Don’t become an easy victim of cyber attacks! Read here why “cyber security” and the hardening of IT systems must be at the top of the list of priorities in 2023.
Have you already properly hardened all systems in your company?
Let’s say it as it is: system hardening makes an essential contribution to actually reducing the attack surface, and many other IT security measures are less effective without it. Forbes also documented this a year ago:
“The switch to hybrid work expanded the attack surface of many organizations, leading to more expensive breaches in 2020, according to the Ponemon Institute. Hardening your attack surface is the best line of defense against cyberattacks, but many organizations struggle to keep up.”
While almost all measures currently in use support detection and, hopefully, an adequate response to ward off attacks and threats, professional system hardening closes existing vulnerabilities and security gaps. Once closed, these gaps can no longer be technically exploited.
Which security measure is suitable when?
An assignment of technical measures to the NIST Cyber Security Framework functions makes it clear why system hardening takes effect earlier than the following measures (the table of measures versus NIST function is reproduced here as a list):
- Security Information & Event Management (SIEM)
- Endpoint Detection & Response (EDR)
- Extended Detection & Response (XDR)
- Managed Detection & Response (MDR)
Accordingly, you should now include the hardening of your systems in your IT security strategy and implement it consistently.
A lot has also happened in terms of regulation
In addition to the actual technical protection of IT systems, another reason is the continuously increasing regulatory requirements for IT security in companies. There is much to suggest that you should deal with system hardening as soon as possible.
In the following sections, we examine a few recently updated standards and point out requirements regarding system hardening.
The General Data Protection Regulation (GDPR)
For example, there is the General Data Protection Regulation (GDPR), which has been in force for a few years.
The DS-GVO (Datenschutz-Grundverordnung, the German name for the GDPR) obliges companies to protect customer data from misuse, among other things by securing their IT systems “according to the state of the art”. System hardening, i.e. a secure system configuration, is clearly part of this.
In addition, the mandatory supervision of service providers required by the GDPR should be mentioned. This means that, as the responsible body, every company is obliged to verifiably check the work of the service providers it uses from an information security and data protection point of view, and to document the evidence.
Both the protection of the data and the check of the service provider can be carried out easily and automatically with professional hardening tools.
ISO 27001 as an internationally recognized and certifiable standard
Apart from the GDPR, ISO 27001, the internationally established standard for information security, was revised in 2022; the final version has been available since the end of October 2022.
The standard defines how companies have to set up an ISMS (information security management system). This is accompanied by requirements for “Secure Configuration Management”, i.e. for the secure configuration of IT systems.
In the “Configuration Management” control, which also includes “Secure Configuration Management”, requirements for a secure configuration (“hardening”) are made on several dimensions. The following is a simplified overview:
- “Templates” are to be used. This eliminates the need for self-developed hardening configurations
- Procedural requirements: A structured process for implementation must be set up
- A “monitoring” of the configuration is also required to detect changes and deviations (“anomalies”)
And very important: The implementation of ISO 27001 is not a singular event! You have to continuously adapt and continuously improve your measures and implementation.
Network and Information Security Policy (NIS2)
Not to be forgotten is the Europe-wide cybersecurity directive NIS (Network and Information Security). The new EU NIS 2 now has to be transposed into national law. Once transposed, it applies to companies with 50 or more employees or at least 10 million euros in sales.
The affected companies then have to meet significantly stricter IT security requirements. Failure to comply can result in fines running into the millions.
From KAIT and BAIT to TISAX and PCI DSS 4.0: There are now numerous specifications from various industries and areas that also have system hardening in mind. We introduce you to the most important ones.
BAIT, VAIT, KAIT
The BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht / Federal Financial Supervisory Authority) has issued several requirements in recent years. These include BAIT (bank supervisory requirements for IT), VAIT (insurance supervisory requirements for IT) and KAIT (capital management supervisory requirements for IT).
With the new versions of BAIT, VAIT and KAIT, banks, insurance companies, investment companies and capital management companies have to meet more requirements than ever before when it comes to IT security.
The topic of “system hardening” is specifically mentioned there, for example in the VAIT in the area of “operative information security” in chapter 5.2. There it says:
“The company has, based on the information security guideline and information security guidelines, to implement appropriate, up-to-date, technically appropriate, operative information security measures and processes.”
PCI DSS 4.0
Organizations and companies outside the sectors mentioned must also secure payment transactions; PCI DSS 4.0 ensures this. The new Payment Card Industry Data Security Standard (PCI DSS) was published in March 2022 and officially applies from March 31, 2024.
By then at the latest, merchants and companies that handle cardholder data will have to implement stricter cybersecurity measures. “Hardening” is listed directly in Chapter 2, which covers not only the technical safeguards but also the processes around them.
The more specific requirements become clear in the screenshot:
In the German industry-specific security standard for the medical care sector B3S, which was published in December 2022, system hardening has also been included as a genuine preventive protective measure. In the chapter “technical information security”, “hardening and secure base configuration” is listed as a priority.
We find the level of detail here interesting: not only is one-time system hardening required, but process integration with monitoring. This is evident in the following requirements, for example:
- ANF-0105: “Systems and applications must include specifications for secure base configuration […]”
- ANF-0106: “A regular analysis and, if necessary, adjustment” must be carried out.
Here, too, it becomes clear: preventive measures such as system hardening are declared to be an essential addition to detection and response capabilities, even in the medical field.
The VDA (Verband der Automobilindustrie / The German Association of the Automotive Industry) has also internalized that the exchange of sensitive data must be sufficiently secure using state-of-the-art technology. That is why the industry standard TISAX (Trusted Information Security Assessment Exchange) for the automotive industry was developed in 2017 and has been continuously improved and tightened since then.
Various elements of TISAX are based on ISO 27001. Here, too, the secure configuration of IT systems at automobile manufacturers and their suppliers will play an increasingly important role.
Transferring risks: Cybersecurity insurance as a solution?
To protect themselves against the damage caused by hacker and malware attacks, companies can take out so-called cybersecurity insurance. But the insurers are setting ever stricter criteria, both when a policy is taken out and when claims are settled.
Understandably so: cyber attacks are increasing massively and causing costs to explode. And in many companies, a reliable risk calculation is not possible at all because basic information security measures are missing.
For your company to take out cybersecurity insurance, or to actually expect payments in the event of damage, it must now meet high requirements. For example, insurers ask how you secure your systems in order to significantly reduce the attack surface. If you cannot show measures such as system hardening, you are in a weak position.
Companies of what size must act now?
The simple answer: everyone!
Because corporations as well as start-ups are caught in the crossfire of the “cyber gangsters”. Therefore, everyone has to implement measures for better information security and data protection. From our point of view, system hardening is the most important basic component. Because only here are technical attack vectors actually closed!
What happens if your company does not implement any measures?
Without system hardening and other IT security measures, your company is an easy victim. The question is not whether your company will be attacked by cyber criminals, but when. What matters then is how serious the attacks and their consequences are.
You should therefore ensure that hackers and other “cyber gangsters” have as much trouble as possible compromising your IT systems!
If you make it easy for attackers by taking too few or inappropriate security measures, your company becomes one victim among many. The result: the “cyber criminals” steal sensitive (customer) data, block systems or switch them off completely. Financial damage is usually followed by reputational damage.
No executive can accept either. In the worst case, the survival of the company is at risk and personal liability risks are incurred.
Does system hardening really do anything?
Oh yes! We have already proven this several times, and on different levels. For example, Windows hardening prevents telemetry data from being collected, and hardened systems also pass tests with vulnerability scanners with flying colors.
System hardening also prevents the improper use of the “SeDebugPrivilege” by hacking tools such as DefenderSwitch or DefenderStop, as well as the use of Mimikatz.
How can system hardening be implemented?
A multi-stage approach is recommended. At the beginning you should carry out an as-is assessment: how securely are your IT systems currently configured?
This check is easy to do with the AuditTAP. As a result, you receive a detailed report, which can also include a risk score.
The risk score shows how well (or poorly) your systems are hardened. But don’t just look at the chart; draw the right conclusions from the compliance report!
The next step is to determine how and to what extent you want to harden your systems. There is no such thing as 100% protection, and aiming for it makes no sense, as important applications may otherwise become unusable.
Then you have to put together an individual configuration or use a hardening template. Use the recommendations of BSI, DISA, CIS, ACSC and Microsoft as a guide. Roll out the hardening across all your systems – ideally automated using a tool like the Enforce Administrator.
That’s not all: constantly monitor your systems for accidental or intentional misconfigurations. And adapt your hardening settings to changing internal and external requirements as well as the current threat situation.
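As an added illustration of the audit, scoring and monitoring steps described above (example code written for this article, not AuditTAP or Enforce Administrator code; the setting names, expected values and weights are constructed, not taken from any real hardening template):

```python
"""Constructed example: audit a captured system configuration against a
hardening baseline, compute compliance and risk scores, and flag drift
between two audits. Setting names and weights are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    setting: str      # configuration item (constructed name)
    expected: object  # hardened value demanded by the template
    weight: int       # how much a deviation contributes to the risk score


# Constructed baseline in the spirit of CIS/BSI templates (not a real one).
BASELINE = [
    Rule("SMBv1Enabled", False, 5),
    Rule("LLMNREnabled", False, 3),
    Rule("TelemetryLevel", 0, 2),
    Rule("LSAProtection", True, 4),
    Rule("AuditLogonEvents", "success_failure", 6),
]


def audit(actual: dict) -> dict:
    """Compare captured settings with the baseline.
    Returns per-setting findings, a compliance percentage (share of rules
    met) and a weighted risk score (0 = fully hardened, 100 = nothing met)."""
    findings = {}
    for rule in BASELINE:
        value = actual.get(rule.setting)  # None means: not captured at all
        findings[rule.setting] = (value == rule.expected, value, rule.expected)
    met = sum(1 for ok, _, _ in findings.values() if ok)
    total_weight = sum(r.weight for r in BASELINE)
    open_weight = sum(r.weight for r in BASELINE if not findings[r.setting][0])
    return {
        "findings": findings,
        "compliance_pct": round(100 * met / len(BASELINE), 1),
        "risk_score": round(100 * open_weight / total_weight, 1),
    }


def drift(previous: dict, current: dict) -> list:
    """Monitoring step: names of settings that changed between two captures,
    whether the change was accidental or intentional."""
    return sorted(k for k in set(previous) | set(current)
                  if previous.get(k) != current.get(k))


if __name__ == "__main__":
    day1 = {"SMBv1Enabled": True, "LLMNREnabled": False, "TelemetryLevel": 3,
            "LSAProtection": True, "AuditLogonEvents": "success_failure"}
    day2 = dict(day1, SMBv1Enabled=False, LSAProtection=False)
    report = audit(day1)
    print(report["compliance_pct"], report["risk_score"])  # 60.0 35.0
    print("drift:", drift(day1, day2))  # ['LSAProtection', 'SMBv1Enabled']
```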
Invest your IT budget not only in symptom recognition and reaction, but also in the basic protection of your IT systems. Because system hardening is not a “nice to have” but a “must have”! The fewer gaps and attack surfaces the IT systems you operate offer, the lower the chance that attackers can penetrate your systems and cause damage.
Make 2023 – if you haven’t already planned it – the year in which you raise your IT security to a new, important level!
Can we help you?
Would you like to know how you can professionally implement (automated) system hardening and implement it in your company? Talk to us – our system hardening experts will be happy to help you!
Images: Freepik, IT Support Guys, FB Pro