Cybersecurity hardening is a comprehensive approach to keeping your organization safe from intruders, and mitigating risk. By reducing your attack surface, vulnerability is reduced in tandem.
Hardening (or system hardening) considers all flaws and entry points potentially targeted by attackers to compromise your system. While innovative and determined cybercriminals will seek out any opportunity to breach your security for their gain, hardening shrinks the attack surface as much as possible, adding more difficulty to an attacker’s efforts.
System hardening is more than just a one-and-done exercise; it requires continuous effort. It’s not all for naught, however, as a hardened system provides many benefits, including:
- Increased system functionality through best practices and the reduction of programs and unnecessary points of vulnerability. As such, organizations experience fewer operational issues and incompatibilities, reduced risk of misconfigurations, and less friction.
- A higher level of security by reducing the attack surface. Organizations and end users have a lower risk of data breaches, malware, unauthorized account access, and other nefarious activity.
- Streamlined compliance and auditing due to reduced environmental complexity. Hardening eliminates redundant or unessential systems, accounts, and programs, resulting in a more stable configuration and more transparent environment.
As a multi-faceted topic, hardening may overwhelm organizations when designing or amending their security strategy. There are different types of hardening to be aware of, which can be broken down into five key categories: Configuration, application, software, operating system, and server hardening.
Configurations are a vital part of modern systems, serving as messengers and parameters to instruct the elements of a system about how to behave. Hardening configuration elements begins with assessing the status and dependencies of a system’s customizable components.
For example, having all server ports configured open at all times is an enticing invitation for criminals to enter your system, using whatever they find for their personal gain. Closing all ports is, of course, unfeasible. Hardening finds the “sweet spot” of security and functionality.
Achieving configuration hardening takes time, as you will need to assess the elements of your environment and test configurations and interdependencies before they can be adopted. This may mean testing and implementing changes during scheduled downtime, depending on your environment and requirements.
Keep an eye out for configuration drift, where systems inevitably move away from your established company standard. Catch these changes and verify a policy update or move them back into compliance.
Applications play a significant role in the modern world. The second quarter of 2022 saw 3.5 million apps on the Google Play Store and 2.2 million on the Apple App Store. Google takes the trophy for highest app downloads (27.7 billion in Q3 ‘22), while Apple reigns supreme in revenues ($21.2 billion in Q3 ‘22).
With usage numbers like this, app security is at the forefront of many end users’ minds, particularly since they provide personal data or payment information through app interfaces.
Application hardening means protecting an app from intruders by increasing security and eliminating vulnerabilities. In the case of applications, this can be broken down into three key aspects:
- Understanding the threat landscape as it relates to your application to make better-informed decisions for prevention.
- Having a comprehensive detection process to stop or block cyberattacks when they occur. This includes privilege escalation detection, identifying when a user has granted privileged access to a system via an app login. Jailbreaking and rooting a device raises the threat-level, and escalation detection will alert an administrator when a system’s root level has been compromised.
- To prevent attacks at the application level, consider best practices, including cryptography, app allowlisting, and authentication hardening (such as implementing keylogging prevention and detection).
Application hardening refers to both internal and third-party applications, and the above steps should take the entire breadth of applications into account. To harden applications in your environment, best practices include: utilizing a firewall, installing automatic updates and patches, using antivirus software, storing and encrypting credentials. conducting static application security testing (SAST) during the development cycle, and ongoing dynamic application security testing (DAST).
In the modern workforce, applications and software go hand-in-hand to support end users with various needs. The importance of hardening applications thereby extends to the application that run within your organization. This is especially true if your organization writes its own software or customizes off-the-shelf packages.
Hardening software relies on three phases:
- Analysis - including static, and dynamic analysis to discover and correct vulnerabilities, as well as auditing the current scope and risk profile of software applications and development workflows.
- Transformation – using diversification and obfuscation techniques to thwart attacks.
- Monitoring - to support ongoing assessment and protection, including alerts or triggering actions to protect critical systems or data.
An exploited software vulnerability can be a gateway to costly and disruptive results, and software hardening will help keep critical data from falling into the wrong hands.
An important aspect of hardening your environment is at the OS level. OS hardening is critical to the effectiveness of your cybersecurity strategy and runs in conjunction with software and application hardening.
Essentially, OS hardening uses patches and security protocols to secure your operating systems. The focus of OS hardening is to increase the protection of hardware and software assets, thereby maximizing protection at every level.
Consider these elements in your OS hardening procedure:
- Firewall configurations - Restrict traffic to necessary ports, and control egress and ingress traffic flows to only what is needed for normal business operations.
- Define user roles - Create policies and access levels that restrict users to only the necessary functions for the performance of their jobs.
- Protect all systems from common threats - Use anti-malware and endpoint detection and response solutions.
- Isolate - Protect your environment by isolating workloads and data where possible.
- Eliminate unnecessary items – This includes applications, ports, resources, peripherals, and OS features.
- Patch and update - Use automatic patch and update installation where possible. Ensure that you manually deploy updates when automatic updates are not possible.
- Develop a workflow – This includes continuous monitoring and regular assessments of operating systems.
Each operating system will have its specifics required for OS hardening. MacOS, Windows, and Linux systems have differing levels of out-of-the-box and aspirational cybersecurity protection, so ensure that your strategy considers these individualized needs.
There are a lot of metaphors that can be used to illustrate the importance of the servers in your environment: the backbone, the general, the card-dealer. Whatever you call them, your servers are the gatekeepers of everything precious and valuable in your environment.
Server hardening is a process of securing server ports, permissions, functions, and components to reduce the attack surface. True server hardening relies on a security framework that takes the needs of each server into account. Your web server has different security needs than your database server, for example, due to accessibility and functionality.
Consider a few key aspects to help you get started with server hardening:
- Secure accounts and logins by changing default access credentials and removing default accounts; disable guest and vendor accounts.
- Address components and subsystems and turn off unnecessary or unused services, including drivers, scripts, file systems, subsystems, and features; Windows servers should only have active roles and features that are required in your environment; in Linux servers, disable unnecessary daemons and remove superfluous packages.
- Prioritize updates and patches to prevent vulnerabilities, and ensure this includes both server applications and operating systems.
- Address networks and firewalls, and secure them by only publishing ports required for features and software. Check port configurations, perimeter, and network firewalls to only permit necessary traffic.
- Protect remote access, as Remote Desktop Protocol (RDP) is among the most attacked subsystems in any environment. If possible, restrict RDP access via VPN rather than direct access from the internet. Linux supports remote access through SSH, so configure your allowlist only for connections from specific IP addresses, and disable remote login.
- Perform vulnerability scans to check (and re-check) for missing patches or existing misconfigurations that leave your server exposed to threats.
- Application hardening for server applications is crucial. Start with application security guidelines provided by the vendor, and if you have developed in-house server applications, perform penetration testing to discover and remediate vulnerabilities
System hardening in cybersecurity is a multilayered approach, and your environment is only as safe as your weakest link, that is, the least protected element.
To be made and remain secure, it’s crucial to follow best practices, such as those covered in this article, and to continually monitor and assess for any deviations. This isn’t as labor-intensive as it may sound. Tools like Tripwire’s Security Configuration Management (SCM) are here to help.
SCM helps to establish and maintain a baseline of security across your environment by monitoring your assets and sending actionable alerts if attention is required. The platform also enforces continuous compliance through global standards or customized policies so your business can rest with peace of mind.
About the Author:
Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie Shank is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.