Reducing your attack surface lowers the risk of a successful cyber-attack. It is more effective than layering extra security controls on top of an exposed system, because every component you do not install, expose or grant privileges to is one an attacker cannot abuse.
The aim is not to bolt security onto the application after the fact, but to avoid making it insecure in the first place. It is better to set up the host and network correctly the first time than to try to fix them later.
Here are 11 proven tips to reduce your attack surface.
1. Keep your software updated
New vulnerabilities are found constantly, and a large share of successful attacks exploit known, already-patched flaws in outdated software. Turn on automatic updates (or run a scheduled patch job) so security fixes are applied promptly, and make sure updates cover everything on the host: the operating system, language runtimes, container base images and third-party libraries, not just the main application.
2. Secure your data
There are two principles for securing data: do not put data on the internet unless it is necessary, and isolate the network that holds it. The surest way to stop an attacker reading data from a machine is to deny them any path to that machine. Always keep a firewall between your application and the internet, and expose only the endpoints the application actually needs to serve.
3. Don’t install or run unimportant services
Every service running on a machine is code that can contain vulnerabilities, so the fewer services you run, the fewer vulnerabilities you expose. Limit the host to the services it genuinely needs, disable or uninstall the rest, and periodically check for services that arrived as dependencies or were left over from earlier use.
4. Run a local firewall and don’t open unnecessary ports
Deny all inbound traffic by default and open only the ports the machine must serve, even when it is not directly on the internet. If an attacker gets access to one host on your network, a host firewall limits their ability to move laterally to other assets. Audit the listening ports regularly: a service you forgot about, bound to all interfaces, is an open door.
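The audit mentioned in tips 3 and 4 can be scripted. The following is an added example, not code from the original article: it parses the Linux `/proc/net/tcp` table, lists every socket in LISTEN state and reports listeners bound to a non-loopback address whose port is not on an allowlist. The sample table is constructed for the demo; the allowlist `{22, 443}` is an assumption. It reads IPv4 only (`/proc/net/tcp6` has the same layout with 128-bit addresses) and decodes addresses for the host's byte order.

```python
import os
import socket
import sys

# Constructed sample of /proc/net/tcp (not captured from a real host): sshd on
# 0.0.0.0:22, MySQL on 127.0.0.1:3306, Redis on 0.0.0.0:6379, plus one
# ESTABLISHED connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   102        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:0016 0A000201:C35A 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_address(hex_addr):
    """Turn '0100007F:0CEA' into ('127.0.0.1', 3306).

    The kernel prints the IPv4 address as a 32-bit integer in host byte
    order, so on little-endian machines the bytes must be reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    raw = bytes.fromhex(ip_hex)
    if sys.byteorder == "little":
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port), ...] for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == LISTEN:
            listeners.append(decode_address(fields[1]))
    return listeners


def exposed_listeners(proc_net_tcp_text, allowed_ports):
    """Listeners on a non-loopback address whose port is not on the allowlist."""
    return [
        (ip, port)
        for ip, port in listening_sockets(proc_net_tcp_text)
        if not ip.startswith("127.") and port not in allowed_ports
    ]


if __name__ == "__main__":
    allowed = {22, 443}  # assumed policy: only SSH and HTTPS may face the network
    text = SAMPLE_PROC_NET_TCP
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as f:
            text = f.read()
    for ip, port in exposed_listeners(text, allowed):
        print(f"unexpected listener: {ip}:{port}")
```

Run it from cron or your monitoring agent and alert on any output; on the sample data it reports Redis on 0.0.0.0:6379, while MySQL on loopback is tolerated because it is not reachable from the network.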
5. Don’t run applications as root
If your application runs as root, a compromise of the application gives the attacker everything: opening the firewall, starting new services, reading sensitive files, and listening on any network port. Run the application under a dedicated unprivileged user with the minimum privileges it needs. If it must bind a privileged port or read a secret at startup, do that first and then drop privileges irreversibly before handling any untrusted input.
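Dropping privileges correctly has an order to it (supplementary groups, then group, then user), and it is worth verifying that root cannot be regained. The following is an added example, not code from the original article: a privilege-separation helper that forks, drops the child to an unprivileged account and runs a worker there, so the parent can keep whatever it needed root for. The account name `nobody` and the numeric fallback 65534 are assumptions; `cannot_read_shadow` is a hypothetical worker used only to prove the drop took effect.

```python
import os
import pwd


def drop_privileges(username="nobody", fallback_uid=65534, fallback_gid=65534):
    """Irreversibly switch from root to an unprivileged user.

    Returns True if privileges were dropped, False if the process was not
    root to begin with. Order matters: groups first, then gid, then uid,
    because after setuid() we no longer have the right to change the others.
    """
    if os.geteuid() != 0:
        return False
    try:
        pw = pwd.getpwnam(username)
        uid, gid = pw.pw_uid, pw.pw_gid
    except KeyError:  # assumed fallback when the account does not exist
        uid, gid = fallback_uid, fallback_gid
    os.setgroups([])  # drop supplementary groups (requires root)
    os.setgid(gid)
    os.setuid(uid)    # as root this sets real, effective and saved uid
    return True


def privileges_are_dropped():
    """True only if we are not root and cannot become root again."""
    if os.geteuid() == 0 or os.getuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False  # setuid(0) succeeded: saved uid was still root


def run_unprivileged(worker, username="nobody"):
    """Fork, drop privileges in the child, run worker() there.

    Returns the child's exit status: 0 means the drop was verified and the
    worker returned True; 1 worker returned False; 2 drop could not be
    verified; 3 an exception escaped.
    """
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(username)
            if not privileges_are_dropped():
                os._exit(2)
            os._exit(0 if worker() else 1)
        except BaseException:
            os._exit(3)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status)


def cannot_read_shadow():
    """Hypothetical worker: an unprivileged process must not read /etc/shadow."""
    try:
        with open("/etc/shadow"):
            return False
    except PermissionError:
        return True
    except FileNotFoundError:
        return True  # nothing to protect on this host; count as pass


if __name__ == "__main__":
    print("child exit status:", run_unprivileged(cannot_read_shadow))
```

The same pattern applies to any long-running daemon: bind the socket or open the log file while still root, fork or drop, and only then start reading from the network. On Linux, also consider `PR_SET_NO_NEW_PRIVS` or a systemd unit with `User=` and `NoNewPrivileges=yes` so that the drop is enforced outside the application code.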
6. Sanitize configurations and inputs
Always validate and sanitize inputs, especially before passing them to a database, a shell or a file system path. Use parameterized queries rather than building SQL by string concatenation; failing to do so can lead to leakage of sensitive data, application crashes, and even remote code execution. Treat configuration files the same way: check each value against the expected type and range before using it.
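To make the database case concrete, here is an added example (not code from the original article) showing the vulnerable string-built query beside its parameterized form, with an allowlist validator as defense in depth. The `users` table and its rows are constructed for the demo; `sqlite3` from the standard library stands in for whatever driver you use, and every mainstream driver supports the same placeholder mechanism.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table for the demo (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def find_user_vulnerable(conn, name):
    # DO NOT DO THIS: the input is pasted into the SQL grammar, so a value
    # such as  x' OR '1'='1  changes the meaning of the query.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameterized: the value travels separately from the statement and
    # can never be interpreted as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def validate_username(name):
    """Allowlist validation as a second layer; it does not replace parameters."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return name


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row leaks
    print("safe:      ", find_user_safe(conn, payload))        # nothing matches
```

The validator is deliberately strict (lowercase, starts with a letter, bounded length); pick the narrowest pattern the application really needs, and reject rather than "clean up" anything outside it, since rewriting input is where sanitizers usually go wrong.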
7. Don’t use the shell
The shell should only be used interactively for administration, not inside application logic. If your application needs to run another program, execute it directly with an argument list rather than building a command string for the shell, which will interpret metacharacters such as `;`, `|` and `$(...)` in user-supplied data.
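The following added example (not code from the original article) shows the difference on a command-injection payload. `echo` is used as a stand-in for whatever tool the application would really call, and the payload string is constructed for the demo.

```python
import shlex
import subprocess


def run_via_shell(filename):
    # DO NOT DO THIS: the shell parses ';', '|', '$(...)' inside filename.
    result = subprocess.run(
        f"echo {filename}", shell=True, capture_output=True, text=True
    )
    return result.stdout


def run_directly(filename):
    # Argument list, no shell: filename reaches echo as one literal argument.
    result = subprocess.run(["echo", filename], capture_output=True, text=True)
    return result.stdout


def run_quoted(filename):
    # If a shell is unavoidable (pipelines, globbing), quote every untrusted
    # piece with shlex.quote so metacharacters lose their meaning.
    result = subprocess.run(
        "echo " + shlex.quote(filename), shell=True, capture_output=True, text=True
    )
    return result.stdout


if __name__ == "__main__":
    payload = "report.txt; echo INJECTED"
    print("shell:   ", repr(run_via_shell(payload)))   # second command runs
    print("direct:  ", repr(run_directly(payload)))    # literal argument
    print("quoted:  ", repr(run_quoted(payload)))      # literal argument
```

Passing an argument list removes shell injection but not argument injection: a value beginning with `-` can still be read as an option by the called program, so validate the value or put `--` before it where the tool supports that convention.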
8. Monitor
Monitor both your application and its environment so you have full visibility. Many attacks show up as anomalies in data you already collect, such as a sudden spike in network traffic, failed logins or error rates.
Good monitoring aggregates the data centrally, alerts on deviations from the normal baseline, and gets a response started at the earliest opportunity.
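A minimal version of "alert on abnormalities" is a rate check against a robust baseline. The following is an added example, not code from the original article: it buckets constructed access-log lines into per-minute request counts and flags any minute that exceeds a multiple of the median. The log format, the factor of 5 and the minimum of 10 events are assumptions.

```python
import statistics
from collections import Counter


def make_sample_log():
    """Constructed access log (not captured from a real system): a few
    requests per minute, then a burst of 40 in 10:04 that should alert."""
    per_minute = {"10:00": 3, "10:01": 4, "10:02": 3, "10:03": 4, "10:04": 40, "10:05": 3}
    lines = []
    for minute, n in per_minute.items():
        for i in range(n):
            lines.append(
                f"2024-05-01T{minute}:{i:02d} 203.0.113.{10 + i % 5} GET /login 200"
            )
    return lines


SAMPLE_LOG = make_sample_log()


def requests_per_minute(lines):
    """Count log lines per 'YYYY-MM-DDTHH:MM' bucket (assumed timestamp-first format)."""
    counts = Counter()
    for line in lines:
        timestamp = line.split(" ", 1)[0]
        counts[timestamp[:16]] += 1
    return dict(sorted(counts.items()))


def detect_spikes(counts, factor=5.0, min_events=10):
    """Flag minutes whose count exceeds factor x the median.

    The median rather than the mean is the baseline so that the spike
    itself does not drag the threshold up; min_events avoids alerting on
    tiny absolute numbers where a factor of 5 is meaningless.
    """
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return [
        (minute, count)
        for minute, count in counts.items()
        if count >= min_events and count > factor * baseline
    ]


if __name__ == "__main__":
    for minute, count in detect_spikes(requests_per_minute(SAMPLE_LOG)):
        print(f"ALERT {minute}: {count} requests (baseline is much lower)")
```

In production the baseline should come from a longer window (the same hour on previous days, for instance) and the alert should carry context such as top source addresses and paths, so that the responder can act without re-querying the logs.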
9. Use TLS for all network communications
A compromised machine on the same network, or an insider, can read any unencrypted data sent over it. TLS is straightforward to set up and protects data in transit; use it for internal traffic as well, not only for connections from the internet, and make sure clients actually verify the server certificate rather than silently accepting any certificate.
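Most TLS misuse is on the client side, where verification is switched off to silence an error. The following added example (not code from the original article) builds a properly verifying client context and a server context with Python's standard `ssl` module, shows the common insecure variant, and includes a checker you can run over any context before it is used. The certificate paths and the TLS 1.2 floor are assumptions.

```python
import socket
import ssl


def make_client_context(ca_file=None):
    """Verifying client: CERT_REQUIRED, hostname check, TLS 1.2 or newer.

    create_default_context() already enables verification against the
    system trust store; pass ca_file for an internal CA instead.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_server_context(certfile, keyfile):
    """Server side: assumed paths to the certificate chain and private key."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_insecure_client_context():
    """The 'make the warning go away' anti-pattern: any certificate accepted,
    so an on-path attacker can terminate the connection with their own cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_context_weaknesses(ctx):
    """Return a list of problems with a client context (empty means OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are allowed")
    return problems


def connect_tls(host, port, ctx=None):
    """Open a verified TLS connection; server_hostname drives SNI and the hostname check."""
    ctx = ctx or make_client_context()
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("secure:  ", client_context_weaknesses(make_client_context()))
    print("insecure:", client_context_weaknesses(make_insecure_client_context()))
```

Wire `client_context_weaknesses` into a startup self-check or a unit test so that a future "temporary" `CERT_NONE` cannot ship unnoticed; the server context is not run through it because `check_hostname` is legitimately false on the server side.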
10. Use infrastructure as code
Don’t deploy anything manually; use infrastructure as code. It is easier to maintain, and because the definition of what is installed and how it is configured lives in version-controlled code, every change is reviewed and attributable. It also lets you compare the deployed state with the defined state and treat any drift as suspicious until it is explained.
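The comparison of deployed state against defined state is a structural diff. The following is an added example, not code from the original article: a recursive diff between a desired-state document and an observed-state document, both constructed for the demo in the shape a configuration tool or inventory agent might emit. Real tooling (the `plan` or `check` mode of your IaC system) does this with richer data, but the principle is the same.

```python
def diff_state(desired, observed, path=""):
    """Return a sorted list of (path, desired_value, observed_value).

    desired_value is None for something present only on the host (an
    unmanaged package or service, which is exactly what drift looks like),
    observed_value is None for something the code expects but the host lacks.
    """
    diffs = []
    if isinstance(desired, dict) and isinstance(observed, dict):
        for key in sorted(set(desired) | set(observed)):
            child = f"{path}.{key}" if path else key
            if key not in observed:
                diffs.append((child, desired[key], None))
            elif key not in desired:
                diffs.append((child, None, observed[key]))
            else:
                diffs.extend(diff_state(desired[key], observed[key], child))
    elif desired != observed:
        diffs.append((path, desired, observed))
    return diffs


# Constructed desired state, as it would be rendered from the IaC definition.
DESIRED = {
    "packages": {"nginx": "1.24.0", "openssh-server": "9.6"},
    "services": {"nginx": "enabled", "sshd": "enabled", "telnet": "absent"},
    "firewall": {"open_ports": [22, 443]},
}

# Constructed observed state from the host: someone installed netcat,
# enabled telnet and opened port 8080 by hand.
OBSERVED = {
    "packages": {"nginx": "1.24.0", "openssh-server": "9.6", "netcat": "1.218"},
    "services": {"nginx": "enabled", "sshd": "enabled", "telnet": "enabled"},
    "firewall": {"open_ports": [22, 443, 8080]},
}


def drift_report(desired, observed):
    """Human-readable lines, one per drifted item."""
    return [
        f"{path}: defined={d!r} deployed={o!r}" for path, d, o in diff_state(desired, observed)
    ]


if __name__ == "__main__":
    for line in drift_report(DESIRED, OBSERVED):
        print("DRIFT", line)
```

Run the comparison on a schedule and alert on any output; then either revert the host to the defined state or, if the change was legitimate, put it into the code so the definition is again the single source of truth.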
11. Follow best practices for configuration and use of applications
Securing the network and OS is necessary, but your application will have domain-specific security concerns of its own. The OWASP Top Ten is a good starting point for web security if you’re building a web application. For third-party applications, the vendor or maintainer may already publish a security best practices page; follow it. To protect yourself from threats you cannot anticipate, do not run applications you don’t understand.