Basics
Attack surface
What is an attack surface?
An attack surface is the sum of all the points through which someone could enter your IT: every reachable device, account, application and interface. Each of those points needs updates and supervision. The smaller the attack surface, the fewer places you have to defend.
In a small company the attack surface has more parts than a first glance suggests. It includes the internet connection with all its port forwarding rules, meaning the openings that let traffic from the internet reach a device inside the building, the remote access route into the office, the company website and any web shop, the mailbox of every member of staff, every cloud service that can be reached with a login from anywhere, the network storage device in the server room, printers and cameras with their own web interface, and private devices connected to the company network. Each of these parts runs software, and software contains flaws that become public sooner or later.
The attack surface grows during everyday work without anybody deciding on it. An engineer sets up remote access for a maintenance job and it stays in place afterwards. One department signs up for a cloud service nobody else knows about. A test system keeps running long after the project ended. The account of a former employee stays active. Access of this kind is rarely maintained and stands open to an attacker.
One question tells you whether you have a problem. Can anyone in your company say within a few minutes which systems are reachable from the internet and who is allowed to use them? If the answer stays vague, your attack surface is unknown. The sensible first step is a list of all devices, services and access routes. The second is the view from outside: which services answer on your public internet address? Whatever is no longer needed gets switched off. Whatever is needed gets current updates and a login with a second factor, meaning a second confirmation in addition to the password.
A review from inside and from outside makes the attack surface visible. The vetosec IT Check records the systems, access routes and openings that exist, covering 8 audit areas with more than 100 individual checks, and it includes a light penetration test that shows what can be reached from outside. Data capture on site is read-only, meaning we only read and document, and it runs without interruption. You receive the documented findings with an action plan ordered by urgency within 14 working days.
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.