
The importance of system hardening

Posted on 05/18/2015, by Lorenzo Martínez Rodríguez

Complaining is part of human nature. When it rains, why is it raining? When it is hot, why is it hot? When Real Madrid wins, why does Barcelona not lose, and vice-versa? The issue is that we complain. However, we do not always think about what we can do to change or improve the causes of our complaints. Of course, not everything is under our control or in our hands, but we can do a lot, beginning with our own environment.

In the world of security, the same occurs. We complain about the damage caused by others, but what have we done to prevent it?

All systems are vulnerable to attacks. Data security is the target of mafias, rivals, and industrial spies, amongst other threats, who wish to make money off the value of our information. They steal data to use it to their advantage, or encrypt it so they can demand a ransom in exchange, or use the power and Internet connectivity of the machines that store it to send spam, mine bitcoins, store pornography or malware, or simply act as a pivot from which they can carry out cybercrimes over the Internet while framing us.

Back to the original question: what have we done to avoid it?

We think that when we connect a machine that provides a service to the Internet, the operating system is already secure simply because we update patches and have an “antivirus” program. It seems that Steve Jobs’ aim, in which a user unpacks an Apple product, plugs it in, and it is ready to go, is the message transmitted to IT and development department employees, with the system security being left for later.

If I got a euro every time I have sat before a client who said to me “What does it matter if a defacement is carried out? What does it matter if something happens if we have everything backed up?”, I would have already retired a millionaire.

Who has never heard it said “We were also very thoroughly audited 6 months ago and they told us that everything was fine”? Of course, and from 6 months ago until now has nothing changed?

Combatting daily attacks is not something static.

The measures and improvements in security have to be implemented continuously.

“Don’t carry out denial of service tests, and those that you carry out, don’t do them at peak production times.” Ah, of course… and are you saying that whoever intends to attack you will be as considerate as us, asking which tests they can carry out, which they can’t, and when they can do them?

We function with fines

Clearly, it is enough for a radar to take a photo of us and make our wallets a little bit lighter to make us think twice the next time we put our foot on the throttle. When there are regulations that require us to apply certain security measures, we take a little more care. In general, we do it to comply with regulations, not because of security awareness itself. That is, we again underestimate what could happen. This is when, to complete the checklist, we subcontract the service to “a specialist company”.

Here, purchasing departments are pleased with themselves for “squeezing” the trusted provider by obtaining a lower price for the implementation of systems and security services. Obviously, if they have managed to get a company to provide a service in which the latter loses money, this company will send the cheapest resource that it has, or it will apply an effort that is proportional to the payment received. Obviously, this will have an impact on the final result, that is, security will again be the element that suffers.

The training of employees

During the three years of my business venture, I have given many courses related to security for companies, universities and organisations. In my experience, the most in-demand courses are those of Ethical Hacking and Forensics. Lastly, and in general due to curriculum obligations, courses on hardening of Operating Systems and Infrastructure, perimeter security, etc., are restricted mainly to universities that need to include this content in their masters in security.

The following can be extrapolated from these data:

  • Firstly, breaking is what people find most interesting. I agree that in order to be able to protect ourselves, we should know how to attack. That is, in order to audit whether or not the systems of your organisation are secure, knowledge of pentesting is essential.
  • Secondly, Forensics. By this we mean that when we suffer a security incident we are interested in being able to identify how and when it occurred, and what the extent of the damage was.
  • Lastly, we are interested in the protection of operating systems, the secure configuration of services, the strengthening of infrastructure, good security practices in mobile devices, and the monitoring of systems and networks. In general, having knowledge about how to make things more difficult for the bad guys interests us less than putting ourselves in the shoes of a supposed attacker.

As I was told by a gentleman with whom I recently signed a contract, and who alluded to including certain clauses in writing: “Believing something is good, but controlling it is better”. If you believe that one audit every 6 months is sufficient, perfect. However, if you want advice, take measures so that yours is not the next database that appears in Pastebin.

Since we are mentioning well-known quotes, the saying “attack is the best form of defence” will not be new to us, although it is also well-known if we change the nouns around so that it reads “defence is the best form of attack”.