1. National Institute of Standards and Technology (NIST), Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control CM-7 (Least Functionality), page 138. The control states: "The organization: a. Configures the system to provide only essential capabilities; and b. Prohibits or restricts the use of... functions, ports, protocols, and/or services..." This directly describes the core activity of attack surface reduction.
2. National Institute of Standards and Technology (NIST), Special Publication 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. Section 3.3.3.2 (Attack Surface Reduction), page 68. This section defines the principle: "Attack surface reduction is a means of reducing risk by giving attackers less opportunity to exploit a potential weakness or vulnerability. This can be achieved by running only essential services, removing unnecessary software, disabling unnecessary user accounts, and eliminating unused or unnecessary system capabilities or functions."
3. Purdue University, Center for Education and Research in Information Assurance and Security (CERIAS), Introduction to Systems and Network Security. This courseware emphasizes attack surface minimization as a primary defense strategy. It defines the attack surface as the "set of ways in which an adversary can enter a system and potentially cause damage," and its reduction as the first step in hardening a system by removing all but the necessary services. (Reference to general principles taught in foundational cybersecurity courses at institutions like Purdue.)
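The least-functionality check that all three references describe (only essential services listening, only necessary accounts able to log in), as an added example that is not taken from any of the cited documents: it parses a constructed host inventory and reports everything outside an assumed baseline. The socket lines (in `ss -Hltnp` format), the `/etc/passwd` lines and the allowlists are assumptions for a hypothetical web server, not values from NIST or Purdue material.

```python
# Audit a host inventory against a CM-7 (least functionality) baseline.
# Constructed example: socket lines mimic `ss -Hltnp` output, account lines
# mimic /etc/passwd; the allowlists are assumed for an illustrative web host.
import re

# Constructed sample of `ss -Hltnp` output (one listening TCP socket per line).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1410,fd=4))
LISTEN 0 50 127.0.0.1:3306 127.0.0.1:* users:(("mysqld",pid=990,fd=20))
"""
# Constructed sample of /etc/passwd lines.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
"""
# Assumed baseline: the only listeners and login accounts this host should have.
ALLOWED_LISTENERS = {("tcp", 22, "sshd"), ("tcp", 443, "nginx")}
ALLOWED_LOGIN_ACCOUNTS = {"root", "deploy"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return (proto, port, process) tuples from ss -Hltnp style lines."""
    matches = (SS_RE.match(line) for line in text.splitlines())
    return [("tcp", int(m.group(1)), m.group(2)) for m in matches if m]

def parse_login_accounts(text):
    """Return account names whose login shell permits interactive login."""
    rows = [line.split(":") for line in text.splitlines()]
    return [r[0] for r in rows if len(r) == 7 and r[6] not in NOLOGIN_SHELLS]

def audit(ss_text, passwd_text):
    """List every listener and login account the baseline does not cover."""
    findings = []
    for proto, port, proc in parse_listeners(ss_text):
        if (proto, port, proc) not in ALLOWED_LISTENERS:
            findings.append(f"unexpected listener {proto}/{port} ({proc})")
    for name in parse_login_accounts(passwd_text):
        if name not in ALLOWED_LOGIN_ACCOUNTS:
            findings.append(f"unexpected login account {name}")
    return findings

if __name__ == "__main__":
    for finding in audit(SS_SAMPLE, PASSWD_SAMPLE):
        print("CM-7 finding:", finding)
```

On the sample inventory the audit flags the telnet and database listeners and the `guest` account, which is exactly the "unnecessary services, software and user accounts" that SP 800-160 says to remove.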