Hardening Procedures

April 8, 2009

As an IT audit and penetration testing firm, one of the key areas we see as deficient in most organizations is system hardening, specifically pre-deployment hardening procedures. These procedures provide guidelines for securing computer systems before they are installed for official business use. It is sometimes difficult to determine why organizations do not have hardening procedures. Sometimes our bank or credit union clients are heavily reliant on vendors. Sometimes hardening procedures do not exist because of time constraints, budgetary concerns, a lack of technical knowledge or experience, or a combination of these. While all are valid reasons, they do not excuse overlooking the practice.

Sometimes what we hear from clients is, “The systems are behind a firewall, we don’t have anything to worry about,” “Those computers don’t house any sensitive information,” or, our favorite, “The vendor [insert name] assures us the system is secure.” Let’s address each of these individually. First, many attacks are perpetrated by insiders. Your firewall can keep out the “hacker,” but it doesn’t do much good against John the office temp. Second, just because a device doesn’t, or you think it doesn’t, house sensitive information does not mean it shouldn’t be secured. We can’t count how many times we’ve gained access to sensitive information (e.g., customer/member social security numbers) from insecure computer systems using out-of-the-box administrator passwords, or used a security hole in one of these systems to gain access to other, more sensitive systems. Third, organizations should not trust hardware and software vendors with security. These vendors are in the business of selling solutions and often have little or no consideration for the security of your information. Insist that vendors secure systems according to your security standards and provide you with hardening evidence. Most will accommodate this request in the face of losing a client.

The following are typical hardening deficiencies we find at clients:

  • Systems are deployed with unused/unnecessary services and protocols (e.g., SNMP, FTP, Telnet, HTTP, System Enumeration, etc.)
  • Systems are deployed in their default state (i.e., default usernames and passwords)
  • Systems are deployed with inconsistent configurations (e.g., one router using a secure encryption schema while others do not)
  • Systems are deployed without up-to-date security patches
  • Systems are not configured with proper access and authentication controls (i.e., all users can access system resources without authentication)

Establishing hardening guidelines to manage each of the above issues will produce a satisfactory baseline hardening environment. However, each organization is different, as are the requirements for system and business unit functionality, necessitating additional procedures specific to your computing environment.
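One way to turn the five deficiencies above into a repeatable pre-deployment check, written for this post as an added example (not TrustCC's code or any downloadable guide): the snapshot fields, the `Baseline` structure and the device records are all assumptions constructed for the example, standing in for whatever inventory or configuration export your environment produces.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Hardening baseline (fields are assumptions for this example)."""
    allowed_services: set   # anything else listening is unnecessary
    default_accounts: set   # vendor accounts that must not keep default passwords
    min_patch_level: str    # ISO date of the oldest acceptable patch set
    required_crypto: str    # encryption schema every device must use

def audit_device(dev, base):
    """Per-device checks: unnecessary services, default credentials,
    missing patches, missing authentication. Returns (category, detail) pairs."""
    findings = []
    for svc in sorted(set(dev["services"]) - base.allowed_services):
        findings.append(("unnecessary-service", svc))
    for acct in dev["accounts"]:
        if acct["name"] in base.default_accounts and acct["default_password"]:
            findings.append(("default-credentials", acct["name"]))
    if dev["patch_level"] < base.min_patch_level:   # ISO dates compare as strings
        findings.append(("missing-patches", dev["patch_level"]))
    if not dev["auth_required"]:
        findings.append(("no-authentication", "resources reachable without login"))
    return findings

def audit_fleet(devices, base):
    """Audit each device, then flag configuration drift: every device must use
    the same encryption schema as the baseline, whatever its role."""
    findings = {d["name"]: audit_device(d, base) for d in devices}
    for d in devices:
        if d["crypto"] != base.required_crypto:
            findings[d["name"]].append(("inconsistent-config", f"{d['role']} uses {d['crypto']}"))
    return findings

# Constructed snapshots, not real inventory: one hardened router, one default router, one printer.
BASELINE = Baseline({"ssh", "https"}, {"admin", "root"}, "2009-03-01", "AES-256")
DEVICES = [
    {"name": "rtr-01", "role": "router", "services": ["ssh", "https"], "crypto": "AES-256",
     "accounts": [{"name": "admin", "default_password": False}],
     "patch_level": "2009-03-15", "auth_required": True},
    {"name": "rtr-02", "role": "router", "services": ["ssh", "telnet", "snmp", "http"],
     "crypto": "DES", "accounts": [{"name": "admin", "default_password": True}],
     "patch_level": "2008-11-02", "auth_required": True},
    {"name": "prn-01", "role": "printer", "services": ["http", "ftp"], "crypto": "AES-256",
     "accounts": [], "patch_level": "2009-03-01", "auth_required": False},
]
```

Running `audit_fleet(DEVICES, BASELINE)` returns an empty list for rtr-01 and one finding per deficiency category for the other two devices, which is the kind of hardening evidence to ask a vendor for before a system goes live.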

System hardening is at the core of securing your environment and should be given the attention it deserves. While determining how to properly secure systems takes time, effort, knowledge, and perseverance, the benefit to information security is significant and the initial cost associated with program development is easily recovered once the process is streamlined. Establishing and maintaining comprehensive hardening procedures for all devices (routers and switches, servers and workstations, printers and scanners, etc.) will provide a solid information security foundation as well as reduce your risk exposure.

Now don’t get us wrong, we thoroughly enjoy coming onsite, connecting to your network, and having Domain Administrator privileges before lunch – nothing excites us more. However, we’re willing to sacrifice our happiness for the security of your information. So please, secure your devices, if not for the protection of your information then at least for the satisfaction of our discontent.

For more information on system hardening (including downloadable hardening guides), please visit our resource center at www.TrustCC.com.
