What is an 'attack surface' and name two methods to reduce it in an enterprise network?

• A. The sum of points where an attacker could compromise a system; reduce via patch management and reducing unnecessary services or hardening endpoints.
• B. The total budget of a cybersecurity program.
• C. A cloud service's SLA.
• D. The legal framework governing cyber operations.

Answer: (A)

An attack surface is all the points where an attacker could potentially compromise a system. In an enterprise network, that includes exposed services, endpoints, apps, and interfaces that attackers can reach or interact with. To shrink this surface, two effective approaches are patch management and reducing exposed capabilities on endpoints. Patch management keeps software up to date with security fixes, closing known gaps that could be exploited. Reducing unnecessary services or hardening endpoints means disabling or removing unused services, applying secure configurations, and enforcing least-privilege and strong controls, which minimizes the number of ways an attacker could gain a foothold. The other options don’t describe exposed entry points or how they’re limited, so they don’t address the concept of the attack surface.