Adapting the “Reduce Attack Surface” approach

Senior System Engineer at SysteCom S.A

Remember the application you had to install at some point as a prerequisite for a deployment? You probably do not.

The chances are that this piece of software is still sitting on a server somewhere inside your infrastructure, most probably doing nothing.

Why bother, one might say? Well, it might not bother you, since the need for its presence is now gone, but it surely interests a particular audience: the malicious actors!

An excellent example of a seemingly harmless application that, once exploited, could put hundreds of thousands of organisations at risk is the 19 (now 20) year old code execution vulnerability found in WinRAR in early 2019 by the Check Point Research team (CVE-2018-20250).

Until that point, not many could have imagined that a piece of software that sits on millions of devices as we speak can be the starting point of what could turn into a cybersecurity attack.

Again, one could state that since organisations throughout the world have to deal with numerous applications installed in their infrastructure, while not always having the right tools in place for that purpose, it seems nearly impossible to deal with all the attack vectors in a proactive manner.

Well, is that the truth?

The answer is that it purely depends on the approach one has on the matter.

The approach we discuss today is the “Reducing the Attack Surface” approach, which is being adopted by more and more organisations on a global scale. It is an approach whose main assertion is that you can’t break into something that isn’t there!

Let’s go back to our WinRAR example. What is the actual reason for keeping an unpatched, often trial-version piece of software, which you most likely use only to extract compressed files and folders, when Windows Server has had this ability built in for nearly a decade now?

I must admit I do not see any reasoning for this, and chances are you don’t see any as well!

So how and why does an unnecessary piece of software (given that its only use in our example is extraction) end up installed and gradually forgotten, to the point that it stays there until the system is permanently decommissioned?

Simply because, at some point, the need for it arose; someone from the IT department used it to get the job done, completed the task, and left the software there!

The theory behind the “Reducing the Attack Surface” approach is the opposite of the traditional cybersecurity theory, where we add more and more security layers. In this approach, the goal is to reduce the surface of potential attacks by leaving only the necessary components in our production systems.
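Finding those leftover components is the first step. The following is an added example, not code from the article: a PowerShell inventory for a Windows Server that lists the applications registered under the Uninstall registry keys and reports anything not matching an approved list, so a forgotten WinRAR install surfaces for review and removal. The approved patterns are constructed placeholders and should be replaced with your own.

```powershell
# Added example (not from the article): list installed software from the Windows
# Uninstall registry keys and flag anything not on an approved list.
# The approved patterns are constructed placeholders; replace them with your own.

$Approved = @(
    'Microsoft Visual C++*',
    'Microsoft .NET*',
    'Windows Admin Center*'
)

# Both native and 32-bit-on-64-bit registrations are checked.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect name, version and install date for every registered application.
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString

# Anything whose name matches no approved pattern is a candidate for removal.
$Candidates = $Installed | Where-Object {
    $name = $_.DisplayName
    -not ($Approved | Where-Object { $name -like $_ })
}

# Oldest install first, so long-forgotten software stands out at the top.
$Candidates |
    Sort-Object InstallDate |
    Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize

# The decision the review should drive for the article's example: a WinRAR left
# behind after a one-off extraction task adds nothing that the OS does not already
# cover for .zip archives via Expand-Archive or Explorer.
if ($Candidates | Where-Object { $_.DisplayName -like 'WinRAR*' }) {
    Write-Warning 'WinRAR is installed; built-in Expand-Archive covers .zip extraction without a third-party component.'
}
```

Run it on a schedule and compare the candidate list against the previous run; a new entry that nobody asked for is exactly the leftover this article describes.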

Is there a better combination than adding sophisticated security layers where needed while, at the same time, reducing the exposure of your systems?

I hope you found this article informative and that you had success in adapting it to your real-world experiences from the field.

Thanks for reading!