An attack surface is the sum of all possible security risk exposures in an organization’s software environment. Put another way, it is the collective of all potential vulnerabilities (known and unknown) and controls across all hardware, software and network components.

Attack surfaces can be categorized into three basic types:

  • Digital attack surface. The digital attack surface encompasses the entire network and software environment of an organization. It can include applications, code, ports and other entry and exit points.
  • Physical attack surface. Physical attack surfaces include all of an organization’s endpoint devices: desktop systems, laptops, mobile devices and USB ports.
  • Social engineering attack surface. Social engineering attacks prey on the vulnerabilities of human users. The most common types of attacks against organizations include spear phishing, pretexting and other manipulative techniques used to trick individuals into providing access to sensitive information.

While organizations should be aware of all potential vulnerabilities, here we focus on the attack surface of software applications. This refers to all the possible functions in any code in a software environment that can be accessed by an unauthenticated user or piece of malware.

Identifying an Application’s Attack Surface

Identifying the attack surface of a software application requires mapping all the functions that need to be reviewed and tested for vulnerabilities. This means attending to all the points of entry or exit in the application’s source code. The bigger the attack surface of a software application, the easier it will be for an attacker or piece of malware to access and run code on a targeted machine.

Implementing Attack Surface Management

Attack surface management in software applications aims to detect weaknesses in a system and reduce the number of exploitable vulnerabilities. The point of analyzing the attack surface is to make developers and security specialists aware of all the risk areas in an application. Awareness is the first step in finding ways to minimize risk.

Ultimately, businesses can use attack surface analysis to implement what is known as Zero Trust security through core concepts such as network segmentation and similar strategies.

2022 CrowdStrike Global Threat Report

Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Download Now

Primary Attack Surfaces

Attack surfaces constantly fluctuate as a business adds new components such as websites, cloud and mobile apps, hosts, etc. However, generally the types of vulnerability remain the same.

Locating Software Vulnerabilities

Creating an attack surface model is one of the first steps in improving cybersecurity. It will reveal the most vulnerable points of a specific software application, which will vary significantly from business to business.

Watch out for these common software vulnerabilities:

  • Access control issues. Access control is difficult when employees have different means for accessing the system (in office and remotely, for example). Often software developers end up inserting rules in multiple locations in the code — flaws that can be easily exposed and exploited. Attacking access control vulnerabilities can allow hackers to change or delete content or even take over site administration.
  • Injection flaws. Injection flaws include calls to the operating system and calls to backend databases via SQL. Injection attacks occur frequently via input fields that communicate with databases and directories. Often these fields lack an input filter, which makes them vulnerable to attacks.
  • Authentication issues. When app functions related to session management and authentication are improperly implemented, attackers can gain access to a system with the same permissions as targeted users. They can then compromise keys, passwords, etc.
  • XML external entity issues. Weak configuration of the XML parsers that process XML input containing references to external entities can lead to issues such as exposure of confidential information and denial of service (DoS).
  • Custom APIs. APIs add vulnerability through broken user authentication, broken object level authorization, excessive data exposure and other issues.
  • Web forms. Adding web forms provides more ways to send data directly to your server. One common web form threat is cross-site scripting (XSS) attacks, in which an attacker gets a malicious script to run in a user’s browser. Another is cross-site request forgery attacks, where attackers trick a user into sending a request unwillingly.
  • Backwards compatibility. The more versions of a software are out there, the easier it is to introduce vulnerabilities.

Identifying Common Primary Attack Surfaces

Generally, the most common primary attack surfaces in software applications are remote entry and exit points. These high-risk points include interfaces with outside systems and the internet, especially where the system allows anonymous access:

  • Autonomous system numbers (ASNs)
  • IP address and IP blocks
  • SSL Certificates and Attribution
  • WHOIS records, contacts and history
  • TCP/IP ports
  • Public and private cloud
  • Domains and subdomains
  • Web server services such as emails and databases

Attack Surfaces vs Attack Vectors

To achieve adequate threat intelligence, it’s necessary to understand the difference between the attack surface and attack vectors. With this understanding, businesses can create an attack surface management plan to protect against cyberattacks.

Defining Attack Vectors

Attack vectors are all the methods by which unauthorized users can gain access to data. Successful application of attack vectors by a malicious actor can result in a data breach or worse.

Attack vectors can be grouped into two different types: passive and active attacks.

Passive attack vectors are pathways exploited to gain access to the system without affecting system resources. They include eavesdropping techniques such as session capture, port scanning or traffic analysis.

Active attack vectors are exploited pathways that affect the operation of a system. They include ransomware, phishing attacks and distributed denial of service (DDoS) attacks.

Distinguishing the Attack Surface from Attack Vectors

Put simply, the attack surface is the total of all the points that a malicious actor could exploit in an application (or, more broadly, a system). An attack vector is the method by which a malicious actor exploits one of these individual points.

Mapping an attack surface provides a broad overview of all the potential weaknesses of a software application. Analyzing individual attack vectors provides the security team information on what needs to be fixed or reinforced.

Identifying Attack Surfaces and Attack Vectors

The digital attack surface is constituted by two types of assets: known factors and unknown factors. Known factors are those assets that developers are aware of and monitor. These include subdomains and general security processes.

Unknown factors, also called shadow IT assets, are unsanctioned applications and devices connected to an organization’s network. They can include physical devices (such as users’ smartphones and tablets), messaging apps, cloud storage and workplace efficiency apps. Since these assets haven’t been formally onboarded or vetted by IT departments, they fall beneath the security radar of developers, leaving systems vulnerable.

Attack surface management is important for businesses to discover all factors on the attack surface, both known and unknown.

Reducing the Attack Surface eBook

Public cloud services have become a necessary component for most organizations’ long-term strategic growth plans. Learn five ways organizations can reduce risk within a multi-cloud environment.

Download Now

Manage Physical and Digital Attack Surfaces

Reducing an attack surface requires first knowing what the attack surface is. An attack surface analysis will turn up all the known and unknown factors that constitute the potential vulnerabilities of an organization’s software environment.

One principle to keep in mind: when it comes to security, it’s easier to be proactive and defensive in warding off potential attacks than it is to clean up the mess afterward.

Reducing Attack Surfaces

When it comes to reducing the attack surface, start systematically with the most basic security solutions. For instance, since open TCP/IP ports are vulnerable, make sure a firewall is in place to limit the number of accessible TCP/IP ports. Apply relevant security updates and patches, and use encryption with HTTPS and SSL certificates.

But there are more specific things you can do, depending on the software environment that needs to be protected.

For instance, limit the amount of code that is exposed. All code has vulnerabilities that can potentially be exploited, and the more code, the more potential for flaws. Minimizing the amount of code, then, is a good way for businesses to reduce the attack surface. As your software application matures and you add features, your key modules might add more and more functionality. Hide unused parameters to provide fewer things for malicious actors to target. And if you’re not using the parameter, ask yourself if it could be removed. Carefully review each module to identify any dead code.

Along the same lines, generally third-party applications can be dangerous because their widely available source code increases the attack surface. If you use third-party applications, review and test their code carefully. To shield their code, you might also try renaming them or otherwise concealing their identity.

Minimizing Available Entry Points

You should also carefully consider which features can be accessed by unauthenticated users. For instance, since online demos make all your code available, limit access to customers or registered users. Also limit access to administration or content-management modules, as well as intranet or extranet modules. Enforce IP restrictions, use obscure ports and client certificates, and move administration modules to a separate site.

In addition, consider taking the following measures to limit access to entry points:

  • Validate and sanitize web form inputs. This protects against SQL injection attacks.
  • Only collect the data you need and anonymize where possible.
  • Create secure file uploads by limiting types of uploadable files, validating file type and allowing only authenticated users to upload files.
  • Increase cloud security with cloud workload protection, which offers breach protection for workloads, containers and Kubernetes.

Turning Off Unnecessary Functionality

Typically, new digital assets such as servers and operating systems arrive unconfigured. By default, all application services are turned on and all ports are open. What’s more, these applications and ports typically haven’t been updated. As such, they present a source of vulnerability. Part of security procedures, then, should be to review these digital assets and disable unnecessary applications, functions and services. Again, the less attack surface there is, the less likely it will be that a malicious actor can gain a foothold.

For more on how to protect your company against cyberattacks, check out our Cybersecurity 101 database. Or contact CrowdStrike to help improve your cybersecurity.