Beginner Fundamentals

Attack Surface and Entry Vectors

The attack surface is the complete set of points through which an attacker can try to enter a system, extract data from it, or influence how it behaves. The larger the surface, the more opportunities for exploitation, and the more you have to defend.

What Makes Up the Attack Surface?

Common vectors:
- Open network ports (SSH, RDP, HTTP/S, exposed databases)
- Public APIs and undocumented endpoints
- Admin interfaces exposed to the internet
- Third-party dependencies (libraries, SDKs, plugins)
- User accounts and credentials (human and system)
- Email and social engineering
- Physical devices (USB drives, physical server access)

Example: Misconfigured Server

Initial state — wide surface:
- Port 22 (SSH) open to the whole internet (0.0.0.0/0)
- Port 3306 (MySQL) exposed to the internet
- Admin panel at /admin with no IP restriction
- 15 users with admin permission
- npm dependency with a known critical CVE and no fix applied

Improved state — reduced surface:
- SSH reachable only through the VPN or from a fixed, allow-listed IP
- MySQL bound to localhost (127.0.0.1) or to an internal-only interface, never to a public address
- /admin restricted to the company IP block (and still behind authentication)
- 2 admin accounts; the other 13 reduced to the least privilege their work needs
- Vulnerable dependency updated, or replaced if no fixed version exists

How to Map the Surface

Defensive reconnaissance tools:

# Port scan of your own server, ideally from a host outside its network so you
# see what an external attacker sees (only with authorization; -p- covers all
# 65535 TCP ports, -sV identifies the service and version behind each one)
nmap -sV -p- 192.168.1.10

# List TCP and UDP sockets listening on the machine itself, with the owning
# process (sudo is needed to see processes that belong to other users)
sudo ss -tulnp

# Check dependencies for known vulnerabilities
npm audit        # Node.js projects
pip-audit        # Python projects
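The commands above tell you what is listening but not how far each listener is exposed. The script below is an added example, not code from the page or from any tool it mentions: it reads the column layout of `ss -tulnpH` (header suppressed) and sorts every bound socket into public (bound on every interface), local (loopback only) or internal (one specific address). The sample output it parses is constructed for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original page: classify each listening
# socket by how far it is exposed, reading the column layout of `ss -tulnpH`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port Process).
# SAMPLE_SS is constructed sample output, not a capture from a real host.

SAMPLE_SS='tcp   LISTEN 0 128   0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 80    0.0.0.0:3306     0.0.0.0:*   users:(("mysqld",pid=1044,fd=21))
tcp   LISTEN 0 511   127.0.0.1:6379   0.0.0.0:*   users:(("redis-server",pid=1210,fd=6))
tcp   LISTEN 0 4096  10.0.1.5:8080    0.0.0.0:*   users:(("node",pid=1402,fd=19))
tcp   LISTEN 0 511   [::]:443         [::]:*      users:(("nginx",pid=900,fd=7))
udp   UNCONN 0 0     0.0.0.0:123      0.0.0.0:*   users:(("chronyd",pid=700,fd=5))'

# classify_addr LOCAL_ADDRESS:PORT
#   public   - bound on every interface (0.0.0.0, [::] or *): reachable by
#              anyone who can route packets to this host
#   local    - loopback only: reachable from processes on this machine
#   internal - bound to one specific address (a VPN or LAN interface, say)
classify_addr() {
  host=${1%:*}                       # drop the trailing :port
  host=${host#\[}; host=${host%\]}   # drop IPv6 brackets
  case "$host" in
    0.0.0.0|'*'|::) echo public ;;
    127.*|::1)      echo local ;;
    *)              echo internal ;;
  esac
}

# list_listeners < ss-output
#   Prints one line per bound socket: EXPOSURE NETID LOCAL_ADDRESS PROCESS
list_listeners() {
  while read -r netid state _recvq _sendq laddr _peer proc; do
    case "$state" in
      LISTEN|UNCONN) ;;   # TCP listeners and bound UDP sockets
      *) continue ;;      # header line, blank lines, anything else
    esac
    # first program name inside users:(("name",pid=...,fd=...))
    name=$(printf '%s\n' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
    printf '%s %s %s %s\n' "$(classify_addr "$laddr")" "$netid" "$laddr" "${name:-unknown}"
  done
}

# count_exposure EXPOSURE < ss-output : number of sockets with that exposure
count_exposure() {
  list_listeners | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Report, public listeners first. Every "public" line is the question this
# page's practical rule asks: does it need to be open, for whom, and why?
# On a real host replace the sample with:  sudo ss -tulnpH | list_listeners
printf '%s\n' "$SAMPLE_SS" | list_listeners | sort -r
```

On the constructed sample the report flags sshd, mysqld, nginx and chronyd as public; only nginx on 443 has an obvious reason to be there, and MySQL on all interfaces is exactly the misconfiguration from the example above. A listener marked internal is not automatically safe: it is reachable from whatever network that interface sits on, so the same three questions apply, just to a smaller audience.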

Reduction Strategies

  1. Disable what you don’t use — services, ports, accounts, features
  2. Segment networks — databases should not be reachable from the internet
  3. Manage dependencies — update, audit, remove what is unnecessary
  4. Inventory assets — what is unknown cannot be protected
  5. Monitor changes — new open port = new surface
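Strategies 4 and 5 are easiest to keep up when the inventory of listening sockets is a file you can diff. The script below is an added example, not part of the page or of any tool it mentions: it reduces `ss -tuln` output to one key per socket and reports additions and removals against a saved baseline, so a new open port shows up as a line you can alert on. The baseline and current snapshots are constructed samples, and the function names and the baseline path in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: catch attack-surface drift
# by comparing the sockets a host listens on today with a saved baseline.
# Both snapshots are constructed sample `ss -tulnH` output, not real captures.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

BASELINE_SS='tcp  LISTEN 0 128  10.8.0.5:22      0.0.0.0:*
tcp  LISTEN 0 80   127.0.0.1:3306  0.0.0.0:*
tcp  LISTEN 0 511  0.0.0.0:443     0.0.0.0:*'

# The same host a week later: sshd is back on all interfaces and a debugging
# port has appeared; the HTTPS listener and loopback-only MySQL are unchanged.
CURRENT_SS='tcp  LISTEN 0 128  10.8.0.5:22      0.0.0.0:*
tcp  LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp  LISTEN 0 80   127.0.0.1:3306  0.0.0.0:*
tcp  LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp  LISTEN 0 4096 0.0.0.0:9229    0.0.0.0:*'

# normalize < ss-output
#   Reduces each bound socket to a sorted "NETID LOCAL_ADDRESS:PORT" key.
#   Queue sizes and the peer column change constantly and are not surface,
#   and the header line (State column reads "State") is dropped.
normalize() {
  awk '$2 == "LISTEN" || $2 == "UNCONN" { print $1, $5 }' | sort -u
}

# surface_diff BASELINE_TEXT CURRENT_TEXT
#   "+ key" for sockets that are new since the baseline,
#   "- key" for sockets that have gone away, nothing when unchanged.
surface_diff() {
  tmp_b=$(mktemp) && tmp_c=$(mktemp) || return 1
  printf '%s\n' "$1" | normalize > "$tmp_b"
  printf '%s\n' "$2" | normalize > "$tmp_c"
  comm -13 "$tmp_b" "$tmp_c" | sed 's/^/+ /'   # only in current
  comm -23 "$tmp_b" "$tmp_c" | sed 's/^/- /'   # only in baseline
  rm -f "$tmp_b" "$tmp_c"
}

# surface_changed BASELINE_TEXT CURRENT_TEXT
#   True (exit 0) when the diff is non-empty, so a scheduled job can do:
#   surface_changed "$(cat baseline)" "$(sudo ss -tulnH)" && send_alert
surface_changed() {
  [ -n "$(surface_diff "$1" "$2")" ]
}

# On a real host (the baseline path is only an example):
#   sudo ss -tulnH > /var/lib/surface/baseline          # once, after review
#   surface_diff "$(cat /var/lib/surface/baseline)" "$(sudo ss -tulnH)"   # daily
echo "Changes since baseline:"
surface_diff "$BASELINE_SS" "$CURRENT_SS"
```

On the sample pair the output is two `+` lines, `tcp 0.0.0.0:22` and `tcp 0.0.0.0:9229`, and no `-` lines. Either addition is a reason to go back to the three questions; the second one is the classic case of a debug listener that nobody intended to leave behind. Re-save the baseline only after someone has reviewed and accepted the change, otherwise the check silently learns to accept the new surface.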

Practical Rule

Every open port is a question:
"Does it need to be open? For whom? Why?"

If you can't answer, close it.

Digital Versus Physical Surface

Don’t forget the physical surface: an unlocked server room door, a computer without a lock screen, a USB drive left in the parking lot. Most logical controls assume the attacker has no physical access; once they do, only a few (full-disk encryption, a locked screen, a boot password) still stand in the way.