Attack Vectors and Attack Surfaces explained
In IT Security, two industry terms deserve a bit of explaining. They are:
An “Attack Vector” is the industry’s term for describing the path that a hacker or a malware application might follow to compromise your data.
In the case of the Target credit card breach from 2013, the hackers gained exposure to Target’s corporate network by stealing the login details of air conditioning contractor which had been granted system-wide access. The Attack Vector was “Compromised Credentials in Network-trusted Third Parties”.
Ransomware follows an Attack Vector that touches on email networks and human fallibility. Typically, successful deployment requires the user to actively bypass security controls designed to limit exposure. The Attack Vector being exploited is “Phishing” where users are tricked into taking action they would normally avoid.
Malware contained in an app is often granted all the permission it needs at the point of installation. Apps downloaded from unofficial App stores are often laced with malware and lazy or greedy users who don’t verify their quality or who seek to avoid paying for apps are the targets. The Attack Vector is another form of phishing.
Your “Attack Surface” is all the publicly and privately-exposed nexus points between your company’s data and the human or software-driven interfaces of your company. In essence, it’s all your threat vectors put together.
It’s important to periodically map and take stock of your Attack Surface and to proactively take some steps to mitigate your exposure.
The alternative is losing a couple of days and maybe a few thousand dollars getting your data back from ransomware. Or worse, a loss of brand trust because your company is hacked and the breach is made public.
Mandatory data breach reporting seems inevitable and may be in place by the end of 2017. Our advice is to map out your Attack Surface now with an Information Security Audit from a trusted Managed Network Security provider.