Conventional penetration tests, using tools such as Nessus or QualysGuard, do a terrific job of detecting vulnerabilities on servers. Regular use of these tools has become a best practice, with good reason.
Unfortunately, in the same way that rust never sleeps, malicious actors are constantly looking for new ways to get into your systems. Now that hacking has become big business, malicious researchers have plenty of resources to devote to discovering new methods.
What Is an Attack Surface?
An attack surface assessment addresses many of these new approaches. The classic definition of an attack surface is the sum of the different points where an unauthorized user can try to enter data to or extract data from a software environment. Penetration testing covers some of these points, but an attack surface assessment’s scope is broader.
For example, a recent assessment we did with our partners Hacker Target revealed several interesting items we would not otherwise have encountered. One was an old website that the client had previously used. While no domain name pointed to it, it was still on the internet. It was using a now very old version of a content management system, which meant it was full of unpatched vulnerabilities.
It’s possible to argue that an old site isn’t important, but think what could be there. There could be old username/password combinations that were reused on the new site. There could be old data that was never removed and is still revealing. There might be email addresses listed in plain text. A diligent hacker could find many things there to apply to the new website and the broader organization.
We might have caught this using nmap, but it’s easy to simply assume that the client knows the IP addresses of all the endpoints exposed to the internet. Better to check.
Who Has Your Email Address?
Speaking of email addresses, this is another area where some additional research, such as that in an attack surface assessment, can help. A great many email addresses have been captured by malicious hackers in previous breaches. These are often listed in databases and other places on the dark web. Sites such as haveibeenpwned.com keep track of some of the email addresses that have been harvested.
Once somebody has your email address, they can send you spam or phishing messages. They can use email enumeration to identify sites where your email address is a valid username, and then use brute-force password attacks to find out your password.
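From the defender’s side, the enumeration-then-brute-force sequence described above leaves a recognisable pattern in a login audit log. The following is an added example, not code from the original post: it runs over a constructed log (the line format and the result values `unknown_user`, `invalid_password` and `success` are assumptions) and reports the source enumerating accounts, the account being brute-forced, and which of your addresses the enumerator was able to confirm as valid because the application answers differently for unknown and known users.

```python
import re
from collections import defaultdict

# Constructed sample login audit log (not from the original post). The app
# leaks account existence: "unknown_user" vs "invalid_password".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice@example.com result=invalid_password
2024-03-01T10:00:02Z src=203.0.113.5 user=bob@example.com result=unknown_user
2024-03-01T10:00:03Z src=203.0.113.5 user=carol@example.com result=invalid_password
2024-03-01T10:00:04Z src=203.0.113.5 user=dave@example.com result=unknown_user
2024-03-01T10:00:05Z src=203.0.113.5 user=frank@example.com result=invalid_password
2024-03-01T10:05:00Z src=198.51.100.7 user=alice@example.com result=invalid_password
2024-03-01T10:05:01Z src=198.51.100.7 user=alice@example.com result=invalid_password
2024-03-01T10:05:02Z src=198.51.100.7 user=alice@example.com result=invalid_password
2024-03-01T10:05:03Z src=198.51.100.7 user=alice@example.com result=invalid_password
2024-03-01T10:05:04Z src=198.51.100.7 user=alice@example.com result=invalid_password
2024-03-01T10:07:00Z src=192.0.2.9 user=grace@example.com result=invalid_password
2024-03-01T10:07:30Z src=192.0.2.9 user=grace@example.com result=success
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def analyze(log_text, enum_threshold=5, brute_threshold=5):
    """Return (enumerating_sources, brute_forced_accounts, confirmed_accounts).

    - enumeration: one source tries at least enum_threshold distinct usernames
    - brute force: at least brute_threshold failed logins against one account
    - confirmed: usernames an enumerating source learned are valid, because the
      app replied "invalid_password" rather than "unknown_user"
    """
    users_per_src = defaultdict(set)
    failures_per_user = defaultdict(int)
    valid_seen_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or unrelated lines
        src, user, result = m.groups()
        users_per_src[src].add(user)
        if result != "success":
            failures_per_user[user] += 1
        if result == "invalid_password":
            valid_seen_by_src[src].add(user)
    enumerating = sorted(s for s, u in users_per_src.items() if len(u) >= enum_threshold)
    brute = sorted(u for u, n in failures_per_user.items() if n >= brute_threshold)
    confirmed = sorted(set().union(*(valid_seen_by_src[s] for s in enumerating)))
    return enumerating, brute, confirmed
```

The fix that removes the third finding is to return one uniform error for both unknown users and wrong passwords, so the enumerator learns nothing from the response.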
A good attack surface assessment will identify which of your email addresses are available to malicious hackers.
Bypassing Your Firewall
Another thing the assessment found was that the website’s application firewall could be bypassed by working from discovered endpoints.
I could go on, but this is becoming too long. Suffice it to say that there are several more interesting things attack surface assessments turn up that a traditional penetration test may not find. Do some research on it; you may find you have a new security tool.