Today’s cybersec note dump relates to concepts that are important to understand about hardening your operating system against security threats.
OS Hardening Practices Framework
Basics of security hardening
What is security hardening?
What is “attack surface?”
What kinds of things need security hardening?
Common Types of Hardening Procedures
Other examples of security hardening
Penetration Testing
2. OS hardening practices
What does it mean to harden the operating system (OS)?
Why is it important to update the latest security patches?
What is a baseline configuration, or baseline image?
The importance of hardware and software disposal.
The importance of a strong password policy.
What is multi-factor authentication (MFA)?
3. Brute Force Attacks and OS Hardening
Brute Force Attacks
Simple brute force attacks
Dictionary attacks
Brute Force Prevention Measures
Salting and hashing
Multi-factor authentication (MFA) and two-factor authentication (2FA)
CAPTCHA and reCAPTCHA
Strong Password Policies
Basics of security hardening
What is security hardening?
Security hardening is the process of strengthening a system to reduce its vulnerability and attack surface. All the potential vulnerabilities that a threat actor could exploit are referred to as a system’s attack surface.
What is “attack surface?”
Attack surface refers to all the potential vulnerabilities a threat actor could potentially exploit in a system.
What kinds of things need security hardening?
Security hardening is conducted on:
Hardware
Operating systems
Applications
Computer networks
Databases
Common Types of Hardening Procedures
Common types of hardening procedures include:
A security configuration change requiring longer passwords or more frequent password changes. This makes it harder for a malicious actor to gain login credentials.
Another example of a configuration change is updating the encryption standards for data that is stored in a database. Keeping encryption up-to-date makes it harder for malicious actors to access the database.
Other examples of security hardening
Other examples of security hardening include removing or disabling unused applications and services, disabling unused ports, and reducing access permissions across devices and network.
Minimizing the number of applications, devices, ports, and access permissions makes network and device monitoring more efficient and reduces the overall attack surface, which is one of the best ways to secure an organization.
Penetration Testing
Another important strategy for security hardening is to conduct regular penetration testing.
A penetration test, also called a pen test, is a simulated attack that helps identify vulnerabilities in a system, network, website, application, and process. Penetration testers document their findings in a report. Depending on where the test fails, security teams can determine the type of security vulnerabilities that require fixing. Organizations can then review these vulnerabilities and come up with a plan to fix them.
OS hardening practices
Why is it important to harden the operating system (OS)?
It’s important to secure the OS on each device because one insecure OS could lead to the whole network being compromised.
Why is it important to update the latest security patches?
As soon as a patch is published, malicious actors know the location of a vulnerability. This highlights the importance of installing the latest patch update as soon as it is published.
What is a baseline configuration, or baseline image?
A baseline configuration (or image) is a documented set of specifications within a system that is used as the basis for future builds, releases, and updates.
For example, a baseline may contain a firewall rule with a list of allowed and disallowed network ports. If a team suspects unusual activity affecting the OS, they can compare the current configuration to the baseline and make sure that nothing has been changed.
The importance of hardware and software disposal.
This ensures that all old hardware is properly wiped and disposed of. It’s also a good idea to delete any unused software applications since some popular programming languages have known vulnerabilities.
The importance of a strong password policy.
Strong password policies require that passwords follow specific rules.
For example, an organization may set a password policy that requires a minimum of eight characters, a capital letter, a number, and a symbol.
To discourage malicious actors, a password policy usually states that a user will lose access to the network after entering the wrong password a certain number of times in a row.
What is multi-factor authentication (MFA)?
MFA is a security measure that requires a user to verify their identity in two or more ways to access a system or network.
Categories of multi-factor identification.
Something you know.
Something you have.
Something unique about you.
Brute Force Attacks and OS Hardening
Brute Force Attacks
In order to effectively secure an OS, it’s vital to understand what brute force attacks are and the threat they present to OS security.
Brute force attacks are when a threat actor tries to aggressively guess at the username and password. There are two ways to go about this. This can be a tedious process when performed manually, so it should be noted that there are a range of tools hackers may use to help automate this process.
Simple brute force attacks
This is an attack where the threat actor is attempting to break into a system with manual trial-and-error guesswork.
Dictionary attacks
A threat actor will use previously stolen usernames and passwords in a dictionary attack.
Back in the day, hackers would run words from the dictionary to try and gain access to systems before it was common place to require complex passwords.
Brute Force Prevention Measures
Some common techniques for preventing brute force attacks include
Salting and hashing.
MFA and 2FA.
CAPTCHA and reCAPTCHA
Strong Password Policies
Salting and hashing
Imagine you have a secret recipe for the best cookies in the world. You wouldn’t want anyone to steal it, so you lock it in a safe.
That’s what hashing does to your passwords.
It turns them into a scrambled code that’s difficult to crack, even if someone gets their hands on it.
But what if someone finds the key to your safe? That’s where salting comes in. It adds a unique ingredient to your recipe, making it even harder to guess the original password.
Hashing converts information into a unique value that is used to determine its integrity. It’s a one-way function, therefore impossible to decrypt and obtain the original text.
Salting adds random characters to hashed passwords, which increase the length and complexity of hash values, making them more secure.
How do salting and hashing work together?
To hash a password, you would first take your password and put it through a special program called a “hashing function.”
This function scrambles your password into a random-looking string of letters and numbers. This scrambled code is called a “hash.” The hash is then stored instead of your actual password.
What is salting?
Before you hash your password, you add a random string of characters called a “salt.” This salt is like a secret ingredient that makes your hash unique. The salt is stored along with the hash.
Why use both salting and hashing?
If you only hashed your password, if someone steals that hash, they can try to guess the original password by running different words and phrases through the same hashing function. This is called a “brute force attack.”
When you salt and hash a password, even if someone steals the hash, they don’t know the salt. This makes it much harder to guess the original password because they would need to try every possible combination of password and salt.
Salting and hashing protect your passwords from being stolen and cracked.
Salting and hashing make it much harder for attackers to gain access to your accounts. Many websites and applications use the standard security practices of salting and hashing.
Multi-factor authentication (MFA) and two-factor authentication (2FA)
Imagine you’re entering a high-security building. You wouldn’t just use a single key to get in, right?
You’d probably need a keycard, a fingerprint scan, and maybe even a secret code.
That’s what MFA and 2FA are like for your online accounts. They add extra layers of security to make it much harder for someone to break in.
Here’s the difference between MFA and 2FA.
MFA is a security measure that requires a user to verify their identity in two or more ways to access a system or network.
MFA (Multi-Factor Authentication) requires you to provide two or more different pieces of evidence to prove your identity.
These factors can include something you know: Your password, something you have: Your phone, a security token, or a fingerprint scanner, and something you are: Your fingerprint, your face, or your voice.
2FA (Two-Factor Authentication) is a specific type of MFA that requires two factors to log in.
2FA is similar to MFA, except that it only uses two forms of identification. The more factors you use, the more secure your account is.
The most common type of 2FA uses your password and a code sent to your phone via text message or an authenticator app. 2FA is a good option for most people, but MFA with more factors can be even more secure.
Benefits of MFA and 2FA. MFA and 2FA make it much harder for attackers to gain access to your accounts. They protect your accounts even if your password is stolen. These methods are becoming a standard security practice for many websites and applications.
CAPTCHA and reCAPTCHA
Imagine you’re walking into a library. The librarian asks you to solve a simple puzzle before you can enter.
That’s what CAPTCHA and reCAPTCHA are like for websites.
They’re designed to keep automated programs, also known as “bots,” from accessing websites and doing things like creating fake accounts or stealing data. Here’s the difference between the two:
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) asks you to solve a simple challenge, such as identifying images with specific objects or reading distorted text. Bots typically have difficulty solving these challenges, while humans can usually do so easily. These tests can be frustrating for users, especially if the challenge is difficult to understand or solve.
reCAPTCHA (a free CAPTCHA service from Google) uses advanced technology to distinguish between humans and bots without requiring users to solve explicit challenges.
It analyzes user behavior, such as mouse movements and clicks, to determine if they are human. reCAPTCHA is considered more user-friendly than traditional CAPTCHAs.
The benefits of CAPTCHA and reCAPTCHA are that they prevent bots from creating fake accounts and stealing data. They protect websites from spam and other malicious activity and help keep websites secure and accessible for human users.
How CAPTCHA and reCAPTCHA work. When you visit a website that uses CAPTCHA or reCAPTCHA, you may be presented with a challenge. If you are using traditional CAPTCHA, you will need to solve the challenge to access the website. If you are using reCAPTCHA, you may not even notice that you are being tested. reCAPTCHA analyzes your behavior and determines whether you are a human or a bot.
Strong Password Policies
If you were building a fortress, you wouldn’t use a flimsy wooden gate to protect it, right? You’d use a strong, reinforced door with multiple locks.
That’s what password policies are like for your online accounts. They’re designed to make your passwords as strong as possible, so they’re harder to guess or crack.
Organizations use password policies to standardize good password practices throughout the organization.
Policies can include guidelines on how complex a password should be, how often users need to update passwords, whether passwords can be reused or not, and if there are limits to how many times a user can attempt to log in before their account is suspended.
Common elements of password policies.
Minimum length. This specifies the minimum number of characters your password must have. The longer the password, the harder it is to guess.
Complexity requirements. This specifies that your password must include a mix of uppercase and lowercase letters, numbers, and symbols. The more complex the password, the harder it is to crack.
Expiration. This specifies how often you need to change your password. Changing your password regularly helps to prevent attackers from gaining access to your account if your password is compromised.
History. This prevents you from reusing old passwords. This helps to ensure that you’re always using a strong, unique password.
Restrictions. This specifies what characters are not allowed in your password. This helps to prevent attackers from using common dictionary words or patterns to guess your password.
Benefits of password policies. Password policies make it harder for attackers to guess or crack your passwords. They help protect your accounts from unauthorized access.
A good password policy promotes good password hygiene.
How to create a strong password. Use a mix of uppercase and lowercase letters, numbers, and symbols. Make it at least 12 characters long. Don’t use personal information, such as your name, birthday, or address. Don’t use the same password for multiple accounts. Change your passwords regularly.