Course taster

System hardening practices

There is a wide range of practices to choose from when an organisation implements system hardening. We have summarised nine best practices below.

A system audit is an examination to identify if planned activities comply with system policies. When looking at a complete system, compliance is a major factor in ensuring that all components comply with the information governance policy set by the organisation (Harris et al., 2008).

There are five types of compliance audits:

  1. SOC 2
  2. ISO27001
  3. GDPR
  4. Sarbanes–Oxley (SOX)
  5. industry-specific compliance audits

A system hardening strategy is a vision of how to ensure the efficiency of all the components of a computer network. Having a scalable, risk-based plan is the best approach.

Having a resilient and efficient vulnerability identification system is important, including alerting users about critical updates. Updates can be classified using a three-tier system based on their importance: critical, mandatory and advisory (Harris et al., 2008).

An organisation’s network should be designed correctly, with security at the heart of the design. A network that allows traffic from outside the organisation should have correctly configured firewalls, with regular auditing policies to review what the firewalls are allowing or blocking. A firewall should open only the ports that carry traffic used by the organisation’s applications. Any ports not used for communication should be disabled to eliminate additional vulnerabilities.
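The port review described above can be scripted as a periodic audit: compare what is actually listening on a host with the ports the organisation’s applications are documented to need, and flag anything else for review. The following is an added example, not code from the course; the allowlist and the sample socket listing are constructed, and the listing imitates the column layout of `ss -ltnH` so that the real command can be substituted for the sample function.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against an application allowlist.
# The allowlist and the sample listener output below are constructed for
# illustration; in production, replace sample_listeners with `ss -ltnH`.

# Ports the organisation's applications are documented to need (assumption).
ALLOWED_PORTS="22 443"

# Constructed sample in the layout of `ss -ltnH`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
EOF
}

# Take the port from the local-address column ("0.0.0.0:22" or "[::]:8080"),
# i.e. whatever follows the last colon, and de-duplicate.
extract_ports() {
  awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print every listening port that is not in the allowlist.
# Returns 0 when all listeners are documented, 1 otherwise.
unexpected_ports() {
  status=0
  for port in $(sample_listeners | extract_ports); do
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;                 # documented application port
      *) echo "$port"; status=1 ;;    # undocumented listener: review or close
    esac
  done
  return $status
}

# Usage:
# unexpected_ports || echo "listeners outside the allowlist found"
```

Each undocumented port is either added to the allowlist with a named owning application, or the service behind it is disabled; either way the firewall rules are then reviewed against the same list, so the firewall policy and the host baseline stay consistent.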

Servers are computers that store and perform critical functions within an organisation. They should be installed in a segregated, monitored area with hard security in place. They should not have unnecessary applications or unused software. They should be set up prior to connecting them to the network, and administrative rights should be correctly set only for server administrators. Traditional employees should never have administrative access to a server, and their access permissions should be monitored closely.

Application hardening is the process of reducing the potential risks in applications. Access to all applications should reflect users’ roles. For example, an accountant in an organisation should not have access to user account servers, as this is not related to their role within the organisation.

A database should be stored in a secure area and should have role-based administrator restrictions. These allow the administrator to control what a user can see, use and interact with within a database. Databases must have node checking to verify the applications that access the stored data and the users who connect through programmatic access.

Operating systems are often tested by vendors, and patches are released when vulnerabilities are discovered. Updates and system packs should be installed as soon as they are released by the vendors, and unnecessary drivers and shared folders should be removed/disabled. Local storage should be enabled, in addition to appropriate system permissions and user access logs.

Unused, unnecessary accounts and additional privileges should be removed from the system.
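Two of the points above, that ordinary employees should never hold administrative access to a server and that unused accounts and surplus privileges should be removed, can be checked with the same audit: compare the accounts that can log in, and the members of the administrative group, against the lists the organisation has approved. The block below is an added example, not course material; the approved-user and approved-administrator lists, the group name and the sample `passwd`/`group` records are all constructed.

```shell
#!/bin/sh
# Added example: flag login-capable accounts that nobody has approved, and
# members of the admin group who are not approved server administrators.
# Lists and sample records are constructed; in production use
# `getent passwd` and `getent group "$ADMIN_GROUP"` in place of the samples.

APPROVED_USERS="alice bob svc-backup"   # assumption: export from the asset register
APPROVED_ADMINS="alice"                 # assumption: the named server administrators
ADMIN_GROUP="sudo"                      # assumption: group that grants admin rights

# Constructed sample in /etc/passwd format.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
contractor:x:1002:1002:Old contractor:/home/contractor:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
EOF
}

# Constructed sample in /etc/group format.
sample_group() {
cat <<'EOF'
sudo:x:27:alice,bob
EOF
}

# in_list WORD "space separated list" -> 0 if WORD is in the list
in_list() { case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Non-root accounts with an interactive shell that are not on the approved list.
# These are candidates for removal or for locking pending review.
unapproved_logins() {
  sample_passwd |
  awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' |
  while read -r user; do
    [ -n "$user" ] || continue
    in_list "$user" "$APPROVED_USERS" || echo "$user"
  done
}

# Members of the admin group who are not approved administrators:
# a privilege that should be removed, not merely monitored.
unapproved_admins() {
  sample_group |
  awk -F: -v g="$ADMIN_GROUP" '$1 == g { gsub(",", "\n", $4); print $4 }' |
  while read -r user; do
    [ -n "$user" ] || continue
    in_list "$user" "$APPROVED_ADMINS" || echo "$user"
  done
}

# Usage:
# unapproved_logins   # -> contractor
# unapproved_admins   # -> bob
```

Run on a schedule, the two lists give a short, reviewable output instead of a full account dump, which is what makes the "monitored closely" requirement practical rather than aspirational.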

The following areas are introduced by system architects when implementing general system hardening techniques.


Remove installed programs that are no longer used. Expired programs can act as a backdoor.

Install the latest updates from vendors.

Install patches and plan patch management. Ensure that the operating system is updated as soon as a patch is available to avoid zero-day attacks.

Define what a group can and cannot do by implementing rules.

Build a template that contains a group of policies and procedures.

Create a baseline (a standard set of base configurations) with selected measures that meet the needs of each computer user.
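A baseline is only useful if hosts are compared against it, so the last step is usually paired with a drift check: read the expected settings, read what the host actually has, and report every key that is missing or differs. Below is an added example, not part of the course; the baseline values and the "observed" configuration are constructed, using a few real `sshd_config` directive names as sample keys because they are a common element of server baselines. The required values are an assumption about this organisation's policy, not a recommendation from the page.

```shell
#!/bin/sh
# Added example: report drift between a host and its configuration baseline.
# Both files are constructed "Key Value" samples; in production the baseline
# comes from the organisation's template and the observed settings from the
# host (for sshd, `sshd -T` prints the effective configuration).

# Constructed baseline: one "Key Value" pair per line (values without spaces).
baseline() {
cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
EOF
}

# Constructed observed configuration: one key differs, one is absent.
observed() {
cat <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
MaxAuthTries 3
EOF
}

# One line per drifted or missing key, sorted so the output is stable.
# Both inputs are tagged (B = baseline, O = observed) and fed to awk as a
# single stream, which keeps this POSIX sh without process substitution.
baseline_drift() {
  { baseline | sed 's/^/B /'; observed | sed 's/^/O /'; } |
  awk '$1 == "B" { want[$2] = $3; next }
       $1 == "O" && ($2 in want) { got[$2] = $3 }
       END {
         for (k in want) {
           if (!(k in got))
             print k " missing, expected " want[k]
           else if (got[k] != want[k])
             print k " expected " want[k] " observed " got[k]
         }
       }' | sort
}

# Number of drifted keys; 0 means the host matches its baseline.
drift_count() {
  baseline_drift | awk 'END { print NR }'
}

# Usage:
# baseline_drift
# [ "$(drift_count)" -eq 0 ] || echo "host has drifted from baseline"
```

Keys present on the host but absent from the baseline are deliberately ignored here; a stricter variant would report them too, since an undocumented setting is exactly the kind of thing a baseline exists to surface.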