External attack surface: which company services are exposed to the Internet?

Many businesses protect what they know: servers, users, firewalls, antivirus, backups, internal networks and core applications. However, a significant part of the risk may sit outside that visible inventory.

An old VPN, a forgotten subdomain, a published remote desktop, an administration panel accessible from the Internet or a firewall rule that nobody remembers can become an entry point.

This is what we call the external attack surface: everything a company exposes to the Internet and that could be detected, analysed or attacked from outside.

This is not only a problem for large companies. Any business with remote working, connected sites, external suppliers, cloud services, firewalls, IP PBXs, NAS devices, web applications or remote access has an attack surface that should be reviewed regularly.

What is the external attack surface?

The external attack surface is the set of digital assets belonging to a company that are visible or accessible from the Internet.

It includes all the elements an attacker could discover without being inside the corporate network: public IPs, domains, subdomains, published services, certificates (which are publicly listed in Certificate Transparency logs and frequently reveal hostnames), open ports, VPNs, administration panels, APIs, remote desktops or legacy applications.

Put simply, the external attack surface answers a very specific question:

What can someone see from outside your company?

If the answer is not clear, the business has a visibility problem. And in cybersecurity, you cannot properly protect what you do not know exists.

Why many companies are more exposed than they think

External exposure does not usually appear overnight. It normally builds up over the years as the company grows, changes suppliers, adopts new tools or adapts its infrastructure.

One day, a VPN is opened for remote working. Later, an application is published for employees. Then a subdomain is created for testing. At another point, remote access is enabled for a supplier. Over time, some of these elements remain active even though there is no longer a clear need for them.

Each individual decision may make sense. The problem appears when nobody keeps an overall view.

Some common causes include:

  • “Temporary” published services that are never removed.
  • Inherited firewall rules.
  • Old subdomains that remain active.
  • Supplier remote access with no expiry date.
  • Devices or applications that are no longer maintained.
  • Cloud migrations that leave duplicated services behind.
  • Lack of an up-to-date inventory.
  • Urgent technical changes with no subsequent documentation.
  • No periodic review of exposed ports and services.

These situations do not always come from an obvious bad practice. Very often, they are simply the result of years of activity, incidents, urgent changes and technical decisions that have not been consolidated into a single inventory.

Common examples of services exposed to the Internet

To understand the issue better, it helps to look at specific examples. These are some of the cases that may appear during an external attack surface review.

Old or poorly maintained VPNs

VPNs are still necessary in many companies, especially for remote working, remote support or site-to-site connectivity.

The risk appears when a VPN runs outdated firmware or obsolete protocols, keeps users who should no longer have access, or accepts logins without MFA. The fact that a VPN works does not mean it is properly protected.

A proper review should check active users, access policies, versions, authentication methods, permissions and connection logs.

Published remote desktops

RDP access or remote desktops published directly on the Internet remain one of the most sensitive points.

Even when protected by a password, they are found quickly by Internet-wide scanners and then subjected to continuous automated password guessing. In most cases, this type of access should sit behind a VPN, a remote desktop gateway, a Zero Trust access solution or, at a minimum, multi-factor authentication.

If a company needs remote access, it must have a secure architecture. Simply opening a port and trusting that nobody will find it is not enough.

Firewalls and routers accessible from outside

The firewall is a key defence layer, but it can also become a risk if its administration is exposed.

Management panels accessible from the Internet, unpatched firmware or inherited configurations can make it easier to attack the security infrastructure itself.

A perimeter security strategy for businesses should include filtering rules, control of administrative access, device updates and regular configuration reviews.

NAS devices, cameras, PBXs and auxiliary devices

Not all exposed assets are traditional servers.

Many companies have auxiliary devices connected to the Internet: NAS devices, IP cameras, recorders, telephone systems, advanced printers, control systems or network devices.

These devices are often left out of the main inventory, but they may contain data, credentials or internal access. In addition, some of them do not receive updates as frequently as a corporate server.

If they remain published for years, they can become a weak point that is hard to detect until it is too late.

Old web applications or supplier-managed platforms

It is also common to find custom web applications, customer portals, internal tools or platforms maintained by external suppliers.

The risk appears when these applications remain published even though they are no longer actively used, are not updated or depend on old technologies.

In some cases, the supplier published an access point for support or testing and that access remained open long after the project had ended.

Forgotten subdomains

Subdomains are another common exposure point.

Addresses such as test.company.com, vpn.company.com, demo.company.com, app.company.com or support.company.com may still exist even though the original project has ended.

A forgotten subdomain can reveal information, point to old services or, when its DNS record still points at a cloud or SaaS resource that has since been released, be claimed by a third party (a subdomain takeover).
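The two cases above can be checked mechanically from a DNS zone export. The following is an added example, not code from the original article: it parses a simplified BIND-style zone, flags CNAMEs whose target no longer resolves (the takeover-prone case) and A records pointing at addresses outside the company's own public ranges. The zone, the provider hostnames and the resolver answers are all constructed; in real use, replace `constructed_resolve` with a lookup via dnspython or `dig`.

```python
"""Forgotten-subdomain check over a DNS zone export (added example)."""
import ipaddress

# Constructed zone for example.com; one record per line, explicit owner names.
ZONE = """\
$ORIGIN example.com.
$TTL 300
www        IN A     203.0.113.11
vpn        IN A     203.0.113.10
test       IN A     192.0.2.77                       ; old hosting provider, contract ended
demo       IN CNAME demo-2019.apps.cloudhost.example.net.
support    IN CNAME helpdesk.saas-vendor.example.net.
app        IN CNAME www.example.com.
"""

# Constructed: the public ranges the company actually controls.
OWNED_RANGES = ["203.0.113.0/24"]

# Constructed resolver answers; None stands for NXDOMAIN (no such name).
FAKE_DNS = {
    "www.example.com": ["203.0.113.11"],
    "helpdesk.saas-vendor.example.net": ["198.51.100.20"],
    "demo-2019.apps.cloudhost.example.net": None,  # cloud resource deleted years ago
}


def constructed_resolve(name):
    """Stand-in for a real DNS lookup; returns a list of IPs or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def parse_zone(text):
    """Return (fqdn, type, rdata) tuples from a simple BIND-style zone file.

    Handles $ORIGIN, ';' comments and optional TTL/class fields. Multi-line
    records and blank owner names (continuation lines) are not supported.
    """
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".")
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives are not needed here
        name, rest = tokens[0], tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # skip optional TTL and class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn, rtype, rdata))
    return records


def find_dangling(records, resolve, owned_ranges):
    """Flag CNAMEs with unresolvable targets and A records outside owned ranges."""
    nets = [ipaddress.ip_network(r) for r in owned_ranges]
    findings = []
    for fqdn, rtype, rdata in records:
        if rtype == "CNAME":
            target = rdata.rstrip(".")
            if resolve(target) is None:
                findings.append((fqdn, "dangling CNAME",
                                 f"{target} does not resolve; takeover candidate if the provider reuses names"))
        elif rtype == "A":
            ip = ipaddress.ip_address(rdata)
            if not any(ip in net for net in nets):
                findings.append((fqdn, "foreign address",
                                 f"{ip} is outside the company's public ranges"))
    return findings


if __name__ == "__main__":
    for fqdn, kind, detail in find_dangling(parse_zone(ZONE), constructed_resolve, OWNED_RANGES):
        print(f"{fqdn}: {kind} ({detail})")
```

On the constructed zone this reports test.example.com (address no longer owned) and demo.example.com (CNAME to a deleted cloud hostname); support and app resolve and are left alone. A record that resolves is not automatically safe, it simply passes this particular check.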

What risks does an unmanaged external attack surface create?

Having services visible on the Internet is not necessarily bad. Many companies need to publish services in order to operate normally.

The problem is not exposure itself, but unmanaged exposure.

When a company does not know exactly what it has published, the likelihood of vulnerabilities, unnecessary access or insecure configurations increases.

Exploitation of known vulnerabilities

Attackers do not always need sophisticated techniques. Many intrusions begin by exploiting known vulnerabilities in published services.

If a firewall, VPN, web server or application is outdated, it can be detected and attacked automatically.

That is why combining inventory, maintenance and continuous updates is so important.

Credential theft

Exposed services are usually protected by credentials. If there is no MFA, no lockout or rate limiting of failed logins, no password policy and no periodic review of accounts, the risk increases.

A valid login can be more dangerous than a technical vulnerability, because it allows the attacker to enter using an apparently legitimate account.

Ransomware

Many ransomware attacks begin with insecure remote access, compromised credentials or exposed services.

Once inside, the attacker tries to move laterally, escalate privileges and affect servers, backups or critical data.

Reducing the external attack surface does not eliminate all risk, but it does reduce many opportunities for entry.

Information leakage

A misconfigured service may expose usernames, software versions, internal paths, documents, administration panels or information that is useful for preparing an attack.

Even when there is no direct access to critical data, information visible from outside can support later stages of an attack.

Disruption of critical services

A business may also suffer operational impact even if no data is stolen.

An exposed service can be taken offline by a denial-of-service attack, broken by exploitation or tampered with by an attacker. If that service supports customers, employees, production or communications, the impact is immediate.

How to review which company services are exposed

An external attack surface review should be structured. It is not just about running a tool and generating a list of ports.

The important part is understanding what exists, what purpose it serves, who manages it and what risk it represents for the business.

1. Identify domains, subdomains and public IPs

The first step is to build a map of external presence.

This includes main domains, subdomains, IP ranges, cloud services, sites, suppliers, remote connections and any asset associated with the company.

In many organisations, this phase already discovers elements that nobody had inventoried.

2. Detect open ports and services

The next step is to review which services respond from the Internet.

Not all open ports are insecure, but every open port must have a justification. An open port with no owner, no documentation or no clear business need should be reviewed.

This is where an ICT systems audit can provide an objective view of the real environment, beyond what appears in internal documentation.

3. Review versions, configurations and certificates

Once the services have been identified, their status should be analysed.

This includes software versions, TLS configuration, digital certificates, authentication methods, exposed administration panels and possible obsolete technologies.

An expired certificate may seem like a minor issue, but it causes outages for browsers and API clients that refuse the connection, and it teaches users to click through certificate warnings, which undermines the protection TLS is supposed to provide.

4. Validate remote access and active users

Remote access requires a specific review.

It is important to check who can access, from where, with what permissions, whether MFA is enabled, whether old accounts exist and whether external suppliers still have access that is no longer needed.

This point is especially important for companies with external support, distributed sites, mobile staff or tools published for third parties.

5. Prioritise risks

Not all findings have the same level of criticality.

An administration panel exposed without MFA is not the same as a properly maintained corporate website. A forgotten test service does not carry the same risk as a critical application that is monitored and updated.

The key is to prioritise according to impact, exposure, asset criticality and ease of exploitation.

6. Fix, close or protect

Once risks have been prioritised, action is required.

Common measures include:

  • Closing unnecessary services.
  • Restricting access by IP.
  • Enabling MFA.
  • Updating firmware and software.
  • Removing obsolete firewall rules.
  • Retiring old subdomains.
  • Protecting administration panels.
  • Migrating insecure access to more robust solutions.
  • Documenting owners and the purpose of each service.

Reducing the external attack surface is not about switching off services without criteria. It is about keeping only necessary services published and protecting them properly.

7. Monitor changes

The external attack surface is not static.

Every new site, application, supplier, cloud migration, firewall rule or temporary project can modify it. That is why the review should not be carried out once and then forgotten.

A 24×7 IT maintenance service helps detect incidents, changes and anomalous behaviour before they become a bigger problem.
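Steps 2 to 7 above can be tied together in a small triage script. The following is an added example, not code from the original article or from Inmove IT: it parses scan results in nmap's grepable (`-oG`) format, joins each open port with a hand-kept inventory of owners and purposes (step 6), ranks every exposure (step 5) and diffs the result against the previous scan (step 7). The scan output, the hostnames, the IPs (RFC 5737 documentation ranges) and the inventory are all constructed; the ranking rules are one reasonable policy, not a standard.

```python
"""Triage of an external port scan against a service inventory (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oG scan.gnmap 203.0.113.0/28` output.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 203.0.113.0/28\n"
    "Host: 203.0.113.10 (vpn.example.com)\tPorts: 443/open/tcp//ssl|https//SSL VPN portal/, "
    "10443/open/tcp//ssl|https///\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.11 (www.example.com)\tPorts: 80/open/tcp//http//nginx/, "
    "443/open/tcp//ssl|https//nginx/\tIgnored State: filtered (998)\n"
    "Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "445/open/tcp//microsoft-ds///, 8443/open/tcp//ssl|http//NAS web management/"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done\n"
)

# Constructed inventory: who owns each published service and why it exists.
INVENTORY = {
    ("203.0.113.10", 443): {"owner": "network team", "purpose": "remote-access VPN",
                            "remote_access": True, "mfa": False},
    ("203.0.113.11", 80): {"owner": "web agency", "purpose": "redirect to HTTPS"},
    ("203.0.113.11", 443): {"owner": "web agency", "purpose": "corporate website"},
    ("203.0.113.12", 8443): {"owner": "site B", "purpose": "branch office file share"},
}

LEVELS = ["low", "medium", "high", "critical"]
# Services that should sit behind a VPN or gateway, never directly on the Internet.
NEVER_EXPOSE_NAMES = {"ms-wbt-server", "microsoft-ds", "netbios-ssn", "telnet", "vnc",
                      "ms-sql-s", "mysql", "postgresql", "redis", "mongodb"}
NEVER_EXPOSE_PORTS = {3389, 445, 139, 23, 5900, 1433, 3306, 5432, 6379, 27017}
WEB_NAMES = {"http", "https", "http-alt", "http-proxy"}

# -oG line: "Host: <ip> (<hostname>)<TAB>Ports: <entries><TAB>Ignored State: ..."
PORTS_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


@dataclass(frozen=True)
class Service:
    ip: str
    hostname: str
    port: int
    name: str     # nmap service name, e.g. "ssl|https" or "ms-wbt-server"
    product: str  # nmap version string, often empty


@dataclass
class Finding:
    service: Service
    severity: str
    reasons: list


def parse_gnmap(text):
    """Step 2: return the open services listed in nmap -oG output."""
    services = []
    for line in text.splitlines():
        match = PORTS_LINE.match(line)
        if not match:
            continue
        ip, hostname, ports = match.groups()
        for entry in ports.split(", "):
            # Each entry: port/state/protocol/owner/service/rpc info/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            services.append(Service(ip, hostname, int(fields[0]), fields[4], fields[6]))
    return services


def base_name(svc):
    return svc.name.split("|")[-1]  # "ssl|https" -> "https"


def looks_like_admin_panel(svc):
    """Step 3: web service on a non-standard port, or banner mentioning management."""
    is_web = base_name(svc) in WEB_NAMES
    return is_web and (svc.port not in (80, 443)
                       or re.search(r"admin|manage", svc.product, re.I) is not None)


def escalate(level):
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def assess(services, inventory):
    """Step 5: rank each exposure by what it is and whether anyone owns it."""
    findings = []
    for svc in services:
        record = inventory.get((svc.ip, svc.port))
        severity, reasons = "low", []
        if base_name(svc) in NEVER_EXPOSE_NAMES or svc.port in NEVER_EXPOSE_PORTS:
            severity = "critical"
            reasons.append(f"{svc.name} should not be reachable from the Internet")
        elif record and record.get("remote_access") and not record.get("mfa"):
            severity = "high"
            reasons.append("remote access published without MFA")
        elif looks_like_admin_panel(svc):
            severity = "high"
            reasons.append("looks like an administration interface")
        if record is None:  # undocumented exposure: one level worse, whatever it is
            severity = escalate(severity)
            reasons.append("no owner or business justification in the inventory")
        findings.append(Finding(svc, severity, reasons))
    findings.sort(key=lambda f: (-LEVELS.index(f.severity), f.service.ip, f.service.port))
    return findings


def new_exposures(previous, current):
    """Step 7: services open now that were not open in the last scan."""
    before = {(s.ip, s.port) for s in previous}
    return sorted((s for s in current if (s.ip, s.port) not in before),
                  key=lambda s: (s.ip, s.port))


def report(findings):
    lines = []
    for f in findings:
        s = f.service
        lines.append(f"[{f.severity.upper():8}] {s.hostname or s.ip}:{s.port} {s.name} {s.product}".rstrip()
                     + (" -> " + "; ".join(f.reasons) if f.reasons else ""))
    return lines


if __name__ == "__main__":
    current = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(report(assess(current, INVENTORY))))
    baseline = [s for s in current if s.port != 8443]  # pretend 8443 was not there last time
    for s in new_exposures(baseline, current):
        print(f"new since last review: {s.ip}:{s.port} ({s.name})")
```

On the constructed data the unnamed host 203.0.113.12 comes out on top: RDP and SMB open with no owner, plus a NAS management interface that is documented but still should not face the Internet. The VPN itself is ranked high for lacking MFA, and its undocumented second web port on 10443 is escalated to critical because nobody can say what it is for. The corporate website on 80/443 stays low. The same rules applied to the real scan output and the real inventory give a first cut at steps 5 and 6; the baseline diff is what turns a one-off review into monitoring.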

The relationship between attack surface, IT inventory and compliance

The external attack surface is directly linked to the IT inventory.

If a company does not know which assets it has, it will struggle to protect them. And if it does not know which assets are exposed to the Internet, it cannot properly assess its risk.

This point is also linked to cybersecurity regulations and frameworks. The NIS2 Directive and technical guidance published by ENISA reinforce the importance of managing risks, protecting assets, applying appropriate technical measures and improving organisational resilience.

Not all companies have the same regulatory obligations, but all can benefit from a basic principle: knowing, classifying and protecting critical technology assets.

As an external reference, the National Cyber Security Centre defines External Attack Surface Management as the process of identifying, monitoring and reducing vulnerabilities in assets accessible from the Internet. You can consult its official guide on External Attack Surface Management.

For companies that need to strengthen technical governance, a combination of inventory, external review, access policies and business cybersecurity helps reduce risk progressively and in a controlled way.

The role of firewall, DNS, VPN and cloud

The external attack surface does not depend on a single tool. It is the result of many layers working together.

The firewall controls what comes in and what goes out. DNS defines how services are located. The VPN enables remote access. Certificates provide trust. Monitoring detects downtime or anomalous behaviour. The inventory shows what exists. And security policies define what is allowed and what is not.

When these pieces are not coordinated, grey areas appear.

For example, a firewall rule may remain active even though the service is no longer used. A subdomain may point to an old application. A VPN may keep users who no longer work for the company. A supplier may retain remote access with no expiry date.

This also happens in cloud environments. When services are migrated to the cloud, published resources, open rules, duplicated applications or temporary configurations may remain. That is why any cloud computing project for businesses should include security, inventory and continuous review criteria.

How Inmove IT can help reduce external exposure

At Inmove IT, we help companies review, organise and protect their technology infrastructure with a practical approach.

Reducing the external attack surface is not simply about closing ports. It requires understanding how the company works, which services it needs, which access points are essential and which risks should be prioritised.

From our systems, communications, maintenance and cybersecurity areas, we can help with tasks such as:

  • Reviewing services published on the Internet.
  • Analysing firewall rules.
  • Reviewing VPN access and external users.
  • Identifying exposed assets.
  • Validating critical configurations.
  • Reviewing firmware and versions.
  • Monitoring infrastructure.
  • Documenting services and owners.
  • Planning security improvements.

The goal is not to block operations, but to reduce risk without slowing down day-to-day work.

A company may need remote access, published applications or cloud services. The important point is that they are properly protected, updated, documented and monitored.

The external attack surface is one of the most important and, at the same time, most overlooked areas of business cybersecurity.

Many companies believe their exposure is under control because they have a firewall, antivirus or backups. But if there are published services that nobody reviews, old access points, forgotten subdomains or outdated applications, the risk remains.

The key question is not only whether your company is protected.

The question is: do you know exactly what an attacker can see when looking at your company from the Internet?

If you do not have a clear answer, it is a good time to review your external attack surface and make it part of your security strategy.

At Inmove IT, we can help you identify exposed services, review configurations and define an improvement plan adapted to your company’s reality. Discover our perimeter security solutions for businesses, ICT systems audits and business cybersecurity services to reduce risks before they become incidents.

Frequently asked questions about the external attack surface

Below we answer some common questions about the external attack surface and its importance in business security.

What is a company’s external attack surface?

It is the set of services, systems, domains, IPs, applications and access points that a company has visible or accessible from the Internet. It includes websites, VPNs, firewalls, remote desktops, cloud applications, subdomains, APIs and other published services.

Why is it important to review Internet-exposed services?

Because any service visible from the Internet can be analysed by attackers. If it is outdated, misconfigured or protected with weak credentials, it can become an entry point into the corporate network.

How often should the external attack surface be reviewed?

It depends on the size and activity of the company, but it should be reviewed regularly and whenever there are relevant changes: new sites, cloud migrations, firewall changes, application publishing, supplier onboarding or new remote access deployments.

What is the difference between an external audit and an internal security review?

An internal review analyses the infrastructure from inside the corporate network. An external review analyses what can be seen from the Internet. Both are complementary, but the external review helps understand the perspective of a potential attacker.

Is it dangerous to have a VPN published on the Internet?

Not necessarily. Many companies need VPNs for remote working, support or site-to-site connectivity. The risk appears when the VPN is not updated, does not have MFA, keeps old users or uses insecure configurations.

Which services should be avoided when directly exposed to the Internet?

In general, it is advisable to avoid direct exposure of remote desktops, administration panels, old services, NAS devices, unmaintained applications and any system without adequate security controls. When publishing a service is necessary, it should be done with additional protection measures.
