System Hardening 101

One of the joys of continuing my education is getting to write a mini-article once a week for my fellow students and instructors. I’ve decided to share some of the better ones here. B.

“Hardening” is the term IT professionals use for the set of processes that make a computer system more resistant to attack. The key concept underlying system hardening is to minimize the “attack surface”: the services, accounts, interfaces, and code paths an attacker can reach. That is usually done by applying the principle of least privilege, so that every component, account, and network path exists only because something legitimately needs it.

Typical hardening techniques include restricting which network services and protocols are enabled on a system (Gite, 2019), disabling unneeded user accounts (University of Colorado Boulder, 2017), segregating different server tasks onto separate servers or VM instances (Gite, 2019), keeping systems current with vendor patches (Freshly, 2018), and running offline antivirus scans on a regular basis (Vytas, 2017).
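The first two techniques above, pruning listening services and disabling accounts nobody needs, are the easiest to verify mechanically. The script below is an added example, not code from the original article or any of its references. It feeds a constructed /etc/passwd excerpt and a constructed `ss -H -tlnp` listing through two small audit functions (the names `interactive_accounts_not_in` and `exposed_ports_not_in`, the allow lists, and the sample data are all assumptions made for the demo) and prints whatever falls outside the allow list.

```shell
#!/bin/sh
# Added example, not code from the original article: audit two hardening
# items from the list above (accounts that can still log in interactively,
# and services listening on non-loopback addresses) against an allow list.
# The sample passwd lines and ss output are constructed for the demo; the
# functions read stdin so real data can be piped in instead.

# Constructed /etc/passwd excerpt (name:pw:uid:gid:gecos:home:shell).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oldcontractor:x:1002:1002::/home/oldcontractor:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash'

# Constructed listener table in the layout of `ss -H -tlnp`
# (netid state recv-q send-q local-address:port peer-address:port process).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=900,fd=6))
tcp LISTEN 0 80 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1200,fd=4))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1300,fd=20))
tcp LISTEN 0 50 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1400,fd=5))'

# Print every account whose login shell is not nologin/false and whose name
# is absent from the space-separated allow list in $1. Reads passwd lines
# on stdin. Note that system accounts with a real shell (games above) are
# flagged too; a hardening pass should give those /usr/sbin/nologin.
interactive_accounts_not_in() {
    awk -F: -v allowed=" $1 " '
        $7 !~ /(nologin|false)$/ && index(allowed, " " $1 " ") == 0 { print $1 }'
}

# Print every listening port bound to a non-loopback address whose number is
# absent from the space-separated allow list in $1. Reads `ss -H -tlnp`
# lines on stdin. Loopback-only listeners (mysqld above) are left alone
# because they are not reachable from the network.
exposed_ports_not_in() {
    awk -v allowed=" $1 " '
        $2 == "LISTEN" && $5 !~ /^(127\.|\[::1\])/ {
            port = $5; sub(/.*:/, "", port)
            if (index(allowed, " " port " ") == 0) print port
        }'
}

# Demo run against the constructed samples. On a live host, replace the
# printf feeds with `getent passwd` and `ss -H -tlnp` respectively.
echo "Accounts with an interactive shell outside the allow list:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts_not_in 'root alice'
echo "Externally exposed TCP ports outside the allow list:"
printf '%s\n' "$SAMPLE_SS" | exposed_ports_not_in '22 443'
```

Against the sample data the script reports `games` and `oldcontractor` as accounts that should lose their shell, and ports 23 (telnet) and 21 (FTP) as cleartext services that should be disabled or firewalled. Patch status and task segregation are not something a text filter can judge, so those remain a matter of `apt list --upgradable` (or the distribution equivalent) and of architecture review.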

Each of the techniques described above has a cost, which may include labor hours to implement and maintain it, licensing fees for software updates, and/or expenses tied to physical or virtual hardware. For example, penetration testers are notorious for telling companies to update their software, frameworks, or third-party libraries to the latest available version so that their applications will no longer be vulnerable to known exploits. Unfortunately, doing so may affect tens of thousands of lines of legacy code, all of which must be reviewed and tested to accommodate the changes from one version of the software, framework, or library to the next.[1]

Failure to harden systems, however, can cost even more. Failure to update or patch software can leave an organization exposed to attacks with disastrous consequences. Failure to segregate sensitive systems, or to isolate them from the Internet altogether, is akin to leaving your door unlocked and open while living in a high-crime neighborhood. Part of the “price of doing business” today is balancing the cost of reasonable security tasks, built into your regular processes, against the very real risk of losing the business completely.

References

Freshly, M. (2018, September 12). Configuration Hardening: Proactively Guarding Systems Against Intrusion. Tripwire. https://www.tripwire.com/state-of-security/security-data-protection/automation-action-proactively-hardening-systems-intrusion/

Gite, V. (2019, August 14). 40 Linux Server Hardening Security Tips. NixCraft. https://www.cyberciti.biz/tips/linux-security.html

University of Colorado Boulder. (2017, August 9). Security Awareness – Hardening Your Computer. https://oit.colorado.edu/it-security/security-awareness/hardening-your-computer

Vytas. (2017, May 9). Security Hardening Tips and Recommendations. TechNet. Retrieved February 6, 2020, from https://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx


[1] This may seem anecdotal, but I have experienced this firsthand back when I was still in the development world. At one point a company I worked for needed to update the middleware for their web services to a version three (3) entire integers higher than what they had been running. It took us months, and everyone in the department was fragged when we finished just days before a hard deadline we HAD to meet.
