Cyber Security – The benefits of System Hardening
This article discusses the concept of ‘System Hardening’ and looks at the thought process and a few common strategies behind hardening to combat attack surface.
What is System Hardening?
System hardening is a highly proactive approach to cyber security that implements a formulaic series of measures and best practices to reduce the attack surface of a computer system or network.
While highly effective, like most cyber security subjects, System Hardening is an ongoing process that requires continuous attention and improvement to address emerging security challenges.
The System Hardening Strategy
The process of System Hardening typically involves creating baseline secure configurations for operating systems, networks, and applications. This is often achieved by implementing published security best practices and standards such as CIS Benchmarks, or vendor-specific hardening guides.
Some basic considerations for hardening are outlined below:
Operating System (OS) Hardening:
- This involves securing the core functionalities of your OS. Here you might close unused ports, disable unnecessary services, and implement strong authentication methods.
- At a minimum you would ensure the latest security patches and updates for the OS are installed to address known vulnerabilities, and you would remove unwanted applications and components to reduce the attack surface of the system.
- You would disable or remove unnecessary user accounts and default accounts with well-known credentials, and always configure permissions to enforce the principle of least privilege.
- You may reference published hardening guides – for example CIS – Windows Desktop or CIS – Ubuntu Linux
Network Secure Configuration Hardening:
- At a minimum you would enable firewalls and configure appropriate rules to restrict inbound and outbound traffic. You may disable or block unnecessary network services and ports and ensure only secure network protocols (e.g., SSH instead of Telnet, HTTPS instead of HTTP, etc) are allowed.
- You should implement network segmentation and access control between different networks to minimise lateral movement if a breach occurs.
- You should harden network devices such as routers, switches, and access points to vendor recommendations to prevent unauthorised configuration change or access.
Application Hardening:
- Similar to OS hardening, you would focus on securing individual applications by disabling or removing unnecessary features, components, and services within applications. You might configure secure settings and options within applications (e.g., session time-outs, input validation, etc) as well as keeping them updated.
- You would always implement the principle of least privilege for application accounts and processes.
System Monitoring and Logging:
- At a minimum would be expected to implement logging mechanisms to record security-relevant events and activities on a network or system(s) for signs of suspicious or malicious behaviour.
- You should be able to respond to real-time alerts and notifications of security incidents.
Vulnerability Management:
- Implement a vulnerability management program to identify, assess, and fix vulnerabilities.
- You should conduct a proactive cyber security approach by regular vulnerability scans and penetration tests to uncover potential weaknesses. You should always prioritise and address identified vulnerabilities based on the risk and business impact.
- You should regularly review and update system hardening measures to address new threats and vulnerabilities as they are published.
System Hardening Resource
- Consider CIS Benchmarks as a good hardening resource, and ensure you reference vendor-specific hardening guides for 3rd party apps and services.