HOW TO KICKOFF
A common approach to starting the hardening process is figuring out your greatest threats. After identifying the threats, you can decide which of them to prevent completely through hardening.
For example, a law firm may fear that somebody could steal its lawyers' notebooks and use files containing client secrets in order to compromise them. In this case, the company will apply several hardening policies to all of its laptops:
- Turn on disk encryption, so that if a computer is stolen, the attacker won't be able to decrypt the data;
- Enable screen lock after 5 minutes of idle time. If a lawyer has their laptop open in a cafe while talking to a barista, this restriction will prevent attackers from accessing private data.
There are many guides on hardening operating systems and popular apps. One of the most popular is CIS Benchmarks, where you can find guidelines for Windows/macOS/Linux and pick out the relevant techniques that match your list of threats. For example, here's a guide for macOS: https://www.cisecurity.org/benchmark/apple_os/ LIMITATIONS
The same hardening policies don't always work for all employees. For example, many companies block developer tools (e.g. PowerShell, Bash, Python, GCC) on most computers. Still, developers need these tools to get things done. So organizations apply multiple policies depending on the team's requirements. FURTHER READING
1. Threat modeling for PCI DSS (see chapter 4): https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
2. macOS hardening tips: https://github.com/drduh/macOS-Security-and-Privacy-Guide
3. Windows hardening tips: https://hackernoon.com/the-2017-pentester-guide-to-windows-10-privacy-security-cf734c510b8d THE TAKEAWAY
Identify what your organization fears most and think about how you can prevent this risk from occurring by tuning your computer settings.
You can often start by enabling disk encryption and automatic screen lock on all computers. So the next time you lose your laptop at a bar or during a party, no one will be able to see your intimate photos or your company strategy for the next year.