Device Hardening
■ Refers to ensuring that any unnecessary application or port on a device has been disabled or removed from the host
■ Process of securing a host system by reducing its attack surface
■ Key Practices
● Run only necessary services
● Install monitoring software for malware protection
● Establish a maintenance schedule for system patching
■ Applies to endpoint devices, servers, network infrastructure, and mobile devices
Endpoint Security Software
■ Install anti-malware, antivirus, spam filters, host-based firewalls, and log collection agents
■ Enhances security posture and threat detection capabilities
Specialized Hardware
■ Manufacturers add built-in security features such as UEFI secure boot, a TPM, or an HSM
■ Aids in securing devices, especially as networks become more de-perimeterized
Host Hardening Practices
■ Ensure all software is patched and up-to-date
■ Ensure that device is properly configured
■ Remove unnecessary applications
■ Block unnecessary ports and services
■ Control external storage devices tightly
■ Disable unneeded accounts
■ Rename default accounts
■ Change default passwords
Balancing Security and Usability
■ Open the fewest ports possible
■ Run the fewest services needed
Network Interfaces
■ Disable unneeded network connections
■ Consider wired, wireless, and management LAN interfaces
Services
■ Disable unused services (e.g., the CUPS print daemon on a host that is not a print server)
Ports
■ Close ports not needed for services
■ Use host-based firewalls for further hardening
Disk Encryption
■ Enable full disk encryption or use self-encrypting drives
■ Protects data at rest from unauthorized access
Account Review
■ Disable or delete unused accounts
■ Follow the rule of thumb
● Disable, delete, or block anything unused or unneeded
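The Services, Ports, and Account Review items above all come down to one check: compare what the host actually exposes against a short allowlist and flag everything else. The script below is an added example, not part of these notes; it runs three such checks over constructed sample data standing in for `ss -H -tln`, `systemctl list-unit-files --state=enabled --no-legend`, and /etc/passwd, and the allowlists are assumed for the sample host.

```shell
#!/bin/sh
# Added example (not from the page): audit a Linux host against an allowlist
# of expected ports, services, and interactive accounts, and report the rest.
# The sample inputs below are constructed; on a real host feed the functions
# the live output of `ss -H -tln`, `systemctl list-unit-files --state=enabled
# --no-legend`, and the contents of /etc/passwd instead.

# Listening TCP ports that are not in the allowlist.
# $1 = space-separated allowed ports; stdin = `ss -H -tln` lines
# (column 4 is Local Address:Port, e.g. 0.0.0.0:22 or [::1]:631).
unexpected_ports() {
  awk -v allowed=" $1 " '{ n = split($4, a, ":"); port = a[n]
      if (index(allowed, " " port " ") == 0) print port }' | sort -un
}

# Enabled systemd units that are not in the allowlist.
# $1 = allowed unit names; stdin = "unit.service enabled ..." lines.
unexpected_services() {
  awk -v allowed=" $1 " '$2 == "enabled" && index(allowed, " " $1 " ") == 0 { print $1 }' | sort -u
}

# Accounts with an interactive login shell that are not in the allowlist.
# $1 = allowed user names; stdin = /etc/passwd lines (field 7 is the shell).
unexpected_logins() {
  awk -F: -v allowed=" $1 " '$7 !~ /(nologin|false)$/ && index(allowed, " " $1 " ") == 0 { print $1 }' | sort -u
}
# Constructed sample data standing in for the live commands above.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 5 [::1]:631 [::]:*'
SAMPLE_UNITS='sshd.service enabled enabled
cups.service enabled enabled
avahi-daemon.service enabled enabled
chronyd.service enabled enabled'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
guest:x:1001:1001::/home/guest:/bin/sh
oldtemp:x:1002:1002::/home/oldtemp:/bin/bash'

# Print the findings for the sample host: 631 (CUPS) is listening but not
# allowed, cups/avahi are enabled but unexpected, guest/oldtemp can log in.
report() {
  echo "Unexpected listening ports:"; printf '%s\n' "$SAMPLE_SS" | unexpected_ports "22 443"
  echo "Unexpected enabled services:"; printf '%s\n' "$SAMPLE_UNITS" | unexpected_services "sshd.service chronyd.service"
  echo "Unexpected interactive accounts:"; printf '%s\n' "$SAMPLE_PASSWD" | unexpected_logins "root admin"
}
report
```

Each finding maps to one hardening action from the notes: close or firewall the port, disable the unit, and disable or delete the account.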
Consideration of Device Lifecycle
■ End of Life (EOL)
● Date when a manufacturer will no longer sell a given product
■ End of Support (EOS)
● Last date that a manufacturer will support a given product
■ Ensure devices are always using supported and up-to-date software to prevent vulnerabilities