Threat Vector Categories β All 11
| Vector | Method | Key Risk | Defense |
|---|---|---|---|
| Message-Based | Email, SMS (smishing), IM/DM β phishing links, malware attachments, social engineering | Most common initial access vector; SVG images can embed executable JavaScript | Email security gateway, anti-phishing training, MFA, attachment sandboxing |
| Image-Based | SVG files β XML format can embed HTML injection or JavaScript; renders in browsers | Visually indistinguishable from benign images; code executes on render | Browser input validation, SVG content sanitization, block SVG attachments from email |
| File-Based | PDFs (scripts/objects), ZIP/RAR archives, Office macros, browser extensions | Malware hidden in trusted-looking document types; macros auto-execute | Disable macros by default, restrict browser extensions, sandbox file analysis, password-protected archive inspection |
| Voice Call | Vishing (phone social engineering), SPIT (automated VoIP spam), war dialing, call tampering | Bypasses technical controls entirely; exploits human social compliance | Callback verification procedures, staff training, VoIP security, analog line inventory |
| Removable Device | USB malware delivery, HID keyboard emulation attacks, data exfiltration | Bypasses all network-based defenses; bridges air-gapped networks; undetectable exfiltration | USB port lockdown, device whitelisting, disable autorun, DLP on endpoints |
| Vulnerable Software | Client-based (installed apps with known/unknown CVEs); agentless (server-side, affects all clients simultaneously) | Agentless: one compromised server exposes entire user population at login | Patch management, vulnerability scanning, defense in depth, software inventory |
| Unsupported Systems | End-of-life OS/firmware β no patches available for new CVEs discovered after EOL | Permanent, unfixable vulnerability accumulation; single entry point can compromise whole network | Asset inventory, regular network scanning, upgrade/isolate/accept risk with compensating controls |
| Unsecure Networks | Wireless (WEP/WPA protocols, open/rogue APs), wired (no 802.1X), Bluetooth (recon, implementation vulns) | Unauthorized network access; traffic interception; rogue AP man-in-the-middle | WPA3 for wireless, 802.1X for wired and wireless authentication, Bluetooth policies |
| Open Service Ports | TCP/UDP listening ports β each service is a potential vulnerability or misconfiguration | More services = larger attack surface; forgotten services often have weak configurations | Minimize running services, firewall allow rules only for justified services, regular port audits |
| Default Credentials | Factory-set usernames/passwords never changed β any attacker can look them up online | Full administrator access with no technical exploit; routerpasswords.com lists thousands of defaults | Change all defaults immediately on deployment; include credential audit in onboarding procedures |
| Supply Chain | Compromised vendors/contractors, MSP access, tampered hardware/software, build pipeline injection | Bypasses perimeter by entering through trusted relationships; MSP compromise = all customers compromised | Vendor risk management, least privilege for third-party access, hardware authenticity verification |
Attack Surface: More Services = More Risk
WHAT IS ATTACK SURFACE?
Attack surface is the total set of different points (attack vectors) where an unauthorized user can try to enter data to or extract data from an environment. Every service, port, protocol, application, user account, and network interface contributes to the attack surface.
The relationship is direct: every additional service running on a system = at least one additional port = at least one additional attack vector. Each service has its own vulnerability history, its own patch cadence, and its own potential for misconfiguration.
THE ACCUMULATION PROBLEM
Attack surface grows over time and is rarely cleaned up. Services are added for projects that end but the service stays running. Firewall rules are added for temporary access and never removed. Test environments persist into production. Vendor access accounts accumulate.
The result: an organization's actual attack surface is almost always larger than anyone believes. Regular audits β port scans, firewall rule reviews, access account reviews β are required to maintain an accurate picture of current exposure.
MINIMIZING ATTACK SURFACE
Disable unnecessary services: If a service doesn't need to run, stop it. A service that isn't running cannot be exploited.
Close unused ports: Firewall rules should explicitly deny all traffic except what is documented and justified.
Principle of least functionality: Systems should be configured to provide only the minimum capabilities required for their intended purpose β no more.
Remove unused software: Installed applications with no current use are attack surface with no benefit.
CLIENT-BASED vs. AGENTLESS
Client-Based Software: Installed locally on the endpoint. Vulnerabilities affect that specific device. Defense: patch the installed application on each device. Requires pushing updates across all endpoints.
Agentless Software: No local installation β client connects to a server session. Vulnerabilities live on the server. If the server is compromised, every client connecting to it is affected simultaneously β the entire user population, often without individual warning. Defense: secure the server; the client has nothing to patch.
Supply Chain Attack Flow
The ultimate target organization has strong perimeter defenses, mature security controls, and rapid detection capabilities. Direct attack attempts are likely to fail or be detected quickly. The attacker looks for a softer path in.
Attacker maps the target's vendor relationships, contractors, MSPs, and software dependencies. Looks for an entity with privileged access to the target that has weaker security β HVAC vendor, IT service provider, software update server, hardware manufacturer.
Attack the weaker link β phish the vendor's employees, exploit unpatched systems, inject code into the vendor's software build pipeline, or intercept hardware during shipping and install backdoors. The third party becomes the attacker's staging point.
Use the compromised third-party's legitimate, authenticated access to reach the ultimate target. The connection arrives from a trusted source β a known vendor's IP, a signed software update, a contractor's authorized credentials. Perimeter controls allow the traffic because it looks legitimate.
From the initial foothold (vendor network segment, software update infrastructure), move laterally toward the actual target systems β POS terminals (Target breach), domain controllers, intellectual property repositories, or critical infrastructure.
Execute the mission: steal payment card data (Target 2013), install surveillance backdoors in thousands of organizations (SolarWinds 2020), cause physical damage (Stuxnet via USB to air-gapped network). Often undetected for months because the access path appeared legitimate throughout.
Wireless Security Protocol Progression
| Protocol | Status | Security | Action Required |
|---|---|---|---|
| WEP | Deprecated (broken ~2001) | Critically weak β crackable in minutes with freely available tools | Replace immediately β no compensating controls are sufficient |
| WPA | Deprecated (replaced 2004) | Weak β TKIP protocol has known vulnerabilities | Replace immediately |
| WPA2 | Still widely deployed | Reasonably secure β KRACK vulnerability (2017) requires patching; PMKID attack possible | Upgrade to WPA3 where possible; ensure all clients/APs are patched |
| WPA3 | Current standard | Strong β SAE (Simultaneous Authentication of Equals) replaces PSK; resistant to offline dictionary attacks | Deploy on all new wireless infrastructure; migrate existing where supported |