EP013

Episode 13 – Hardening is Haaaaaard

Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin

By default, systems are typically configured to be usable in every scenario, meaning that many services run just in case you need them. This is resource intensive and exposes those services to attack. The purpose of hardening a system is to put control back in your hands by removing those unneeded services, generally turning your computer from a soft, hackable surface into a hard, spike-covered one that the bad guys quickly learn to stay away from.

Choose your scope:
Your network
Your computer
Your website
Your enterprise

Considerations for individual systems:
Default passwords should be changed, or the accounts disabled if they are not necessary
Two tiers of user accounts as a minimum: privileged accounts used only when privileged access is needed, and everything else done as a non-privileged user
Disable, or even uninstall, unused services
Have services run with lower privileges where possible (such as the way Apache drops privileges after starting up)
Patching vulnerabilities
Hardened kernel (SELinux / EMET)
DAC vs MAC (discretionary vs mandatory access control; role-based security)
Antivirus
Firewall
Baselines
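
As an added example (not from the episode), a small Python audit that checks a host against three items of the list above: empty/default passwords, services that should not be running as root, and enabled services outside an approved baseline. The /etc/shadow lines, the ps output and the unit list are constructed samples, and the baseline sets are assumptions; on a real host you would feed in the live files and command output instead.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "check subject detail")

# Constructed /etc/shadow-style sample (user:hash:...). An empty hash field
# means login without a password; '!' or '*' means the account is locked.
SHADOW = """root:$6$abc$hashhashhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!:19000:0:99999:7:::"""

# Constructed sample of `ps -eo user,comm` output (header row first).
PS = """USER     COMMAND
root     sshd
www-data apache2
root     apache2
root     cupsd"""

# Constructed list of enabled systemd units on the host.
ENABLED_UNITS = ["sshd.service", "cups.service", "avahi-daemon.service"]

# Assumed baseline: units that should be enabled, and services allowed to run
# as root (apache2's parent binds port 80 as root, workers run unprivileged).
BASELINE_UNITS = {"sshd.service"}
ROOT_ALLOWED = {"sshd", "apache2"}

def passwordless_accounts(shadow_text):
    """Accounts whose hash field is empty: they can log in with no password."""
    return [Finding("password", line.split(":")[0], "empty password field")
            for line in shadow_text.splitlines() if line.split(":")[1] == ""]

def unexpected_root_processes(ps_text, allowed=ROOT_ALLOWED):
    """Processes running as root whose service is not on the root allow-list."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        user, comm = line.split(None, 1)
        if user == "root" and comm not in allowed:
            found.append(Finding("privilege", comm, "runs as root"))
    return found

def unbaselined_units(enabled, baseline=BASELINE_UNITS):
    """Enabled units the baseline does not call for: disable or uninstall them."""
    return [Finding("service", u, "enabled but not in baseline")
            for u in enabled if u not in baseline]

def audit():
    """Every checklist violation on this host, one Finding per item."""
    return (passwordless_accounts(SHADOW) + unexpected_root_processes(PS)
            + unbaselined_units(ENABLED_UNITS))
```

Running `audit()` on the samples reports the passwordless guest account, cupsd running as root, and the cups and avahi units that the baseline does not include.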

Multi-layered or multi-system considerations:
Intrusion detection systems monitor computers and networks for signs of compromise, reporting centrally
Logs captured at the appropriate level and stored centrally mean that even if a system gets hacked, you still have the logs to work out how it happened and what the bad guys did
Architectural layers give greater protection by limiting what a compromised system can access
Sandbox vs virtual machine
Physical security

References:
NSA hardening guides: https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
Center for Internet Security (CIS) Security Benchmarks: https://benchmarks.cisecurity.org/downloads/
Microsoft template tool: https://technet.microsoft.com/en-us/library/bb742512.aspx
Enhanced Mitigation Experience Toolkit (EMET): https://support.microsoft.com/kb/2458544
SELinux and Mandatory Access Control FAQ: https://fedoraproject.org/wiki/SELinux_FAQ
