Strong opinions and shared thoughts on cybersecurity, business, and tech. By the makers (and friends) of Mana Security.

I'm continuing our series of posts about how to kickoff cybersecurity at your company. This one looks at hardening.

Hardening is all about making it much more difficult for attackers to compromise your computer, so that they won't be able to find easy ways to break into it and switch to other targets. It's like fastening a car's seat belt – it increases your chances of survival in case of an accident. During the hardening phase, therefore, you will want to turn off any potentially dangerous settings (like leaving your disk unencrypted).

A good example of a hardened computer is an ATM. A bank's clients can't install software on it or do anything except withdraw cash. This makes them a tough target for attackers.

Apply hardening techniques
When an attacker finds a vulnerable spot in your company, they will try to use it as an entry point to your company's secrets. For example, a successful hack may start with an email containing a Word document. When you open the doc, it tries to launch a malicious program on your computer. Hardening makes such actions impossible by preventing Word from running any external programs.
A common approach to starting the hardening process is figuring out your greatest threats. After identifying the threats, you can decide which of them to prevent completely through hardening.

For example, a law firm may fear that somebody could steal its lawyers' notebooks and use files containing client secrets in order to compromise them. In this case, the company will apply several hardening policies to all of its laptops:

  • Turn on disk encryption, so that if a computer is stolen, the attacker won't be able to decrypt the data;

  • Enable screen lock after 5 minutes of idle time. If a lawyer has their laptop open in a cafe while talking to a barista, this restriction will prevent attackers from accessing private data.

There are many guides on hardening operating systems and popular apps. One of the most popular is CIS Benchmarks, where you can find guidelines for Windows/macOS/Linux and pick out the relevant techniques that match your list of threats. For example, here's a guide for macOS:

The same hardening policies don't always work for all employees. For example, many companies block developer tools (e.g. PowerShell, Bash, Python, GCC) on most computers. Still, developers need these tools to get things done. So organizations apply multiple policies depending on the team's requirements.

1. Threat modeling for PCI DSS (see chapter 4):

2. macOS hardening tips:

3. Windows hardening tips:

Identify what your organization fears most and think about how you can prevent this risk from occurring by tuning your computer settings.

You can often start by enabling disk encryption and automatic screen lock on all computers. So the next time you lose your laptop at a bar or during a party, no one will be able to see your intimate photos or your company strategy for the next year.

Security Baseline, Part 1: Vulnerability Management
In the next few posts, we will cover actionable steps to make a robust cybersecurity foundation for your company from day one. We wanted to make these tips cost-effective – the whole pack of tools will cost around $10/month/workstation. It will take 1-2 days to set up and deploy everything across all your company's workstations.

The very first piece is vulnerability management (sometimes referred as patch management). It is a process to identify and mitigate software that isn't up-to-date. According to reports, unpatched software is a top-1 reason for successful hacks of companies.

Apps usually get fresh updates every 2-4 weeks and often contain security patches. After the release, organizations and attackers start to play the cat-and-mouse game: the former should install the update before the latter begins to exploit this vulnerability in the wild. Patch management solutions help to identify vulnerable apps on all computers in an organization and to prioritize updates of the most susceptible apps.

Next time you see Chrome or Microsoft Office offer you to update – do it straight away, it's essential.
Get Mana Mag delivered straight to your inbox
One/two emails per month. All the latest posts. No spam, ever.