Monday, September 1, 2025

Attack Surface Managment

 Thanks to our colleague, Ben Carr, for the idea and the title of this post.  I wrote most of what follows in response to a post of his on LinkedIn

The attack surface of the typical enterprise includes all the users as well as all the other resources.

I think about the desktop where most of the vulnerabilities are in system code, system code that dwarfs the applications.

I think about all the applications that are on that system that are rarely if ever used.  

I think about the orphan data and servers.

I think about the excess privileges that permit entire enterprises to be compromised starting with one user who clicks on bait in an e-mail or on a web page that he visits out of curiosity.  


So, one way to manage the attack surface is to reduce it.

  • Remove unused user IDs.  Reverify and reauthorize users at least annually.  
  • Remove unused or rarely used applications or services.
  • Install only what you really need.
  • Prefer purpose-built apps to general and flexible facilities (e.g., browsers, spread-sheets, word processors).
  • Hide systems, applications, services, and sensitive data behind firewalls and end-to-end application-layer encryption.
  • Employee restrictive access control (i.e., least privilege, zero-trust, "white-list") at all layers
  • Scan and patch only what is left (i.e., that which can be seen by potentially hostile people and  processes).
  • Other.