CompTIA Security Plus Mock Test Q374

Which of the following preventative controls would be appropriate for responding to a directive to reduce the attack surface of a specific host?

A. Installing anti-malware
B. Implementing an IDS
C. Taking a baseline configuration
D. Disabling unnecessary services

Correct Answer: D
Section: Compliance and Operational Security

Explanation:
Preventive controls are meant to stop something from happening. These can include locked doors that keep intruders out, user training on potential harm (to keep users vigilant and alert), or even biometric devices and guards that deny access until authentication has occurred. Disabling all unnecessary services reduces the attack surface because it leaves less opportunity for risk incidents to happen. Having many services enabled carries many risks, since each service can provide an attack vector that someone could exploit against your system. It is thus best practice to enable only those services that are absolutely required.

Incorrect Answers:
A: Installing anti-malware actually increases the attack surface because it enables more services.
B: Implementing an IDS also adds an extra service, which increases the attack surface of a specific host.
C: A baseline configuration is a representation of a secure state; taking one does not necessarily reduce the attack surface.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 384
Gregg, Michael, CompTIA Security+ Rapid Review (Exam SY0-301), Pearson Education, Sebastopol, CA, 2012, p. 107