Attack Surface vs. Attack Vector -
What’s the Difference?

Bad actors are always looking for opportunities. From rogue insiders to hostile nation states, vigilance is required to prevent hackers from exploiting vulnerabilities that act as a gateway to your network. For example, the recently publicized vulnerability in the widely used Log4j code offered hackers a way to access the servers of countless organizations.

The pandemic increased awareness of the challenges organizations face in identifying and protecting their entire attack surface to prevent data breaches. More and more organizations are turning to the identity-centered Zero Trust approach to security, which assumes that external and internal threats exist on the network at all times.

Read on to learn the difference between attack surfaces and attack vectors, and how to minimize risks to your network.

An attack surface is all possible access points a bad actor can use to enter, exploit or extract data from your system. Each organization has its own mix of access points that could be vulnerable to external forces and rogue insiders.

Typical access points include:

Applications, Software and Websites

Applications, software and websites can be deployed internally or externally, either off-the-shelf or as a custom solution. Developers often rely on open-source code to save time and money. This can be risky if there are vulnerabilities in the code.

Application Programming Interfaces (APIs) 

Client-side applications (e.g., mobile and web apps) communicate with the server-side of an application through an application programming interface (API). As with apps, software and websites, in-house and third-party developers may rely on open-source code to save time and money, or fail to properly test APIs for security vulnerabilities.

Networks

Your network and all points of interaction with a network can be vulnerable, including remote access, WiFi, Internet of Things (IoT), virtual private networks (VPNs), wide area networks (WANs), local area networks (LANs), cloud platforms, servers and ports.

Employees and Devices

Employees are often the target of hackers looking for credentials to get into a network, especially those users with privileged access to networks, apps and systems. In addition to credentials, bad actors also look for ways to steal personal and corporate devices.

An attack vector is a technique or path used by a bad actor to access or penetrate its target. Hackers have many attack vectors to choose from and often spend more time looking for vulnerabilities than IT departments have time to defend against them.

Common attack vectors include:

• Phishing attacks use social engineering to trick employees into sharing credentials with fraudsters by pretending to be trusted sources.

•  

• Credential stuffing is the automated injection of compromised username-password pairs into website login forms to fraudulently gain access to user accounts.

•  

• Account takeover attacks involve a fraudster using compromised credentials to take over a valid user’s account to access your network. This is especially problematic if the credentials are for a superuser account, giving fraudsters the ability to install malware or ransomware, take down the network or website, and cause other problems.

•  

• Business email compromise (BEC) is one of the most financially damaging online crimes, according to the FBI. Fraudsters can pretend to be a vendor or use malware to infiltrate the network to gain access to email threads about billing and invoices.

•  

• Brute-force/dictionary attacks against remote services such as SSH, are one of the most common forms of attack on the Internet that compromise servers.

•  

• Supply chain attacks are becoming a favorite method for bad actors to target multiple enterprises at the same time. The supply chain attack targeting IT management software company SolarWinds was one of the biggest cybersecurity attacks in years, with hackers gaining access to the networks of tens of thousands of organizations worldwide.

•  

• API attacks range from exploiting vulnerabilities missed during API development to using compromised credentials to enter systems without strong authentication and authorization practices in place. Gartner projects that by 2022, API attacks will become the most-frequent attack vector.

Recent years have seen a strong move towards cloud-based services and remote working for most companies. Although traditional controls such as firewalls are still important, identity is the new cornerstone of security in a world where network perimeters are increasingly blurred. The new security landscape calls for intelligent controls that minimize friction for end users while also ensuring they are acting in good faith at every step of their journey. This is the Zero Trust approach to security.

A true Zero Trust approach requires a wide range of controls, however a few of the key capabilities include:

Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) requires users to provide proof of their identity using stronger mechanisms than just a password. By denying access to bad actors with compromised credentials, multi-factor authentication (MFA) defends against multiple attack vectors and is therefore one the single most effective security measures for protecting information systems. Leading security bodies such as OWASP, NIST, and the CSA all recommend MFA as key security control.

When exploring MFA solutions, be sure to consider factors such as the end user experience and the breadth of your environment a solution can cover (VPNs, servers, etc). For a more detailed look at key considerations for MFA solutions, see our MFA Buyers Guide.

API Security

API security  best practices includes API access control and privacy, detection and remediation of attacks on APIs through API reverse engineering and the exploitation of API vulnerabilities. API security encompasses network security concepts such as rate limiting and throttling, along with concepts from data security, identity-based security and monitoring/analytics.

Dynamic Authorization

Where authentication answers the question “Who are you?”, authorization answers the question “Are you allowed to do this?” Dynamic Authorization provides enhanced security when compared to traditional role-based controls by:

• Providing context-aware access control for data, services and transactions

• Improving agility via centralized integration and policy management

• Providing better visibility and higher assurance of alignment with organizational policy

While we covered some common attack surfaces and attack vectors in this blog, the threats are constantly evolving. To learn more about reducing your vulnerabilities, read our Security Leader's Guide to the Zero Trust Model.