What Does It Mean to Harden a Device?
Hardening a device means making it more resilient against threat actors. In the cybersecurity world, that means making the device more secure and more resistant to attacks. By hardening a device, you make it more difficult for hackers to break into.
In essence, you are building the biggest, hardest "wall" you can around devices and services. Let's explain why this is the perfect term for device security.
There is a saying in infosec: the only secure computer is one that is turned off. That's because there is no such thing as perfect security. If a threat actor is willing enough, they will break into a computer system. The idea of information security is to make your assets harder to break into than the other guy's.
That's what it means to harden a device. You are making your computers more difficult to break into than someone else's. You are making the return on investment for breaking into your systems very low, and thus the risk-to-reward ratio is too high for most bad guys to consider.
So, you need to harden your devices, but aren't sure where to start. Thankfully, there are a lot of good resources available online. Before attempting to harden all your hardware and software components, take a moment to develop a security baseline first. Only after ensuring that you have a minimum level of security across your organization should you start hunting down and fixing random exploits. Otherwise, you may end up just putting on a good show of IT theater.
An Overview of Hardening Devices [VIDEO]
In this video, CBT Nuggets trainer Keith Barker covers what it means to harden a device, which is an important step in creating a security baseline.
What is a Cybersecurity Baseline?
A security baseline in cybersecurity is a minimum recommended configuration for software, services, or hardware devices. Keep in mind, these recommendations are the bare minimum for meeting security requirements. Depending on your industry, you may need to meet more stringent standards.
For instance, if you are in the healthcare industry, you will need to comply with both HIPAA and HITECH laws. Many people are already familiar with HIPAA, but not as many are familiar with HITECH. Both HIPAA and HITECH breaches can cost businesses tens of thousands of dollars per month per incident.
Each violation typically includes multiple incidents, too. So, when reviewing or creating your security baseline, make sure to know whether you need to comply with any laws or regulations in the places you do business in. Otherwise, you could easily accrue hundreds of thousands of dollars in fines.
Security baselines are a good checklist for IT professionals. With how complex information systems are today, even for small businesses, it is easy to miss changing a setting or disabling a specific service. Even worse, these security baseline checklists need to be constantly audited and tested as new security vulnerabilities are found.
Creating and auditing security baselines isn't an easy task. It's common for businesses to have a mix of devices like laptops, desktops, smartphones, and servers. Likewise, many businesses are deploying a hybrid cloud environment. That means that a security baseline needs to be created for both local software as well as web-based services.
Many vendors offer free documentation for securing IT environments. For example, Microsoft offers white papers explaining how to secure Server, how to control access to resources like Office 365, and what policies to use for Windows in an Active Directory environment. Don't let these resources go underutilized.
Where to Find Cybersecurity Recommendations
Though creating a security baseline for your organization might not be easy, it is not impossible. It will require research and work. Thankfully there are a lot of vendors and government agencies that do the heavy lifting for you. All you need to do is read their documentation and follow their guidance.
I hear the skeptics among you criticizing that last statement. Why would you ever put your faith in vendors or government agencies? A healthy amount of skepticism is always a good thing, but the white papers published by the giants among IT software and hardware vendors have been trusted for decades. Likewise, though agencies like the CIA may not reveal all their secrets, they have special branches dedicated to helping organizations safeguard their IT infrastructure. In fact, the CIA and NSA regularly report exploits they find.
Though many vendors will have security procedures and recommendations available for their products, and there are tons of government agencies, we would be remiss not to mention the three big players here: Microsoft, Cisco, and NIST.
Where to Find Microsoft Security Recommendations
Microsoft is one of the largest corporate software vendors. Their Server OS, Windows operating system, and productivity suites are some of the most installed pieces of software in the world. Likewise, Microsoft's applications are some of the most configurable software on the planet, too.
Microsoft's reputation depends on delivering usable and secure products. So, they also create documentation for all their applications, from Server to Windows and Office, on how to configure, manage, and secure them.
Microsoft has a lot of documents outlining recommended security baselines for their products, but a good place to start is here.
Where to Find Cisco Security Recommendations
Cisco is one of the most recognizable names when it comes to IT network equipment. So, it would only make sense that Cisco would have tons of documents explaining how to secure their hardware and software.
Thankfully, a lot of Cisco's security suggestions can be used with hardware from other vendors as well. You may need to reference documentation from those other vendors to find specific settings or to cross-reference vendor-specific terminology, but it is possible.
If you would like to reference Cisco's documentation, look at document number 13608.
Where to Find NIST Security Recommendations
One of the best places to stay up to date regarding new security vulnerabilities is NIST. NIST has a database of all known security vulnerabilities for a lot of software and hardware. Anyone in the IT trade needs to regularly visit NIST's website.
The database mentioned above is free, too. NIST doesn't hide information behind paywalls. Though NIST catalogs security issues, they don't go into the nitty-gritty of how each vulnerability works. It would still be worthwhile to thoroughly investigate any vulnerabilities that may affect your business. NIST is a perfect starting point for those investigations, though.
One of the best features offered by NIST is their newsletter. NIST will often send subscribers notifications of any potential new vulnerabilities before those vulnerabilities hit the news cycle. By the time a new vulnerability is being reported by more mainstream tech media outlets, it can be assumed that bad actors are already exploiting it. It is best to subscribe to NIST's newsletter and stay ahead of the cybersecurity curve.
The Risk of Mobile Devices
Imagine, for a moment, that it is your job to safeguard all the secrets of an organization. Those secrets are stored in a super-secure storage facility, but that information is also stored in pieces on hundreds of different mobile devices like laptops and smartphones. How do you secure those mobile devices?
The problem with mobile devices is that they cannot be continuously monitored. It's too easy to pick up a smartphone or laptop and walk away with it. Once that device is in the hands of threat actors, it's only a matter of time before they can steal the information from it. Often that information is worth far more than the device itself.
You can harden mobile devices. For instance, you can disable unused accounts on Windows laptops and prevent someone from being able to log into it. You can set proper permissions for folders in that laptop's storage drive. You can even create policies that allow you to remotely remove information from that laptop. However, none of that matters if a bad actor can physically remove storage from a device.
So, what do you do? One of the ways you can harden mobile devices is by encrypting them.
What is Drive Encryption?
Drive encryption involves turning data into unreadable chunks by passing it through various algorithms. Depending on the algorithm used, those unreadable chunks may not be usable without a key to reverse the random noise added to that data.
What are Self-Encrypting Drives?
Self-encrypting drives are storage drives (hard drives) that do not require software or user input to encrypt the data stored on them. Encryption is automatic. Self-encrypting drives use the computer's TPM to store the private keys used for encrypting and decrypting the storage drive. The most common standard for self-encrypting drives is OPAL.
What is Whole Disk Encryption?
Whole disk encryption is the process of encrypting all storage blocks on a drive and not just single files. This is different from file-level encryption.
Whole disk encryption typically requires a user to input a password when a computer starts in order to decrypt the drive. That's because the boot files are encrypted, too. A computer won't have any idea of what to do until the drive is decrypted. On the other hand, file-level encryption only encrypts specific folders or files on a drive.
Whole disk encryption does impose performance impacts on a computer system. Likewise, once a drive is decrypted, its data is fair game for hackers. So, make sure to weigh the pros and cons of whole-drive encryption before implementing it. It's not a magic security bullet.
The most popular way to perform whole drive encryption today is BitLocker. BitLocker is a Microsoft product. It is included with Windows Pro and Enterprise by default.
Another common application for whole drive encryption is TrueCrypt. Though TrueCrypt was discontinued years ago, it has many forks that are still being maintained today.
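Two of the laptop hardening items discussed above, unused accounts and whole disk encryption with BitLocker, can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the original article; the 90-day threshold for treating an account as unused is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows laptop against two baseline items
# from the article (unused accounts, whole disk encryption).
# $StaleDays is an assumed threshold, not a value from the article.
param([int]$StaleDays = 90)

$cutoff   = (Get-Date).AddDays(-$StaleDays)
$findings = [System.Collections.Generic.List[object]]::new()

# Baseline item 1: no enabled local account should be sitting unused.
foreach ($user in Get-LocalUser | Where-Object Enabled) {
    # LastLogon is $null for accounts that have never signed in.
    if (-not $user.LastLogon -or $user.LastLogon -lt $cutoff) {
        $findings.Add([pscustomobject]@{
            Check  = 'UnusedAccount'
            Target = $user.Name
            Detail = if ($user.LastLogon) {
                         "last logon $($user.LastLogon.ToString('yyyy-MM-dd'))"
                     } else { 'never logged on' }
        })
    }
}

# Baseline item 2: every volume is fully encrypted and protection is active.
# A volume can be encrypted while protection is suspended, so check both.
foreach ($vol in Get-BitLockerVolume) {
    $problems = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "status $($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += 'protection is off or suspended'
    }
    if ($problems) {
        $findings.Add([pscustomobject]@{
            Check  = 'DiskEncryption'
            Target = $vol.MountPoint
            Detail = $problems -join '; '
        })
    }
}

if ($findings.Count -eq 0) { 'Baseline checks passed.'; exit 0 }
$findings | Format-Table -AutoSize
exit 1   # non-zero exit lets a scheduled task or RMM tool flag the device
```

Review each flagged account before disabling it, since service or break-glass accounts may legitimately show no recent interactive logon.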
By now, you should have a good idea of what it means to harden a device. Before we end this article, though, let's go through a quick recap. Hardening a device is the act of making it more secure than someone else's. There is no such thing as perfect security, so your job as a cybersecurity professional is to make your IT infrastructure harder to break into than someone else's.
There are multiple ways of hardening devices. One of the first steps you need to take is developing a security baseline. A security baseline is like a checklist of tasks that you can perform to meet a minimum-security standard. As new exploits are discovered in the wild, that security baseline should be updated, and devices should be audited.
Mobile devices require extra attention simply because they are mobile. Once a device is outside of the grasp of an IT administrator, threat actors have tons of ways of stealing data. The best way to prevent data theft from mobile devices is by encrypting them.