With 2021 quickly approaching, you need to be ready for existing and new threats. If you want to secure your system from hackers, then you need to think like them. In 2020, we saw attacks on many companies such as Twitter, Experian South Africa, British Airlines, DigitalOcean, etc. These companies have trained security teams, but hackers continue to find ways to exploit vulnerabilities.
It is important to have a strong foundation in order to secure your environment. Don’t make it easy for criminals to infiltrate your network by neglecting the basics.
The job roles responsible for carrying out these tasks are typically system administrators, network administrators, security engineers and security analysts.
Do these seven things to safeguard your computer:
- Proper base OS install
- Network hardening
- Application hardening
- Web server hardening
- Web Application Hardening
- Email Servers
- DNS Servers hardening
1. Proper base OS install
- Non-essential services - It’s important that an operating system only be configured to run the services required to perform the tasks for which it is assigned. For example, unless a host is functioning as a web or mail server there is no need to have HTTP or SMTP services running on the system.
- Patches and Fixes - As an ongoing task, it’s essential that all operating systems be updated with the latest vendor-supplied patches and bug fixes (usually collectively referred to as security updates).
- Password Management - Most operating systems today provide options for the enforcement of strong passwords. Utilization of these options will ensure that users are prevented from configuring weak, easily-guessed passwords. Additional levels of security include enforcing the frequent changing of passwords and the disabling of user accounts after repeated failed login attempts.
- Unnecessary accounts - Unused and unnecessary user accounts must be disabled or removed from the operating systems. It’s also vital to keep track of employee turnover so that accounts can be disabled when employees leave the organization.
- File and Directory Protection - Access to files and directories must be strictly controlled by Access Control Lists (ACLs) and file permissions.
- File and File System Encryption - Some file systems provide support for encrypting files and folders. For additional protection of sensitive data, it is important to ensure that all disk partitions are formatted with a file system type with encryption features (NTFS in the case of Windows).
- Enable Logging - It is important to ensure that the operating system is configured to log all activity, errors, and warnings. Reviewing logs is how malicious events on a system get identified, and because security controls can fail, there must be a way to check for bad events after the fact. Attackers may disable auditing or overwrite logs to hide their activity, which makes investigation harder, so copies of the logs should also be kept elsewhere.
- File Sharing - Disable any unnecessary file sharing.
2. Network hardening
Network hardening is essentially the process of removing as many security threats and risks as possible. Here are some network hardening techniques:
- Updating Software and Hardware - An important part of network hardening involves the ongoing process of ensuring that all networking software along with the firmware in routers is updated with the latest vendor-supplied patches and fixes.
- Password Protection - Most routers and wireless access points provide a remote management interface that can be accessed over the network. It is essential that such devices are protected with strong passwords. Here are basic password do’s and don’ts.
- Unnecessary Protocols and Services - All unnecessary protocols and services must be disabled and ideally removed from any hosts on the network. For example, in a pure TCP/IP network environment, it doesn’t make sense to have AppleTalk protocols installed on any system.
- Ports - A hardened network should have any unneeded ports blocked by a firewall and the associated services disabled on any hosts within the network. For example, a network in which none of the hosts act as web servers does not need to allow traffic for port 80 to pass through the firewall.
- Wireless Security - Wireless networks must be configured to the highest available security level. For older access points, WEP security should be configured with 128-bit keys; WEP is cryptographically broken, so this is only a stopgap until the hardware can be replaced. Newer routers should implement WPA2 Enterprise or WPA3 security measures.
- Restricted Network Access - A variety of steps should be taken to prevent unauthorized access to internal networks.
The first line of defense should involve a firewall between the network and the internet. Other options include the use of Network Address Translation (NAT) and Access Control Lists (ACLs). Authorized remote access should be enabled using secure tunnels and virtual private networks.
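The "Non-essential services" and "Ports" items above both come down to one check: is the host listening on anything it was not meant to serve? The following Python script is an added example, not code from this article; it parses constructed output in the shape of `ss -H -lntu` and compares it with a hypothetical allowlist for a web server.

```python
# Added example, not from the original post: audit a host's listening
# sockets against an allowlist of the services it is meant to provide.
import re

# Constructed sample in the shape of `ss -H -lntu` output for a web server
# that should only expose SSH and HTTP(S).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443          [::]:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""

# Hypothetical allowlist for this host: (protocol, port) pairs it must serve.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "::1"}
# Accepts "0.0.0.0:22", "[::]:443" and "*:22"; wildcard ports are skipped.
LOCAL_RE = re.compile(r"^\[?([^\]]*)\]?:(\d+|\*)$")

def parse_listeners(ss_text):
    """Return (proto, bind_address, port) tuples from ss-style lines."""
    out = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        m = LOCAL_RE.match(parts[4])  # Local Address:Port column
        if m and m.group(2) != "*":
            out.append((parts[0], m.group(1), int(m.group(2))))
    return out

def unexpected_listeners(ss_text, allowed=ALLOWED):
    """Split listeners not on the allowlist into (exposed, loopback_only).
    Loopback-only sockets are unreachable from the network but still show
    that an unneeded service is running and should be removed."""
    exposed, loopback_only = [], []
    for proto, addr, port in parse_listeners(ss_text):
        if (proto, port) in allowed:
            continue
        (loopback_only if addr in LOOPBACK else exposed).append((proto, addr, port))
    return exposed, loopback_only
```

For the sample host this reports SMTP and rpcbind as exposed, and MySQL and chrony as loopback-only services that still warrant review.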
3. Application hardening
- Application hardening is the process of taking a finished application and making it more difficult to reverse engineer and tamper with.
- Combined with secure coding practices, this is a best practice for companies that want to protect their applications.
4. Web server hardening
- Uninstall all unnecessary software
- Remove all unnecessary user accounts and make sure that user accounts that run services do not have excessive privileges
- Enable automatic OS patching or enable patch notifications
- Enforce strong firewall rules
- Remove all unnecessary web server modules
- Modify the default configuration settings
- Turn on additional protection for web applications
- Install and run a web application firewall (WAF)
5. Web Application Hardening
- Regularly scan all your web applications using a web vulnerability scanner. Eliminate all vulnerabilities as early as possible.
- Perform further penetration testing. While a vulnerability scanner will find most security vulnerabilities, penetration testers will be able to find the ones that are not detectable automatically.
- Add temporary rules to the web application firewall if there are vulnerabilities that you cannot eliminate immediately.
6. Email Servers
- Configure mail relay options carefully to avoid being an Open Relay.
- Limit connections to protect your server against DoS attacks.
- Activate SPF to prevent spoofed sources.
- Maintain local IP blacklists to block spammers.
- Encrypt POP3 and IMAP authentication to address privacy concerns.
- Enable SURBL to verify message content.
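Publishing SPF helps only if the record is valid and strict. As an added example not taken from this article, the following Python function checks a record for the common weaknesses: a permissive `+all` or `?all`, a missing terminal `all`, a deprecated `ptr` mechanism, and more than the 10 DNS-lookup mechanisms RFC 7208 allows. The sample records are constructed.

```python
# Added example, not from the original post: sanity-check an SPF TXT record
# before publishing it. Per RFC 7208 a record starts with v=spf1, should end
# in a restrictive "all", and may use at most 10 DNS-lookup mechanisms
# (include, a, mx, ptr, exists, redirect) before evaluation fails.
import re

TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/].*)?$", re.I)
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of findings; an empty list means no obvious weakness."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, mech = (m.group(1) or "+"), m.group(2).lower()
        if mech in LOOKUP_MECHS:
            lookups += 1
        if mech == "redirect":
            has_redirect = True
        if mech == "ptr":
            findings.append("ptr mechanism is deprecated; use ip4/ip6 or include")
        if mech == "all":
            all_qualifier = qualifier
    if all_qualifier is None and not has_redirect:
        findings.append("no terminal 'all': unmatched senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass; use -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings
```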
7. DNS Servers hardening
- Audit your DNS zones.
- Restrict Zone Transfers.
- Disable DNS recursion to prevent DNS poisoning attacks.
- Use a DDoS mitigation provider.
The most important thing to realize about hardening is that it’s a continuous process. You should perform regular system hardening checkups to make sure that:
- Your security configuration is up to date.
- All the security measures are still in place.
- There are no new threats to your information security.
Such new threats may come from other users of the server, the developers of web applications or simply due to the vulnerabilities found in the existing software.