Avoiding malicious hackers: How to reduce your personal attack surface

September 02, 2022 / Alex Linton / Privacy, Security

Last week, one of my favourite services—Plex—was hacked. I'm sure that I am not alone here, either — the recent Twilio hack compromised more than 130 organisations (and who knows how many people). 

It got me thinking: Am I doing enough to protect myself from hacks? 

There's one reliable way to work that out: map your attack surface. 

What is attack surface?

Attack surface is the sum of all possible ways someone could breach, expose, or access your data.

Usually we think about attack surface in terms of entire organisations, companies, or network operators — not individuals. But as we all spend more and more time online, defining and managing your attack surface is an increasingly important life admin task.

By reducing your attack surface, you can reduce the likelihood you are impacted by a data breach or hack and make it more difficult for a cyber attacker to target you. 

Calculating your attack surface

You need to approximate what your attack surface is before you can reduce it! There are two main categories to consider: physical and digital. 

Physical attack surface

While the digital world might seem like the most relevant part for determining your attack surface, it's important to consider the physical aspect too. 

The most important part of determining your physical attack surface is your devices: 

  • How many devices do you actually have? (more devices could mean more likelihood one is lost, stolen, or breached)

  • Where are they stored? (in your home, office, are they mobile and move around?)

  • Who has access to them? (just you, co-workers, friends and family)

  • Are they secured? (full-disk encryption turned on, a screen lock or login password set, so a lost device is an inconvenience rather than a data leak)

When people think 'devices', they usually think laptops and phones — but make sure to consider IoT (Internet of Things) devices as well, like smart TVs and smart cameras.

Because of cloud storage and saved logins, a single compromised device usually exposes far more than what is stored on it: every account it is signed in to and everything it syncs. This also makes it really important to be careful when disposing of a device. Got a new phone? Great — just make sure to sign out of your accounts and factory-reset the old one before it leaves your hands. 

It's also important to consider other information which may be stored physically, including things like passwords written in notebooks.

Digital attack surface

Because of the nature of the internet and cloud services, figuring out what your digital attack surface looks like is a lot more complex. 

It's worth thinking about things like: 

  • What software or applications do you use?

  • What services do you use?

  • What websites do you access?

This can be really difficult, because it's hard to know where information is really being stored, or whether a service you're using relies on third-party services you're not aware of. For example, most Signal users probably wouldn't have considered that a breach at Twilio (which Signal used to send SMS verification codes) could put their account registration at risk.

How to reduce attack surface

If you're thinking about how to prevent hacks from impacting you, reducing your attack surface could help.

1. Reduce the need for trust

Trust is a beautiful thing. It makes the world go round. But you don't want to give away your trust too freely. When you use centralised services, you place a lot of trust in one provider not to mess up (or just...sell out) and expose your sensitive information. 

By using decentralised (or 'trustless') services, you don't need to place all your faith in one company, service, or (in some cases) person. 

2. Reduce the burden on yourself

Do yourself a favour — make life easy for yourself. Cut out toxic companies that don't respect your privacy, whether by making you opt in to bare-minimum protections like encryption or by just flat-out selling your data. 

Instead, try shifting towards platforms that have privacy-by-default policies. 

3. Eliminate unnecessary vulnerabilities

A lot of us have left platforms like Facebook behind, but is Meta still storing your data? Just because you're not using a service doesn't mean your data isn't being stored. 

If you're ditching a service or taking a break, consider getting in touch with them to request they delete your personal data. The last thing you'd want is to get pwn'd by a data leak years later. 

4. Add barriers

If you are targeted by an attack, access barriers can stop the attackers in their tracks. 

For example, using a password manager to give every online account its own random password means one leaked password can't be replayed against your other accounts. 2FA and end-to-end encryption also limit what an attacker gets out of a breach: a stolen password alone won't log them in, and a breach of the service's servers exposes only ciphertext, not your messages. 
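As an added example (not part of the original article, and not Session's code), here is the reasoning behind this advice in working Python: a unique random password per account, and a check against a breached-password list using the k-anonymity "range" scheme popularised by Have I Been Pwned's Pwned Passwords service, where the client reveals only the first 5 hex characters of the password's SHA-1 and matches the remaining 35 locally. The breach corpus, its counts and the account list are constructed for the demo, and the "server" is a local stand-in for the real API, so nothing here touches the network.

```python
"""Added example (not from the original article): unique passwords plus an offline
demonstration of the k-anonymity "range" check popularised by Have I Been Pwned's
Pwned Passwords service. The breached-password corpus and counts below are
constructed for the demo, and the "server" is a local stand-in: nothing here
touches the network."""
import hashlib
import secrets
import string

# Constructed stand-in for a breached-password database: password -> times seen.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 1200,
    "123456": 4500,
    "qwerty": 900,
    "letmein": 150,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (what the range API keys on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: index every breached hash by its first 5 hex characters."""
    index: dict = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix: str) -> str:
    """Server side: return 'SUFFIX:COUNT' lines for every hash sharing the prefix.

    The server only ever sees 5 hex characters, so it cannot tell which of the
    (in the real service, hundreds of) candidate hashes the client is checking.
    """
    if len(prefix) != 5 or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    rows = sorted(RANGE_INDEX.get(prefix.upper(), []))
    return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def pwned_count(password: str, lookup=range_lookup) -> int:
    """Client side: send only the prefix, match the 35-char suffix locally.

    Returns how many times the password appears in the corpus (0 = never seen).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """A random password from the OS CSPRNG, the kind a password manager stores."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_accounts(accounts: dict) -> dict:
    """Flag, per account, a known-breached password and any reuse across accounts.

    Reuse is what turns one site's leak into a compromise of everything else.
    """
    sites_by_password: dict = {}
    for site, password in accounts.items():
        sites_by_password.setdefault(password, []).append(site)
    return {
        site: {
            "breached": pwned_count(password) > 0,
            "reused_with": [s for s in sites_by_password[password] if s != site],
        }
        for site, password in accounts.items()
    }


if __name__ == "__main__":
    # Constructed account list: two accounts share a weak password, one is unique.
    accounts = {"email": "password", "bank": "password", "forum": generate_password()}
    for site, result in audit_accounts(accounts).items():
        print(f"{site:6} breached={result['breached']} reused_with={result['reused_with']}")
```

The point of splitting the hash is that the lookup service learns nothing it could use to recover your password: one 5-character prefix covers a large bucket of unrelated hashes, and the comparison that actually identifies your password happens on your own machine.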

5. Stay up-to-date

When I say 'up-to-date', there are a few layers to it. Stay up to date with: 

  • New versions of software that you use

  • New technology or methods to preserve your privacy and security

  • News about leaks or hacks that might affect you (or help you better prepare in case you are targeted)

Staying up-to-date might be the most important takeaway from this entire article. At its heart, security is a cat-and-mouse game — and it's important to keep in mind that the space is changing all of the time. 

Did this help?

Attack surface is a deep, complex topic, but we all have to start somewhere. Because so much of our lives now happens online, it's important to think about how to keep our security and privacy intact, especially for people who do a lot of sensitive work online, like journalists and activists.

Let us know on socials if this article helped!
