Security hardening is the process by which an organization reduces its vulnerability to attack, making it “harder” for an attacker to gain access or breach the environment. The larger the attack surface, the more likely it is that a cyber attack will occur, so an important part of an IT team’s job is to look for ways to harden the environment. After all, it stands to reason that the fewer doors you have, the less likely it is that someone gets in, or something gets out.
Why use security hardening techniques?
According to Forbes, hardening your attack surface is the best line of defense against cyber attacks. Isn’t that reason enough? In today’s day and age – cyber attacks are daily headline news, and an insecure IT environment is an open invitation. If there are simple steps or changes in processes that you can take to harden your ecosystem, now is the time to make it happen.
How do you start when thinking about hardening your security?
First, think about how you can reduce the number of attack vectors. Here there’s definitely going to be a balancing act. After all, the only way to get a 100% safe environment is to remove everything. No systems or processes, no customer or employee data, and no business at all. AwesomeITDudes.com is the most secure business in the world – because I just made them up. All environments will have risk, but what you’re looking to remove is unnecessary risk. Do you have machines that are still connected to the network, but they aren’t in use? Do you have subscriptions to cloud tools that are lying dormant? Have you made sure all ex-employee credentials and accounts are unable to be used? These are just some of the questions you can ask yourself to ensure that there are no open items that need closing.
Top tip: Network Discovery tools can be a great help in providing visibility into unused assets such as drivers, services or software, as well as alert you to dormant systems and processes.
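The questions above (dormant machines, unused accounts, ex-employee credentials) come down to one check: which enabled objects have not been seen for a long time. The following PowerShell script is an added example, not code from the original post; it audits a constructed sample inventory and shows how the same function can be pointed at real Active Directory output. The function name Find-StaleAccount, the 90-day threshold and the sample names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): flag enabled accounts and machines
# that have not logged on within a configurable window, so they can be reviewed
# and disabled. Input objects only need Name, Enabled and LastLogonDate, which is
# the shape Get-ADUser / Get-ADComputer -Properties LastLogonDate return.
function Find-StaleAccount {
    param(
        [Parameter(Mandatory)] [object[]] $Accounts,
        [int] $MaxIdleDays = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$MaxIdleDays)
    foreach ($a in $Accounts) {
        # Objects that never logged on carry a null LastLogonDate; treat them as stale too.
        $neverSeen = ($null -eq $a.LastLogonDate)
        $idle = $neverSeen -or ($a.LastLogonDate -lt $cutoff)
        # Already-disabled accounts are not reported; the goal is to find open doors.
        if ($a.Enabled -and $idle) {
            [pscustomobject]@{
                Name     = $a.Name
                LastSeen = if ($neverSeen) { 'never' } else { $a.LastLogonDate.ToString('yyyy-MM-dd') }
                IdleDays = if ($neverSeen) { $null } else { [int]($Now - $a.LastLogonDate).TotalDays }
                Action   = 'Review and disable'
            }
        }
    }
}

# Constructed sample inventory (placeholder data, not real accounts).
$sample = @(
    [pscustomobject]@{ Name = 'jsmith';      Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-3)   }
    [pscustomobject]@{ Name = 'contractor1'; Enabled = $true;  LastLogonDate = (Get-Date).AddDays(-200) }
    [pscustomobject]@{ Name = 'svc-legacy';  Enabled = $true;  LastLogonDate = $null                    }
    [pscustomobject]@{ Name = 'former-emp';  Enabled = $false; LastLogonDate = (Get-Date).AddDays(-400) }
)
Find-StaleAccount -Accounts $sample -MaxIdleDays 90 | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module), feed the same function
# the live objects instead of the sample list:
# Find-StaleAccount -Accounts (Get-ADUser -Filter * -Properties LastLogonDate) -MaxIdleDays 90
# Find-StaleAccount -Accounts (Get-ADComputer -Filter * -Properties LastLogonDate) -MaxIdleDays 90
```

With the sample data, contractor1 and svc-legacy are reported (idle and never seen respectively), jsmith is recent, and former-emp is skipped because it is already disabled. Service accounts that legitimately never log on interactively will show up as "never"; that is intended, since each one deserves an owner and a documented reason to exist.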
What are some common ideas for security hardening?
Security hardening can take many forms, but once you feel confident that there’s nothing opening you up to risk that could be removed, it’s time to look at your existing processes. Yes, you need to take payments and customer data, but who needs access to that data? If you have cloud resources which hold your most sensitive data, these should be protected with the tightest level of privilege, or if on-premises, segmented away from the rest of your environment. Think about using the Principle of Least Privilege.
Each user should have only the access they need to do their role, and no further. If this means more access requests – that’s a reasonable trade-off to ensure sensitive data is secured. This is a great way to harden your environment against a potential threat. Other ideas that can make a real difference without requiring huge investment or change are:
Workforce training: Make sure that all employees and clients have regular training on the latest threats and challenges. After all, 95% of security breaches are due to human error, according to IBM. Hardening your environment also means hardening the people who use that environment.
Automating patching and updates: Patches and security updates should be part of your business as usual, but are you relying on manual effort to ensure your machines are up to date? Both software and hardware (firmware) patches can be applied automatically, ensuring that you never have a gap where attackers can take advantage of your delay.
Password management: Ultimately, a weak credential is a weak environment. In today’s connected world it only takes one user’s account to be breached to open the whole environment up to risk through lateral movement across a network. That’s why resetting default passwords, hashing stored passwords rather than keeping them in plaintext, and onboarding a solution for password rotation and secrets management is so important.
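To make the "hashing" and "default passwords" points concrete, here is an added PowerShell example (not code from the original post) that stores a password as a salted PBKDF2 hash, verifies it with a constant-time comparison, and rejects a small constructed list of default values. The function names, the record format and the list of default passwords are assumptions for illustration; it uses the .NET Rfc2898DeriveBytes class, which requires .NET Framework 4.7.2 or newer (Windows PowerShell 5.1) or PowerShell 7.

```powershell
# Added example (not from the original post): never store the password itself,
# only a salted, iterated hash of it. The record is self-describing so the
# iteration count can be raised later without breaking existing entries.
function New-PasswordHash {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [int] $Iterations = 600000
    )
    # Fresh random salt per password: identical passwords get different records.
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $Iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $hash = $kdf.GetBytes(32)
    $kdf.Dispose()
    return ('pbkdf2-sha256', $Iterations,
            [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash)) -join '$'
}

function Test-PasswordHash {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $Record
    )
    $parts = $Record -split '\$'
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha256') { return $false }
    $iterations = [int]$parts[1]
    $salt       = [Convert]::FromBase64String($parts[2])
    $expected   = [Convert]::FromBase64String($parts[3])
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $iterations, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    $actual = $kdf.GetBytes($expected.Length)
    $kdf.Dispose()
    # Constant-time comparison: OR all byte differences so timing does not reveal
    # how many leading bytes matched.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    return ($diff -eq 0)
}

# Constructed list of vendor/default values that should never be accepted.
$defaultPasswords = @('admin', 'password', 'Password1', '123456', 'changeme')
function Test-DefaultPassword {
    param([Parameter(Mandatory)] [string] $Password)
    return [bool]($defaultPasswords -ccontains $Password)
}

# Usage with a constructed credential (not a real one).
$record = New-PasswordHash -Password 'correct horse battery staple'
Write-Output "Stored record: $record"
Write-Output ("Correct password accepted: " + (Test-PasswordHash -Password 'correct horse battery staple' -Record $record))
Write-Output ("Wrong password accepted:   " + (Test-PasswordHash -Password 'wrong' -Record $record))
Write-Output ("'admin' is a default value: " + (Test-DefaultPassword -Password 'admin'))
```

The record carries the algorithm name, iteration count and salt alongside the hash, which is what lets a rotation or secrets-management tool re-hash old entries with stronger parameters when users next log in. If you run this on an environment where password hashes are handled by an identity provider, the point still applies: what you keep should be the hash record, never the password.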
Data transfer processes: Many organizations fail to think about the way they store and send data, despite it being a huge part of how they work. Look at the SaaS tools you use to collaborate, send files, or discuss sensitive information. Do they, and the other applications you rely on, all encrypt their data in transit as well as at rest?
Keep really good records: Documentation is an important part of security hardening, and one which often gets forgotten. If something is unusual, even if it isn’t immediately dangerous – write it down! This will help your colleagues troubleshoot if the situation escalates, and provide better intelligence for incident response in case of a threat.
Windows 10 inherent hardening processes
Don’t forget, if you’re looking for some quick fixes, your own systems and your customers’ operating systems probably come with some tools and applications as standard. For example, on Windows 10 you should make sure that you’re utilizing Device Guard, Credential Guard, Application Guard and Exploit Guard, which all work as device hardening measures and are included when you set up the machine.
Make sure you’ve turned on Ransomware protection, which isn’t actually toggled on by default. If you want, you can also use Microsoft Edge on Windows in a sandbox environment, which can also add to the security of your environment for specific situations where you want to be able to browse without risk, for example if you’re 99.9% certain about a link, but don’t want that 0.1% to come back to bite you.
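The built-in features named in the two paragraphs above can be checked and, for ransomware protection, switched on from PowerShell. The script below is an added example, not code from the original post: it reports the state of Credential Guard, memory integrity (the Device Guard component exposed to scripts), Application Guard, Windows Sandbox, the system-wide Exploit Guard mitigations DEP and ASLR, and Controlled folder access (the "Ransomware protection" toggle), then enables Controlled folder access if it is off. The function names are assumptions; the cmdlets, WMI class and feature names are Microsoft's. Run it in an elevated PowerShell session on Windows 10.

```powershell
# Added example (not from the original post): audit the Windows 10 hardening
# features mentioned above and turn on ransomware protection if it is off.
function Get-HardeningStatus {
    # Credential Guard and HVCI report through the DeviceGuard WMI class:
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $credGuard = [bool]($dg.SecurityServicesRunning -contains 1)
    $hvci      = [bool]($dg.SecurityServicesRunning -contains 2)

    # Application Guard and Windows Sandbox are optional Windows features.
    $wdag    = (Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard').State -eq 'Enabled'
    $sandbox = (Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM').State -eq 'Enabled'

    # Exploit Guard: system-wide exploit protection settings (DEP and bottom-up ASLR shown here).
    $mit  = Get-ProcessMitigation -System
    $dep  = "$($mit.DEP.Enable)"    -eq 'ON'
    $aslr = "$($mit.ASLR.BottomUp)" -eq 'ON'

    # Controlled folder access: 0 = off, 1 = on, 2 = audit mode.
    $cfa = (Get-MpPreference).EnableControlledFolderAccess

    [pscustomobject]@{
        CredentialGuard         = $credGuard
        MemoryIntegrity_HVCI    = $hvci
        ApplicationGuard        = $wdag
        WindowsSandbox          = $sandbox
        ExploitGuard_DEP        = $dep
        ExploitGuard_ASLR       = $aslr
        RansomwareProtection    = ($cfa -eq 1)
        RansomwareProtectionRaw = $cfa
    }
}

function Enable-RansomwareProtection {
    # Controlled folder access is off by default; once on, untrusted apps are blocked
    # from modifying files in protected folders (Documents, Pictures, and so on).
    if ((Get-MpPreference).EnableControlledFolderAccess -ne 1) {
        Set-MpPreference -EnableControlledFolderAccess Enabled
        Write-Output 'Controlled folder access enabled.'
    } else {
        Write-Output 'Controlled folder access was already enabled.'
    }
}

Get-HardeningStatus | Format-List
Enable-RansomwareProtection
Get-HardeningStatus | Format-List

# Application Guard and Windows Sandbox can be added the same way if the edition and
# hardware support them (a restart is needed afterwards):
# Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
# Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -NoRestart
```

Two caveats when reading the output: Application Guard and Windows Sandbox require a Windows 10 edition and hardware with virtualization support, so a value of False on a Home edition or an unsupported machine is a platform limit rather than a misconfiguration, and Controlled folder access in audit mode (raw value 2) logs what it would have blocked without blocking it, which is a useful first step on machines where line-of-business apps write to user folders.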
Security hardening is a huge topic – we could talk about it all day! If you’re interested in some more tips and tricks around security, did you catch our cybersecurity MSP Minds webinar, where we spoke to experts from tech companies including Microsoft about how to shore up your defenses and harden an MSP or IT professional ecosystem?