So far, we have been analyzing strategies and techniques to avoid hardware attacks that can be requested or purchased during the manufacturing stage. But what happens if you have legacy equipment, installed equipment, or if you want to start diagnosing or applying an enterprise-wide security strategy? Let ’s look at ways to reduce the risk of attacks thanks to hardening.
What is hardening?
If your goal is to reduce security risks, eliminate potential attack vectors, and condensing system’s attack surface you can apply tools, techniques, and best practices included in hardening. You can apply hardening to technology applications, systems, infrastructure, firmware, software, and hardware. For example, you can eliminate unnecessary or redundant programs, accounts functions, applications, ports, permissions, access, etc., which are used by criminals and malware to infiltrate your systems.
Hardening is vital to Cybersecurity as it offers a methodical approach to auditing, identifying, eliminating, controlling potential security vulnerabilities throughout the organization. These are the levels included in hardening systems:
How can hardening be applied to hardware?
Below you will find 5 tips on how to harden hardware in your facilities (Some of the general tips apply for other levels. Take notes!).
Audit Existing Systems
Conduct a comprehensive audit of all existing technology and equipment. Pay special attention to penetration testing, vulnerability scanning, and configuration management. You need to methodically find all flaws in the system or company and assign a priority for fixing. In addition, stick to industry standards like NIST, Microsoft, CIS, DISA, to comply with system hardening best practices.
Plan Your System Hardening Strategy
Trying to remove all vulnerabilities at once is a rookie mistake. First, you need to assess risks. In other words, how likely you are to suffer an attack from this vulnerability and prioritize the most dangerous flaws for fixing. Second, you need to review budget. Some vulnerabilities might be more expensive to fix than others. Try to find factory-default features that might not be turned on instead of focusing solely on huge capital investments. After these two steps, you will be better equipped to prioritize vulnerability fixes based on your budgetary constraints and most pressing risks. Then, you need to start patching vulnerabilities ASAP!
Restrict Access to Critical Systems or Equipment
This is particularly relevant for distributed infrastructures, IOT applications and Edge Computing. Make sure your enclosures are specially designed to avoid and/or notify physical intrusions. If you can move the equipment, place it within restricted areas access. If this is not possible, include state of the art encryption and access controls. You can leverage Hardware Security Modules, Tamper Pins, or Trusted Platform Modules (You can read more about these strategies in our blog post) to authenticate credentials and passwords. Nowadays there are many off-the-shelf encrypting drives and flashes that you can use for systems outside restricted areas, like for employee computers or workstations.
Remove Unnecessary or Redundant Privileges
You can start at the microcontroller and firmware level. The recent technological advancements allow processors to confirm if malicious code has been injected before booting applications or software. Some will even be able to return null values and avoid the attack all together. This is possible thanks to the limited privileges to read and execute instructions at the microcontroller level. You can read more about secure boot, SoC protection, Trust Zones and Bus Monitors, in our blog about common hardware vulnerabilities.
Continuous Review and Update
As you implement your hardening activities, review, and update your plan periodically. Make sure the capital investments align with business priorities and that you leverage any internal resources or untapped equipment capabilities to reduce and eliminate risks. Please note that the best hardening activities are related to eliminating unnecessary or redundant systems which are usually a wasted opportunity for financial savings as well. Finally, be aware that over time the relevance of vulnerabilities might change, and you will need to adapt fast to correct them in a timely manner.
System hardening will quickly payoff both in avoided losses and productivity gains. First, your company will experience enhanced system functionality due to the fewer systems, applications, software, and hardware you need to manage and update. This will also translate into less risk of operational problems, incorrect configurations, and incompatibility. Second, you will significantly improve security and reduce the attack surface. This means that your company will be less attractive to criminals when they will probably gain more from other possible targets. If you have not started hardening your systems, now you know why you need to start as soon as possible. To learn more about cybersecurity, read our Cybersecurity Blog Series.