Attack vectors make up the attack surface
To blow up a balloon, you need to put air in it, as it is only by adding air that the balloon expands.
The relationship between attack vectors and attack surfaces works the same way. You have no attack surface without attack vectors, and attack vectors, as used here, include all of your organization's devices as well as the pathways attackers use to reach your environment. A small number of attack vectors means a small attack surface. As your attack vectors grow in size and number, your attack surface grows with them.
True attack surface visibility is critical
In my experience, that's where security breaks down for most organizations. Managers, directors and CISOs receive reports from the network on their attack vectors: how many devices of each type they have and whether or not those devices are secure. That can instill a false sense that "we are okay because the report says we are compliant." But what the network reports is often miscommunicated or misrepresented.
There is a common misunderstanding of what constitutes an attack vector. Most people take it to mean some "secret sauce", or the parts of the network that carry the important security devices, such as a firewall, an intrusion prevention system, or other infrastructure built to block attacks. In fact it is all of your devices, services and connections. Your attack vectors may not appear to be getting bigger even as more devices and connections come on board, but they have almost certainly grown in both size and number, and the attack surface has expanded with them.
Understand your threat landscape
Attackers come with the intention of destroying data and systems, disrupting services, or stealing data, and in each case placing a financial burden on the organization. The devices and services wrapped within an attack vector are exactly what those attacks disrupt.
With cloud computing, and especially the recent expansion of the corporate perimeter, managing and protecting specific devices has moved beyond the organization's direct control. A user connected over VPN may be sitting in a home office or a Starbucks, and the other devices on that same network, behind the VPN endpoint, could be listening in.
Since the size of the attack vectors (that is, the number of devices throughout the environment) affects the size of the attack surface, you would expect the attack surface to expand as the device count grows. But the expansion is not necessarily proportional to the count: the connections between the devices matter as much as their number.
For example, take an attack vector that contains 20 devices. The connections between those devices and external sources such as cloud computing, cloud storage or VPN connectivity are like veins leading to the heart: they are the connections into all of your organization's systems. New connections can spring up anywhere, and once made they proliferate. A user connecting from a home office may have an Xbox and an iPad on the same home network over an unsecured Wi-Fi connection, and those devices become part of the organization's extended attack surface. Bad actors look for these seemingly insignificant but less secure connections because they are the easiest way to gain unauthorized access inside the organization.
This illustrates how an organization's attack vectors, and with them its attack surface, can expand and become a problem precisely because the organization does not know about all the devices its attack vectors contain.
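The non-proportional growth described above, as an added example that is not part of the original article: a small Python model that measures the attack surface as the set of distinct paths from an untrusted origin to the assets that matter, rather than as a device count. The hosts, names and topology (a segmented 20-device network, then a home office with a flat home LAN added behind the VPN) are constructed for the illustration and do not describe any real environment.

```python
"""Attack surface as reachable paths, not a device count (added illustration).

Nodes are devices or services, directed edges are network/trust connections
("src can initiate a connection to dst"). The attack surface is measured as
the distinct simple paths from an untrusted origin to the crown-jewel assets.
All hosts, names and edges below are constructed for this example.
"""
from collections import defaultdict

# Constructed baseline: 20 internal devices behind a firewall. Only the
# firewall is reachable from the internet; the 14 workstations talk to the
# file server but are not reachable from outside.
BASELINE = [
    ("internet", "firewall"),
    ("firewall", "vpn-gw"),
    ("firewall", "web-proxy"),
    ("vpn-gw", "jump-host"),
    ("jump-host", "crm-db"),
    ("jump-host", "file-server"),
] + [(f"ws-{i:02d}", "file-server") for i in range(1, 15)]

# Constructed home office: a consumer router with weak Wi-Fi that is reachable
# from the internet, a flat home LAN (Xbox and iPad can reach the laptop), and
# a corporate laptop running the VPN client.
HOME_OFFICE = [
    ("internet", "home-router"),
    ("home-router", "home-laptop"),
    ("home-router", "xbox"),
    ("home-router", "ipad"),
    ("xbox", "home-laptop"),
    ("ipad", "home-laptop"),
    ("home-laptop", "vpn-gw"),
]
EXPANDED = BASELINE + HOME_OFFICE

CROWN_JEWELS = frozenset({"crm-db", "file-server"})


def build_graph(edges):
    """Adjacency sets; every node appears as a key even if it has no out-edges."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_paths(graph, start, targets, max_depth=8):
    """Enumerate simple paths (no repeated node) from start to any target."""
    paths = []

    def dfs(node, path):
        if node in targets and len(path) > 1:
            paths.append(tuple(path))
            return
        if len(path) > max_depth:
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return paths


def surface_summary(edges, start="internet", targets=CROWN_JEWELS):
    """Device count (what an inventory reports) versus exposure (paths in)."""
    graph = build_graph(edges)
    paths = reachable_paths(graph, start, targets)
    devices = {node for edge in edges for node in edge} - {start}
    entry_points = sorted({path[1] for path in paths})  # first hop from outside
    return {"devices": len(devices), "entry_points": entry_points, "paths": len(paths)}


if __name__ == "__main__":
    for label, edges in (("baseline", BASELINE), ("with home office", HOME_OFFICE and EXPANDED)):
        print(label, surface_summary(edges))
```

The inventory view grows from 20 to 24 devices, a 20% increase, while the number of distinct paths from the internet to the crown jewels goes from 2 to 8 and the entry points from one to two. A compliance report that lists 24 devices, all "secure", shows none of this. The model is deliberately a toy: real attack-path analysis also has to account for credentials, trust relationships between identities and the services each host actually exposes, but the point it makes is the article's own, that the shape of the connections, not the count of devices, drives the attack surface.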