CodeX
Published in

CodeX

Hardening

Yeah, I agree. This term sounds funny, but get your head out of the gutter. It actually has to do with improving cybersecurity.

Photo by Alana Harris

The more formal definition, according to CompTIA, is:

The act of configuring an operating system securely by updating it, creating rules and policies to govern it, and removing unnecessary applications and services.

However, it’s important to realize that this is not a one-’n’-done type of process. This is an ongoing process, because a fundamental understanding behind hardening is that risk can never be eliminated! We can never guarantee security, but we can minimize risk! …and risks are mitigated by minimizing vulnerabilities to reduce exposure to threats.

So stick around because the following paragraphs will go over the methods of reducing your cyber risks.

Unnecessary Applications

This is where you ask yourself, “How many applications do I have?”

Deleting apps or programs that you don’t use anymore from your devices is a good practice to get into. The reason being that those unused apps or programs might have vulnerabilities that can make the device less secure. In some companies they implement a policy of least functionality. To do this, a server or workstation is configured to only provide essential applications and services. To scale this up to several machines, utilize a secure baseline image to add new machines with this least functionality policy. Microsoft’s System Center Configuration Management (SCCM).

Without monitoring this, personal computers can often accumulate unnecessary programs over time. Many solutions exist for organizations to implement this security measure. However, at the individual level, it’s more simply a matter of being mindful of the applications on our devices.

Restricting Applications

Another method similar to least functionality is application whitelisting / blacklisting . This is basically where the IT person in the office asks themselves,

“How do I keep Gary, from accounting, from downloading unauthorized software?”

I’m not saying Gary is doing anything malicious, but Gary might be oblivious to some cyber threats so he might inadvertently click on something that downloads something malicious. So whitelists and blacklists are created so we don’t have to worry about Gary screwing up! (No offense to anyone named Gary. I used this name at random for the example.)

Application whitelists only allow applications that are on the list to be run by the operating system while all other applications are blocked. Imagine a bouncer at a club with a list.

Application blacklists allow all applications to run except for ones on the list. Imagine a “no-fly” list at the airport.

These lists can be centrally managed for a network of computers using something like Microsoft’s Active Directory Domain Controller. With a software like that, an administrator can manage lists centrally and deploy them through group policies.

Unnecessary Services

Services are a type of application that runs in the background of the Operating System and performs various functions, like print spooler. Any services that are unneeded should be disabled in the OS.

This can easily be done on Mac and Windows.

For Windows, go to the search bar by the Windows icon in the bottom left hand corner of the screen. Type `services.msc` and press enter.

This will open up the services local connection window which looks like:

This window provides you a list of all of the services available on your Windows machine.

To start or stop a service, right-click the name of the service and then click on “Properties”

After that, another window will pop-up that looks like this:

At this window, you can start/stop a service at your discretion.

This is useful to know because if you find malware that has installed itself as a service, you can go and find it, disable it and remove it.

You can also stop these services from a command prompt with either

sc stop NameOfService

net stop NameOfService

For Mac computers, sorry I won’t have any screenshots to share for now…

But I’ll use my words as best I can to walk you through the process.

Ok, first create something to kill! — open up a textpad and type whatever you want. Next, open up the Activity Monitor, which is under your applications → then go to utilities and find Activity Monitor. The Activity Monitor window will open up and show you a list of all the services running.

Now find the TextEdit within the list. Double-click on it. Then another window will open, providing all the data on the service as it runs. To stop it, merely click the ‘Quit’ button. A pop-up will then have you confirm your decision and ask ‘Cancel’, ‘Force Quit’ or ‘Quit.’ You would click ‘Force Quit’ if you knew the service was malware, but in this case you can just click ‘Quit.’

To do this from the command line, it’s actually the same for Mac and Linux OS, open up a terminal. Type and run: top

That command will show you all the processes (another word for services) that are currently running. Next to each processes’ name on the list is a process id, labeled pid. To stop that process you would then type

kill pid xxxx where xxxx is the process id number

Trusted Operating Systems (TOS)

This is basically a classification of Operating Systems. It means that an operating system meets the requirements set forth by a government and has multilevel security. To get this classification, the software manufacturer must routinely provide patches & updates to the software to maintain security.

I’m pretty sure you could find an official list on a.gov site, but basically as long as you’re running the new versions of Windows or Mac, then you’re good. Other OS include FreeBSD (Trusted BSD) or Red Hat Enterprise Server, and some other less popular ones.

Before updating a system, best to identify the current version and build. To get that info in Windows, type in the command line or Windows search bar:

msinfo32.exe

Updates & Patches

Patches are a single problem-fixing piece of software for an operating system or application, like when a bug is found and fixed. Also the term, hotfixes , is used interchangeably with patches.

Updates can be classified into several different categories. Those being:

  • Security Update — software code that is issued for a product-specific security-related vulnerability
  • Critical Update — software code for a specific problem addressing acritical, non-secuirity bug in the software
  • Service Pack — a tested, cumulative grouping of patches, hotfixes, security updates, critical updates, and possibly some feature or design changes; common for OS updates
  • Windows Update — Recommended update to fix a noncritical problem that some users have found, as well as to provide additional features or capabilities
  • Driver Update — updates device driver to fix a security issue or add a feature to a supported piece of hardware

In Windows 10, updates are managed directly from Microsoft with the Windows Update program (wuapp.exe). It can be configured to update automatically as well. This is another thing home users can do to increase their security.

Patch Management

This is the process of planning, testing, implementing, and auditing of software patches. As an IT or cybersecurity professional, part of the job is keeping track of all of the various updates and ensuring they get installed properly throughout your organization’s environment. This involves verifying the compatibility of patches with your systems and planning for how to test and deploy them. For an organization, it’s very important to test a patch prior to automating its deployment, because sometimes a patch for one thing can create a bug somewhere else.

After testing, you should know if the patch is good to be deployed to all the clients on the network in order to implement it. This stage can be managed with a patch management tool, and large organizations will centrally manage updates through an update server. To ensure no surprises happen within an organization, best to disable the wuauserv service to prevent Windows Update from running automatically.

After implementation of a patch, the next stage is auditing . To do this simply monitor the clients’ status after patch deployment to ensure proper installation.

Linux and MacOS also have built-in patch management systems.

Group Policies

These are a set of rules, or policies, that can be applied to a set of users or computer accounts within the operating system. With these rules, user specifications can be made to require certain levels of password complexity, create lockout policies, and set software/application restrictions.

For more advanced use group policies, use an Active Directory domain controller. This is how a large organization can manage their policies across their network. They’ll create a security template, which is a group of policies that can be loaded through one procedure, and then implement that on the client machines.

Furthermore, implementing these Group Policy objectives (GPOs) with Baselining aid in the hardening process, because baselining will help identify what is “normal” activity on the network. When deviations from the norm occur, then one can easily identify that against the baseline and check for malicious activity.

File Systems & Hard Drives

Level of security of a system is affected by its file system type. Here’s a list of file system types:

  • NTFS
  • FAT32
  • ext4
  • HFS+
  • APFS

Windows systems can utilize NTFS or FAT32. However, NTFS ( New Technology File System) is the default file system format for Windows and is more secure because it supports logging, encryption, larger partition sizes, and larger file sizes than FAT32.

Linux systems should use ext4 and MacOS should use APFS.

Lastly, it’s important to know that all hard drives will eventually fail, and so it is important to prepare for this. Do this with the following steps:

1.Remove temporary files by using Disc Cleanup

2.Periodic system file checks

  • Windows: running Check Disc or System File Checker
  • MacOS: run First Aid from within the disc utility application
  • Linux: file system check by typing fsck in the terminal

3.Defragment your disk drive

4.Backup your data → Test your backups!

5.Use and practice restoration techniques

Zero-day Vulnerabilities

Remember at the beginning I mentioned how security can’t be guaranteed. Well these are a big reason why. These are software vulnerabilities that are unknown to, or unaddressed by, those who should be interested in mitigating the vulnerability (including the software vendor). A zero-day is not known by anyone, until a hacker discovers it for the first time and either reports it or exploits it, depending on their personal ethics. This risk is very well known, though, and can be addressed by participating in a bug bounty program.

Hardening = securing systems by reducing attack surfaces

Thanks for reading!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store