Industry News

Attack Vectors and Attack Surfaces explained

Attack Vectors and Attack Surfaces - what's the difference?

In IT Security, two industry terms deserve a bit of explaining. They are:

Attack Vector

Attack Surface

An “Attack Vector” is the industry’s term for describing the path that a hacker or a malware application might follow to compromise your data.

In the case of the Target credit card breach from 2013, the hackers gained access to Target’s corporate network by stealing the login details of an air conditioning contractor which had been granted system-wide access. The Attack Vector was “Compromised Credentials in Network-trusted Third Parties”.

Ransomware follows an Attack Vector that touches on email networks and human fallibility. Typically, successful deployment requires the user to actively bypass security controls designed to limit exposure. The Attack Vector being exploited is “Phishing”, where users are tricked into taking an action they would normally avoid.

Malware contained in an app is often granted all the permissions it needs at the point of installation. Apps downloaded from unofficial App stores are often laced with malware, and lazy or greedy users who don’t verify their quality or who seek to avoid paying for apps are the targets. The Attack Vector is another form of phishing.

Your “Attack Surface” is all the publicly and privately exposed points where your company’s data meets the human- or software-driven interfaces of your company. In essence, it’s all your Attack Vectors put together.

It’s important to periodically map and take stock of your Attack Surface and to take proactive steps to mitigate your exposure.

The alternative is losing a couple of days and maybe a few thousand dollars getting your data back from ransomware. Or worse, a loss of brand trust because your company is hacked and the breach is made public.

Mandatory data breach reporting seems inevitable and may be in place by the end of 2017. Our advice is to map out your Attack Surface now with an Information Security Audit from a trusted Managed Network Security provider.
