![\"Knowing](\"https:\/\/www.vaadata.com\/blog\/wp-content\/uploads\/2020\/03\/Attack-Surface-1024x512.jpg\")
<\/figure><\/div>\n\n\n\nWhat does it tell us? That preparation is key.\u00a0 An attack surface consists of all elements that might be attacked to cause a security incident. <\/p>\n\n\n\n There are generally two types of attack surface considered: the digital and the physical attack surface.<\/strong> In this article, we focus on the attack surface of an information system. Mapping the attack surface of your information system is a task that requires to think about all your different assets and about the value they have or they can enable to access to.<\/p>\n\n\n\n To create a global mapping, it involves to: <\/p>\n\n\n\n You can download this overview of the main elements to list and to secure<\/a> when you\u2019re mapping your attack surface. This overview is only a non-exhaustive base, as each context has specific elements to take into account.<\/p>\n\n\n\n There are various tools and search engines that exist to help you with the mapping: shodan.io<\/a>, censys.io<\/a>, crt.sh<\/a>\u2026 Knowing its attack surface is sometimes more complicated than expected because of shadow IT. Shadow IT<\/strong> refers to the IT devices and tools used by employees without the knowledge and approval of the IT department. These solutions are therefore not controlled, in particular, regarding their security, and can bring vulnerabilities to the information system or cause a data breach. Once you know your attack surface, you can manage it and assess the associated risks. When the attack surface is important, the inventory also helps you to prioritise the elements to protect.<\/p>\n\n\n\n The aim of knowing your attack surface is to then be able to reduce it (when possible) and put in place relevant protection. To reduce your attack surface, general advice is:<\/p>\n\n\n\n Once the mapping and reduction of the attack surface have been done, the following step, as important as the previous ones, is to keep it up to date, in order to continue to monitor and to protect it.<\/p>\n\n\n\n In order to do this, it is necessary to follow the new services implemented, the evolution of the infrastructure, but also to monitor the release of vulnerabilities, patches, fixes\u2026 in order to apply them when changes concerning your assets are required. Abraham Lincoln (repeating a woodsman) would have answered the question: what would you do if you had just six hours to chop down a tree? I would spend the first four hours sharpening my axe. What does it tell us? That preparation is key.\u00a0You cannot protect what you don\u2019t know, therefore knowing your attack surface<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,13],"tags":[],"class_list":{"0":"post-2667","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-solutions","7":"category-solutions-fr"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/posts\/2667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/comments?post=2667"}],"version-history":[{"count":10,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions"}],"predecessor-version":[{"id":3297,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/posts\/2667\/revisions\/3297"}],"wp:attachment":[{"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/media?parent=2667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/categories?post=2667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vaadata.com\/blog\/wp-json\/wp\/v2\/tags?post=2667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
You cannot protect what you don\u2019t know, therefore knowing your attack surface<\/strong> is the first essential step to protect it efficiently.\u00a0<\/p>\n\n\n\n\n\n\n\nWhat is an Attack Surface?<\/strong><\/h2>\n\n\n\n
While the digital attack surface comprises, for example, web services, network, communication protocols, domain names\u2026 the physical attack surface involves the physical points of attacks against a company, such as the windows of buildings, production facilities, or even a fire\u2026
These two attack surfaces are overlapping and interconnected; it is equally important to secure both of them.<\/p>\n\n\n\n
It can be divided in two: <\/p>\n\n\n\nHow to Know Your Attack Surface?<\/strong><\/h2>\n\n\n\n
![\"Mapping](\"https:\/\/www.vaadata.com\/blog\/wp-content\/uploads\/2020\/11\/Mapping-Attack-Surface-scaled.jpg\")
<\/a><\/figure><\/div>\n\n\n\n
For example, shodan.io enables to verify which of your devices of your network are available from the internet (servers, routers, printers\u2026), whereas crt.sh can find from a url all certificates related to a name or a brand.<\/p>\n\n\n\n
Some shadow IT elements can be traced back during the mapping of the attack surface (connected devices connected to the network without authorisation for example), but other elements, such as web services, are harder to detect.<\/p>\n\n\n\nHow to Reduce your Attack Surface?<\/strong><\/h2>\n\n\n\n
Having the less possible attack points allows focusing the protection efforts and therefore strengthening their security.<\/p>\n\n\n\nKeeping the Attack Surface Up To Date<\/strong><\/h2>\n\n\n\n
An IT Asset Management tool can help you to centralise and monitor information about your attack surface.<\/p>\n","protected":false},"excerpt":{"rendered":"