How to adopt the “Reduce Attack Surface” approach

Senior System Engineer at SysteCom S.A

In this post, we discuss how to better safeguard our infrastructure by following the “Reduce Attack Surface” approach.

This model is increasingly being adopted by organisations worldwide. Its main assertion is simple: you cannot break into something that does not exist!

The scenario

Do you remember the application you had to install at some point as a prerequisite for a deployment?

Probably not.

The chances are that this piece of software is still sitting on a server somewhere inside your infrastructure, most probably without any real value.

The problem

Still, why bother? Although it seems harmless, it certainly interests one particular audience: malicious actors!

An excellent example of such an application, which once exploited could put hundreds of thousands of organisations at risk, is the 19-year-old (now 20-year-old) code execution vulnerability found in WinRAR (CVE-2018-20250). The bug is not in WinRAR’s own code but in UNACEV2.dll, the third-party library it bundled to unpack ACE archives: a crafted archive can make the extractor write a file to an attacker-chosen path, such as the Windows Startup folder, where it runs at the next login.

At the dawn of 2019, the Check Point Research Team identified and disclosed the vulnerability publicly.

Until then, few had imagined that a piece of software sitting on millions of devices could be the entry point of a cyber attack with the potential to turn into a breach.

Undoubtedly, keeping track of the numerous applications installed across their infrastructure is a serious challenge for today’s organisations, and many of them do not have the right tools in place.

Given the above, it seems nearly impossible to deal with the majority of attack vectors proactively.

But is that really the case?

The Approach

Here is your answer:

It depends entirely on the approach.

Let’s go back to our WinRAR example: what is the reason for having an unpatched, and most of the time trial-version, copy of the software sitting on your server?

Considering that Windows Server can extract .zip files natively (in Explorer, and with Expand-Archive in PowerShell), do you really need it?

Even if the requirement is to extract a .rar archive, the way to go is to install the software, do the job, and remove it as soon as you are finished.

So how does such software end up installed and gradually forgotten on a system?

Simply because at some point someone installed it to get a job done and forgot to remove it afterwards!

The theory behind the approach is the opposite of the traditional cybersecurity theory, where we keep adding more and more security layers.

In this one, the goal is to reduce the surface exposed to potential attacks by leaving only the necessary components on our production systems.
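The checks described above (find the forgotten WinRAR-style tools, and use the built-in archiver instead) can be scripted. The following PowerShell is an added example and not code from the original post: it inventories the software installed on a Windows Server from the Uninstall registry hives, flags everything that does not match an approved baseline, and warns about WinRAR installs that still carry the vulnerable ACE unpacker. The `$Approved` patterns and the `C:\Deploy\...` paths are illustrative assumptions to replace with your own.

```powershell
# Added example (not from the original post): inventory the software installed
# on a Windows Server and flag anything that is not on an approved baseline, so
# forgotten helper tools, like the WinRAR copy discussed above, get reviewed
# and removed. The $Approved patterns are illustrative assumptions; replace
# them with your own baseline.

$Approved = @(
    'Microsoft Visual C++*',
    'Microsoft Edge*',
    'Windows Admin Center*'
)

# Read both the 64-bit and the 32-bit (WOW6432Node) Uninstall hives; a 32-bit
# installer such as WinRAR x86 only appears under the latter.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, UninstallString

# Anything that matches no approved pattern is a candidate for removal.
$Unapproved = $Installed | Where-Object {
    $name = $_.DisplayName
    -not ($Approved | Where-Object { $name -like $_ })
}

# Oldest installs first: those are the ones most likely to have been forgotten.
$Unapproved | Sort-Object InstallDate |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

# The WinRAR bug the post refers to (CVE-2018-20250) lives in the bundled ACE
# unpacker UNACEV2.dll; warn about any install that still ships it.
$Unapproved |
    Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.InstallLocation } |
    ForEach-Object {
        $dll = Join-Path $_.InstallLocation 'UNACEV2.dll'
        if (Test-Path $dll) {
            Write-Warning "$($_.DisplayName) $($_.DisplayVersion) still ships $dll; update or remove it"
        }
    }

# Built-in alternative for .zip archives (Windows Server 2016+ / PowerShell 5.0+),
# so no third-party archiver needs to stay installed. Paths are examples.
Expand-Archive -Path 'C:\Deploy\package.zip' -DestinationPath 'C:\Deploy\package' -Force
```

Run it from an elevated PowerShell session on each server (or through Invoke-Command across a fleet) and review the unapproved list rather than uninstalling blindly; once an entry is confirmed unnecessary, its UninstallString is the command to remove it.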

Is there a better combination than adding sophisticated security layers as needed while at the same time reducing the exposure of your systems?

Please feel free to get into the discussion and share your thoughts.

Thank you for reading!