{{short description|Software environment vulnerable to attack}} {{for|the 2020 science fiction novel|Cory Doctorow#Fiction}} The '''attack surface''' of a [[software]] environment is the sum of the different points (for "[[attack vector]]s") where an unauthorized user (the "attacker") can try to enter data to, extract data from, or control a device or critical software in an environment.<ref name=OWASP>{{cite web|title=Attack Surface Analysis Cheat Sheet|url=https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html|publisher=Open Web Application Security Project|access-date=30 October 2013}}</ref><ref name=Manadhata>{{cite book|last=Manadhata|first=Pratyusa|title=An Attack Surface Metric|year=2008|url=http://reports-archive.adm.cs.cmu.edu/anon/2008/CMU-CS-08-152.pdf|access-date=2013-10-30|archive-date=2016-02-22|archive-url=https://web.archive.org/web/20160222045620/http://reports-archive.adm.cs.cmu.edu/anon/2008/CMU-CS-08-152.pdf|url-status=live}}</ref> Keeping the attack surface as small as possible is a basic security measure.<ref>{{Cite journal|last1=Manadhata|first1=Pratyusa|last2=Wing|first2=Jeannette M.|title=Measuring a System's Attack Surface|url=https://www.cs.cmu.edu/afs/cs/usr/wing/www/publications/ManadhataWing04.pdf|journal=|access-date=2019-08-29|archive-date=2017-03-06|archive-url=https://web.archive.org/web/20170306210801/http://www.cs.cmu.edu/afs/cs/usr/wing/www/publications/ManadhataWing04.pdf|url-status=live}}</ref>

== Elements of an attack surface == {{More citations needed section|date=October 2021}} Worldwide digital change has accelerated the size, scope, and composition of an organization's attack surface. The size of an attack surface may fluctuate over time, adding and subtracting assets and digital systems (e.g. [[website|websites]], [[Web hosting service|hosts]], cloud and mobile apps, etc.). Attack surface sizes can change rapidly as well. Digital assets eschew the physical requirements of traditional network devices, servers, data centers, and on-premise networks. This leads to attack surfaces changing rapidly, based on the organization's needs and the availability of digital services to accomplish it.

Attack surface scope also varies from organization to organization. With the rise of digital supply chains, interdependencies, and globalization, an organization's attack surface has a broader scope of concern (viz. vectors for cyberattacks). Lastly, the composition of an organization's attack surface consists of small entities linked together in digital relationships and connections to the rest of the internet and organizational infrastructure, including the scope of third-parties, [[digital supply chain]], and even adversary-threat infrastructure.

An attack surface composition can range widely between various organizations, yet often identify many of the same elements, including: * [[Autonomous system (Internet)|Autonomous System Numbers (ASNs)]] * [[IP Address]] and IP Blocks * [[Domain name|Domains]] and [[Subdomain|Sub-Domains]] (direct and third-parties) * [[Public key certificate|SSL Certificates]] and Attribution * [[WHOIS]] Records, Contacts, and History * Host and Host Pair Services and Relationship * [[Port (computer networking)|Internet Ports]] and Services * [[NetFlow]] * [[Web framework|Web Frameworks]] ([[PHP]], Apache, Java, etc.) * [[Web Server]] Services (email, database, applications) * [[Cloud computing|Public and Private Cloud]]

== Understanding an attack surface == Due to the increase in the countless potential vulnerable points each enterprise has, there has been increasing advantage for hackers and attackers as they only need to find one vulnerable point to succeed in their attack.<ref name=":0">{{Cite web|url=https://www.skyboxsecurity.com/sites/default/files/Attack%20Surface%20Visualization.pdf|title=Attack your Attack Surface|last=Friedman|first=Jon|date=March 2016|website=skyboxsecurity.com|access-date=March 6, 2017|archive-date=March 6, 2017|archive-url=https://web.archive.org/web/20170306025153/https://www.skyboxsecurity.com/sites/default/files/Attack%20Surface%20Visualization.pdf|url-status=dead}}</ref>

There are three steps towards understanding and visualizing an attack surface:

'''Step 1: Visualize.''' Visualizing the system of an enterprise is the first step, by mapping out all the devices, paths and networks.<ref name=":0" />

'''Step 2: Find indicators of exposures.''' The second step is to correspond each indicator of a vulnerability being potentially exposed to the visualized map in the previous step. Indicators of exposures (IOEs) include "missing [[security controls]] in systems and software".<ref name=":0" />

'''Step 3: Find indicators of compromise.''' This is an indicator that an attack has already succeeded.<ref name=":0" />

== Surface reduction== One approach to improving [[information security]] is to reduce the attack surface of a system or software. The basic strategies of attack surface reduction include the following: reduce the amount of [[software|code]] running, reduce entry points available to untrusted users, and eliminate services requested by relatively few users. By having less code available to unauthorized actors, there tend to be fewer failures. By turning off unnecessary functionality, there are fewer [[security risk]]s.

Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once a vulnerability is found.<ref>{{cite web|last=Michael|first=Howard|title=Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users|url=http://msdn.microsoft.com/en-us/magazine/cc163882.aspx|publisher=Microsoft|access-date=30 October 2013|archive-date=2 April 2015|archive-url=https://web.archive.org/web/20150402070607/https://msdn.microsoft.com/en-us/magazine/cc163882.aspx|url-status=live}}</ref>

== Regulatory implications == Regulatory frameworks address attack surface management by requiring organizations to identify and control potential points of unauthorized access. The [[Health Insurance Portability and Accountability Act]] (HIPAA) Security Rule requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of [[electronic protected health information]] (45 CFR 164.308(a)(1)(ii)(A)) and to implement access controls that restrict access to authorized users (45 CFR 164.312(a)(1)).{{cite web |title=45 CFR § 164.312 - Technical safeguards |url=https://www.law.cornell.edu/cfr/text/45/part-164/subpart-C |publisher=Legal Information Institute |access-date=April 1, 2026}} The December 2024 HIPAA Security Rule [[Notice of proposed rulemaking|NPRM]] proposed requiring regulated entities to maintain a comprehensive asset inventory and network map documenting all technology assets that create, receive, maintain, or transmit ePHI, effectively mandating attack surface documentation.{{cite web |title=HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information |url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information |publisher=Federal Register |date=January 6, 2025 |access-date=April 1, 2026}}

[[NIST Special Publication 800-53]] addresses attack surface reduction through multiple control families, including CM-7 (Least Functionality), which requires organizations to restrict system capabilities to only essential functions, and SA-11 (Developer Testing and Evaluation), which addresses security testing during the system development lifecycle.{{cite web |title=NIST SP 800-53 Rev. 5: Security and Privacy Controls |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final |publisher=National Institute of Standards and Technology |date=September 2020 |access-date=April 1, 2026}} The [[Cybersecurity and Infrastructure Security Agency]] (CISA) [[Binding Operational Directive]] 23-01 requires federal agencies to maintain a complete inventory of networked assets and identify vulnerabilities across their attack surface.{{cite web |title=Binding Operational Directive 23-01 |url=https://www.cisa.gov/news-events/directives/binding-operational-directive-23-01 |publisher=Cybersecurity and Infrastructure Security Agency |date=October 2022 |access-date=April 1, 2026}}

== See also == *[[Vulnerability (computing)]] *[[Computer security]] *[[Attack Surface Analyzer]] *[[Vulnerability management]] *[[Vulnerability scanner]]

==References== {{Reflist}}

[[Category:Computer security software]] [[Category:Mobile security]]