Configuration hardening is vital for improving the security of IT infrastructure. Since many standards and benchmarks cover this topic, implementing a hardening plan may not seem a difficult task. Practice shows otherwise: some recommendations may be unacceptable because of their negative impact on system usability or compatibility, or because of the extra effort they add to IT infrastructure management. Risk assessment can help select the critical requirements for system hardening and omit those that are less important and may have an overall negative impact on the system. Risk assessment results may also justify using compensating (substitute) safeguards instead of system hardening.
Main points covered:
• IT hardening based on best practices
• Building the hardening plan relevant to real needs - examples
• Finding the requirements and contraindications during risk assessment process
• IT hardening as a part of risk management
Presenter:
This webinar was presented by Adam Galach. Mr. Galach is an expert in the area of IT security, ISMS and risk management, with more than 20 years of professional experience. He has participated in and managed a number of projects delivered to organizations from various industries, including automotive, chemical and petrochemical, telecommunications, energy, banking and insurance.
Link of the recorded session published on YouTube: https://youtu.be/dwcwGVfXQWY
Risk Assessment as a Basis for IT Hardening Plan
1. Risk assessment as a basis
for IT hardening plan
Adam Galach, CISSP, CRISC
2. Adam Galach
Owner Galach Consulting
Adam Galach is an expert in the area of IT security, ISMS and risk management, with more than 20
years of professional experience. He has participated in and managed a number of projects delivered to
organizations from various industries, including automotive, chemical and petrochemical,
telecommunications, energy, banking and insurance, etc.
+48 602 410 759
adam@galach.pl
www.galach.pl
www.linkedin.com/in/adam-galach-cissp-crisc-831595
3. Agenda
• IT hardening approach
• Benefits and drawbacks of IT hardening
• Using risk assessment for finding optimal IT
hardening requirements
• Compensation safeguards
4. IT hardening
• Reducing the attack surface due
to:
• Removing unnecessary
functionality
• Enforcing additional protection
• Implementing additional
constraints
• Approach
• Self-defined benchmark
• Publicly accessible benchmarks
• Benchmarks accessible for given
organization or group of
organizations
5. IT hardening problem
• Benchmark should define the baseline for secure
configuration
• Sometimes baseline becomes too sophisticated…
• … and you need to have a way to select the
necessary safeguards.
6. IT hardening - examples
• Removing or switching off services – e.g. httpd, ftpd, sendmail etc.
• Reducing privileges for users and services
• Enforcing password policy and account lockout policy
• Enforcing time constraints for network traffic (e.g. syn flood
protection)
• Blocking insecure network protocols
• …
7. IT hardening drawbacks
• System becomes unfriendly
• Complex passwords
• Strict lockout policy
• Password history
• Restricted access time
• Restricted time-out policy
8. IT hardening drawbacks
• Communication problems
• Other systems do not support required protocols
• Communication time-outs due to slow network and
time constraints
• TCP stack hardening does not allow some required
communication
• Software-related issues
• Software does not run properly due to version
incompatibility
• Software cannot be run due to issues related to
digital certificates
9. IT hardening drawbacks
• Resource usage
• Extended events logging policy
• Space required for log storage
• Additional effort related to
system management
• Solving users’ problems
• Incompatibility issues
• Restrictive policy issues
10. Risk assessment based on ISO/IEC 27005
Risk identification
Risk estimation
Risk evaluation
11. Risk assessment and IT hardening
• Identification of assets
• Which components of the IT system should be considered: operating system,
DBMS, application server, network environment, etc.
• Which data is processed using IT system
• Consider scope and boundaries relevant to IT hardening
12. Risk assessment and IT hardening
• Identification of threats
• What may happen?
• Are we currently protected against it?
• Current system configuration
• Additional safeguards
• Are there vulnerabilities?
• How could they be removed?
• What are the consequences of the threat?
13. Risk assessment and IT hardening
• Threat analysis approach
• Understanding the threats
• Benchmark helps to identify
• Threats
• Vulnerabilities
• Benchmark is not a binary checklist any longer
• Risks related to system hardening should be considered
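The selection logic described in slides 10 to 13 (identify assets and threats, estimate risk, then evaluate each benchmark requirement against its drawbacks from slides 7 to 9) can be made concrete with a small scoring model. The following is an added example written for this page, not code from the webinar or from Galach Consulting. The 1..5 qualitative scales, the risk appetite and drawback thresholds, the effectiveness figures, the four constructed threats and benchmark items, and the hypothetical compensating safeguard are all assumptions of the example.

```python
"""Added example: deciding which benchmark hardening items to implement,
skip, or replace with a compensating safeguard, using a simplified
ISO/IEC 27005 flow (identification -> estimation -> evaluation).
All scales, thresholds and sample data below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

RISK_APPETITE = 8     # inherent/residual risk (likelihood x impact) at or below this is accepted
DRAWBACK_LIMIT = 9    # summed usability/compat/management cost above this is "too restrictive"


@dataclass
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (critical)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Safeguard:
    name: str
    effectiveness: float   # fraction of threat likelihood removed, 0.0 .. 1.0


@dataclass
class HardeningItem:
    item_id: str
    description: str
    threats: List[str]       # names of the threats this benchmark item addresses
    usability_cost: int      # 1..5: "system becomes unfriendly"
    compat_cost: int         # 1..5: communication and software issues
    management_cost: int     # 1..5: log storage, user support, incompatibility handling
    compensating: Optional[Safeguard] = None   # substitute safeguard, if one exists

    def drawback(self) -> int:
        return self.usability_cost + self.compat_cost + self.management_cost


def residual_risk(threat: Threat, effectiveness: float) -> float:
    """Risk estimation after a safeguard removes part of the likelihood."""
    return round(threat.likelihood * (1 - effectiveness) * threat.impact, 1)


def evaluate(item: HardeningItem, threats: Dict[str, Threat]) -> str:
    """Risk evaluation for one benchmark item: 'skip', 'implement' or 'compensate'."""
    worst = max(threats[name].inherent_risk() for name in item.threats)
    if worst <= RISK_APPETITE:
        return "skip"          # risk already within appetite; the item would add only cost
    if item.drawback() <= DRAWBACK_LIMIT:
        return "implement"     # meaningful risk, acceptable drawbacks
    if item.compensating is not None:
        worst_residual = max(residual_risk(threats[name], item.compensating.effectiveness)
                             for name in item.threats)
        if worst_residual <= RISK_APPETITE:
            return "compensate"   # substitute safeguard brings risk within appetite
    return "implement"         # restrictive, but the risk outweighs the drawbacks


def build_plan(items: List[HardeningItem], threats: Dict[str, Threat]) -> Dict[str, str]:
    return {item.item_id: evaluate(item, threats) for item in items}


# Constructed sample data (assumptions, not figures from the webinar).
THREATS = {t.name: t for t in [
    Threat("brute-force login", likelihood=4, impact=4),
    Threat("syn flood", likelihood=2, impact=3),
    Threat("cleartext credential capture", likelihood=3, impact=5),
    Threat("exploitation of unused service", likelihood=3, impact=4),
]}

ITEMS = [
    HardeningItem("PWD-1", "complex passwords + strict lockout + password history",
                  ["brute-force login"], usability_cost=5, compat_cost=2, management_cost=4,
                  compensating=Safeguard("hypothetical second authentication factor", 0.8)),
    HardeningItem("NET-2", "TCP stack time constraints (SYN flood protection)",
                  ["syn flood"], usability_cost=1, compat_cost=4, management_cost=2),
    HardeningItem("PROTO-3", "block insecure network protocols",
                  ["cleartext credential capture"], usability_cost=1, compat_cost=5, management_cost=3),
    HardeningItem("SVC-4", "remove unneeded services (ftpd, sendmail)",
                  ["exploitation of unused service"], usability_cost=1, compat_cost=2, management_cost=1),
]

if __name__ == "__main__":
    for item_id, decision in build_plan(ITEMS, THREATS).items():
        print(f"{item_id}: {decision}")
```

With these inputs the password item is too restrictive for the organization but its compensating safeguard keeps residual risk within appetite, the SYN flood item is skipped because the inherent risk is already acceptable, and the other two are implemented. The point of the model is not the particular numbers but that the benchmark stops being a binary checklist: each item carries an explicit risk justification and an explicit cost.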
15. Summary
• IT hardening is necessary to improve your system security
• Some requirements may seem too restrictive for your
organization
• Risk assessment may help to make a decision regarding IT hardening…
• … but you need to understand the specific requirements stated in
benchmark