Security Baseline, Part 2: Hardening Intro
TIM ISMILYAEV / JUL 24, 2020
I'm continuing our series of posts about how to kick off cybersecurity at your company. This one looks at hardening.

WHAT IS HARDENING?
Hardening means making it much harder for attackers to compromise your computer, so that they find no easy way in and move on to other targets. It's like fastening a car's seat belt: it increases your chances of survival in an accident. During the hardening phase, therefore, you change every setting that leaves you exposed (an unencrypted disk, for instance) to a safer one and turn off features you don't need.

A good example of a hardened computer is an ATM. A bank's customers can't install software on it or do anything except withdraw cash. This makes ATMs a tough target for attackers.

Apply hardening techniques
WHY IS IT IMPORTANT?
When an attacker finds a vulnerable spot in your company, they will try to use it as an entry point to your company's secrets. For example, a successful attack may start with an email carrying a Word document. When you open the document, a macro in it tries to launch a malicious program on your computer. Hardening blocks this step: configure Office so that macros from untrusted sources don't run and Word can't start other programs (on Windows, Microsoft Defender's attack surface reduction rule "Block all Office applications from creating child processes" does exactly this).
HOW TO KICK OFF
A common way to start hardening is to work out your greatest threats. Once you have identified them, decide which ones you can shut down entirely through hardening and which you can only make harder to exploit.

For example, a law firm may fear that somebody could steal its lawyers' laptops and use the client files on them against the firm or its clients. In this case, the firm applies hardening policies such as these to all of its laptops:

  • Turn on full-disk encryption (BitLocker on Windows, FileVault on macOS, LUKS on Linux), so that if a laptop is stolen, the thief cannot read the data without the key;

  • Lock the screen after 5 minutes of idle time and require a password to unlock it. If a lawyer leaves a laptop open in a cafe while talking to the barista, this stops a passer-by from reading private data.

The two controls complement each other: disk encryption protects a laptop that is switched off, while the screen lock protects one that is running and already has its disk unlocked.
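As an added example (not from the original post), here is a small audit script that checks a macOS laptop against both policies. The check functions take the relevant command output as arguments, so they can be exercised with constructed sample values; the live collection uses `fdesetup status` and the `com.apple.screensaver` defaults keys named in the CIS macOS benchmark recipes. The exact location of the wake-password setting varies between macOS versions, which is an assumption noted in the code: when a key cannot be read, the check fails closed rather than reporting a pass.

```sh
#!/bin/sh
# Added example: audit a macOS laptop against the two policies above
# (FileVault on; screen locks within 5 minutes and asks for a password).
# The check_* functions take raw command output as arguments, so they can be
# exercised offline with constructed samples; collect_and_audit runs the real
# fdesetup/defaults commands when the script is executed on a Mac.

MAX_IDLE_SECONDS=300   # the 5-minute limit from the law-firm policy

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
# (sometimes followed by further lines). Anything else fails closed.
check_filevault() {
    case "$1" in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Arguments: screensaver idleTime in seconds (0 = never), askForPassword
# (1 = required), askForPasswordDelay in seconds (grace period before the
# password is demanded). Pass only if the screen saver starts within the
# limit, a password is required, and the grace period does not push the
# effective lock time past the limit.
check_screen_lock() {
    idle="$1"; ask="$2"; delay="${3:-0}"
    # Empty or non-numeric values (a key that could not be read, or a value
    # with a decimal point) fail closed rather than being treated as zero.
    for v in "$idle" "$ask" "$delay"; do
        case "$v" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$idle" -gt 0 ] || return 1                     # 0 means the saver never starts
    [ "$ask" -eq 1 ] || return 1                      # a saver without a password is no lock
    [ $((idle + delay)) -le "$MAX_IDLE_SECONDS" ]     # effective time until the lock engages
}

# Run the real commands and print one PASS/FAIL line per policy.
# Assumption: key names follow the CIS macOS benchmark recipes. Newer macOS
# versions store the wake-password setting elsewhere; there the read fails
# and the check reports FAIL so that you look rather than assume.
collect_and_audit() {
    rc=0
    if check_filevault "$(fdesetup status 2>/dev/null)"; then
        echo "PASS disk encryption (FileVault) is on"
    else
        echo "FAIL disk encryption (FileVault) is off or could not be determined"; rc=1
    fi
    idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
    ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null)
    delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)
    if check_screen_lock "$idle" "$ask" "$delay"; then
        echo "PASS screen locks within ${MAX_IDLE_SECONDS}s and requires a password"
    else
        echo "FAIL screen lock: idleTime=${idle:-unset} askForPassword=${ask:-unset} askForPasswordDelay=${delay:-unset}"; rc=1
    fi
    return $rc
}

# Only attempt the live audit on macOS; the check functions work anywhere.
if [ "$(uname)" = "Darwin" ]; then
    collect_and_audit
fi
```

Run it on each laptop (or from your device-management tool) and treat any FAIL line as a policy violation to fix, not a warning to read. Keeping collection and evaluation separate is what makes the rules testable: the same `check_screen_lock` logic can later be fed values gathered from Windows or Linux machines.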

There are many guides to hardening operating systems and popular applications. One of the best known is the CIS Benchmarks collection, with guidelines for Windows, macOS and Linux from which you can pick the techniques that match your list of threats. For example, here's the guide for macOS:
https://www.cisecurity.org/benchmark/apple_os/

LIMITATIONS
The same hardening policies don't always work for all employees. For example, many companies block developer tools (e.g. PowerShell, Bash, Python, GCC) on most computers. Developers, however, need these tools to get their work done. So organizations apply several policies depending on each team's requirements, while keeping baseline controls such as disk encryption and screen lock on every machine.

FURTHER READING
1. Threat modeling for PCI DSS (see chapter 4):
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

2. macOS hardening tips:
https://github.com/drduh/macOS-Security-and-Privacy-Guide

3. Windows hardening tips:
https://hackernoon.com/the-2017-pentester-guide-to-windows-10-privacy-security-cf734c510b8d

THE TAKEAWAY
Identify what your organization fears most and think about how you can prevent this risk from occurring by tuning your computer settings.

You can often start by enabling disk encryption and automatic screen lock on all computers. Then the next time a laptop is left behind at a bar or a party, nobody will be able to see your private photos or your company's strategy for the next year.