A set of standardized system images with a pre-defined set of applications is used to build enduser workstations. The security administrator has scanned every workstation to create a current
inventory of all applications that are installed on active workstations and is documenting which
applications are out-of-date and could be exploited. The security administrator is determining the:

A.
attack surface.

B.
application hardening effectiveness.

C.
application baseline.

D.
OS hardening effectiveness.

Explanation:
In this question, we have out-of-date applications that could be exploited. The out-of-date
applications are security vulnerabilities. The combination of all vulnerabilities that could be
exploited (or attacked) is known as the attack surface.
The attack surface of a software environment is the sum of the different points (the “attack
vectors”) where an unauthorized user (the “attacker”) can try to enter data to or extract data from
an environment.
The basic strategies of attack surface reduction are to reduce the amount of code running, reduce
entry points available to untrusted users, and eliminate services requested by relatively few users.
One approach to improving information security is to reduce the attack surface of a system or
software. By turning off unnecessary functionality, there are fewer security risks. By having less
code available to unauthorized actors, there will tend to be fewer failures. Although attack surface
reduction helps prevent security failures, it does not mitigate the amount of damage an attacker
could inflict once a vulnerability is found.