Forging a Virtual Steel Wall

Hardening software to prevent security breaches is coming back into fashion. And, yes, it's worth the trouble.

Page 2 of 3

Vahid Sedghi, CellTrust's vice president of technical services, says that the decision to go with a hardening product came down to convenience and a desire not to take IT staffers away from their core responsibilities. "It was either having our Linux folks go manually out there and see what has been applied and what hasn't been applied in our environment, or letting this tool do the work in a more automated fashion," he explains. Sedghi says that a process that previously involved hours of writing, pushing and applying Linux scripts was eventually whittled down so it now takes less than 60 minutes.

Sedghi feels that hardening provides a valuable extra layer of protection. "From a business perspective, it lowers the risk of downtime," he observes.

Hardening complements his business's other security measures, Sedghi says, noting that "obviously, we have our different vulnerability scanning tools and network security tools in place." Standard security tools are still important, he notes, because they perform tasks that hardening doesn't address. "They protect, monitor and scan our network and servers," he says. "Hardening just closes the gaps."

Getting It Right

Knowing exactly what to keep or delete among the various operating system or application tools and features is the biggest challenge facing users undertaking hardening projects for the first time. Organizations that decide to do the work in-house need to commit to a process of gathering information about best practices, says Makohon.

He notes that operating system and application vendors, as well as open-source organizations, are usually willing to offer some guidance to enterprises embarking on hardening projects. Software- and security-oriented Web forums are also good sources of practical information about hardening.

There are many resources, both in the private and public sectors, that help define baseline security configuration settings, says Makohon. They also offer information about how certain configuration settings should be made, the order in which they should be made, and what the resulting state of operation should be.

Phillips says that learning how to harden Windows on the Dell OptiPlex desktops that Forté markets to emergency room operators wasn't particularly difficult. "Almost everything we did, we found on the Web," he says. "There were a few things we found through trial and error, such as when we weren't sure how something would work, or when the instructions [found on the Web] weren't very good, but most things you can pretty much find yourself."

Veterans of this process recommend working closely with the application maintenance or application development team at the outset, to make sure you don't turn off something that is essential now or will be needed in a system you're planning to build later.

Makohon also advises enterprises to check with their software's developer to ensure that they're using the most up-to-date version of the product they're planning to harden. "It doesn't make sense to tackle hardening tasks that the vendor may have already addressed," he says.

Rafter says that successful hardening requires a holistic approach that takes overall system security, performance, usability and other key factors into consideration. "It's important to perform a very thorough asset inventory and to make sure that you've covered all the potential entry points, or places where malware could be executed," he says.
