
In the first article in this series, we discussed a little about Understanding Attack Surface Analytics, and in this second installment we will examine exactly what constitutes your attack surface.

Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk.

A typical attack surface has complex interrelationships among three main areas of exposure: the software attack surface, the network attack surface and the often-overlooked human attack surface.

The Software Attack Surface

The software attack surface is comprised of the software environment and its interfaces. These are the applications and tools available to authorized (and unauthorized) users.

The software attack surface is calculated across many different kinds of code and artifacts, including applications, email services, configurations, compliance policy, databases, executables, DLLs, web pages, mobile apps and device operating systems.

The Network Attack Surface

The network attack surface presents exposure related to ports, protocols, channels, devices (from routers and firewalls to laptops and smart phones), services, network applications (SaaS) and even firmware interfaces.

Depending on your infrastructure, you may need to include cloud servers, data, systems and processes to your network attack surface.

The Human Attack Surface

Humans have a range of complex vulnerabilities that are frequently exploited. One of the great strengths of highly secure organizations is their emphasis on communicating security awareness and safety principles to their employees, partners, supply chain and even their customers (as when using the web to gain secure access to bank or 401K accounts).

Many breaches begin with an exploit directed at humans, and it’s very clear that malicious intent, inadvertent errors and misplaced trust can all be exploited to cause great harm. Examples of successful attacks vary widely (most notably phishing and spear phishing), but a comprehensive index should also include processes, physical security and privileges (including the ability to attach, read or write to removable devices).

In summary, to accurately determine your attack surface risk, all three of these attack surfaces must be considered. Using existing and emerging ASA technologies can provide improved insight and visibility into your organization’s security posture in each of these areas, as well as provide the underlying basis for the attack surface score.

For more information, check out the whitepaper Understanding Your Attack Surface: The First Step in Risk-Based Security Intelligence, and feel free to contact me at

In the next article in this three article series, we will examine Effectively Communicating Attack Surface Analytics… Stay tuned!


  • Phil Agcaoili

    So far this looks a lot like the risk management approaches found in International Organization for Standardization (ISO)
    31000:2009, ISO/IEC 27005:2011, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-39, and the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline.

    I eagerly await the next installment.

    • Kat_Brock

      Hi Phil, yes, you're right of course – due to wide ranging readership we try to keep it relevant but not overly technical. As you definitely know, these are so fundamental that they have broad applicability across all these standards.

      I might note per your reference to the Electricity Subsector Cybersecurity RMP that right now I'm digging deeply into critical infrastructure protection and NERC CIP standards. Even here it all reduces to some variation on these three components. It's a bit surreal how large an understanding gap exists within power/electric organizations about risk fundamentals. Gads – here's a quote from NERC's May 2013 Compliance Analysis Report re CIP-007 violations – "The local Windows password age was 1706 days at the time of discovery, meaning that it had not been changed in 4.5 years." Hmmmm, feeling safer?
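The stale-password condition quoted in the comment above (a local Windows password unchanged for 1706 days), as an added example that is not part of the article or the comment thread: a PowerShell check that lists enabled local accounts whose password age exceeds a policy threshold. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the 90-day threshold is an assumed policy value, not one the page states.

```powershell
# Added example: flag enabled local accounts whose password is older than
# a policy threshold (the CIP-007 finding quoted above would show AgeDays = 1706).
# Assumes Windows PowerShell 5.1+ with Get-LocalUser available.

function Get-StaleLocalPasswords {
    param(
        [int]$MaxAgeDays = 90,          # assumed policy value; set to your standard
        [datetime]$Now = (Get-Date)
    )
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        # PasswordLastSet is $null when a password has never been set;
        # treat that as stale too rather than silently skipping the account.
        $age = if ($_.PasswordLastSet) { ($Now - $_.PasswordLastSet).Days } else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            AgeDays         = $age
            Stale           = ($null -eq $age) -or ($age -gt $MaxAgeDays)
        }
    } | Where-Object { $_.Stale }
}

# Report offenders, oldest first, and exit non-zero so a scheduled job can alert.
$stale = Get-StaleLocalPasswords -MaxAgeDays 90
if ($stale) {
    $stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize
    exit 1
}
```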

  • Natalie Diaz

    I really liked the software that you have reviewed here. I appreciate the combination of the apps and tools to authorize the users. It’s a really awesome read!!
