Hardening Techniques – CompTIA Security+ SY0-701 – 2.5

There are many different techniques for making a system more difficult to exploit. In this video, you’ll learn about encryption, open ports, default passwords, and more.


If you take a look around your network, your servers, and other devices, you may find opportunities to make those devices just a little bit more secure. And in this video, we’ll go through a number of hardening techniques. Let’s start with a server.

System hardening here refers to the operating system that's running on this server. Operating systems like Windows, Linux, macOS, and others are very different, but there are some best practices to ensure that each of them remains secure. One of the first and most significant steps for keeping these systems hardened is to always apply the security updates. These are updates to the operating system and the security patches that are usually bundled with them.

Manufacturers like Microsoft release these patches every month, and other manufacturers follow a similar schedule. You should also make sure that the user accounts on these systems are well secured. One way to do that is with a password policy. You could set a rule that requires a certain minimum password length and a certain complexity for those passwords. For example, your password should be at least eight characters long, and it should include uppercase characters, lowercase characters, numbers, and special characters. That is the traditional formulation; more recent guidance such as NIST SP 800-63B emphasizes longer passwords and screening against known-compromised passwords over mandatory character-class rules, so check which standard your organization follows.

Another good idea is to limit what each of these accounts can do. Not every account on the system should be an administrator, and each individual user account should have only the rights and permissions necessary for that user to do their job, which is the principle of least privilege. If this device is accessed across the network, it's also a good practice to limit who may reach it. You might define an IP address range that's permitted to access this server, and anyone attempting to connect from an IP address outside that range would be denied.
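The source-address restriction described above, as an added example that is not part of the original video: the allowed networks, the sample connection attempts, and the function names are all constructed for illustration. The check uses the standard-library ipaddress module, denies anything it cannot parse, and unwraps IPv4-mapped IPv6 addresses so that a client on a dual-stack listener cannot sidestep an IPv4-only allowlist.

```python
import ipaddress

# Constructed allowlist of management networks permitted to reach the server.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.50.0/24"),     # admin workstation VLAN (assumed)
    ipaddress.ip_network("192.168.1.10/32"),  # a single jump host (assumed)
    ipaddress.ip_network("2001:db8:1::/64"),  # IPv6 management range (assumed)
]


def is_permitted(source_ip, allowed=ALLOWED_NETWORKS):
    """Return True only if source_ip falls inside one of the allowed ranges.

    Unparseable values are denied rather than raising, so a malformed
    address in a log or header never turns into an accidental allow.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False
    # An IPv4-mapped IPv6 address (::ffff:10.0.50.7) must be compared as IPv4,
    # otherwise it would never match an IPv4 allowlist entry.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed if net.version == addr.version)


def filter_connections(attempts, allowed=ALLOWED_NETWORKS):
    """Apply the allowlist to (source_ip, user) pairs and return the decisions."""
    return [(ip, user, "ALLOW" if is_permitted(ip, allowed) else "DENY")
            for ip, user in attempts]


if __name__ == "__main__":
    # Constructed connection attempts, not real log data.
    sample = [
        ("10.0.50.7", "alice"),
        ("10.0.51.7", "bob"),
        ("::ffff:10.0.50.7", "alice"),
        ("2001:db8:1::42", "carol"),
        ("203.0.113.9", "unknown"),
        ("not-an-ip", "?"),
    ]
    for ip, user, decision in filter_connections(sample):
        print(f"{decision:5} {ip:20} {user}")
```

In practice the same allowlist would be enforced by the host firewall or the service's own access control rather than by application code, but the decision logic, including the fail-closed handling of bad input, is the same.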

And of course, it’s always good to monitor and secure the system with antivirus, anti-malware, or some other type of endpoint detection. Another good hardening technique is to encrypt any data that you would like to protect on these systems. One way to do this is with the file system itself. You can select individual files or folders and tell the operating system to only encrypt that specific data. This is easily done using things like the Windows Encrypting File System, or EFS.

If you would like to secure the entire drive, including the operating system, user documents, and anything else stored on the system, you might want to use FDE, or Full Disk Encryption. This encrypts everything stored on a particular volume, and you can do it with built-in tools like Windows BitLocker or the FileVault utility in macOS.

And if you're communicating between devices across the network, you might also encrypt all of your network traffic. This can be done with a Virtual Private Network, or VPN. The applications you use may also have encryption built in already. For example, if you're connecting to other devices from your browser, you're probably using HTTPS in the address bar, which encrypts all of the data between that browser and the web server.

It's common these days for people to have two, three, or even more devices that they use throughout the day, and we also need to think about how to harden each of these individual user endpoints. We're of course concerned about attacks that may be inbound to any of these devices; there could be someone on the internet trying to access them directly. And if a device does become infected with malware, that malware may try to attack other systems using the user's workstation as its starting point.

We need to think about the type of security that we might put on a desktop computer, a laptop computer, or even the mobile tablets or mobile phones. All of these are probably running different operating systems, using different applications, and we need to apply the proper security for each individual platform. And of course, there’s never one single option or button to push to enable or disable security. You need to use many different types of security tools and utilities, and all of those work together to provide defense in depth.

It’s estimated that there are over 1 million malware variants created every day. To address this scalability problem, the industry is focusing on the next generation of malware detection through an EDR. This stands for Endpoint Detection and Response. EDR can certainly recognize known malware and vulnerabilities based on a signature. But it goes beyond signatures to provide additional security.

For example, the EDR could use behavioral analysis– watching what the user does, watching what the applications do, and identifying when something malicious may be occurring even though it may not have a signature for that particular piece of malware. EDR might also include machine learning for rapid identification of malware and malicious software. And process monitoring can constantly watch all of the processes running on your system. And if a new process suddenly began on your system, EDR can recognize that process and begin monitoring it for any type of malicious activity.
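The process-monitoring and behavioural checks described above, reduced to a small added example that is not code from the original video or from any EDR product. The baseline of expected process images, the suspicious parent/child pairs, the command-line markers, and the sample process-start events are all constructed for illustration; a real EDR weighs many more signals than these substring matches and would not alert on each one in isolation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    host: str
    pid: int
    parent: str    # image name of the parent process
    image: str     # image name of the newly started process
    cmdline: str


# Constructed baseline: process images normally seen on this class of host.
BASELINE = {
    "explorer.exe", "svchost.exe", "services.exe", "lsass.exe",
    "winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "teams.exe",
}

# A document viewer or mail client launching a shell or script host is the
# classic macro / phishing pattern, regardless of whether the child is known.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_MARKERS = ("-enc", "-encodedcommand", "frombase64string")


def assess(event):
    """Return the reasons this process start deserves attention (empty = benign)."""
    image = event.image.lower()
    parent = event.parent.lower()
    cmd = event.cmdline.lower()
    reasons = []
    if image not in BASELINE:
        reasons.append("new process not in baseline")
    if parent in SUSPICIOUS_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image in SCRIPT_HOSTS and any(marker in cmd for marker in ENCODED_MARKERS):
        reasons.append("encoded/obfuscated command line")
    return reasons


def triage(events):
    """Map the pid of every flagged event to its reasons; benign events are omitted."""
    flagged = {}
    for event in events:
        reasons = assess(event)
        if reasons:
            flagged[event.pid] = reasons
    return flagged


# Constructed process-start telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    ProcessStart("ws01", 4120, "explorer.exe", "chrome.exe",
                 "chrome.exe --profile-directory=Default"),
    ProcessStart("ws01", 4188, "explorer.exe", "winword.exe",
                 "winword.exe C:\\Users\\a\\Downloads\\invoice.docm"),
    ProcessStart("ws01", 4201, "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessStart("ws01", 4233, "svchost.exe", "updater.exe",
                 "C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The point of the example is the layering: the unknown binary in a Temp directory is caught only by the baseline check, while the Word-to-PowerShell chain would be flagged even if PowerShell were a perfectly ordinary process on that host.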

EDR also goes much further than a traditional antivirus or anti-malware application. For example, the EDR itself can perform root-cause analysis on the threats it sees. Once EDR recognizes something that could be malicious, it performs additional analysis on what that particular process is doing, and based on that analysis it can decide whether the activity is malicious or should be allowed.

And once malicious code is recognized, the EDR itself can immediately take action. You don’t need to wait for a technician or a helpdesk ticket to be created. Instead, EDR will isolate the system, quarantine that threat, and even roll back to a previous config to remove that virus from the system. This entire process can be automated through the use of an Application Programming Interface, or API, so the EDR can perform all of its functions autonomously and then report all of that information back to a central management console.

It's very common these days to have a host-based firewall running on your operating system. This is a software-based firewall that runs behind the scenes, and it provides a way to allow or disallow certain traffic flows both inbound to and outbound from your system. Since this software-based firewall sits on the operating system itself, it sees outbound data before it is encrypted and inbound data after it has been decrypted, so it has complete visibility into what is going on. And it can decide which processes should be allowed to communicate on the network and which processes should be blocked.

This is also a great place to watch for unknown processes that may have been launched by malware or through some type of security vulnerability. If the host-based firewall sees something unusual, it can be configured to automatically block that traffic until an administrator or the user approves it. This software-based firewall runs on each individual system, but it can be managed from one central console.
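A per-process host firewall policy of the kind described above, as an added example rather than the configuration syntax of any real firewall. The rule set, the process names, and the sample flows are constructed; the structure it demonstrates is the one that matters: rules are matched top to bottom on process, direction, port and remote network, the first match wins, and anything that matches nothing, including an unknown binary talking out on port 443, is blocked.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    process: str      # image name of the process that owns the socket
    direction: str    # "in" for inbound connections, "out" for outbound
    remote_ip: str
    port: int         # local (listening) port for "in", remote port for "out"


@dataclass(frozen=True)
class Rule:
    process: Optional[str]   # None matches any process
    direction: str
    ports: frozenset         # empty means any port
    networks: tuple          # empty means any remote address
    action: str              # "allow" or "block"


def rule(action, direction, process=None, ports=(), networks=()):
    return Rule(process, direction, frozenset(ports),
                tuple(ip_network(n) for n in networks), action)


# Constructed workstation policy (assumed, not taken from any product).
POLICY = [
    rule("allow", "out", "chrome.exe", ports=[80, 443]),
    rule("allow", "out", "outlook.exe", ports=[443, 993]),
    rule("allow", "out", "svchost.exe", ports=[53], networks=["10.0.0.0/8"]),  # internal DNS only
    rule("allow", "in", ports=[3389], networks=["10.0.50.0/24"]),             # RDP from admin VLAN only
    rule("block", "in"),                                                      # all other inbound
]


def matches(r, f):
    """True when every constraint the rule specifies holds for the flow."""
    if r.direction != f.direction:
        return False
    if r.process is not None and r.process.lower() != f.process.lower():
        return False
    if r.ports and f.port not in r.ports:
        return False
    if r.networks:
        addr = ip_address(f.remote_ip)
        if not any(addr in net for net in r.networks):
            return False
    return True


def evaluate(f, policy=POLICY):
    """Return 'allow' or 'block'; no matching rule means default deny."""
    for r in policy:
        if matches(r, f):
            return r.action
    return "block"


def audit(flows, policy=POLICY):
    return [(f.process, f.direction, f.remote_ip, f.port, evaluate(f, policy)) for f in flows]


# Constructed connection attempts, not captured traffic.
SAMPLE_FLOWS = [
    Flow("chrome.exe", "out", "203.0.113.5", 443),
    Flow("chrome.exe", "out", "203.0.113.5", 22),
    Flow("updater.exe", "out", "198.51.100.7", 443),   # unknown process on a "normal" port
    Flow("svchost.exe", "out", "10.0.0.2", 53),
    Flow("svchost.exe", "out", "8.8.8.8", 53),          # DNS to an external resolver
    Flow("termsrv", "in", "10.0.50.9", 3389),
    Flow("termsrv", "in", "203.0.113.7", 3389),
]

if __name__ == "__main__":
    for process, direction, remote, port, action in audit(SAMPLE_FLOWS):
        print(f"{action:5} {direction:3} {process:12} {remote}:{port}")
```

The third sample flow is the one a port-only firewall would have let through; tying the decision to the owning process is what makes the host firewall useful against malware that picks a port your policy already allows.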

It’s very common to look for known attack types on the network by running an intrusion prevention system. But there are also host-based intrusion prevention systems that can provide this type of security on each individual device. This is often built into your EDR or your anti-malware software. And it watches all of the traffic that is inbound to your system to look for anything that might be a known vulnerability. The Host-Based IPS, or HIPS, can also secure application configurations and operating system configs. And it can look for and verify any inbound updates for securing that system.

We commonly associate intrusion prevention with looking for some type of malicious action. So this might be something based on signatures that are stored in the IPS. It might be based on heuristics or behavioral changes. Since the IPS is on the operating system itself, it can extend this visibility into the way the operating system is working. For example, if the host-based IPS recognizes a buffer overflow or registry change or perhaps some files were modified in the core Windows operating system folder, it can send an alert and block that particular process from continuing.

Each time you install an outward-facing service on a server or workstation, ports are opened inside of the operating system, and those ports can be reached across the network. Ideally, you should close as many of these ports as possible, because each open port is an opportunity for an attacker to find a vulnerability that would let them gain access to that system. This control of open ports can certainly be done on the server or workstation itself, and you can also install a firewall to provide this port-based protection. Better still, a next-generation firewall identifies the application protocol actually using a port rather than trusting the port number alone, which gives you much finer-grained control.

Sometimes these ports are opened without the knowledge of the end user. When you initially install an operating system or you install additional applications onto that operating system, you could be unknowingly opening ports in that system. And there are cases that I’ve documented that show an application manufacturer saying that you can install this application. But once this application is installed, you need to open port 0 through 65,535. This would effectively open every port on that particular server, which would certainly not be the best practice for a secure system.

If you see a requirement like this for software you're installing, it's not because the software needs all of those ports open; the vendor would simply rather not receive a support call if a firewall happens to block the port the application actually uses. And if you're not sure which ports are open and which are closed on your system, you can run a scan. Nmap is a great tool for discovering open ports on a system, and within a few minutes it can tell you exactly which ports are listening on an individual host.
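Turning the scan described above into the check a practitioner actually wants, as an added example that is not part of the original video: a parser for Nmap's grepable (-oG) output that compares each host's open ports against the services it is supposed to expose and reports the rest. The scan output, the host names and the expected-exposure table are constructed; the -oG line format itself is Nmap's (port/state/protocol/owner/service/rpc info/version/).

```python
import re

# Constructed nmap -oG output for two hosts, not a real scan. A scan such as
#   nmap -sS -p- -oG scan.gnmap 192.168.1.0/24
# produces lines of this shape.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -p- -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.10 (web01)\tStatus: Up
Host: 192.168.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (65531)
Host: 192.168.1.11 (files01)\tStatus: Up
Host: 192.168.1.11 (files01)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65531)
# Nmap done at Mon Jan  1 10:02:13 2024 -- 256 IP addresses (2 hosts up) scanned in 133.21 seconds
"""

# Assumed policy: the services each host is supposed to offer. A host absent
# from this table is expected to expose nothing.
EXPECTED = {
    "192.168.1.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.168.1.11": {("tcp", 445)},
}

# port/state/protocol/owner/service/... as written in -oG output
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host_ip: [(proto, port, service), ...]} for ports reported open."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                result.setdefault(ip, []).append((proto, int(port), service))
    return result


def unexpected_ports(scan, expected=EXPECTED):
    """Open ports that the policy does not account for, per host."""
    findings = {}
    for ip, entries in scan.items():
        allowed = expected.get(ip, set())
        extra = [(proto, port, svc) for proto, port, svc in entries
                 if (proto, port) not in allowed]
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_ports(parse_gnmap(SAMPLE_GNMAP)).items():
        for proto, port, svc in extra:
            print(f"{ip}: {port}/{proto} ({svc}) is open but not expected")
```

Run against real output, the diff is what goes into the ticket: the database listener on the web server and the RPC, NetBIOS and RDP ports on the file server are either to be closed on the host, filtered at the firewall, or added to the expected table with a justification.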

If you install a router, a switch, a firewall, an access point, or almost any other device, there will be a default configuration screen that allows you to set the settings in that device. These management interfaces might also be found in applications that you’ve installed on a system. And all of these might contain very sensitive data and certainly information that would be interesting to an attacker.

Normally, when you first log in to one of these management consoles, it will prompt you to change the password. But not all systems provide that prompt, so it's important that you manually go into these devices and change the default configuration. Attackers can very easily look up the default username and password for a given device, so you want to be sure that all of your systems are secured against that type of attack. In some cases, you can also configure multifactor authentication, or centralized authentication that uses the existing accounts in your network directory.

Every piece of software that you use on a system has some type of bug inside of it. This may not be a bug that you found yet, but eventually you may find something that is a security vulnerability built into this software. And of course, you may have installed tens or hundreds of different applications on your system. And each one of those applications probably has a different process for performing security updates.

This makes it very challenging to keep these applications up to date and secure, because you would have to go into every single application, each with its own update process, to ensure that everything is always running the latest version. Instead, the best practice might be to delete any applications you're no longer using. This removes that application's attack surface entirely, and if you're not using it anyway, there's no reason to keep it loaded on the system. This is a relatively easy fix, and it takes one more application off the list of things you have to keep up to date.