All services

What is an External Attack Surface Assessment and why is it important?

Are you aware of the data leaks and passwords from your organization that are out there on the internet or dark web?

Do you know what legacy applications and IoT devices are connected to the internet? Pay attention, because these exposed assets may pose a threat to your digital security.

You'd be surprised

Many companies are surprised to discover what can be found about them from sources on the internet. Whether you are a public organization, or a business, hackers are trying to get access to your network, and they use anything they can find.

Gartner estimates that less than 1% of organizations have a proper visualization of their exposed assets [1].

System hacked

Exposed assets may pose a threat to your digital security

Passwords, unsecured databases and more

Not only hacked passwords and unmanaged or legacy applications pose a threat to your digital security.

Often we find forgotten, hardcoded passwords in repositories such as Github, or sensitive information in Amazon S3 buckets.

Or we notice the use of unsecured APIs or exposed databases without proper authentication.

All those exposures and sensitive information are a treasure trove for attackers seeking to find a hole in your network defense. That's why you need External Attack Surface Management.

Also watch this presentation on External Attack Surface Management.

What is External Attack Surface Management?

External Attack Surface Management (EASM) is the process of discovering and mitigating vulnerabilities in systems that are connected to the internet. This includes assets like websites, management interfaces, IoT devices, web applications, payment gateways and cloud services.

You can reduce the risk of cyber attacks by proactively identifying and addressing vulnerabilities in these external-facing systems. This will help to improve your cyber resilience.

What does Attack Surface Management mean for you?

Penetration tests and password updates are not enough to keep your organazation safe from hackers. The game has changed.

That's why you should proactively scan for weaknesses, exposures and vulnerabilities on the perimeter of your organization, and beyond that.

With EASM you can:

  • Reveal hidden cybersecurity exposures  outside of your organization, so you can mitigate them.
  • Know your weaknesses and prioritize actually exploitable vulnerabilities.
  • Raise your cyber resilience.
Secura EASA External Attack Surface Assessment

Four areas of focus in External Attack Service Management

Four areas of focus in Attack Surface Management

As part of an External Attack Surface Assessment (EASA), you should investigate four main areas:

Asset discovery 01

1. Asset Discovery

Discover what assets in your organization are accessible by external parties through the internet. We will assess the risks associated with those assets.

  • IP Ranges
  • Hosts, subdomains
  • Notable Services
  • Login pages/authenticated services

Credentials 01

2. Credentials Scan

Search on the internet and on the dark web what credentials are dumped, traded or for sale for your organization. How were those usernames and passwords obtained? You might have to disable specific endpoints or users.

  • Password dumps
  • Dark web
  • Credential stuffing/password spraying (optional)

Please note we will only execute actual password guessing exercises after explicit permission to do so.


Exposures2 01

3. Exposures Scan

Perform a scan for exposures and data leaks. Examples include:

  • Open S3 buckets on Amazon Web Services.
  • Exposed management interfaces, like login pages for administrators or SSH interfaces.
  • Exposed databases without proper authentication.
  • Unsecured APIs.
  • Hard coded passwords and administrator keys in repositories such as Github.
  • Unsecured IoT devices

Vulnerabilities 01

4. Vulnerabilities Scan

Scan for common vulnerabilities in external infrastructure. Examples include:

  • Missing patches/outdated software
  • Exploitable Common Vulnerabilities and Exposures (CVE’s )
  • Configuration issues

How to get started with Attack Surface Management

By now, you should be aware of the risks of sensitive information on the internet or dark web, exposures and vulnerabilities. And the need to take action proactively.

But how do you get started? The way to do this is by first performing our  External Attack Surface Assessment (EASA).

One time full-scope scan

Secura will do a full-scope scan of the external attack surface of your company’s domains. We will investigate all four areas: assets, credentials, exposures and vulnerabilities. We use a combination of external data sources and manual scans and tests.

The assessment will give you insight into your full external attack surface. This enables you to formulate a risk mitigation strategy and reduce the risk of cyber attacks.

How we support you

Secura has been a cyber security company for over twenty years. We help large and medium sized companies and organizations all over Europe to raise their cyber resilience. Our security experts originate from over 23 countries, since digital attacks, and protection against them, know no boundaries.

Secura is part of the Bureau Veritas Group, a listed company and world leader in testing, inspection and certification services.

External Attack Surface Assessment First Step

Take the first step today

Take the first step today by assessing your external attack surface, and raise your cyber resilience.

Please book a free consultation with one of our experts by filling out the form below. One of our experts will contact you within one business day.

Book your free consultation by filling out the form below.
Thank you for your interest. We will contact you within one business day.

Fact sheets

External Attack Surface Assessment Fact Sheet

Download fact sheet file_download
Secura Contact Shape
Partners of Secura

Cybersecurity is more than technology alone. Secura collaborates with partners in compliance and risk management, integrated application security, privacy, IT- and internet law and certification.