Learn external attack surface, cybersecurity, and third-party risk terms with our A-Z glossary.
Acceptable risk is the level of risk a company is willing to tolerate based on the likelihood of exploitation, the value of the asset or data, and the strength of existing security controls. Acceptable risk thresholds are often tradeoffs. For example, a company may be willing to tolerate greater risk of data leakage if it’s too costly to implement additional security measures and the data at risk poses little harm to the organization if exposed.
Access control is a security measure that enables organizations to provide varying levels of access to systems, network resources, and data based on the user’s identity and the sensitivity of the system or data. For example, access control measures can limit access to valuable intellectual property to a few key executives while blocking access to all other users. Access to customer data may be limited to users from sales, marketing, and customer service departments, and access to employee performance data may be limited to users above a certain management level. Generally, access control aims to provide access to the minimum information and resources necessary for the user to perform their job duties.
An active asset is an attack surface element that is currently in use. Differentiating active assets from inactive assets is an essential practice when implementing attack surface reduction measures, ensuring that only inactive assets are deprecated or eliminated so that business operations are not disrupted.
An application programming interface (API) is a set of rules and protocols that enable two applications to communicate with each other and share data. Application developers use APIs to integrate the functions of one application into another without coding those capabilities from scratch. Nearly every application makes use of at least one API today. However, their prevalence and exploitability make them appealing attack surface vectors for cyber attackers.
In the context of attack surface management, an asset is an IT element such as an application, code, website, server, or other element that provides a point of entry for a cyber attacker to breach a network, system, application, or device. The external attack surface comprises all internet-facing IT assets, both known and unknown. Assets exist in the cloud, on premises, in subsidiary networks, and in vendors’ environments.
Asset discovery, also known as supply chain discovery, is the process of identifying the IT assets that make up the attack surface, including known and unknown assets, managed and unmanaged assets, as well as vendors’ assets, subsidiaries’ assets, and rogue (malicious) assets. The attack surface constantly expands as business needs change and new assets like systems, devices, and users are added. Therefore, asset discovery must be a continuous process to identify previously unknown and potentially malicious assets, their connections, and how they might impact first-party assets if breached.
Internet-facing IT assets do not all carry the same risk. Accurately identifying at-risk assets and determining the level of risk requires context, such as how, when, and where it’s used, who owns or manages the asset, and how it’s connected to other assets in the digital supply chain. At-risk assets are those with exploitable vulnerabilities.
Attack surface assessment is the process of evaluating assets to identify high-risk areas and vulnerabilities to understand the attack surface from an attacker’s perspective. The assessment considers factors such as where vulnerabilities exist, whether those vulnerabilities are exploitable, the connections between assets, and what consequences could result from a breach.
An attack surface element is an internet-facing asset that makes up part of a company’s attack surface. Attack surface elements include physical devices, networks, servers, websites, cloud, applications, and other internet-facing assets within a company’s ecosystem.
Attack surface inventory is the complete accounting of all assets or elements that make up a company’s attack surface and can include both first-party assets and assets that the company does not directly own or control. It’s the result of an asset discovery process.
Attack surface management comprises the processes and methods used to discover assets and map the attack surface, identify vulnerabilities and assess risk, prioritize vulnerabilities based on risk level and likelihood of exploitation, and carry out remediation efforts that mitigate or eliminate attack surface risks. It also includes attack surface reduction measures. For example, if the asset discovery process identifies previously unknown assets that are no longer in use, eliminating these assets reduces the attack surface.
Attack surface monitoring is one component of attack surface management. It encompasses the methods and processes used to continuously scan an organization’s attack surface to identify previously unknown assets and detect abnormal behavior and vulnerabilities.
Attack surface reduction describes the decisions and actions an organization takes to remove potential points of entry on its attack surface or to bolster the security of assets to make them less vulnerable to attack. Attack surface reduction can involve many different techniques, such as removing redundant applications, eliminating user accounts that are no longer used or needed, and segmenting the company’s network, among others.
Effective attack surface management requires attack surface visibility. Companies gain attack surface visibility through supply chain discovery and attack surface monitoring, inventory, and assessment. Attack surface visibility means a company fully understands its assets, where they exist, their connections, and what vulnerabilities and risks exist.
An attack vector is a method a threat actor uses or the path they follow to exploit a vulnerability. Examples of attack vectors include poor encryption, exposed assets, weak passwords, malware, distributed denial of service (DDoS) attacks, phishing, and more.
Classification is a method of categorizing assets or vulnerabilities based on their potential impact, exploitability, the likelihood of a breach, and other factors. Classification enables businesses to prioritize remediation efforts, addressing the vulnerabilities and risks with the most serious potential consequences for the organization before addressing those with lesser potential impact.
A cloud asset refers to any IT element used for cloud computing, such as virtual or physical servers and storage, databases, and SaaS applications. Most IT assets can be cloud assets, depending on whether they contribute to operations in the cloud.
Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed IT security flaws and issues. It provides a central point of reference for entities to exchange information about vulnerabilities and exposures that might impact others. This database contains only publicly reported CVEs, however, and therefore isn’t a complete reference of all vulnerabilities and exposures in existence. It’s maintained by the National Cybersecurity FFRDC (Federally Funded Research and Development Center) and operated by the MITRE Corporation. CVE is sponsored by the U.S. Government with funding from the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Continuous discovery is the process of constantly scanning the digital supply chain to identify previously unknown assets and vulnerabilities. It’s a necessary component of effective attack surface management.
Credential theft occurs when malicious actors steal login details and use them to access services or applications. Threat actors then steadily elevate their privileges or access bank accounts, e-commerce websites, and other platforms as if they were the legitimate customer. Credential theft can cause significant financial losses for victims (both companies and the affected customers). In the healthcare industry, it can result in the loss of Protected Health Information (PHI). Hackers use several techniques to obtain credentials, including brute force attacks, phishing, site spoofing, and injecting malicious code into a login or checkout page.
Cyber risk is the potential exposure to harm through an enterprise’s online presence, which can be anything from a web service to communication tools to social media accounts. While cyber security includes the prevention of data breaches, it also protects the organization from monetary, intellectual, and reputational loss.
A cyber risk assessment evaluates an asset, vulnerability, or system as a whole to determine the likelihood of a breach and the potential consequences of an exploit.
Cyber risk quantification refers to the calculations and methods used to gauge the potential consequences of a data breach targeting a particular asset. It can be expressed in several ways, such as potential financial loss, business disruption, or severity of the risk, as long as it’s in relevant terms that both internal and external stakeholders understand.
A data breach exposes sensitive data to unauthorized users. Basically, any data accessed by an unauthorized audience is a data breach. For enterprises, data breaches can result in lost intellectual property and consumer trust, as well as millions of dollars in fines, depending on the severity.
Decommissioning is the process of removing an asset from a company’s network and properly disposing of it or recycling it while ensuring that no information can be retrieved from it. It’s a common practice when upgrading hardware components such as servers, laptops, and entire data centers. Failure to decommission an asset properly means it remains part of the company’s attack surface and leaves the business vulnerable to potential cyber attacks. Local, state, and federal regulations exist that specify proper decommissioning requirements for various types of IT assets.
Defense in depth is another term for layered security. It means implementing multiple layers of security controls so that if one fails, there’s another obstacle to prevent threat actors from accessing the network or system.
The Digital Supply Chain is the result of business processes and transactions migrating to web-based services and applications. These “products” are now digital, and the “suppliers” of the components deliver their products via APIs and embedded code. Internet connectivity – the heart of these Digital Supply Chains – has enabled the explosion of digital business models over the last few decades.
Encryption turns plaintext into ciphertext that cannot be interpreted by anyone other than the intended recipient. To an unauthorized user who intercepts encrypted data or steals it from a company’s network, it looks like a series of random numbers, letters, and characters, which prevents attackers from using the data in any meaningful way. However, some encryption algorithms are weak or have been broken, and poorly encrypted data may be decrypted by malicious actors.
An exploit is code, a command sequence, or a program that takes advantage of a security flaw or vulnerability to gain access to an application or network. Hackers use exploits to steal data, install malware, or cause other unintended behavior.
An exposure is a misconfiguration or a flaw in a software application that enables threat actors to gain unauthorized access to an application or network.
A false positive is a security alert indicating a threat or vulnerability that does not actually exist. IT security teams must investigate each alert to determine whether it is legitimate and take appropriate action if so. A large number of false positives consumes significant time and resources, contributing to cybersecurity costs. Sometimes, dealing with many false positives causes security teams to miss more serious and legitimate threats.
Your enterprise is aware of the risks it assumes when working with a third-party vendor. But what about the vendors used by those third parties? They have their own digital supply chain of vendors, IT infrastructures, dependencies, and resources. And each element in these supply chains exposes you to more and more potential risk. Multiply that by the number of vendors you know of (and then the vendors you don’t know about), and you’ll discover your external attack surface extends farther than you imagine.
An inactive asset is an internet-facing IT element that is connected to first-party active assets but is not currently in use. Despite being inactive, these assets are part of the attack surface and can leave the door open to threat actors.
The Internet of Things (IoT) is a network of everyday objects interconnected via the internet to send and receive data. These objects are embedded with software or sensors to collect data and send it to other devices or software systems. IoT devices and systems contribute to the attack surface, and they can contain vulnerabilities that attackers can exploit. IoT is prevalent, and some companies add dozens to thousands of IoT assets to their networks that they may not assess or monitor effectively.
A known asset is an IT element in a company’s IT systems that the company knows exists. Most companies have many known assets that are part of the attack surface, and these assets can still pose risks if the company fails to implement appropriate security controls for them.
Layered security is a cybersecurity approach that implements multiple layers of security controls. If an attacker manages to get past one security control, they have one or more additional security measures to evade if they’re targeting a system with layered security. Think of the additional security layers as fail-safes or backup measures. Layered security is also known as defense in depth.
Over time, new technologies emerge that provide more advanced software and computing functionality, leading businesses to invest in upgrading their applications and systems. Legacy IT refers to an outdated operating system or software application that’s still being used by an organization because it supports a critical business function. It includes applications that developers no longer update, maintain, or support (which may contain vulnerabilities), systems or applications that are no longer sold or utilize obsolete technologies, and hardware that can no longer support a company’s software systems. These factors can make legacy IT difficult and costly to maintain.
A malicious asset, also known as a rogue asset, is created by a threat actor or unauthorized user to target a company. Phishing websites or mobile applications designed to appear as those owned by the target company, typo-squatted domains, and stolen data sets shared or sold on the dark web are examples of malicious assets.
In mergers and acquisitions, two or more businesses are consolidated into one, either by combining two or more separate businesses into one new single entity or by one company purchasing and taking over the assets of another. M&A transactions expand the attack surface for the acquiring company or the newly formed entity, and many companies discover cybersecurity concerns during the M&A process. External attack surface management enables companies to conduct digital supply chain discovery and identify potential vulnerabilities before the transaction takes place, which helps inform decision-making and allows businesses to address security issues before merging or acquiring assets.
Misconfiguration occurs when an application’s or system’s settings are not set or are improperly implemented, which can leave the application or system vulnerable to unauthorized access. Misconfiguration can occur in a network, application, cloud infrastructure, and any component with settings.
In the context of cybersecurity, mitigation is a damage control process that does not completely eradicate a vulnerability or threat but minimizes the potential negative consequences that could occur with a breach.
Network penetration is the act of breaking through security controls and gaining unauthorized access to a network. It’s often used in the context of network penetration testing (or network pen testing), which simulates a real-world attack to identify potential vulnerabilities and entry points for attackers.
Network segmentation creates barriers between different areas of a network, allowing each subnetwork to function independently. It’s a strategy that helps to reduce the attack surface. If a threat actor manages to access one network segment, they cannot automatically access other segments or spread malware throughout the entire network.
Nth parties pose the same risk to your enterprise as third parties but are significantly more difficult to track: they are the vendors, services, applications, and IT infrastructures of your vendors’ vendors. That’s right: they are connected to your organization by “nth” degrees of separation within your cyber supply chain.
Open source software (OSS) is software with publicly available source code that anyone can access, modify, and distribute based on the terms of the license. Many modern applications use some OSS components. Because anyone can modify or expand open source code, threat actors can inject malicious code into an OSS component that otherwise appears safe. Malicious changes are often detected only after the application has been widely distributed throughout the digital supply chain, impacting millions of users. Hackers can also study open source code to identify potential vulnerabilities they can exploit.
Orphaned assets are IT assets that lack identifiable origins or connections and are not readily visible to security teams as a result. Examples include virtual machines that have no physical host and applications that have been abandoned and have no clear administrator or manager. These assets are often left exposed, making them ideal targets for malicious actors.
A penetration test is a type of security test that simulates a hacker breaking into a network or system to evaluate the strength of a company’s security controls.
The principle of least functionality is a strategy that limits an application’s functionality to only the essential capabilities, restricting or prohibiting the use of other functions, services, or ports that aren’t integral to the business’s use of the system.
The principle of least privilege is a strategy that limits the access and capabilities of a user to the minimum necessary to perform their job duties. If a threat actor tricks a user into revealing their credentials, they cannot access higher-level functionality or data than the victim’s privileges allow.
Public key infrastructure (PKI) is a set of processes, hardware and software components, and other elements involved in managing digital certificates and public-key encryption. SSL certificates, for instance, are managed by PKI. These certificates assure website visitors that they’re sending information to the intended recipient. Several problems associated with PKI can create vulnerabilities, such as weak encryption methods, lengthy certificate lifespans, and compromised certificates or certificates issued to the wrong party.
A red team comprises a group of IT professionals (either internal company employees or a third-party contractor) that simulates the potential actions of a threat actor to test a company’s cybersecurity posture. The individuals who make up a red team are also known as ethical hackers. Red teaming is the process of challenging every security control, policy, and system in every conceivable way to compromise a company’s system, network, or specific IT asset.
Regulatory compliance in information and cybersecurity aims to ensure that consumer information remains private and that data stays out of the hands of malicious actors. Regulations may apply to government agencies, healthcare organizations, financial services companies, and other industries, but they can extend to the other companies that contract with these organizations. They’re issued by federal, state, and local governments and industry regulators and can apply to companies doing business in specific geographic regions or those operating in a specific industry.
Remediation is the elimination of a risk or threat. It goes hand-in-hand with mitigation, which is the process of limiting the potential damage of a threat. Mitigation is often a temporary solution until the threat is remediated.
Reputational risk is any risk your company takes that can damage brand loyalty, resulting in lost sales. While that sometimes includes customer service failures and environmental impact, enterprises lose customers when they lose customer data. In an effort to regain trust, companies spend millions of dollars to put in new security measures, revisit marketing campaigns, and hire new executives.
Not only is a cybersecurity risk assessment an essential part of any security practice, but some organizations must also perform a risk assessment to meet regulatory compliance standards. These assessments point out security deficiencies, failures in best practices, and potential loopholes waiting for hackers to exploit. A risk assessment can vary in scope and purpose, but the broader, the better when it comes to cybersecurity.
Security teams use metrics called risk indicators or key risk indicators (KRIs) to measure the company’s cyber risk and prioritize remediation and mitigation efforts. Risk indicators include things like common vulnerabilities and exposures (CVEs), invalid certificates, previously unknown shadow IT, credential exposure, non-compliance with security policies, compromised files, instances of malware, TLS/SSL certificate misconfigurations, weak encryption methods, and any other factor that contributes to the company’s risk profile.
Cyber risk management involves all the actions IT professionals take to prioritize cybersecurity within an organization and reduce vulnerabilities across the business. Part of risk management may be compliance with industry regulatory agencies and spreading awareness of operational risks across all departments when working online.
Risk mitigation reduces the potential damage an organization will suffer when a breach occurs. While some risks will always be present when operating online, mitigation procedures are intended to reduce any damage that occurs when those risks turn into exploits. Part of a cybersecurity risk mitigation plan might also include communications and marketing procedures to avoid the reputational risk caused by a data breach.
Security professionals often face many more issues than they can realistically mitigate immediately. They use risk prioritization to determine which risks pose the most serious consequences based on the assets impacted, their connections, exploitability, and other factors.
Risk scoring is a method security professionals often use to compare and prioritize the severity or exploitability of vulnerabilities. Quantifying the level of risk based on a rating scale provides a more objective way to determine which vulnerabilities to address first. Attack surface management solutions use risk scoring and other methods to prioritize risks and inform security teams of the most serious risks.
Businesses always face some level of risk. Risk tolerance is the amount of risk the company is willing to accept. The risk tolerance threshold varies depending on factors such as the assets involved and the value of the data at risk.
Also known as a malicious asset, a rogue asset is an asset created by a threat actor or an asset stolen by and under the control of a threat actor.
Software-as-a-Service (SaaS) is a software delivery method. Users access SaaS via the internet rather than downloading and installing a software application on a device. SaaS products are typically sold on a subscription basis rather than as a one-time purchase.
Security controls are safeguards and countermeasures implemented to monitor systems, reduce the attack surface, detect vulnerabilities, prevent cyber attacks, and mitigate risks.
Security monitoring is the process of continuously scanning a company’s IT systems and maintaining real-time or near-real-time awareness of the activities and events occurring within those systems. Security monitoring solutions alert security teams when abnormal activity is discovered, allowing them to investigate and respond to vulnerabilities and threats before they escalate into an incident that causes significant harm.
According to the National Institute of Standards and Technology, a cyber security risk assessment identifies the risk to your organization’s operations, assets, users, and more through the use of information technology. Since risk is always present in business, a thorough assessment tests the protection in place to effectively mitigate risk.
Shadow IT comprises information technology systems, such as devices, software, services, and applications employees are using without the explicit approval of the company’s IT department. It’s not being actively managed and monitored by the company’s security team, meaning shadow IT can introduce serious security vulnerabilities. Vulnerability scanners only scan what is known — the sources the company feeds the system for scanning — so they overlook shadow IT because the company isn’t aware it exists. On the other hand, attack surface management solutions identify shadow IT through comprehensive digital supply chain discovery.
Social engineering is a sophisticated cyber attack method that uses manipulation and deception tactics to trick the victim into divulging sensitive information or providing access to information systems containing sensitive data. Social engineering comprises various attack methods such as phishing, ransomware, pretexting, and baiting, among others.
Spear phishing campaigns are a type of social engineering attack that targets specific people in an organization. These malicious actors research high-value targets (for example, people with advanced permissions on the platform or account managers for celebrities) and send trustworthy emails to request money or information. To make their emails look trustworthy, they use domains similar to the organization they’re targeting, maybe with one letter in the middle as the only difference. Sometimes, a valid domain of the organization can be hijacked, allowing the malicious actor to send an email with a legitimate domain.
Subsidiary assets are owned or managed by a company’s subsidiaries outside of the company’s networks. They may be known or unknown. In mergers and acquisitions, subsidiary assets are a prominent concern for parent companies. Attack surface management solutions offering robust digital supply chain discovery identify subsidiary assets, their connections, and any associated risks or vulnerabilities.
Digital supply chain risk management focuses on the security risks and vulnerabilities in all the components of the digital supply chain. The more services and applications organizations deploy online, the greater the likelihood that they have incorporated code, data, or other functionality from a third party into those applications. The challenge is identifying the risk those third parties represent for your organization, including potential financial or reputational damage if a breach should occur.
Third-party security protects an organization from the risk associated with third-party vendors. Companies have traditionally spent time and money securing their perimeter and on-premises systems but have given little focus to the security practices of their vendors.
A threat vector, also known as an attack vector, is the method a cyber attacker uses to gain unauthorized access to IT systems to exploit vulnerabilities, introduce malware or steal sensitive data.
Third-party risk management (TPRM) includes all the best practices to control the risks of working with outside vendors and subcontractors. The goal of TPRM is to protect your intellectual property, operational systems, financial records, customer data, and other sensitive information from malicious actors.
An unknown asset is an element that exists within a company’s IT infrastructure without the company’s knowledge. Attack surface management solutions identify unknown assets, such as shadow IT, subsidiary assets, and orphaned apps.
A vendor-managed asset is an element of a company’s IT infrastructure controlled and managed by a vendor, so the company has no direct control over the asset. These assets may be known or unknown, and they can introduce serious vulnerabilities into the company’s network. Attack surface management solutions provide visibility into vendor-managed assets, how they’re connected to first-party assets, whether there are vulnerabilities, and how an exploit could impact the company’s first-party assets.
Vendor risk management ensures the business is not at risk for a data breach, operational outage, or other negative impacts due to its connections with third-party vendors and suppliers. These vendors are critical for day-to-day operations and efficiencies but can be a massive risk without monitoring risk from every angle.
A vulnerability is a weakness in a company’s systems that provides opportunities for cyber attackers to gain unauthorized access and carry out successful cyber attacks. Vulnerabilities can exist in security policies, security controls, application configurations, code, open ports, and every other area of a company’s information systems.
A vulnerability assessment is an evaluation of a discovered vulnerability to determine the level of risk it poses to the organization, such as how easily threat actors can exploit it and the sensitivity of the data that they can access. Vulnerability assessment is used to determine risk scores and prioritize risks.
Vulnerability management includes processes and solutions to continuously monitor a company’s IT systems, identify potential vulnerabilities, prioritize risks, mitigate risks, and report on incidents.
Vulnerability patching is the process of applying fixes to applications or systems that remediate a discovered vulnerability. Patches may be implemented as temporary mitigation efforts and incorporated into the next software release, or they may be permanent fixes that eradicate the vulnerability. Regularly checking for updates and installing the most current, secure software versions and patches released by the developers is part of the vulnerability management process.
Vulnerability scanning is an ongoing process of monitoring a company’s IT networks, systems, and software to identify potential security risks. Vulnerability scanning solutions automate this process and report on abnormal behavior discovered so security teams can take immediate action to remediate or mitigate vulnerabilities.
Zero Trust is a cybersecurity framework that assumes the company is always at risk from internal and external threats. All users, applications, and activities are considered potential threats rather than implicitly trusted. A Zero Trust model requires continuous authentication and validation at every stage of a transaction and operates on the principle of least privilege. This is in contrast to previous security models, which would assume that a user or entity is trustworthy once their identity is validated through their credentials. In these models, a threat actor could have unilateral access to all sensitive areas of a company’s network, especially if it hasn’t implemented access control, network segmentation, and other measures to restrict access to sensitive data.