Attack Surface Reduction

Every open port, every unused service, every default credential is an invitation.

94% of successful attacks exploit known vulnerabilities with available patches

What It Costs When It Fails

Attack surface reduction is among the most cost-effective security measures available. Disabling an unused service, closing an unnecessary port, or removing a default credential costs little beyond the time to find it and confirm that nothing depends on it, and each action removes an entire class of attack vector at once: a port that is closed cannot be probed, and a service that is not running cannot be exploited, whatever vulnerabilities it may later turn out to have. The cost of not doing this is paid later, in breach incidents, data loss, and recovery time.

Attack surface reduction is the practice of minimising the number of ways an attacker can interact with your infrastructure. Every service running on a server, every open port, every exposed administrative interface, every user account with elevated privileges represents a potential entry point. The goal is not to eliminate all risk. The goal is to ensure that nothing is exposed without a corresponding business justification, and that someone owns that justification.

The principle is simple: if you do not need it, disable it. If you cannot disable it, restrict access to it: bind it to localhost or an internal interface, put it behind a firewall, VPN, or allow-list, and require authentication. If you cannot restrict access, monitor it intensively, so that abuse is at least detected quickly. The order of preference is elimination, restriction, monitoring. Most organisations invert this order and wonder why they have security problems.
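The elimination, restriction, monitoring order can be applied mechanically once every listening socket is compared against a documented allow-list. The script below is an added example, not HostRoman's tooling or anything from this page: it parses the output of `ss -H -tulnp` (Linux, iproute2), looks each listener up in a hypothetical allow-list keyed on protocol and port, and assigns a verdict. A listener with no entry is flagged ELIMINATE; a listener that is justified only for local use but bound to all interfaces is flagged RESTRICT; a port that is justified but owned by an unexpected process is flagged INVESTIGATE; everything else is OK and belongs on the monitoring list. The `ss` output embedded below is constructed for the example, as is the allow-list; on a real host replace the sample with the output of `subprocess.run(["ss", "-H", "-tulnp"], capture_output=True, text=True).stdout`.

```python
"""Audit listening sockets against a documented allow-list.

Added example: not HostRoman's code. The ALLOWLIST format is an assumption
made for this example; the ss output below is constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -H -tulnp` output (columns: Netid State Recv-Q
# Send-Q Local-Address:Port Peer-Address:Port Process). Not from a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0 511  [::]:443        [::]:*    users:(("nginx",pid=1201,fd=7))
tcp   LISTEN 0 511  0.0.0.0:80      0.0.0.0:* users:(("nginx",pid=1201,fd=8))
tcp   LISTEN 0 128  0.0.0.0:3306    0.0.0.0:* users:(("mysqld",pid=1340,fd=21))
tcp   LISTEN 0 128  127.0.0.1:6379  0.0.0.0:* users:(("redis-server",pid=1402,fd=6))
tcp   LISTEN 0 128  0.0.0.0:8080    0.0.0.0:* users:(("java",pid=1555,fd=44))
udp   UNCONN 0 0    0.0.0.0:161     0.0.0.0:* users:(("snmpd",pid=901,fd=8))
"""


@dataclass(frozen=True)
class Justified:
    process: str   # process expected to own the port
    scope: str     # "public": may bind all interfaces; "local": loopback only
    reason: str    # the business justification the page asks for


# Hypothetical allow-list for one web host: every entry carries an owner reason.
ALLOWLIST = {
    ("tcp", 22):   Justified("sshd", "public", "admin access, key-only auth"),
    ("tcp", 80):   Justified("nginx", "public", "HTTP redirect to HTTPS"),
    ("tcp", 443):  Justified("nginx", "public", "customer web application"),
    ("tcp", 3306): Justified("mysqld", "local", "app database, app runs on this host"),
    ("tcp", 6379): Justified("redis-server", "local", "session cache"),
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    listener: Listener
    verdict: str   # "OK", "RESTRICT", "ELIMINATE" or "INVESTIGATE"
    detail: str


def parse_ss(text):
    """Parse headerless `ss -tulnp` lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:443" and "*:22"
        addr = addr.strip("[]")
        match = re.search(r'\("([^"]+)"', fields[6]) if len(fields) > 6 else None
        process = match.group(1) if match else "?"   # "?" when ss lacks -p rights
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def audit(ss_output, allowlist=ALLOWLIST):
    """Apply elimination, restriction, monitoring to every listener."""
    findings = []
    for lst in parse_ss(ss_output):
        entry = allowlist.get((lst.proto, lst.port))
        if entry is None:
            findings.append(Finding(lst, "ELIMINATE", "no documented justification"))
        elif entry.process != lst.process:
            findings.append(Finding(lst, "INVESTIGATE",
                                    f"port justified for {entry.process}, owned by {lst.process}"))
        elif entry.scope == "local" and not is_loopback(lst.addr):
            findings.append(Finding(lst, "RESTRICT",
                                    f"{entry.reason}; should bind loopback, bound to {lst.addr}"))
        else:
            findings.append(Finding(lst, "OK", entry.reason))
    return findings


def verdicts(ss_output, allowlist=ALLOWLIST):
    """Map (proto, port) -> verdict; handy for diffing against last quarter's audit."""
    return {(f.listener.proto, f.listener.port): f.verdict for f in audit(ss_output, allowlist)}


if __name__ == "__main__":
    order = {"ELIMINATE": 0, "INVESTIGATE": 1, "RESTRICT": 2, "OK": 3}
    for f in sorted(audit(SAMPLE_SS_OUTPUT), key=lambda f: order[f.verdict]):
        l = f.listener
        print(f"{f.verdict:<11} {l.proto}/{l.port:<5} {l.addr:<10} {l.process:<13} {f.detail}")
```

Keeping the allow-list in version control and diffing `verdicts()` output between audits turns the quarterly review the page describes into a one-line check: any new ELIMINATE or RESTRICT line is a change that nobody justified.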

The Default Configuration Problem

Software ships with default configurations optimised for ease of installation, not security. Default ports, default credentials, default administrative interfaces, and default feature sets are all documented, and therefore all known to attackers. Automated scanners and credential-stuffing bots check for them before they try anything else, because a default is the cheapest thing to test. If your infrastructure still has them, it will be found.

Ask Your Host

"What is your process for auditing and closing unused ports and services, and when was the last time you conducted a full attack surface review of our infrastructure?"

The HostRoman Standard

HostRoman conducts attack surface audits at provisioning and quarterly thereafter. All servers run only the services required for the specific workload. No default credentials exist on any system we manage. SSH is key-only. Administrative interfaces are not exposed to the public internet. We document every open port and service and review the list with clients quarterly.
