Which of the following preventative controls would be appropriate for responding to a directive to
reduce the attack surface of a specific host?
A. Installing anti-malware
B. Implementing an IDS
C. Taking a baseline configuration
D. Disabling unnecessary services
Explanation:
Preventive controls are intended to stop something from happening. They can include locked doors that keep
intruders out, user training on potential harm (to keep users vigilant and alert), or even biometric devices
and guards that deny access until authentication has occurred. Disabling all unnecessary services reduces
the attack surface because it leaves less opportunity for risk incidents to happen.
Having many services enabled carries many risks, since a service can provide an attack vector that
someone could exploit against your system. It is thus best practice to enable only those services that are
absolutely required.
Incorrect Answers:
A: Installing anti-malware is actually increasing the attack surface because it will enable more services.
B: Implementing IDS will also add an extra service to increase the attack surface of a specific host.
C: Taking the baseline configuration is a representation of a secure state and is not necessarily reducing
the attack surface.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, p. 384
Gregg, Michael, CompTIA Security+ Rapid Review (Exam SY0-301), Pearson Education, Sebastopol, CA,
2012, p. 107