Acceptable Risk
Acceptable risk is the level of risk a company is willing to tolerate based on the likelihood of exploitation, the value of the asset or data, and the strength of existing security controls. Acceptable risk thresholds are often tradeoffs. For example, a company may be willing to tolerate a greater risk of data leakage if additional security measures are too costly to implement and the data at risk would cause little harm to the organization if exposed.
Access Control (or Access Management)
Access control is a security measure that enables organizations to grant varying levels of access to systems, network resources, and data based on the user’s identity and the sensitivity of the system or data. For example, access control measures can limit access to valuable intellectual property to a few key executives while blocking all other users. Access to customer data may be limited to users in the sales, marketing, and customer service departments, and access to employee performance data may be limited to users above a certain management level. Generally, access control follows the principle of least privilege: a user is granted only the information and resources necessary to perform their job duties, and anything not explicitly granted is denied.
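The three examples above, written out as a deny-by-default policy check. This is an added illustration, not code from the original page; the user attributes, department names, role names, resource names, and the `POLICY` table are constructed assumptions, and a real deployment would load the policy from an identity provider or authorization service rather than hard-code it.

```python
"""Deny-by-default access check modelled on the Access Control entry.

Added example with constructed data: users, departments, roles and the
POLICY table are assumptions, not part of the original page.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    department: str
    mgmt_level: int                      # 0 = individual contributor, higher = more senior
    roles: frozenset = field(default_factory=frozenset)


# Policy: resource name -> predicate over the requesting user.
# Any resource that is not listed here is denied for everyone (deny by default).
POLICY = {
    # Intellectual property: only users holding the "executive" role.
    "ip_portfolio": lambda u: "executive" in u.roles,
    # Customer data: sales, marketing and customer service departments only.
    "customer_data": lambda u: u.department in {"sales", "marketing", "customer_service"},
    # Employee performance data: managers at level 2 and above.
    "performance_data": lambda u: u.mgmt_level >= 2,
}


def decide(user, resource):
    """Return (allowed, reason). Unknown resources are denied, not errors."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, f"no policy for {resource!r}; denied by default"
    if rule(user):
        return True, f"{user.name} matches policy for {resource!r}"
    return False, f"{user.name} does not match policy for {resource!r}"


def is_allowed(user, resource):
    return decide(user, resource)[0]


def accessible_resources(user):
    """Least-privilege view: everything this user can reach, and nothing else."""
    return sorted(r for r in POLICY if is_allowed(user, r))


if __name__ == "__main__":
    # Constructed sample users.
    exec_user = User("ava", "finance", 3, frozenset({"executive"}))
    sales_rep = User("ben", "sales", 0)
    eng_manager = User("cy", "engineering", 2)
    for u in (exec_user, sales_rep, eng_manager):
        print(u.name, "->", accessible_resources(u))
    print(decide(sales_rep, "payroll"))   # unlisted resource: denied
```

Note that `decide` returns a reason string alongside the decision; logging that reason on every denial is what makes an access-control layer auditable, which matters as much as the allow/deny outcome itself.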
Active Asset
An active asset is an attack surface element that is currently in use. Differentiating active assets from inactive assets is an essential practice when implementing attack surface reduction measures: it ensures that only inactive assets are decommissioned or eliminated, avoiding business disruption.
Application Programming Interface (API)
An application programming interface (API) is a set of rules and protocols that enable two applications to communicate with each other and share data. Application developers use APIs to integrate the functions of one application into another without coding those capabilities from scratch. Nearly every application makes use of at least one API today. However, their prevalence, combined with the fact that many are exposed directly to untrusted callers, makes them appealing attack vectors for cyber attackers.
Asset
In the context of attack surface management, an asset is an IT element such as an application, code, website, server, or other component that provides a point of entry for a cyber attacker to breach a network, system, application, or device. The external attack surface comprises all internet-facing IT assets, both known and unknown. Assets exist in the cloud, on premises, in subsidiary networks, and in vendors’ environments.
Asset Discovery
Asset discovery, also known as supply chain discovery, is the process of identifying the IT assets that make up the attack surface: known and unknown assets, managed and unmanaged assets, vendors’ assets, subsidiaries’ assets, and rogue (malicious) assets. The attack surface constantly expands as business needs change and new systems, devices, and users are added. Asset discovery must therefore be a continuous process that identifies previously unknown and potentially malicious assets, their connections, and how they might affect first-party assets if breached.
At-Risk Asset (or Asset Risk)
At-risk assets are internet-facing assets with exploitable vulnerabilities. Not all internet-facing IT assets carry the same risk: accurately identifying at-risk assets and determining their level of risk requires context, such as how, when, and where an asset is used, who owns or manages it, and how it is connected to other assets in the digital supply chain.
Attack Surface Assessment
Attack surface assessment is the process of evaluating assets to identify high-risk areas and vulnerabilities to understand the attack surface from an attacker’s perspective. The assessment considers factors such as where vulnerabilities exist, whether those vulnerabilities are exploitable, the connections between assets, and what consequences could result from a breach.
Attack Surface Element
An attack surface element is an internet-facing asset that makes up part of a company’s attack surface. Attack surface elements include physical devices, networks, servers, websites, cloud services, applications, and other internet-facing assets within a company’s ecosystem.
Attack Surface Inventory
Attack surface inventory is the complete accounting of all assets or elements that make up a company’s attack surface and can include both first-party assets and assets that the company does not directly own or control. It’s the result of an asset discovery process.
Attack Surface Management
Attack surface management comprises the processes and methods used to discover assets and map the attack surface, identify vulnerabilities and assess risk, prioritize vulnerabilities by risk level and likelihood of exploitation, and remediate those risks by mitigating or eliminating them. It also includes attack surface reduction measures. For example, if the asset discovery process identifies previously unknown assets that are no longer in use, eliminating those assets reduces the attack surface.
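The discovery, inventory, active/inactive, and reduction entries above describe one workflow: compare what an external scan actually finds against what the organization believes it owns, then sort the result into unknown assets, inactive assets that are decommissioning candidates, and exposed services that need attention. The following is an added example of that reconciliation, not code from the page or any vendor; the inventory records, the discovered hosts and services, the 90-day inactivity threshold, and the list of risky service types are all constructed assumptions. In practice the discovered set would come from DNS enumeration, certificate transparency logs, and port scans.

```python
"""Reconcile discovered internet-facing hosts against the asset inventory.

Added example with constructed data. INVENTORY, DISCOVERED, INACTIVE_AFTER and
RISKY_SERVICES are assumptions for illustration, not part of the original page.
"""
from datetime import date, timedelta

# Known inventory (constructed): hostname -> owner and last observed legitimate traffic.
INVENTORY = {
    "www.example.com":     {"owner": "web-team",  "last_seen_traffic": date(2024, 5, 30)},
    "api.example.com":     {"owner": "platform",  "last_seen_traffic": date(2024, 5, 31)},
    "old-cms.example.com": {"owner": "marketing", "last_seen_traffic": date(2023, 11, 2)},
    "vpn.example.com":     {"owner": "it-ops",    "last_seen_traffic": date(2024, 5, 31)},
}

# Result of an external discovery pass (constructed): hostname -> exposed services.
DISCOVERED = {
    "www.example.com":                  {"443/https"},
    "api.example.com":                  {"443/https"},
    "old-cms.example.com":              {"80/http", "443/https"},
    "staging-db.example.com":           {"5432/postgres"},   # not in inventory
    "vendor-portal.partner-example.net": {"443/https"},      # not in inventory
}

# A known asset with no legitimate traffic for this long is treated as inactive.
INACTIVE_AFTER = timedelta(days=90)

# Service types that should rarely be reachable from the internet (assumption).
RISKY_SERVICES = {"postgres", "mysql", "redis", "rdp", "smb", "ssh"}


def reconcile(inventory, discovered, today):
    """Classify hosts by comparing discovery results with the inventory."""
    unknown = sorted(h for h in discovered if h not in inventory)
    not_observed = sorted(h for h in inventory if h not in discovered)
    inactive = sorted(
        h for h, rec in inventory.items()
        if h in discovered and today - rec["last_seen_traffic"] > INACTIVE_AFTER
    )
    active = sorted(h for h in inventory if h in discovered and h not in inactive)
    return {
        "unknown": unknown,            # found externally, nobody owns it: investigate
        "inactive": inactive,          # known, reachable, unused: decommission candidate
        "active": active,              # known and in use: keep, keep patched
        "not_observed": not_observed,  # in inventory but not found: verify, maybe stale
    }


def exposed_risky_services(discovered):
    """Hosts exposing a service type from RISKY_SERVICES, with the offending services."""
    out = {}
    for host, services in discovered.items():
        risky = sorted(s for s in services if s.split("/", 1)[1] in RISKY_SERVICES)
        if risky:
            out[host] = risky
    return out


def reduction_candidates(inventory, discovered, today):
    """Assets that attack surface reduction can remove without disrupting the business:
    inactive known assets, plus unknown assets once triage confirms they are unneeded."""
    r = reconcile(inventory, discovered, today)
    return {"remove": r["inactive"], "triage": r["unknown"]}


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for bucket, hosts in reconcile(INVENTORY, DISCOVERED, today).items():
        print(f"{bucket:13s} {hosts}")
    print("risky exposure:", exposed_risky_services(DISCOVERED))
    print("reduction:", reduction_candidates(INVENTORY, DISCOVERED, today))
```

The `not_observed` bucket is worth keeping separate from `inactive`: an asset the inventory lists but discovery cannot find may be legitimately internal-only, may have been retired without updating the inventory, or may simply have been missed by the scan, and each of those needs a different follow-up.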
Attack Surface Monitoring
Attack surface monitoring is one component of attack surface management. It encompasses the methods and processes used to continuously scan an organization’s attack surface to identify previously unknown assets and detect abnormal behavior and vulnerabilities.
Attack Surface Reduction
Attack surface reduction describes the decisions and actions an organization takes to remove potential points of entry on its attack surface or to bolster the security of assets to make them less vulnerable to attack. Attack surface reduction can involve many different techniques, such as removing redundant applications, eliminating user accounts that are no longer used or needed, and segmenting the company’s network, among others.
Attack Surface Visibility
Effective attack surface management requires attack surface visibility. Companies gain attack surface visibility through supply chain discovery and attack surface monitoring, inventory, and assessment. Attack surface visibility means a company fully understands its assets, where they exist, their connections, and what vulnerabilities and risks exist.
Attack Vector
An attack vector is the method a threat actor uses, or the path they follow, to exploit a vulnerability and gain access to a target. Examples of attack vectors include weak or misconfigured encryption, exposed assets, weak or reused passwords, malware, phishing, and distributed denial of service (DDoS) attacks, among others.