Attack vector is hardware, attack surface is software

Attack surface includes all potential entry points; vector is the specific method used

Attack vector includes employees, attack surface includes only systems

They are interchangeable terms

Modifying system configurations

Encrypting files with ransomware

Monitoring data traffic without altering it

Deleting user data

Brute-force attack

Zero-day exploit

Social engineering

Denial-of-service

Port scanning

Baiting

Packet sniffing

Firewall bypassing

Smishing

Whaling

Vishing

Clone phishing

They are always trusted

Only administrators are verified

No one is trusted by default

Internal systems are secure by default

Crack passwords by trying many combinations

Infect systems with malware

Intercept unencrypted emails

Monitor employee communication