Computer attack surface and consequent vulnerabilities remains a major cause of cybersecurity concerns. The overall digital ‘attack surface’ is perpetually growing and will continue to significantly increase as we move closer and closer to everything being connected to everything else in the future.
What Is Attack Surface?
The attack surface of a computer system and software environment is the sum of the different points (the “attack vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from an environment.
In simple terms an attack surface refers to all the ways your apps can possibly be exploited by attackers. This includes not only software, operating systems, network services and protocols, but also domain names and SSL certificates, and even authentication and access control protocols.
Every computing device needs an operating system or OS, a system software that manages computer hardware, software resources, and provides common services for third party computer programs or applications. OS provides users the services to run various programs and an environment to execute it. Such OS services, which were necessary for legitimate users to run programs of their choice, eventually became vulnerability points that unauthorized users or bad actors used to enter data, or to extract data from the OS environment. These possible attack entry points on an OS are collectively termed as “attack surface”.
An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload for malicious outcome. In most cases attack vectors enable hackers to exploit system vulnerabilities. Examples of attack vectors include user input fields, protocols, interfaces, and services. However, in case of authentication or access control vectors, there may not necessarily be a vulnerability.
The attack surface of a computer system represents all the possible attack entry points. It is common security practice to decrease the attack surface of the OS as much as possible by disabling all unused services.
Exploiting the attack surface became increasingly common after the birth of Internet in 1990 when more and more computers got connected. This gave birth to an entirely new malware / cybercrime industry.
Cybercrime: The Greatest Transfer Of Wealth In Human History
As reported by Cybersecurity Ventures in their 2019 Annual Cybercrime Report, the magnitude of the impact on society by cybercrime represents the greatest transfer of economic wealth in history, and will be more profitable than the global trade of all major illegal drugs combined.
Computer Without An Attack Surface: IMPOSSIBLE!
Through the history of computer science, we have come to live with the fact that if there is a computing device there has to be an “attack surface” exposed to bad actors. In well over half a century that operating systems have made it possible for genuine programs to run on computers, they have also reluctantly kept the same door open for bad actors. Closing that door would mean making the computer useless, as even honest and credible programs would not install. The history of computers teaches us that -“attack surface is a necessary evil,” that we have come to live with, although it makes computers vulnerable to trillions worth security breaches.
Attack Surface Types
Attack surface may be broadly divided into two broad categories:
i) OS Dependent (OSD) attack surface, or internal attack surface:
OSD or Internal Attack surface or vulnerabilities may be Primary or Secondary depending on whether the point of attack is OS directly, or an authorized application installed on the OS.
Primary vulnerability or attack surface is the one directly originating from the OS. Secondary vulnerability or attack surface originates from software, hardware, or protocols that use OS resources to interface with the OS either directly or indirectly via a software or hardware bridge.
ii) OS Independent (OSI) attack surface, or external attack surface, or authentication / access control attacks.
OSI can also be termed as Authentication attack surface or Access Control attack surface. Authentication function isn’t exactly the same as access control, wherein former identifies the user and confirms that they are who they say they are, and latter determines whether the user is allowed to carry out the action that they are attempting to perform. In OSI attack surface, the attacker obviously does not target the OS / app vulnerabilities but deploys password guessing strategies or some such techniques as dictionary attacks, brute force attacks, spoofed logon screens, man-in-the-middle (MITM) attacks, so on and so forth.
Dictionary attacks: These are programs with built in dictionaries. The attackers use all dictionary words to attempt and find the correct password, in the hope that a user would have used a standard dictionary word.
Brute force: This type of attack is attempting to break the password by trying all possible combination of alphabets. The software can be set to start from 2 combination letter and keep keep going to 3 combinations, and then 4 and so on. The program attempts all possible combinations. However, combination beyond 8 letters are not worth attempting as most current generation computers will take a very long time exhausting all possibilities.
Spoofed logon screens: The last access control attack is to implement a fake logon screen, and when a user attempts to login, the logon screen will send the username and password to the hacker.
The Attack Surface & Vulnerabilities
The common approach to improving information security is to reduce the attack surface of a system or software. The basic strategies of attack surface reduction include the following:
i) reduce the amount of code running,
ii) reduce entry points available to untrusted users, and
iii) eliminate services requested by relatively few users.
By having less code available to unauthorized actors, there tend to be fewer vulnerabilities and failures. By turning off unnecessary functionality, there will be fewer security risks. Although attack surface reduction helps prevent security failures, it does not mitigate the amount of damage an attacker could inflict once vulnerability is found. New software deployment opens cyber-threat vectors and makes security operations more complex and vulnerable. The available statistics provide no reprieve from escalated cyber threats in the future.
Since the advent of the Internet and the birth of the cybercrime industry the attack surface has been perpetually growing with no possibility of slow down in the near future.
The Attack Surface / Vulnerabilities Keep Growing
The “attack surface” is simply the total digital resources that are exposed to threats across the enterprise, and that attack surface is growing faster than ever before. Not only the attack surface but also the severity of vulnerability or CVE (common vulnerabilities & exposure) is growing.
There are 115 organizations from 22 countries participating as CNAs (CVE Numbering Authorities). NVD (National Vulnerability Database) provides qualitative severity rankings of Low, Medium & High depending on CVSS (Common Vulnerabilities Scoring System) as defined in the CVSS v3.0 specification,
Low 0.1–3.9 (9%)
Medium 4.0–6.9 (55.30%)
High High7.0–8.9 (22.6%),
Critical 9.0–10.0 (13.1%)
Of the total 123,454 vulnerabilities reported last year, 91% were medium to critical and only 9% were with low CVSS score.
In 2019, of the top 50 software products reporting total number of distinct vulnerabilities, 44 were directly pertaining to OS, and the remaining 6 indirectly via applications installed on the OS. In other words operating systems were directly or indirectly responsible for 100% of the vulnerabilities reported during 2019.
Open Source Components Increase Attack Surface / Vulnerabilities & Exploit Speed
The use of open source components in development of new applications increases the attack surface and therefore vulnerabilities as a consequence. Code reusing is a common practice in software development due to its various benefits. Such a practice, however, may also cause large-scale security issues since one vulnerability may appear in many different software due to cloned code fragments.
Today’s software development strategy largely relies on building up software solutions using open source components from diverse sources. The trend has been on the rise, and has become one of the major reasons for constantly expanding attack surface in the past decade. Findings from a DevSecOps community survey show that breaches related to open source components increased by 71% between 2014 and 2017. This trend is expected to grow in the years that follow as the open source components retain their popularity among the developer community.
Zhang et al recently demonstrated many seemingly unrelated software applications indeed share significant common attack surface.This effect is particularly amplified in mobile app industry, where growth in new mobile apps is enormously higher compared to desktop computers.
On top of the software development trends that lead to increasing attack surface, the DevSecOps are facing another challenge from hackers — The Exploit Speed.
The speed of exploits has shortened by 93%. Now it is only 3 days before a vulnerability is exploited as against 45 days in 2006. This means the professional cybercriminals can exploit a new CVE as soon as it is released by just going back to their catalog, and figuring out which systems are likely vulnerable to that particular CVE. This has given rise to increase in zero-day vulnerabilities. Zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw.
Cybersecurity To Get Worse
With all the statistics available on rate of increase in prevalence of vulnerabilities and software development trends, it is clear that Cybersecurity is all set to get worse. A latest report on cybersecurity market forecasts a surge at a 12.6% CAGR by 2027. Another report from Cyber Security Ventures, predicts that:
Zero-day cyber-attacks on businesses are expected to rise from one per week to one per day by 2021.
A recent Cybersecurity Futures 2025 Insights and Findings Report, jointly tabled by UC Berkley’s Center for Long Term Cybersecurity (CLTC) and CNA, presenting opinions of experts, decision-makers, firms, and societies around the world on emerging cybersecurity challenges, envisions: “new vulnerabilities that cybercriminals will keep exploiting in the future.”
No futurist, including the legendary futurist Ray Kurzweil envision a future without computer viruses and software vulnerabilities as evident from his interview with a Forbes cybersecurity expert:
“We have a system between all the security protocols and the antivirus software and cybersecurity companies where we’re constantly scouting for new threats. When one’s found, it’s reverse engineered, partly with human intelligence and partly with computer intelligence, an antidote is coded, and it’s distributed virally, getting the patches to the antiviral programs.”
There seems to be a consensus that overall digital ‘attack surface’ will significantly increase as we move closer and closer to everything being connected to everything else in the future.