Laws, Regulations & Standards: Why system hardening is a “must have” for your company in 2024

Make 2024 the year of cybersecurity and think about System Hardening: the number of threats keeps growing, and so does the number of regulations and standards that require systems to be hardened. Here is an overview.

Have you already properly hardened all systems in your company?

Let’s just say how it is: System Hardening makes an essential contribution to actually reducing the attack surface – and without hardening, many other IT security measures are noticeably less effective.

Forbes, for example, noted this fact during the COVID-19 pandemic, when there was a lot of working from home:

“The switch to hybrid work expanded the attack surface of many organizations, leading to more expensive breaches in 2020, according to the Ponemon Institute. Hardening your attack surface is the best line of defense against cyberattacks, but many organizations struggle to keep up.”

While almost all measures currently in use support detection and hopefully an adequate response to ward off attacks and threats, professional System Hardening closes existing vulnerabilities and security gaps. These closed security gaps can no longer be technically exploited.

Which security measure is suitable when?

Why is System Hardening so important? Almost all measures currently in use support detection and, hopefully, an adequate response to attacks and threats. Professional System Hardening is different: it closes existing vulnerabilities and security gaps before they can be exploited. This makes hardening an essential measure in the “protect” category.

The following figure shows how System Hardening can be categorized in the NIST Cyber Security Framework:

Accordingly, you should include the hardening of your systems in your cybersecurity strategy now at the latest and implement it consistently.

A lot has also happened in terms of regulation

What else speaks in favor of hardening your systems? In addition to the actual, technical protection of IT systems, another reason is the continuously growing requirements for IT security in companies. There is much to suggest that you should get to grips with System Hardening as soon as possible.

In the following sections, we highlight a few ordinances, laws, standards and regulations that recommend or even directly require System Hardening.

GDPR

For example, there is the General Data Protection Regulation (GDPR), which has been in force for a few years.

The DS-GVO (Datenschutz-Grundverordnung, the German name of the GDPR) obliges companies to protect customer data from misuse, among other things by securing their IT systems “according to the state of the art”. System Hardening, i.e. a secure system configuration, is clearly part of this.

In addition, the obligation to monitor service providers that the GDPR imposes should be mentioned. This means: as the responsible body, every company is obliged to verifiably check the work of the service providers it uses from an information security and data protection point of view, and to document the evidence.

The protection of the data as well as the check of the service provider can be done easily and automatically with professional hardening tools.

ISO 27001

Besides the GDPR, there is the internationally established standard for information security, which was revised at the end of 2022. The final version of the revised ISO 27001 has been available since the end of October 2022.

The standard defines how companies have to set up an ISMS (information security management system). This is accompanied by requirements for “Secure Configuration Management”, i.e. for the secure configuration of IT systems.

In the “Configuration Management” control, which also includes “Secure Configuration Management”, requirements for a secure configuration (“hardening”) are made on several dimensions. The following is a simplified overview:

    • “Templates” are to be used. This eliminates the need for self-developed hardening configurations.
    • Procedural requirements: a structured process for implementation must be set up.
    • “Monitoring” of the configuration is also required, in order to detect changes and deviations (“anomalies”).

And very important: The implementation of ISO 27001 is not a singular event! You have to continuously adapt and continuously improve your measures and implementation.

NIS2

Not to be forgotten is the Europe-wide cybersecurity directive NIS (Network and Information Security). The new EU NIS 2 directive now has to be transposed into national law. Once that has happened, it applies to companies with 50 or more employees or at least 10 million euros in sales.

The affected companies then have to meet significantly stricter IT security requirements. Failure to comply could result in high fines running into the millions.

BAIT, VAIT, KAIT & ZAIT

BaFin (German Federal Financial Supervisory Authority) has issued several requirements in recent years. These include:

    • BAIT (banking supervisory requirements for IT)
    • VAIT (insurance supervisory requirements for IT)
    • KAIT (capital management supervisory requirements for IT)
    • ZAIT (payment services supervisory requirements for IT)

With the new versions of BAIT, VAIT, KAIT and ZAIT, banks, insurance companies, capital management companies and payment service providers must meet more requirements than ever before in terms of IT security.

The topic of “System Hardening” is specifically mentioned there, for example in the VAIT in the “Operational information security” section in chapter 5.2:

“On the basis of the information security guideline and the information security guidelines, the company shall implement appropriate operational information security measures and processes in line with the state of the art.”

And it goes on to say:

“Information security measures and processes take into account, among other things:

    • Vulnerability management (..)
    • Segmentation and control of the network (..)
    • secure configuration of IT systems
    • encryption (..)”

DORA

While BAIT, VAIT, ZAIT and KAIT only apply to companies that are under the supervision of BaFin, DORA was created for all financial companies (e.g. banks, insurers and investment companies) in Europe.

The Digital Operational Resilience Act (DORA for short) is a European Union initiative aimed at strengthening the resilience and security of digital operations in the financial sector. The focus is on improving IT security measures.

Under DORA, financial institutions are required to secure their IT infrastructures against current and potential cyber threats and operational failures. One key aspect is the implementation of measures aimed at improving the robustness of IT systems – hardening the system landscape is a cornerstone of this.

PCI DSS 4.0

Organizations and companies that are not active in the sectors mentioned above must also secure their payment transactions – PCI DSS 4.0 ensures this. The new Payment Card Industry Data Security Standard (PCI DSS) was published in March 2022 and officially applies from March 31, 2024.

By then at the latest, merchants and companies that handle cardholder data will have to implement stricter cybersecurity measures. The subject of “hardening” is listed directly in Chapter 2 and, in addition to the technical safeguards, also covers the associated processes.

The more specific requirements become clear in the screenshot:

B3S

In the German industry-specific security standard for the medical care sector B3S, which was published in December 2022, System Hardening has also been included as a genuine preventive protective measure. In the chapter “technical information security”, “hardening and secure base configuration” is listed as a priority.

We find the level of detail here interesting: not only is a one-time System Hardening required, but also its integration into a process with monitoring. This is evident in the following requirements, for example:

    • ANF-0105: “Systems and applications must include specifications for secure base configuration […]”
    • ANF-0106: “A regular analysis and, if necessary, adjustment” must be carried out.

Here, too, it becomes clear: preventive measures such as System Hardening are declared to be an essential addition to detection and response capabilities, in the medical field as well.

VDA TISAX

The VDA (Verband der Automobilindustrie / German Association of the Automotive Industry) also points out that the exchange of sensitive data must be sufficiently secure according to the state of the art. For this reason, the industry standard TISAX (Trusted Information Security Assessment Exchange) was developed for the automotive industry in 2017, which is based on the VDA Information Security Assessments (ISA).

Various elements of VDA-ISA and TISAX are based on ISO 27001, which means that the secure configuration of IT systems is playing an increasingly important role for automotive manufacturers and their suppliers.

And: TISAX has been continuously adapted since its publication. From April 1, 2024, the VDA-ISA catalog 6.0 will apply, in which – as with the VDA-ISA catalog 5.1 – system hardening is mentioned several times.

Companies of what size must act now?

The simple answer: everyone!

Because corporations as well as start-ups are caught in the crossfire of the “cyber gangsters”. Therefore, everyone has to implement measures for better information security and data protection. From our point of view, System Hardening is the most important basic component. Because only here are technical attack vectors actually closed!

What happens if your company does not implement any measures?

In times of the “cyber war” currently raging on the Internet, the question is no longer whether a company will be attacked by cyber criminals, but when.

Without System Hardening and other IT security measures, your company is an easy target. That’s why you should make sure that hackers and other “cyber gangsters” find it as difficult as possible to compromise your IT systems!

Chart: Which industries and sectors worldwide are affected by ransomware attacks (Image: Microsoft)

If you make it too easy for the attackers by taking too few or inappropriate security measures, they will strike mercilessly. The result: the “cyber criminals” steal sensitive (customer) data, block systems or shut them down completely.

The financial damage is usually followed by reputational damage – or, in the worst case, insolvency.

Does System Hardening really do anything?

Oh yeah! We have already proven this several times – and on different levels. For example, Windows 10 Hardening prevents telemetry data from being collected, and hardened systems also pass tests with vulnerability scanners with flying colors.

System Hardening also prevents the improper use of the “SeDebugPrivilege” by hacking tools such as DefenderSwitch or DefenderStop, and the use of Mimikatz.

How can System Hardening be implemented?

A multi-stage approach is recommended for this. At the beginning you should carry out an as-is assessment. In other words: how securely are your IT systems configured right now?

This check is easy to do with the AuditTAP. As a result, you will receive a detailed report that can also include a risk score.

The risk score shows how well (or how poorly) your systems are hardened. But don’t just look at the chart – draw the right conclusions from the compliance report!

The next step is to determine how, and to what extent, you want to harden your systems. There is no such thing as 100% protection, and aiming for it makes no sense – otherwise important applications may become unusable.

Then you have to put together an individual configuration or use a hardening template. Use the recommendations of BSI, DISA, CIS, ACSC and Microsoft as a guide. Roll out the hardening across all your systems – ideally automated using a tool like the Enforce Administrator.

That’s not all: constantly monitor your systems for accidental or intentional misconfigurations. And adapt your System Hardening settings to changing internal and external requirements as well as the current threat situation.
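The steps above (assess the current configuration, compare it against a hardening template, roll it out, then keep monitoring for deviations) and the ISO 27001 requirements for templates and configuration monitoring described earlier can be illustrated with a small compliance check. The following is an added example written for this article, not code from AuditTAP, the Enforce Administrator or FB Pro. The template, the setting names (such as `smb1.enabled`) and the host snapshots are constructed for illustration and are not real policy identifiers; the severity weights and the risk-score formula are assumptions.

```python
"""Added example: minimal configuration-compliance check and drift monitor.
Not AuditTAP / Enforce Administrator code; template, setting names and
host snapshots below are constructed for illustration."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Setting:
    key: str           # illustrative setting name (not a real policy/registry path)
    expected: Any      # value the hardening template requires
    severity: int      # 1 = low ... 3 = high; used as the weight in the risk score
    description: str


# Constructed hardening template, loosely modelled on common CIS/BSI-style
# recommendations. It stands in for the "template" the article recommends.
BASELINE = [
    Setting("smb1.enabled", False, 3, "SMBv1 protocol disabled"),
    Setting("lsa.run_as_ppl", True, 3, "LSASS runs as a protected process"),
    Setting("credential_guard.enabled", True, 2, "Credential Guard enabled"),
    Setting("uac.enabled", True, 2, "User Account Control enabled"),
    Setting("telemetry.level", 0, 1, "Diagnostic data level set to minimum"),
    Setting("audit.process_creation", True, 2, "Process-creation auditing enabled"),
]


def check_compliance(baseline, actual):
    """As-is assessment: compare a snapshot of actual values with the template.

    Returns (findings, risk_score). findings lists every deviation; risk_score is
    the severity-weighted share of failed checks in percent (0.0 = fully compliant).
    A setting that is missing from the snapshot counts as a deviation.
    """
    findings = []
    total_weight = sum(s.severity for s in baseline)
    failed_weight = 0
    for s in baseline:
        value = actual.get(s.key)
        if value != s.expected:
            findings.append({"key": s.key, "expected": s.expected, "actual": value,
                             "severity": s.severity, "description": s.description})
            failed_weight += s.severity
    risk_score = round(100 * failed_weight / total_weight, 1)
    return findings, risk_score


def detect_drift(previous, current):
    """Monitoring step: keys whose value changed between two snapshots, i.e.
    accidental or intentional misconfiguration after the rollout."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in sorted(keys) if previous.get(k) != current.get(k)}


def compliance_report(host, baseline, actual):
    """Human-readable report: the risk score plus the findings, highest severity first."""
    findings, score = check_compliance(baseline, actual)
    lines = [f"{host}: risk score {score}% "
             f"({len(findings)} of {len(baseline)} checks failed)"]
    for f in sorted(findings, key=lambda f: -f["severity"]):
        lines.append(f"  [sev {f['severity']}] {f['description']}: "
                     f"expected {f['expected']!r}, found {f['actual']!r}")
    return "\n".join(lines)


# Constructed snapshots of one host: directly after the rollout, and later,
# after someone re-enabled SMBv1 and raised the telemetry level.
SNAPSHOT_AFTER_ROLLOUT = {
    "smb1.enabled": False, "lsa.run_as_ppl": True, "credential_guard.enabled": True,
    "uac.enabled": True, "telemetry.level": 0, "audit.process_creation": True,
}
SNAPSHOT_LATER = dict(SNAPSHOT_AFTER_ROLLOUT, **{"smb1.enabled": True, "telemetry.level": 3})

if __name__ == "__main__":
    print(compliance_report("srv01", BASELINE, SNAPSHOT_AFTER_ROLLOUT))
    print(compliance_report("srv01", BASELINE, SNAPSHOT_LATER))
    print("drift:", detect_drift(SNAPSHOT_AFTER_ROLLOUT, SNAPSHOT_LATER))
```

In practice the snapshots would come from the systems themselves (for example exported registry or policy values), and the drift check would run on a schedule so that a deviation from the template raises an alert instead of being discovered at the next audit. Weighting the findings by severity is what turns a plain pass/fail list into the kind of risk score mentioned above: re-enabling SMBv1 moves the score far more than a changed telemetry level.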

What role does cybersecurity insurance play?

To protect themselves against the damage caused by hacker and malware attacks, companies can take out so-called cyber insurance. But the insurers are setting ever stricter criteria, both when a policy is taken out and when claims are processed and paid.

Understandable: cyber attacks are increasing massively and the resulting costs are exploding. And in many companies, a reliable risk calculation is not possible at all because basic information security measures are missing.

In order for your company to take out cybersecurity insurance or actually expect payments in the event of damage, it must now meet high requirements. For example, the insurance companies ask how you secure your systems in order to significantly reduce the areas of attack. If you cannot show any measures such as System Hardening, you have a bad hand.

Conclusion

Invest your IT budget not only in symptom recognition and reaction, but also in the basic protection of your IT systems. Because System Hardening is not a “nice to have” but a “must have”! The fewer gaps and attack surfaces the IT systems you operate offer, the lower the chance that attackers can penetrate your systems and cause damage.

Make 2023 – if you haven’t already planned it – the year in which you raise your IT security to a new, important level!

Can we help you?

Would you like to know how you can professionally implement (automated) System Hardening and implement it in your company? Talk to us – our hardening experts will be happy to help you!

Contact us!

 

Images: Freepik, IT Support Guys, FB Pro

 
