Which of the following are considered device-hardening techniques?
Show
Wouldn’t it be amazing if our laptops were as secure as Fort Knox? Where it’s so hard for bad actors to access your sensitive data, that they don’t even try? While operating systems, like Microsoft Windows, have become more secure over time, they’re nowhere close to being impenetrable. That’s why enterprises need to be hyper-vigilant about how they secure their endpoints. Endpoints like employee workstations, servers and cloud VMs are the gateways to your corporate network, which can and will be exploited by attackers. System hardening is an even bigger challenge as we go into 2022, as more sensitive devices move outside the secure office environments—and employees and contractors log in to sensitive corporate assets via unsecured or untrusted personal devices, or corporate devices that they use for mixed usage, and therefore also have a high level of risk. What is a Hardened System?Hardened systems are computing systems that are secured, with the goal of making them hack-proof. The process of hardening devices and systems involves eliminating or mitigating vulnerabilities. The term vulnerability refers to software flaws and weaknesses, which may occur in the implementation, configuration, design, or administration of a system. Threat actors exploit these vulnerabilities to hack into devices, systems, and networks. Hardening techniques typically involve locking down configurations, achieving a balance between operational functionality and security. Vulnerability management and change control is another critical component of this effort. It introduces visibility and controls that can help you maintain a hardened build standard. How Does System Hardening Reduce the Attack Surface?The term “attack surface” refers to all potential flaws that threat actors can exploit to hack into a technological device, system, or network. The purpose of system hardening tools and techniques is to mitigate as many vulnerabilities as possible and reduce the attack surface. There are several ways in which vulnerabilities may occur. Unpatched firmware and software, for example, can be exploited by attackers. Password vulnerabilities, such as hardcoded and default passwords or any credentials stored in plain text, can also create an exploitable attack surface. Additional common vulnerabilities include unencrypted data-at-rest or network traffic, missing or poorly configured access controls, and misconfiguration of BIOS, ports, servers, firewalls, routers, switches, or any other infrastructure component. System hardening identifies these vulnerabilities and remediates them, thereby minimizing and hopefully eliminating the system’s attack surface. Benefits of Systems HardeningWhile system hardening requires a large, continuous effort, it provides substantial benefits for organizations. Here are several notable benefits:
Server Hardening and OS Hardening Best PracticesThis strategy focuses on securing the operating system of a workstation or server. You can maintain a hardened state for an operating system by automating updates and patches. While operating systems are also a form of software, operating system hardening differs from regular application hardening in that the software here is responsible for granting permissions to other applications. Operating system hardening methods include:
Additional methods for hardening server systems include establishing a strong password policy, protecting sensitive data with AES encryption or self-encrypting drives, implementing firmware resilience technology and multi-factor authentication. Learn more in our detailed guides about: Software Application Hardening Best PracticesThis involves implementing software-based security measures to protect any standard or third-party application installed on a server. While server hardening seeks to secure the overall server system by design, application hardening focuses on securing specific applications, such as web browsers, spreadsheet programs, or custom software. Application hardening techniques may include:
Network Hardening Best PracticesThis approach secures the communication infrastructure for multiple systems and servers. You can achieve a hardened network state by implementing an intrusion prevention or detection system (IPS/DPS), which identifies suspicious network traffic. These network hardening methods, when combined with an IPS or IDS, can help reduce the network’s attack surface:
Database Hardening Best PracticesThis is the process of securing the contents of a digital database as well as the database management system (DBMS), which allows users to store and analyze the data in the database. Database hardening techniques may include:
Using System Hardening StandardsAn important first step when hardening a system is to establish a baseline. The baseline is a hardened state of the system, which you should aim to achieve, and then monitor the system to detect any deviation from this hardened state. Usually, the hardening baseline is determined using a benchmark—a set of security best practices provided by security researchers. There are many reference sources for security benchmarks, including the SANS Institute, the National Institute of Standards and Technology (NIST), Microsoft, and Oracle. There are also many guides and forums on the Internet for hardening best practices. However, these different sources can provide inconsistent advice in an inconsistent format. Which Benchmark Should You Use?Many organizations are focusing their hardening baselines on the Internet Security Center (CIS) benchmarks. The CIS Benchmarks are a set of best practice configuration standards developed through consensus among various cybersecurity experts. There are over 100 benchmarks available—covering most operating systems, server software, databases, desktop software, printers, and public cloud infrastructure. Because they have wide coverage and are highly authoritative, CIS benchmarks are an ideal starting point for hardening yous sytems. Using a Benchmark to Harden Your SystemsThe first step to using a benchmark is to perform an assessment of the target system, to understand how well the current configuration matches the relevant CIS benchmark. This initial assessment lets you identify areas where the system is not aligned with the required hardening baseline. Manual assessment can be time consuming, especially for complex systems, but automated tools have been developed for many CIS benchmarks, which can allow you to test systems automatically. Based on the assessment, you should modify system configuration to meet security recommendations. Ongoing AssessmentHardening a system to meet benchmark standards is only the first step. You should conduct periodic follow-up assessments to ensure that the system is still aligned with the hardening baseline. Any configuration or file changes could make it vulnerable to attack. In order to maintain a hardened state, you should constantly re-evaluate and remediate any change to the system that violates the security benchmark. 8-Step System Hardening ChecklistSystem hardening differs between computing systems, and there may be different hardening procedures for each component of the same system (for example, for a BIOS, operating system and a database running on the same machine). However, there are general hardening tasks applicable to most computing systems. Here is a list of the most important tasks:
Related content: Read our blog post about OS security Challenges of System HardeningSystem hardening is complex and labor intensive. Frustratingly, it is often not enough to prevent hackers from accessing sensitive company resources. The majority of malware comes from users clicking on emails, downloading files, and visiting websites that, unbeknownst to them, load viruses onto their systems. Once inside the operating system, attackers can easily gain access to privileged information. To help combat this, some enterprises lock down users’ devices so they can’t access the internet, install software, print documents remotely, and more. However, this makes employees, and thus the business, much less productive. It’s also incredibly frustrating to people just trying to do their jobs. As a result, users sometimes try to bypass those restrictions without understanding the implications. IT teams trying to harden the endpoint OS, therefore, continually struggle between security and productivity requirements, especially in 2021 when so much of the workforce is working remotely. Want to learn more about system hardening and isolating endpoint risk when users are out of the office?? Watch our webinar How to isolate risky or untrusted activities on user endpoints. OS Isolation: One-Step System Hardening without Hurting ProductivityOS isolation technology gives you the benefits of an extremely hardened endpoint without interrupting user productivity. It works by splitting each end-user device into multiple local virtual machines, each with its own operating system. Everything an end-user does happens in prescribed operating systems, which run side-by-side with complete separation. To enhance system hardening and productivity, you may run two zones: One is dedicated for privileged use and is extremely hardened. It’s fully locked down and limited to accessing sensitive data and systems. The other is reserved for general corporate work and has more relaxed security restrictions. It’s open to the internet, used for email, chat applications, and non-privileged information. Any cyber criminals that infiltrate the corporate zone are contained within that operating system. They cannot reach the privileged zone or even see that it exists. You can also configure that corporate zone to be non-persistent so that it’s wiped clean at specified intervals for added protection. This approach has two main advantages: Reduces the burden of hardening end-user devices, because it can provide full system hardening benefits even on an unsecured device.
Hysolate provides a full OS isolation solution, so Security and IT can “harden” an OS on a employee or contractor’s untrusted device. With Hysolate Workspace, users are empowered to do all of the below (and more) in the less restricted corporate zone, without putting the privileged access OS at risk:
Looking for a free solution for System Hardening? Try Hysolate Free, a sandbox on steroids for Windows 10 and Windows 11. Written in March 2020, updated for accuracy in September 2021. Oleg ZlotnikOleg is a Software Engineer and Cyber Security veteran, with over 15 years of experience. At Hysolate, Oleg led an engineering team for several years, after which he joined as an architect to the CTO's office and has pioneered the next-gen products. Prior to Hysolate, Oleg worked at companies such as Google and Cellebrite, where he did both software engineering and security research. He began his career in the intelligence unit 8200 of the IDF and holds a B.Sc in Computer Science, Cum Laude, from the Technion. What are device hardening techniques?by Jon Welling. Published on February 3, 2022. Hardening a device means making it more resilient against threat actors. In the cybersecurity world, that means making that device more secure and resilient to attacks. By hardening a device, you are making it more difficult to break into for hackers.
Which of the following are best practices for hardening a server select three?Examples of server hardening strategies include: Using data encryption. Minimizing the use of excessive software. Disabling unnecessary SUID and SGID binaries.
What is hardware hardening?In computer security, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one.
What does hardening mean in technology?Definition(s):
A process intended to eliminate a means of attack by patching vulnerabilities and turning off nonessential services.
|