MANA MAG
Strong opinions and shared thoughts on cybersecurity, business, and tech. By the makers (and friends) of Mana Security.

Security Baseline, Part 2: Hardening Intro
TIM ISMILIAEV / NOV 17, 2021
I'm continuing our series of posts about how to kick off cybersecurity at your company. This one looks at hardening.

WHAT IS HARDENING?
Hardening is all about making it much more difficult for attackers to compromise your computer, so that they can't find an easy way in and move on to other targets. It's like fastening a car's seat belt – it increases your chances of survival in case of an accident. During the hardening phase, therefore, you will want to change any potentially dangerous settings (like leaving your disk unencrypted).

A good example of a hardened computer is an ATM. A bank's clients can't install software on it or do anything except withdraw cash. This makes it a tough target for attackers.

WHY IS IT IMPORTANT?
When an attacker finds a vulnerable spot in your company, they will try to use it as an entry point to your company's secrets. For example, a successful hack may start with an email containing a Word document. When you open the doc, it tries to launch a malicious program on your computer. Hardening makes such actions impossible by preventing Word from running any external programs.
HOW TO KICK OFF
A common approach to starting the hardening process is figuring out your greatest threats. After identifying the threats, you can decide which of them to prevent completely through hardening.

For example, a law firm may fear that somebody could steal its lawyers' laptops and use the files on them, which contain client secrets, to compromise them. In this case, the company will apply several hardening policies to all of its laptops:

  • Turn on disk encryption, so that if a computer is stolen, the attacker won't be able to decrypt the data;

  • Enable screen lock after 5 minutes of idle time. If a lawyer leaves their laptop open in a cafe while chatting with the barista, this restriction will prevent attackers from accessing private data.

There are many guides on hardening operating systems and popular apps. One of the most popular are the CIS Benchmarks, where you can find guidelines for Windows/macOS/Linux and pick out the techniques that match your list of threats. For example, here's the guide for macOS:
https://www.cisecurity.org/benchmark/apple_os/
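To turn the two policies above into something you can verify on every laptop, here is an added example of a small macOS audit script in Python. It is not Mana Security's code and not taken from the CIS Benchmark; it assumes the `fdesetup status` and `defaults -currentHost read com.apple.screensaver idleTime` commands and their output formats, the sample outputs at the bottom are constructed, and the 5-minute idle limit is the figure from the post.

```python
"""Audit a macOS laptop against the two stolen-laptop controls from the post.

Added example, not Mana Security's code. It assumes the commands below and the
output formats they produce; the sample outputs at the bottom are constructed.
"""
import platform
import re
import subprocess

# Policy derived from the threat in the post: a stolen or unattended laptop.
# 300 seconds is the 5-minute idle limit the post gives.
POLICY = {"max_idle_seconds": 300}

# Commands the collector runs on a real Mac (assumption: these commands and
# their output formats match what current macOS versions produce).
COMMANDS = {
    "filevault": ["fdesetup", "status"],
    "idle_time": ["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"],
}


def check_filevault(output: str) -> dict:
    """Parse `fdesetup status`; pass only when FileVault is reported On."""
    first_line = output.strip().splitlines()[0] if output.strip() else "no output"
    return {
        "control": "disk_encryption",
        "threat": "stolen laptop",
        "passed": re.search(r"FileVault is On", output) is not None,
        "detail": first_line,
    }


def check_idle_time(output: str, max_idle: int) -> dict:
    """Parse the screen saver idle time in seconds.

    `defaults read` prints an error and nothing on stdout when the key was
    never set; a missing or unparseable value fails because the lock never
    fires. A value of 0 means the screen saver is disabled, which also fails.
    """
    finding = {"control": "screen_lock", "threat": "unattended laptop"}
    match = re.fullmatch(r"\s*(\d+)\s*", output)
    if match is None:
        finding.update(passed=False, detail="idleTime not set")
        return finding
    seconds = int(match.group(1))
    finding.update(
        passed=0 < seconds <= max_idle,
        detail=f"idleTime={seconds}s (limit {max_idle}s)",
    )
    return finding


def evaluate(outputs: dict, policy: dict = POLICY) -> list:
    """Run every check over collected command outputs; returns the findings."""
    return [
        check_filevault(outputs.get("filevault", "")),
        check_idle_time(outputs.get("idle_time", ""), policy["max_idle_seconds"]),
    ]


def failures(findings: list) -> list:
    """Names of the controls that did not pass, in check order."""
    return [f["control"] for f in findings if not f["passed"]]


def collect() -> dict:
    """Run the real commands; only meaningful on macOS."""
    outputs = {}
    for name, cmd in COMMANDS.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
            outputs[name] = proc.stdout
        except FileNotFoundError:
            outputs[name] = ""
    return outputs


# Constructed sample: encryption is on, but the lock fires after 20 minutes,
# which satisfies the CIS upper bound yet not the post's 5-minute policy.
SAMPLE_OUTPUTS = {
    "filevault": "FileVault is On.\n",
    "idle_time": "1200\n",
}

if __name__ == "__main__":
    outputs = collect() if platform.system() == "Darwin" else SAMPLE_OUTPUTS
    for finding in evaluate(outputs):
        status = "PASS" if finding["passed"] else "FAIL"
        print(f"[{status}] {finding['control']:16} {finding['detail']}")
```

Run it on a Mac and it audits the live machine; anywhere else it evaluates the constructed sample, which is how the same parsing logic can be unit-tested before it is rolled out with an MDM or a cron job. The point of keeping `POLICY` separate from the checks is that the limit comes from your threat list, not from the benchmark's default.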

LIMITATIONS
The same hardening policies don't always work for all employees. For example, many companies block developer tools (e.g. PowerShell, Bash, Python, GCC) on most computers. Still, developers need these tools to get things done. So organizations apply multiple policies depending on each team's requirements.

FURTHER READING
1. Threat modeling for PCI DSS (see chapter 4):
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

2. macOS hardening tips:
https://github.com/drduh/macOS-Security-and-Privacy-Guide

3. Windows hardening tips:
https://hackernoon.com/the-2017-pentester-guide-to-windows-10-privacy-security-cf734c510b8d

THE TAKEAWAY
Identify what your organization fears most and think about how you can prevent this risk from occurring by tuning your computer settings.

You can often start by enabling disk encryption and automatic screen lock on all computers. So the next time you lose your laptop at a bar or during a party, no one will be able to see your intimate photos or your company strategy for the next year.

Security Baseline, Part 1: Vulnerability Management
TIM ISMILIAEV / OCT 04, 2021
In the next few posts, we will cover actionable steps to build a robust cybersecurity foundation for your company from day one. We wanted to make these tips cost-effective – the whole set of tools will cost around $10/month/workstation. It will take 1-2 days to set up and deploy everything across all your company's workstations.

The very first piece is vulnerability management (sometimes referred to as patch management). It is the process of identifying and updating software that isn't up to date. According to reports, unpatched software is the number one reason for successful hacks of companies.

Apps usually get fresh updates every 2-4 weeks, and these updates often contain security patches. After a release, organizations and attackers start to play a cat-and-mouse game: the former should install the update before the latter begin to exploit the vulnerability in the wild. Patch management solutions help to identify vulnerable apps on all computers in an organization and to prioritize updates of the most susceptible apps.
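What "identify and prioritize" looks like in practice, as an added Python example that is not Mana Security's code or any patch management vendor's: it compares the versions each workstation reports against the latest release of each app and orders the patch work so that releases carrying a security fix, and outdated apps on the most machines, come first. The inventory, the latest versions and the security-fix flags are all constructed sample data; a real tool would pull them from an agent on each workstation and from vendor release notes.

```python
"""Rank outdated apps across a small fleet for patching.

Added example, not Mana Security's code. Every value below is constructed
sample data standing in for what an inventory agent and vendor release notes
would provide.
"""
import re
from collections import defaultdict

# Constructed: what each workstation reports (app -> installed version).
INVENTORY = {
    "ws-01": {"Chrome": "95.0.4638.54", "Office": "16.0.14527", "Slack": "4.21.1"},
    "ws-02": {"Chrome": "94.0.4606.81", "Office": "16.0.14527", "Slack": "4.20.0"},
    "ws-03": {"Chrome": "94.0.4606.81", "Office": "16.0.14430", "Slack": "4.21.1"},
}

# Constructed: latest release per app and whether its notes mention a security fix.
LATEST = {
    "Chrome": {"version": "95.0.4638.54", "security_fix": True},
    "Office": {"version": "16.0.14527", "security_fix": True},
    "Slack": {"version": "4.21.1", "security_fix": False},
}


def parse_version(text: str) -> tuple:
    """Turn '95.0.4638.54' into (95, 0, 4638, 54) so versions compare numerically.

    Only numeric components are kept, so a plain string comparison's mistake
    ('9.1' > '10.0') cannot happen. Suffixes such as 'beta' are ignored, which
    is good enough for the app versions in this example.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest release."""
    return parse_version(installed) < parse_version(latest)


def outdated_hosts(inventory: dict = INVENTORY, latest: dict = LATEST) -> dict:
    """Map each app to the sorted list of hosts running an older version."""
    hosts = defaultdict(list)
    for host, apps in inventory.items():
        for app, version in apps.items():
            if app in latest and is_outdated(version, latest[app]["version"]):
                hosts[app].append(host)
    return {app: sorted(names) for app, names in hosts.items()}


def prioritize(inventory: dict = INVENTORY, latest: dict = LATEST) -> list:
    """Order the patch queue: security fixes first, then by number of exposed hosts.

    Returns [(app, [hosts...]), ...] with the most urgent app first.
    """
    exposed = outdated_hosts(inventory, latest)
    return sorted(
        exposed.items(),
        key=lambda item: (not latest[item[0]]["security_fix"], -len(item[1]), item[0]),
    )


if __name__ == "__main__":
    for app, hosts in prioritize():
        flag = "SECURITY" if LATEST[app]["security_fix"] else "feature"
        print(f"{app:8} {flag:8} latest {LATEST[app]['version']:14} outdated on {', '.join(hosts)}")
```

With the constructed data, Chrome lands at the top (a security release missing on two machines), Office second (security release, one machine) and Slack last (feature release). Swapping the sample dictionaries for real agent and release-note feeds gives you the core of the cat-and-mouse race the paragraph describes: knowing, on the day a patch ships, exactly which machines still need it.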

THE TAKEAWAY
Next time you see Chrome or Microsoft Office offer you an update – install it straight away; it's essential.