Dump anything you don’t use. Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it). That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser – disable the browser plugins.
You might find it a bit strange when we tell you to beware of experts – especially because we are often hyped as experts. But it’s not strange at all. The day we start believing our hype and calling ourselves experts in anything beside pontificating and drinking coffee, we’re done in this business. We’re fortunate to know a lot of experts, but knowing and being are very different things.
Jack’s point is exactly right. Anyone can talk to the press, and that supposedly makes them an expert. It would be funny except that many of these folks say stupid and wrong things, and because they show up in reputable publications they must be right. Not so much. It’s easy to say things. It’s hard to do things, especially restrictive things like eliminating Java and IE from your environment. It’s almost impossible to do these restrictive things on an enterprise scale. And that triggers Jack’s point about dumping software you don’t use. It’s convenient to have a standard desktop image, but that basically involves allowing everything on it. That’s not a path to security success.
And how to deal with experts providing bad advice? Triangulate everything. Everyone has an opinion. Solicit a variety of different folks and see what they have to say. The more weighty the decision, the more folks you should talk to. Sometimes the opinions will be consistent and that makes the decision easy. Sometimes they aren’t, and then you have to figure out what’s right in the context of that decision. Which is why you make the big bucks.