What is Attack Surface?

Attack surface. The first thing I think of is the surface area, or the exposed area that is susceptible to a cyber onslaught by threat actors, or bad people with malicious intent.

According to Wikipedia:

“The attack surface of a software environment is the sum of the different points (for “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment. Keeping the attack surface as small as possible is a basic security measure.”

via Wikipedia

“KEEPING THE ATTACK SURFACE AS SMALL AS POSSIBLE IS A BASIC SECURITY MEASURE.” **clap, clap**

Does that last line stick out to anyone else??

It should. Let’s examine. The smaller the attack surface, the fewer ways there are to exploit it. It’s like the adage that complexity is the enemy of security: complexity opens up MORE attack surface area, by nature of the fact that we are increasing the options available to users. With more options available to the user come more vulnerabilities available to a threat actor (i.e. the very bad person with malicious intentions that you seem to keep forgetting about).

Generally, ease-of-use and security tend to be at odds with each other. That is, we can make things easier for the user with more options (think added complexity), but at the cost of security.

  • Biblio:
    • Wikipedia: https://en.wikipedia.org/wiki/Attack_surface