An often overlooked means to significantly reduce risk is hardening systems, technologies, and network infrastructure. Each infrastructure component, including the human element, can be hardened to reduce attack surface and risk, streamline utilization, and lower the support costs of maintaining and securing systems whose vulnerabilities require patching.
Only Give What Is Needed for the Job
From a cybersecurity perspective, security hardening means giving a person, process, or device only what is mandatory to serve its desired function, nothing else. The same philosophy can also be applied to employees in an organization. To reduce risk, organizations should only give employees exactly what is needed to conduct their job functions, nothing more. It is worth asking: Does this person require Internet access, email, and Microsoft Excel to perform their job duties? If not, then they should not have access to these applications. Every application comes with inherent risk.
Harden Bloated Software
Bloated IT infrastructure components are a common occurrence in organizations. This is especially true of operating systems (OS). Whether the OS is for a user endpoint, server, domain controller, database, or application server, it is usually bloated with unneeded and risky add-ons, applications, background processes, utilities, services, protocols, and accessories. Hardening provides a solution to this problem. A central tenet of hardening is one function per device. Everything unnecessary for that function (i.e., not needed to do the job) should be eliminated. This streamlines the OS, reduces the amount of vulnerability patching, and significantly reduces risk to organizational infrastructure. Furthermore, it reduces the number of issues that require service desk tickets and end-user support. Hardening also reduces the usage of system resources: CPU, memory, network bandwidth, and hard disk space.
Reduce the Attack Surface
The primary goal of hardening is to reduce risk by eliminating or condensing the attack surface. Unneeded applications, software, access, ports, services, etc. all contribute to the attack surface utilized by threat actors. These unnecessary packages of tools and accessories can help the threat actor move laterally, gather information, and conduct a more targeted attack. By removing extraneous elements unrelated to functionality, threat actors and malware have fewer opportunities to establish persistence and move around on a network.
Building STIGs and Hardened Images
Hardening requires methodical diligence to remove everything that is not needed. To build hardened images, an organization needs to develop Security Technical Implementation Guides (STIGs). A STIG is a written plan for a specific asset such as an OS, application, or piece of hardware. STIGs encompass specific configuration and maintenance practices necessary to ensure that everything is set up and managed securely. A STIG even details exactly how the installation should take place. Every job function, OS, server, application, or software package should have its own STIG and accompanying protected image. Crafting effective STIGs requires a comprehensive grasp of network dynamics, existing vulnerabilities, job roles, and workflows. Tailoring distinct STIGs to specific job functions, along with their corresponding technological prerequisites, ensures robust security measures aimed at mitigating risk.
There are software applications that can be used to monitor compliance with STIG standards and report issues that occur. Some STIG software packages are free, while others require subscriptions. These packages grant network administrators insight into any deviations and help with compliance audits of the STIGs and hardening guidelines.
Hardened images must be protected from malware or threat actor manipulation. There have been many incidents in the last decade where images were restored that still contained malware.
Implement Industry Best Practices
The type of hardening an organization uses depends on anticipated risk, deployed technologies, and cybersecurity maturity priorities.
To start a robust hardening program, an enterprise must perform a comprehensive audit of its entire network. The audit includes network discovery, vulnerability scanning, internal and external penetration testing, and the use of configuration management tools. Many mature organizations will deploy change monitoring tools once a secure baseline has been documented and STIGs created. Afterward, administrators can conduct hardening assessments against all assets using recognized industry standards.
Harden by Priority
Performing assessments, developing STIGs, and hardening images can be tedious and time consuming in any organization. To establish priorities, enterprises should consider Internet-facing assets first, then use business criticality to determine the next steps. Inventory records should always contain business criticality levels. As critical assets are secured and STIGs are established, these practices may be extended to less critical assets, and eventually, a comprehensive hardening program may be developed for the entire network. This comprehensive approach significantly reduces risk and aids in effective risk management.
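The compliance monitoring described above (reporting deviations from a STIG baseline) and the priority rule in this section (Internet-facing assets first, then business criticality) can be combined into one drift check. The following is an added example written for this article, not a STIG tool or code from the author; the per-role baselines, the asset inventory, and the criticality scale are constructed for illustration.

```python
"""Check assets for drift from a per-role hardening baseline and order the findings
by the article's priority rule: Internet-facing first, then business criticality."""
from dataclasses import dataclass, field

# Constructed, hypothetical baselines: anything present on an asset that is not
# listed for its role is a deviation ("one function per device").
BASELINES = {
    "web": {"services": {"sshd", "nginx"}, "ports": {22, 443}, "accounts": {"root", "www"}},
    "db": {"services": {"sshd", "postgres"}, "ports": {22, 5432}, "accounts": {"root", "postgres"}},
}


@dataclass
class Asset:
    name: str
    role: str
    internet_facing: bool
    criticality: int  # constructed scale: 1 = most critical, 3 = least critical
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    accounts: set = field(default_factory=set)


def deviations(asset):
    """Return what is present on the asset but absent from its role's baseline."""
    base = BASELINES[asset.role]
    extra = {k: sorted(getattr(asset, k) - base[k]) for k in ("services", "ports", "accounts")}
    return {k: v for k, v in extra.items() if v}


def priority_key(asset):
    # Internet-facing assets sort first (False < True), then by criticality, then by name.
    return (not asset.internet_facing, asset.criticality, asset.name)


def hardening_plan(assets):
    """Assets that drift from their baseline, in the order they should be hardened."""
    ordered = sorted(assets, key=priority_key)
    return [(a.name, deviations(a)) for a in ordered if deviations(a)]


# Constructed inventory: observed services, listening ports, and local accounts.
SAMPLE_INVENTORY = [
    Asset("db01", "db", False, 1, {"sshd", "postgres", "cups"}, {22, 5432, 631}, {"root", "postgres", "guest"}),
    Asset("web01", "web", True, 2, {"sshd", "nginx", "telnetd"}, {22, 443, 23}, {"root", "www"}),
    Asset("web02", "web", True, 1, {"sshd", "nginx"}, {22, 443}, {"root", "www"}),
    Asset("lab01", "web", False, 3, {"sshd", "nginx", "ftpd"}, {22, 443, 21}, {"root", "www", "admin"}),
]

if __name__ == "__main__":
    for name, drift in hardening_plan(SAMPLE_INVENTORY):
        print(name, drift)
```

In a real deployment the inventory would be collected by the change monitoring or STIG compliance tooling; the baselines are the machine-readable part of each STIG.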
Best Hardening Practices
There are several key considerations for hardening. The following represent a subset of common hardening practices, but there are many other essential configurations to consider:
- Eliminate all unnecessary accounts and privileges—Enforce the concept of least privilege by removing unnecessary accounts and access privileges throughout the network infrastructure. This is the most effective approach to minimizing attack surfaces and reducing risk.
- OS hardening—Apply all OS updates, service packs, and patches while removing all unnecessary drivers, file shares, software, services, and unneeded functionality; encrypt data at rest and in motion; secure the system registry and all permissions; ensure robust logging; and tighten user access controls.
- Network device hardening—Ensure that routers, load balancers, switches, Wi-Fi networks, cloud management devices, access points, gateways, voice over IP (VoIP) systems, and firewalls are securely configured and that everything is properly audited for STIG compliance. Hardening involves ensuring one function per asset, blocking unnecessary ports, removing extraneous protocols and services, and properly encrypting all traffic. Remember to always change default passwords and remove unneeded system accounts.
- Endpoint hardening—Eliminate all local admin rights on all OS, including tablets and mobile devices. Ensure that no default passwords exist. Eliminate all unnecessary software and block any unnecessary tools or communications.
- Server hardening—Ideally, servers should always be hardened before connecting them to a network. Take care not to keep unnecessary software, services, or protocols on servers; segregate servers appropriately; and ensure that privileged accounts and shares are properly set up and that access rights are limited, under the principle of least privilege, to needed job functionality.
- Application hardening—Remove all unnecessary applications and restrict access based on job functionality. Remove all default passwords and mandate multifactor authentication (MFA). Hardening of applications should also encompass installations and integrations with other applications, and removing, or reducing, unnecessary components and access rights.
- Database hardening—Administrator and privileged access should be restricted based on job function. Perform Open Worldwide Application Security Project (OWASP) and secure coding assessments and ensure that all data is strongly encrypted, both at rest and in motion.
Benefits of Systems Hardening
Systems hardening at the enterprise level is no small project. It requires time and diligence. However, when done properly, it can reduce risk to the enterprise and help reduce an organization’s attack surface. There are several benefits to systems hardening:
- Enhanced cybersecurity—Reducing attack surfaces decreases the risk associated with malware and threat actor damage. It also reduces the risk of data exfiltration and of misconfigurations due to user error.
- System functionality—Hardening enterprise systems reduces the risk of user error, misconfigurations, and threat actor compromise.
- Easier auditability—By simplifying the complexities of systems and minimizing attack surfaces, organizations can streamline information collection for audits, resulting in greater efficiency and reduced complexity.
In an era marked by consistently evolving threats, even small reductions in attack surface or removal of vulnerabilities can provide dramatic results. Effective cyberdefense comprises hundreds of layers, and the implementation of robust hardening techniques and practices is a crucial layer that everyone should adopt.
Patrick Barnett
is an incident response principal consultant for Secureworks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to security events of any size.