System Hardening
-
Definition: Reduce a host’s attack surface by disabling/uninstalling unnecessary components
-
Checklist:
- Remove/Disable Unused Devices
- Regular Patching
- Uninstall Unused Network Protocols
- Disable Unnecessary Services/Shared Folders
- Enforce ACLs on Resources
- Least Privilege Accounts
- Secure Admin/Root Accounts
- Disable Default User/Group Accounts
- Verify Permissions on Accounts/Groups
- Install/Update Anti-Malware
-
Availability Hardening:
- Power Outages: Use UPS/battery backup → keep servers online during outages
- Internet Outages: Use multiple ISPs (primary, cellular, microwave, satellite)
- Other Threats: Plan for hardware/network failures
Patch Management
- Definition: Identify, test, deploy updates to fix vulnerabilities
- Classification: Critical, Security-Critical, Recommended, Optional
- Enterprise Tools: SCCM, Endpoint Manager
- Risks:
- Requires scheduled downtime; patches may introduce new issues
- Sometimes no patch exists → apply compensating controls
- Strategy:
- Regular Scanning (Nessus, Qualys) → identify missing patches
- Prioritize by severity (e.g., CVSS score)
- Controlled Deployment:
- Test in non-prod environments
- Schedule maintenance windows
- Monitor post-deployment for new issues
- Documentation:
- Record applied patches; update CMDB
- Mitigation for Unpatched Systems:
- Network segmentation, increased monitoring, WAF, strict access controls
- Risk acceptance only if compensating controls suffice
User Input Sanitization
- Definition: Validate/sanitize all user inputs to prevent injection attacks
- Principles:
- Treat all inputs as untrusted
- Use approved-listing—allow only known safe characters/patterns
- Avoid relying solely on unapproved-listing (can be bypassed)
- SQL Injection Example: Use parameterized quieres
SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "' #vulnerable SELECT * FROM users WHERE username = ? AND password = ? #better - Remediation Steps:
- Identify all input points (forms, URL params, APIs)
- Implement input validation (approved-listing)
- Convert database calls to parameterized queries
- Sanitize output to prevent XSS
- Conduct regular security testing (automated scans, manual pen tests)
- Train developers on secure coding—emphasize input validation and parameterization
Network & Infrastructure Controls
- Network Segmentation:
- Divide network into isolated subnets → limit lateral movement
- Methods:
- Firewalls: Enforce policies between segments
- VLANs: Separate broadcast domains on same physical network
- ACLs: Granular access control to specific segments
- Infrastructure Security:
- Strong Authentication: MFA, certificate-based
- Encryption: Data at rest/in transit
- Regular Updates/Patching: OS, firmware, network devices
- IDS/IPS: Monitor and block malicious traffic
- Recommended Remediation:
- Review network architecture → identify unsegmented areas
- Implement VLANs, configure firewall rules
- Define ACLs for critical resources
- Enforce MFA for admin access
- Verify encryption protocols (TLS, IPSec) in use
- Schedule regular vulnerability scans and patching
- Deploy/configure IDS/IPS; train staff on monitoring and response
Authentication Recommendations
- Multifactor Authentication (MFA):
- Requires ≥2 factors:
- Something you know (password)
- Something you have (token, YubiKey)
- Something you are (biometric)
- Implementation: Use diverse, independent factors; apply to all critical systems
- Requires ≥2 factors:
- Certificate Management:
- Digital Certificates: Authenticate identities, enable encrypted channels
- Practices:
- Issue, renew, revoke as needed
- Track expiration; automate renewals
- Key Rotation:
- Rotate cryptographic keys regularly → limit exposure
- Automate rotation; use a secure key management system
- Secrets Management:
- Use password managers or vaults (e.g., HashiCorp Vault) to store/generate credentials
- Ensure MFA protects manager vaults
Encryption Recommendations
- Definition: Convert plaintext to ciphertext to protect confidentiality
- Best Practices:
- Use strong algorithms (e.g., AES for symmetric, RSA for asymmetric)
- Encrypt data at rest (disk, databases) and in transit (TLS/SSL)
- Wireless Encryption:
- WPA2: AES-based; widely adopted
- WPA3: Enhanced key management; protects against brute-force
- Network Communication:
- SSH: Encrypts remote admin sessions
- Enterprise methods: PEAP, EAP-TTLS, EAP-FAST for 802.1X authentication
- Export Regulations:
- EAR License Exception ENC: U.S. rules governing encryption exports
- Recommended Remediation:
- Ensure all sensitive data (databases, files) uses AES-256 or better
- Enforce TLS 1.2/1.3 for all web and API traffic
- Validate WPA2/WPA3 on wireless networks; disable legacy protocols
- Implement SSH for all remote access; disable Telnet/FTP
- Use enterprise 802.1X with PEAP/EAP-TTLS/EAP-FAST where feasible
- Audit key management practices → secure, rotate keys regularly
Process-Level Remediation
- Definition: Change operational procedures to improve security without direct system modifications
- Recommended Remediation:
- Identify processes that introduce risk (e.g., cleartext protocols)
- Evaluate replacing with secure methods (SSH, VPN tunnels)
- Automate security tasks (password changes, log reviews)
- Train staff on updated workflows; monitor adherence
Administrative Controls
- RBAC (Role-Based Access Control):
- Assign permissions based on job functions
- In Windows domains: implement via security groups reflecting org hierarchy
- Benefits: Enforces least privilege; scales with user turnover
- Password Policies:
- NIST SP 800-63B guidelines:
- Length: 8–64 ASCII characters
- Complexity: discouraged; focus on length
- No forced frequent changes (unless compromised)
- Password history: prevent reuse (e.g., last 25)
- Use Password Managers: Encourage strong, unique passwords
- NIST SP 800-63B guidelines:
- Policies & Procedures:
- Maintain/updating: MDM, remote access, password, RBAC policies
- Integrate lessons from pen tests → revise policies accordingly
- SDLC Security Integration:
- Eight phases: Plan, Requirements, Design, Develop, Test/Validate, Release, Certify/Accredit, Change/Config Management
- Embed security checks (code reviews, vulnerability scans, UAT, peer reviews) throughout SDLC
- Recommended Remediation:
- Implement RBAC; map roles to least privilege
- Update password policies per NIST; remove complexity mandates; enforce length/histories
- Deploy an organization-wide password manager protected by MFA
- Review and update security policies post-pen test
- Integrate security controls into SDLC (vulnerability scans, code reviews)
Physical Controls
- Access Control Hardware:
- Badge Readers: RFID, smart cards; require badge+PIN for two-factor
- Biometric Readers: Fingerprint, retina, voice; combined with PIN
- Mantraps (Access Vestibules):
- Automated: Badge+PIN entry → one door at a time
- Manned: Security verifies identity
- Protecting Data Center Equipment:
- Standard rack dimensions (48U, 50” depth, 20” width)
- Lock racks/cabinets; designate key custodian; log key access
- Employee Training:
- ROI: 69% (SMB), 248% (Enterprise) (Forrester)
- Focus on physical security (badging, tailgating prevention) and technical security (malware/anti-phishing)
- Video Surveillance:
- Wired preferred over wireless (resistant to jamming)
- Fixed vs. PTZ cameras based on coverage needs
Operational Controls & Policies
- Job Rotation:
- Rotate duties periodically → detect fraud, cross-train staff, ensure redundancy
- Mandatory Vacations:
- Require time off → uncover fraudulent or malicious activities during absence
- User Training:
- Annual or as needed; cover current threats, best practices; specialized IT/admin training
- Time-of-Day Restrictions:
- Limit system access to business hours → reduce off-hour risk
- Recommended Remediation:
- Define and document operational controls (rotation, vacations, access windows)
- Automate enforcement (can’t access systems outside allowed hours)
- Monitor adherence; audit logs to verify controls are in place