Hardening of systems

Hardening refers to the process of securing a system configuration in a way that limits the occurrence of vulnerabilities exploitable by an attacker. Nowadays, hardening of systems is one of the basic security measures to protect a company's information and information system.

What is the process of hardening?

The process of ensuring a high level of security for applications and operating systems is continuous. The following phases must be addressed when hardening systems:

• Analysis - in the initial phase, the systems that will be subject to hardening are fully identified. These systems are usually selected according to their criticality and importance within the company's information system. This may include the selection of a suitable tool for automated configuration control.
• Establishing hardening security policies - these are technical and procedural rules that specify what the configuration of applications and systems should be, including implementation checks to verify compliance with reality. At this stage, we rely on existing and proven standards such as CIS Benchmarks, NIST and others. Hardening security policies are designed in such a way that they can be evaluated not only manually as part of internal audits, but crucially in an automated manner, which saves internal resources required for performing checks.
• Building processes - Hardening includes not only documents and regulations to ensure a high level of configuration, but also processes for maintaining and updating policies, managing, reviewing, enforcing and the further opportunity of updating them.
• Technical control and deployment - the processes and technical regulations developed need to be deployed into practice. This step usually includes the implementation of a tool that can verify the deployment of the hardening policy to the devices and identify non-compliance against approved policies.

Any applications, systems and platforms that are part of a company's IT infrastructure are suitable for hardening. These include:

• servers and their applications (operating system, database, web servers, application servers, and others),
• hardware devices (e.g. SCADA, hardware firewalls, Wi-Fi access points),
• BYOD and MDM devices,
• workstations and AD GPOs (Group Policy), web browser settings, Java and .NET framework behaviour, etc.

Which devices can or cannot be hardened and their control enforced is usually part of the analysis phase.
 

Any VMS (Vulnerability Management System) product can be used for automated control of hardening policies, enabling automatic control and evaluation of system settings. Such a product usually includes the following features:

• Option to set "zero-configuration", i.e. to set a configuration benchmark for the system.
• Performing "agent-less" control.
• Modification and creation of custom security policies.
• Evaluation of compliance and non-compliance, exception management.
• Connecting to SIEM and the ticketing system.
• Reporting and alerting.

A large energy company used dozens of platforms for its applications. It faced the problem of securing them because each audit required a vast amount of human resources. So, they asked us to create unified documentation for the 15 most used platforms.

We created standards for security settings (called hardening) to meet the high level of security required. These methodologies now help the company guide its vendors in modifying applications. After successfully completing the project, we were tasked with developing new standards for 40 other platforms.

Due to the vast amount of technology under management, we designed the deployment of a vulnerability management tool (VMS) that automated the compliance checking of the developed security standards and began to deliver clear and concise reporting. As a direct result, the customer saved additional human resources time and expenditure.