With every security test I have done, there has been at least one attack surface, and these vary in their level of security. An attack surface can be viewed as the number of accessible machines and the applications running on them.
As a result, minimising the attack surface is not the only security measure to implement, but it should not be underestimated as a form of defence in depth. It is important to remember that malicious attackers will take advantage of any attack surface if given the opportunity. The following sections cover the main reasons for minimising the attack surface.
The bigger the attack surface, the bigger the risk
Every application carries risk, which can be rated from low to critical. The more applications that are accessible, the more risk an attacker can take advantage of, and that risk is increased by vulnerabilities you have not identified or patched. For example, I have seen networks with several applications exposed that were up to date and did not contain any high or critical vulnerabilities.
However, some of these had at least one application which, due to misconfiguration, contained vulnerabilities that an attacker could use to gain access to the network or escalate privileges. Although some services are essential, most of them do not need to be publicly available, or available to everyone.
There have been similar issues with the number of accessible machines: in networks of 50+ machines, one or two machines contained high or critical vulnerabilities because of how the network was managed. Penetration testing can help find these vulnerabilities, but every available service always carries some risk, so more services mean more risk.
Small is beautiful
Another reason for having a smaller attack surface is that it is easier to manage the security of two applications than of ten. This includes updates, configuration, and access controls, and it becomes increasingly difficult in larger networks with multiple accessible applications on each machine.
There are tools and policies that help manage and maintain larger networks, but in a working environment with a large number of machines it can be difficult to apply needed updates to all of them in a timely manner. I have seen internal and external networks with at least 50 machines that were not able to deploy new security updates within two weeks. This creates a risk where attackers have a larger window in which to exploit those machines.
One reason for this is that updates are deployed in segments (e.g. five machines at a time), so if there is a problem only a small portion of machines is affected rather than all of them. This has its benefits but means larger networks take considerably longer to update. Therefore, a smaller attack surface decreases the opportunities an attacker has to infiltrate your network.
To recap, we have seen how a larger attack surface makes it easier for attackers to find their way in and gain access to your network. By minimising your attack surface, you decrease the risk of compromise. This can be done by restricting access to machines and applications to only those who require it. It is also important that other aspects of security are in place and used alongside access restrictions in order to minimise risk and protect data.