Thanks to our colleague, Ben Carr, for the idea and the title of this post. I wrote most of what follows in response to a post of his on LinkedIn.
The attack surface of the typical enterprise includes all the users as well as all the other resources.
I think about the desktop where most of the vulnerabilities are in system code, system code that dwarfs the applications.
I think about all the applications that are on that system that are rarely if ever used.
I think about the orphan data and servers.
I think about the excess privileges that permit entire enterprises to be compromised starting with one user who clicks on bait in an e-mail or on a web page that he visits out of curiosity.
So, one way to manage the attack surface is to reduce it.
- Remove unused user IDs. Reverify and reauthorize users at least annually.
- Remove unused or rarely used applications or services.
- Install only what you really need.
- Prefer purpose-built apps to general and flexible facilities (e.g., browsers, spreadsheets, word processors).
- Hide systems, applications, services, and sensitive data behind firewalls and end-to-end application-layer encryption.
- Employ restrictive access control (i.e., least privilege, zero-trust, "white-list") at all layers.
- Scan and patch only what is left (i.e., that which can be seen by potentially hostile people and processes).
- Other.