Req 4f — Attack Surface
Your attack surface is every possible point where an attacker could try to get into your digital life. Think of it as all the doors, windows, and vents in a building — the more entry points, the harder the building is to secure. Most people have a much larger attack surface than they realize.
What Makes Up Your Attack Surface?
Your attack surface includes everything that connects you to the digital world. Let’s walk through the major categories.
Devices
Every device you own or use regularly is part of your attack surface:
- Your smartphone
- Laptop or desktop computer
- Tablet
- Gaming console (Xbox, PlayStation, Nintendo Switch)
- Smart watch or fitness tracker
- Any other connected device (smart speaker, streaming stick, etc.)
Each device has its own operating system, its own apps, and its own vulnerabilities. An attacker who compromises any one of them gains a foothold into your digital life.
Online Accounts
Think about every account you have ever created — and be honest, because the number is probably higher than you think:
- Email accounts
- Social media (Instagram, Snapchat, TikTok, Discord, X, Reddit)
- Gaming platforms (Steam, Epic Games, PlayStation Network, Xbox Live)
- Shopping sites (Amazon, eBay)
- School accounts (Google Classroom, Canvas, Schoology)
- Streaming services (Netflix, Spotify, YouTube, Disney+)
- Cloud storage (Google Drive, iCloud, Dropbox)
- Any forums, communities, or websites with a login
Each account is a potential target. If any two share the same password, compromising one compromises both.
Apps and Software
Every app installed on your devices is part of your attack surface:
- How many apps are on your phone right now? Check — it is probably more than 50.
- Each app has permissions (camera, microphone, location, contacts) that could be exploited
- Apps you installed and forgot about are especially risky — they may not be getting security updates
Home Network
Your home network is its own attack surface:
- Wi-Fi router (is the admin password still the default one printed on the sticker?)
- Connected devices — smart TVs, smart speakers, security cameras, thermostats
- Guest networks — who else has your Wi-Fi password?
- IoT devices (you will explore these more in Req 7)
Personal Information Already Online
Some parts of your attack surface already exist whether you want them to or not:
- Information others have posted about you (photos, mentions, tagged posts)
- Public records (some states make certain records publicly searchable)
- Data from breaches of companies you have done business with
- Your digital footprint from Req 1b
Creating Your List
Here is how to systematically map your attack surface:
Attack Surface Inventory
Go through each category and list everything:
- Devices: List every device you use regularly, including shared family devices.
- Accounts: Open your email and search for “welcome” or “verify your email” to find accounts you may have forgotten.
- Apps: Go through your phone and computer app lists. Include browser extensions.
- Home network: List your router and every smart or connected device in your home.
- Shared access: Note any accounts where you share passwords with friends or family.
- Old accounts: Include accounts you no longer use but never deleted — these are often the most vulnerable.
What Your List Tells You
Once you see your full attack surface, you will likely be surprised by its size. The goal is not to eliminate everything — you cannot live without digital tools. The goal is to reduce your attack surface where possible and strengthen the parts you keep.
Quick Wins to Shrink Your Attack Surface
- Delete apps you do not use. Every unused app is an unmonitored entry point.
- Close old accounts. That MySpace account from 2008? Close it. That free game you tried once? Delete the account.
- Remove unnecessary permissions. Apps that do not need your location, microphone, or contacts should not have access.
- Change default passwords on your router and any IoT devices.
- Use unique passwords for every account (a password manager helps — covered in Req 5c).
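To make the inventory in "Creating Your List" and the quick wins above concrete, here is a small checker that takes an inventory of accounts, apps and network devices and flags the items the quick wins target: reused passwords, accounts and apps not used in over a year, sensitive app permissions the app does not need, default router/IoT passwords, and accounts whose password is shared. This is an added example, not part of the requirement material; the data classes, the one-year staleness threshold, the "needed permissions" table and the sample inventory are all assumptions constructed for the example. Passwords are never stored, only a fingerprint hash, which is enough to spot two accounts that share one.

```python
"""Attack-surface inventory checker (added example; not part of the badge material).

Models the inventory categories from the requirement (accounts, apps, home
network) and flags the "quick win" items: reused passwords, stale accounts
and apps, unnecessary app permissions, default router/IoT passwords, and
shared accounts. All sample data at the bottom is constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib


def fingerprint(password: str) -> str:
    """Keep only a hash so the inventory never holds the real password.
    Two accounts with the same fingerprint use the same password."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]


@dataclass
class Account:
    name: str
    pw_fingerprint: str
    last_used: date
    shared_with: list = field(default_factory=list)  # people who know the password


@dataclass
class App:
    name: str
    permissions: set
    last_used: date


@dataclass
class NetDevice:
    name: str
    default_admin_password: bool  # still the password printed on the sticker?


STALE_AFTER_DAYS = 365  # assumption: a year unused counts as "forgotten"
SENSITIVE = {"camera", "microphone", "location", "contacts"}


def reused_passwords(accounts):
    """Group accounts by password fingerprint; return every group larger than one."""
    groups = {}
    for a in accounts:
        groups.setdefault(a.pw_fingerprint, []).append(a.name)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def stale(items, today):
    """Names of accounts/apps not used within STALE_AFTER_DAYS."""
    return sorted(i.name for i in items if (today - i.last_used).days > STALE_AFTER_DAYS)


def excess_permissions(apps, needed):
    """needed maps app name -> permissions the app genuinely requires (assumed table).
    Any sensitive permission outside that set is flagged for removal."""
    out = {}
    for app in apps:
        extra = (app.permissions & SENSITIVE) - needed.get(app.name, set())
        if extra:
            out[app.name] = sorted(extra)
    return out


def default_credentials(devices):
    return sorted(d.name for d in devices if d.default_admin_password)


def shared_accounts(accounts):
    return sorted(a.name for a in accounts if a.shared_with)


def report(accounts, apps, devices, needed, today):
    """One dict with every quick-win finding, keyed by the action to take."""
    return {
        "reused_passwords": reused_passwords(accounts),
        "stale_accounts": stale(accounts, today),
        "stale_apps": stale(apps, today),
        "excess_permissions": excess_permissions(apps, needed),
        "default_credentials": default_credentials(devices),
        "shared_accounts": shared_accounts(accounts),
    }


# Constructed sample inventory (not real accounts or passwords)
TODAY = date(2025, 6, 1)
ACCOUNTS = [
    Account("email", fingerprint("correct horse battery staple"), date(2025, 5, 30)),
    Account("gaming-store", fingerprint("Summer2019!"), date(2025, 5, 1)),
    Account("old-forum", fingerprint("Summer2019!"), date(2019, 8, 2)),
    Account("streaming", fingerprint("family-movie-night"), date(2025, 5, 28),
            shared_with=["sibling"]),
]
APPS = [
    App("camera-app", {"camera", "microphone", "location"}, date(2025, 5, 31)),
    App("flashlight", {"location", "contacts"}, date(2023, 1, 15)),
    App("maps", {"location"}, date(2025, 5, 29)),
]
DEVICES = [NetDevice("wifi-router", True), NetDevice("smart-tv", False)]
NEEDED = {"camera-app": {"camera", "microphone"}, "maps": {"location"}}

if __name__ == "__main__":
    for key, value in report(ACCOUNTS, APPS, DEVICES, NEEDED, TODAY).items():
        print(f"{key}: {value}")
```

Running it on the sample data lists the old forum account as both stale and sharing a password with the gaming store, the flashlight app as stale and over-permissioned, and the router as still on its default admin password; each line of the report maps directly to one of the quick wins above.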
