Amid so many recent high-profile hacks and data breaches, security experts are fond of pointing out that there's no such thing as perfect security. It's true! But it also invites the question: Why doesn't literally everything get hacked all the time? The answer has to do with the relative incentives and the costs of infiltrating a given network. And one of the concepts underlying that calculus is the idea of an "attack surface."
Here's an example. Imagine if someone asked you to get inside two buildings, one after the other. The first is a hotel, so you just walk through the main entrance, or maybe through the bar, or up from the parking garage, or from the pool in back. The second is a concrete cube with no visible windows or doors; time to break out the jackhammer.
That's the idea behind "attack surface," the total number of points or vectors through which an attacker could try to enter an environment. In cybersecurity, the concept applies to ways an attacker could send data to and/or extract data from a network. Just like it's easier to get into the hotel than the bunker, it's easier for attackers to find vulnerabilities in the defenses of a network that has a lot of data interfaces than a network that only has a few very controlled access points.
"All software has attackable places depending on what access the attacker has and is able to gain," says Brook S. E. Schoenfield, principle engineer at Intel Security and the author of Securing Systems: Applied Security Architecture and Threat Models. "But if you design it well and design it defensively, at least they’re limited to the channels you give them that you know about."
Attack surface awareness is no security panacea, but understanding how a network's exposure relates to its risk of being breached gives a lot of valuable context. It can be hard to tell what's really going on with any given security incident. But just by considering the victim’s potential attack surface---how secure the network probably was (or wasn’t) to begin with, how many ways in there would have been for an attacker, and how likely a successful breach would be overall---you can formulate ideas about what happened.
Take the "Vault 7" CIA data Wikileaks released this week. Assuming it is legitimate, it originated from a network that presumably has a very small attack surface. Wikileaks expressly claims that the data is from "an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina," and experts agree that seems likely. And knowing that CIA networks are probably secure and defended supports the notion that the the data was either leaked by someone with inside access, or stolen by a well-resourced hacking group. It's far less likely that a random low-level spammer could have just casually happened upon a way in.
On the other side of the spectrum sits Yahoo and its many breaches. A huge company naturally has a broad and diverse attack surface---places where an attacker could attempt to access internal networks from the outside. That scale of potential exposure combined with reports that Yahoo grossly under-prioritized security for years gives you a pretty good sense of why attackers hit Yahoo so many times and, with such devastating results.
Making these back-of-the-napkin assessments helps contextualize news, but it has a more practical purpose too: It can help you assess the vulnerability of your own home network. Analyzing the digital attack surface of your personal life is a surprisingly easy way to make secure decisions. Think of your home network: Any device you own that connects to the internet expands your attack surface. Each creates one more entry point an attacker could potentially find a vulnerability in, compromise, and use as a jumping off point to wreak havoc.
"The term attack surface applies to everyone," says David Kennedy, a penetration tester and CEO of the security firm TrustedSec. "As attackers, we commonly go after anything that is a part of your electronic or internet surface. In the context of home users, devices on your network such as door bells that have internet connectivity, smart TVs, routers, cameras---all of these devices provide an elevated surface for attackers in order to gain access to your home network."
That doesn't mean you should stay off the internet altogether; the threat of a break-in doesn't mean you board up all your windows. But it should give you pause when acquiring more and more gadgets that talk to each other, company servers, and who knows what else online. You need a modem and router, and probably have a number of smartphones, computers, tablets, digital media streaming boxes, and ereaders. That's fine! It's just a lot to keep updated, manage, and defend.
Adding a slew of other devices like smart home hubs, network lightbulbs, connected thermostats, fitness monitors, and internet-enabled shower heads expands your attack surface even more, so it's important to add these devices to your life selectively with that understanding in mind. It might be worth it to you to have an Amazon Echo, but if you're not using the "smart" features of your smart TV, go ahead and disconnect it from Wi-Fi. "Plainly, if you have a ton of [IoT] stuff in your home, your attack surface is drastically increased," Kennedy says.
The same goes for your data, and online accounts held by institutions. Creating accounts and storing information in them, like photos or credit card numbers, should be a conscious, intentional choice. If you send flowers to people a lot go ahead and make an account with a florist. But that one time you send a box of Florida oranges you're better off checking out as a guest. See? You're getting it already.
