Yesterday, I was reading about the Utah Department of Health’s recent breach, in which 500,000 patient records and 280,000 social security numbers were stolen. One of the things that jumped out at me was how insufficient configuration hardening played a role, based on a statement by the Utah Department of Technology Services (DTS).
“DTS had recently moved the claims records to a new server, which had a configuration error at the authentication level, allowing hackers to circumvent the security system.”
This is not unique to this compromise – I’ve seen similar statements from other breaches (examples include a Microsoft cloud breach, a UMass Memorial Healthcare breach, and the Wanadoo data breach).
This ties into my mantra that security hardening is one of the most fundamental security competencies you can develop within an IT organization. Hardening replaces insecure defaults with known-good settings, reduces the attack surface, and can keep your organization from becoming a target of opportunity, since most breaches of this kind start with a misconfiguration an attacker simply walked through rather than an exploit. It's a lot like making sure your doors and windows are locked, or using "The Club" on your car: it won't stop a determined adversary, but it removes the easy wins and is definitely a deterrent.
A lot of orgs I know of do some minimal security hardening due to regulatory requirements, but I’d like to see a more comprehensive approach. If you don’t know where to start, there are vendor-specific hardening guidelines from many OS, virtualization, and application vendors, as well as industry-led standards like the Center for Internet Security (CIS) benchmarks. And even if you aren’t a government entity, there is a lot of good, applicable content in DISA STIGs and NIST guidance.
Other resources include the OWASP Top 10 project (for application-level weaknesses) and the SANS Institute's Top 20 Critical Security Controls (which put configuration hardening near the top of the list). These are great places to start. You can tackle this on your own, or leverage commercial technology to help (Tripwire, for example) to check systems against a benchmark continuously rather than once at build time.
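To make the "configuration error at the authentication level" concrete, here is an added example (not from the original post, and not taken from any vendor or CIS document) that audits an OpenSSH sshd_config against a handful of authentication-hardening settings of the kind CIS Linux benchmarks call for. The specific setting list, the acceptable values, and the two sample configs are assumptions for illustration. Two details matter in practice and are built in: sshd honours the first occurrence of a directive, so a hardened line appended at the bottom of a file that already sets that keyword does nothing, and an unset directive is reported as a failure because its compiled-in default varies between OpenSSH versions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenSSH sshd_config
# against a handful of authentication-hardening settings of the kind listed
# in CIS Linux benchmarks. The setting list and the sample configs below are
# assumptions for illustration, not a copy of any benchmark.

# sshd_get <file> <directive>
# Prints the effective value of a directive. sshd honours the FIRST
# occurrence of a keyword, so a hardened line appended at the bottom of the
# file is silently ignored if an earlier line already set it. Lines after
# the first "Match" block are conditional and are not considered here.
sshd_get() {
  awk -v k="$2" '
    /^[[:space:]]*#/ { next }                # skip comment lines
    tolower($1) == "match" { exit }          # stop at the first Match block
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# sshd_expect <file> <directive> <regex-for-acceptable-value>
# Prints PASS/FAIL and returns 1 on FAIL. An unset directive is a FAIL:
# the compiled-in default differs between OpenSSH versions, so a hardened
# config states each security-relevant setting explicitly.
sshd_expect() {
  val=$(sshd_get "$1" "$2")
  if [ -z "$val" ]; then
    printf 'FAIL %-24s not set (version-dependent default)\n' "$2"; return 1
  elif printf '%s\n' "$val" | grep -Eqi "$3"; then
    printf 'PASS %-24s %s\n' "$2" "$val"; return 0
  else
    printf 'FAIL %-24s %s (want %s)\n' "$2" "$val" "$3"; return 1
  fi
}

# sshd_audit <file>: run every check, print a summary, return the failure count.
sshd_audit() {
  n=0
  sshd_expect "$1" PermitRootLogin         '^no$'    || n=$((n+1))
  sshd_expect "$1" PasswordAuthentication  '^no$'    || n=$((n+1))
  sshd_expect "$1" PermitEmptyPasswords    '^no$'    || n=$((n+1))
  sshd_expect "$1" HostbasedAuthentication '^no$'    || n=$((n+1))
  sshd_expect "$1" IgnoreRhosts            '^yes$'   || n=$((n+1))
  sshd_expect "$1" MaxAuthTries            '^[1-4]$' || n=$((n+1))
  echo "$n check(s) failed in $1"
  return "$n"
}

# Constructed sample: a "freshly moved" server whose config still allows
# root password logins, with a hardened line appended too late to matter.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample, not a real server)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
IgnoreRhosts yes
# appended later; sshd keeps the FIRST value, so this line has no effect
PermitRootLogin no
EOF

# Constructed sample: the same server after hardening.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
MaxAuthTries 4
EOF

sshd_audit "$WEAK_CFG" || true   # 5 of 6 checks fail
sshd_audit "$HARD_CFG" || true   # 0 checks fail
```

Run it against a real server with `sshd_audit /etc/ssh/sshd_config`; a non-zero exit status is the failure count, which makes it easy to wire into a build pipeline or a scheduled job. The point of the example is not the six settings themselves but the habit: every hardening baseline you adopt should be expressed as a check you can re-run after the next server move, because that is exactly when the configuration drifts.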
By the way, if you're looking for a silver bullet, I'm sorry to say there just isn't one. However, in my book, IT security hardening is one of the highest-leverage activities you can engage in: it reduces firefighting, prevents opportunistic breaches, and drives consistency of practice in your data center.