Weekly Stand-up — Security Hardening.

Obiagazie Kenechukwu
5 min read · Sep 3, 2023


Chef Software

Last week, I talked about network protocol analyzers, network attack tactics, and defense. This week I’ll be talking about security hardening, its importance, and the tools and methods used in security hardening. (These are things I learned from my Google cybersecurity certification program (GCSCP) and research on the internet).

Security hardening is a process of strengthening a system to reduce its vulnerability and attack surface — all potential vulnerabilities a threat actor could exploit. Security analysts may perform security hardening on devices, networks, applications, cloud infrastructure, databases, etc.

Security hardening involves security software updates (patches), device or application configuration changes (for example, updating the encryption standard used for data stored in a database), disabling or removing unused ports, reducing access privileges across devices and networks, conducting regular penetration testing, etc.

OPERATING SYSTEM (OS) HARDENING

It is important to secure the OS on each device in a network because one insecure OS could lead to the whole network being compromised. OS hardening is a set of procedures that maintains and improves OS security. These procedures can be performed at regular intervals (once a month, or every other week) or once in a while as the need arises.

OS hardening performed at regular intervals:

1. Patch updates: a software and OS update that addresses security vulnerabilities within a program or product. The newly updated OS should be added to the baseline configuration.

   A baseline configuration (baseline image) is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates (for example, a firewall rule with lists of allowed and disallowed network ports).

2. Hardware and software disposal: this ensures that all old hardware and software are properly wiped and disposed of.

3. Implementing a strong password policy: this includes the use of Multi-Factor Authentication (MFA), following specific password rules, etc.

NETWORK SECURITY HARDENING

This section of security hardening focuses on port filtering, network access privilege, and encryption over networks. Just like OS hardening, network security hardening could be performed at regular intervals, or once in a while.

Regularly performed tasks include firewall rule maintenance, network log analysis, patch updates, and server backups.

Non-regular tasks include port filtering on firewalls, setting network access privileges, encryption for communication, etc.

Network security applications include firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Security Information and Event Management (SIEM) tools.

A firewall is a network security device that monitors traffic to and from your network. Along with its advantages it has a limitation: it can only filter packets based on the information in the packet headers, not on the packet contents.

An IDS is an application that monitors system activity and alerts administrators based on the signatures of malicious traffic. Its limitations are that it only scans for known attacks and obvious anomalies (new ones might not be caught), and that it only detects but cannot stop incoming traffic. In the network architecture it is placed behind the firewall and in front of the LAN, so that the firewall drops traffic first; this reduces noise in the IDS alerts.
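To make the firewall/IDS split concrete, here is an added example (not from the original post or the course) in Python: a header-only port filter decides what the firewall admits, and a small signature matcher plays the IDS behind it. The capture format, signatures and log lines are constructed for the example; a real IDS ships far more signatures.

```python
import re

# Constructed signatures (made up for this example): name -> pattern over the payload.
SIGNATURES = {
    "web-path-traversal": re.compile(r"\.\./\.\./"),
    "sql-union-select": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}

# Constructed firewall policy: the firewall sees only header fields, never the payload.
ALLOWED_DST_PORTS = {80, 443}

def parse_record(line: str) -> dict:
    """Parse the constructed capture format 'src_ip dst_port payload'."""
    src, port, payload = line.split(" ", 2)
    return {"src": src, "dst_port": int(port), "payload": payload}

def firewall_allows(rec: dict) -> bool:
    """Header-based decision only: port filtering, blind to payload content."""
    return rec["dst_port"] in ALLOWED_DST_PORTS

def ids_alerts(lines: list[str]) -> list[tuple[str, str]]:
    """Match signatures against payloads the firewall has already admitted."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if not firewall_allows(rec):
            continue  # dropped at the firewall, so the IDS never sees it (less noise)
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                alerts.append((rec["src"], name))
    return alerts

# Constructed capture lines; the addresses and requests are not real traffic.
SAMPLE_CAPTURE = [
    "10.0.0.5 443 GET /index.html",                       # benign, admitted, no match
    "10.0.0.9 23 login: admin",                           # blocked by the firewall on port alone
    "198.51.100.7 80 GET /../../etc/passwd",              # known signature -> alert
    "198.51.100.7 80 GET /search?q=1 UNION SELECT 1,2",   # known signature -> alert
    "203.0.113.4 80 GET /plugin/v2/upload?name=report",   # new endpoint, no signature yet: not caught
]

if __name__ == "__main__":
    for src, sig in ids_alerts(SAMPLE_CAPTURE):
        print(f"ALERT {sig} from {src}")
```

The last capture line shows the limitation the post describes: a signature-based IDS stays silent on traffic it has no signature for.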

An IPS is an application that monitors systems for intrusion activity and takes action to stop the activity. It sits behind the firewall in the network architecture. Its limitations include the possibility of false positives (security alerts incorrectly categorized as suggesting a threat when there is none), which can result in legitimate traffic getting dropped. Also, it is inline, which means that if it breaks, the connection between the private network and the internet breaks.

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. It analyzes log data sourced from IDS, IPS, firewalls, proxies, VPNs, and DNS servers. Its limitation is that it cannot take action to stop or prevent suspicious events; it only reports on possible security issues.

CLOUD NETWORK SECURITY

One distinction between cloud network hardening and traditional network hardening is the use of server baseline images for all server instances stored in the cloud. This allows you to compare the data on the cloud servers to the baseline image to make sure there haven't been any unverified changes. The more services the cloud offers, the more it is prone to attack. Some cloud security considerations (security challenges) include Identity and Access Management (IAM), configuration, attack surface, zero-day attacks, visibility and tracking, and the shared responsibility model. In addition, things change fast in the cloud; for example, connection configuration might need to be changed based on the cloud service provider's updates.
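The baseline-configuration idea from the OS hardening section and the cloud baseline-image comparison above amount to the same check, shown here as an added Python example that is not from the post or the course. The baseline (file digests plus allowed ports) and the observed instance state are constructed for the example.

```python
import hashlib

# Constructed baseline for one server role: expected digests of configuration
# files plus the firewall's allowed inbound ports. Values are made up for this
# example and are not taken from any real image.
BASELINE = {
    "files": {
        "/etc/ssh/sshd_config": hashlib.sha256(b"PasswordAuthentication no\n").hexdigest(),
        "/etc/sudoers": hashlib.sha256(b"root ALL=(ALL) ALL\n").hexdigest(),
    },
    "allowed_ports": {22, 443},
}

def snapshot_files(contents: dict[str, bytes]) -> dict[str, str]:
    """Digest the observed content of each file on a running instance."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}

def detect_drift(baseline: dict, observed_files: dict[str, str],
                 listening_ports: set[int]) -> list[str]:
    """Report every way the observed instance deviates from the baseline image."""
    findings = []
    for path, expected in baseline["files"].items():
        actual = observed_files.get(path)
        if actual is None:
            findings.append(f"missing baselined file: {path}")
        elif actual != expected:
            findings.append(f"unverified change: {path}")
    for path in observed_files:
        if path not in baseline["files"]:
            findings.append(f"file not in baseline: {path}")
    for port in sorted(listening_ports - baseline["allowed_ports"]):
        findings.append(f"port {port} listening but not allowed by baseline")
    return findings

# Constructed observed state: sshd_config was edited outside change control
# and a telnet listener appeared; sudoers is unchanged.
OBSERVED_CONTENTS = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication yes\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
}
OBSERVED_PORTS = {22, 23, 443}

def audit_example() -> list[str]:
    """Run the drift check over the constructed observed state."""
    return detect_drift(BASELINE, snapshot_files(OBSERVED_CONTENTS), OBSERVED_PORTS)

if __name__ == "__main__":
    for finding in audit_example():
        print(finding)
```

Any non-empty result is an unverified change to investigate; an empty list means the instance still matches its baseline image.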

Cloud hardening techniques include incorporating IAM, hypervisors, baselining, cryptography, and cryptographic erasure.

I also performed two tasks. The first was to write a well-documented security risk assessment analyzing a major security breach in a social media organization, stating the hardening tools to be used and explaining what methods could further secure the network. The second concerned a security breach at a multimedia company: I was tasked with creating a plan to improve the company's network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

After completing this section of the course, I moved on to the next: LINUX AND SQL.

I started by understanding the basic operating principle of an operating system (OS) (the entire process of getting an OS running, starting from pressing the power button), common OSes, the functions of an OS, the relationship between the OS, applications, and hardware, and finally the Graphical User Interface (GUI) versus the Command Line Interface (CLI).

I also learned about virtualization technology, for example Virtual Machines (VMs) and virtual servers, although not yet in depth. The benefits include security and efficiency. The hypervisor is a software program that enables users to manage multiple virtual machines and connect virtual and physical hardware.

There’s still so much to be learned in this section and I look forward to it, as it is a very important aspect of my career.

Learning is a superpower. It gives you the ability to not only get that job that you’ve been looking at but also gives you the ability to define the next one. — Kelsey from Google

In summary, as a security analyst, you might not always know exactly what the primary cause of a network issue or a possible attack is. However, being able to analyze the protocols involved will help you make an informed assumption about what happened. This will allow you and your team to begin resolving the issue. — GCSCP.

See you next week.
