2.5.5 Hardening Techniques
Endpoint protection, host firewall, HIPS.
Hardening is the process of reducing the attack surface of a system by removing unnecessary software, services, and vulnerabilities while enhancing existing security controls.
Endpoint Protection Endpoint protection focuses on securing individual devices (workstations, servers, mobile devices) against exploitation and unauthorized access. - Antimalware and Antivirus: Traditional signature-based detection combined with heuristic analysis to identify Rootkits, RATs (Remote Access Trojans), and Keyloggers. - EDR (Endpoint Detection and Response): Advanced monitoring tools that record system activities and use behavioral analysis to identify Indicators of Compromise (IoCs) like unusual file permission changes. - DLP (Data Loss Prevention): Software that monitors data in motion, at rest, or in use to prevent sensitive information from leaving the organization. - Patch Management: The systematic process of updating software to fix security vulnerabilities and bugs.
Host-Based Firewalls and HIPS Securing the internal network traffic and system state of an endpoint is critical for defense-in-depth. - Host-Based Firewall: Software running on a single host to restrict incoming and outgoing network traffic based on port, protocol, or IP address. It prevents lateral movement by attackers. - HIDS (Host-Based Intrusion Detection System): Monitors log files and system activity for suspicious patterns but does not actively stop them. - HIPS (Host-Based Intrusion Prevention System): An active defense tool that can terminate processes or block traffic if it detects an attack in progress, such as a buffer overflow or unauthorized registry change.
Secure Boot and Hardware Integrity Protecting the system begins at the hardware level during the power-on stage. - Secure Boot: A standard within UEFI that ensures only digitally signed, trusted operating system loaders and drivers can execute during the startup process. - Measured Boot: Records a "fingerprint" of each startup component, allowing an administrator to verify the system hasn't been tampered with. - TPM (Trusted Platform Module): A hardware chip that provides cryptographic keys and ensures platform integrity, often used for Full Disk Encryption (FDE).
Cybersecurity Resilience Standardizing and diversifying systems ensures they can withstand or recover from an attack. - Non-persistence: Using technologies like snapshots, Live CDs, or VDI to ensure that a system returns to a known-clean state after being rebooted. - Diversity: Implementing different vendors for firewalls or operating systems to ensure a single exploit doesn't take down the entire infrastructure.
Quick Recall - BPA (Business Partnership Agreement): Legal document defining the relationship between companies, including data access levels. - Indicator of Compromise (IoC): Artifacts like spikes in outgoing traffic or strange log entries that suggest a breach. - Data Sovereignty: The principle that data is subject to the laws of the country in which it is physically located. - TPM: Essential for hardware-based root of trust.