Domain 4 · 4.1 Securing Computing Resources

4.1.2 Hardening Targets

14 min

Hardening targets is the practice of reducing a system's vulnerability by removing unnecessary functions, securing configurations, and implementing robust authentication to minimize the attack surface.

Infrastructure and Authentication Hardening Securing the network foundation requires moving beyond default settings and protecting the directory services that manage identities. - Secure LDAP (LDAPS): Encrypting directory access using SSL/TLS (Port 636) to prevent credential sniffing during authentication. - Shared Authentication/SSO: Implementing Single Sign-On improves the user experience but creates a single point of failure; it must be protected against Password Spraying, where attackers test common passwords against many accounts to avoid lockout thresholds. - Trust Relationships: Establishing formal trust between different domains or organizations to allow secure resource sharing without duplicating credentials.

Host and Hardware Security Individual endpoints must be resilient against both physical and logical compromises. - Boot Integrity: Using Secure Boot and Measured Boot to ensure that firmwares, bootloaders, and OS kernels have not been tampered with by a Rootkit. - Non-persistence: Implementing techniques like snapshots, revert to known good, and Live CDs to ensure that any malicious changes (like a RAT or Backdoor) are wiped upon reboot. - Physical Hardening: Disabling unused ports (USB/Thunderbolt), using chassis intrusion detection, and securing the physical environment to prevent direct hardware manipulation. - Benchmarks: Following vendor-specific guides and industry standards (like CIS benchmarks) to verify that a system meets the required security posture.

Cybersecurity Resilience Maintaining operations during an attack or failure requires high availability and architectural variety. - Redundancy: Eliminating single points of failure through load balancing and failover clusters. - Diversity: Using a mix of vendors (e.g., different firewall brands or operating systems) to ensure a single exploit doesn't take down the entire infrastructure. - Detection Utilities: Using reconnaissance tools for internal audits to discover unauthorized file manipulation or hidden processes before attackers do.

Role-Based Training Hardening is incomplete without addressing the human element through specialized instruction. - Users: Training focused on basic malware recognition and physical security (e.g., unauthorized users at workstations). - Privileged Users: Specialized training for those with elevated access; they must understand the management of security tools, such as updating anti-malware signatures. - Data/System Owners: Training on the legal and organizational responsibilities of protecting specific information assets.

Quick recall - Password Spraying: Attacking many accounts with one common password (avoids lockouts). - LDAPS: Port 636; secures the directory service. - Rootkit: Malware that hides deep in the OS; countered by Secure Boot. - Non-persistence: Resilience through "clean-slate" reboots or snapshots. - Benchmarks: Pre-defined "best practice" templates for hardening (e.g., CIS, NIST).