PACE-IT, Security+ 4.3: Solutions to Establish Host Security

Solutions used to
establish host
security.

Instructor, PACE-IT Program – Edmonds Community College
Areas of Expertise Industry Certifications
 PC Hardware
 Network Administration
 IT Project Management
 Network Design
 User Training
 IT Troubleshooting
Qualifications Summary
Education
 M.B.A., IT Management, Western Governor’s University
 B.S., IT Security, Western Governor’s University
Entrepreneur, executive leader, and proven manger
with 10+ years of experience turning complex issues
into efficient and effective solutions.
Strengths include developing and mentoring diverse
workforces, improving processes, analyzing
business needs and creating the solutions
required— with a focus on technology.

PACE-IT.
– Hardening physical hosts.
– Hardening virtual hosts.

Solutions used to establish host security.

The individual hosts on a
network are the target of
hackers. It is the resources
that they contain that the
attackers are after.
Because the major purpose of networks is to create a way in
which communication and data can flow between systems, they
are vulnerable to being breached by hackers. This means that,
once a breach has occurred, it is vital that all of the hosts on a
network be hardened against attack.
Hardening hosts is the process of putting technological controls in
place that help to ensure the safety and integrity of the hosts—
including the data and resources that they contain.

– Basic methods of hardening hosts.
» Operating system (OS) hardening: remove or disable any
unnecessary features and services to reduce the OS’s attack
surface
• All features and services will present some type of
vulnerability that can be exploited.
» OS security settings: review all security settings available in
the OS and enable as many of them as make sense to help
harden the OS.
• Do not leave defaults in place; defaults are well known and
may represent a chink in the OS’s armor.
» Anti-malware: install it to protect against common attacks.
• Anti-malware applications should contain antivirus, anti-
spyware, pop-up blockers, and anti-spam features.
» Patch management: ensure that the OS is kept up to date with
current security patches supplied by the manufacturer of the
OS.
• All software installed on the host should also be part of the
patch management program to ensure that those applications
don’t become a weakness in the system.
• All firmware should also be patched as required.

– More advanced methods of hardening
hosts.
» Trusted OS: using an OS that implements multiple layers of
security by design (e.g., requires authentication and
authorization before granting access to host resources).
» Whitelisting applications: only applications that are
specifically designated in the whitelist are allowed to run on the
host.
» Blacklisting applications: explicitly denying (blocking) named
applications from being run on a host.
» Host-based firewalls: using host-based firewalls to control
what network traffic can be allowed into or out of the host.
• Especially important for mobile devices.
» Host-based intrusion detection system (HIDS):
implemented to monitor the host to help detect when an
intrusion has occurred to help minimize (or contain) any
damage.
» Host software baselining: baselining software can be used to
ensure that all OSs and applications on a host meet or exceed
the minimum level of security that is required.

Physical security controls
can be overlooked when
implementing host
hardening methods.
If an attacker has unfettered physical access to a host, it will not
matter how much hardening has been done to the host system. If
nothing else, the attacker can just walk away with the asset in
order to breach it at his or her leisure.
To reduce a hacker’s physical access to hosts, some physical
security controls should be put in place. Some of the controls that
should absolutely be used include locking cabinets for networking
equipment and servers. Safes may also be considered for
storage of smaller hosts. Cable locks can also be used to help
physically secure hosts from theft.

– Methods of hardening virtual hosts.
» Snapshot: an image of the virtual host created at a point in
time when that host is secure.
• It can be used to quickly revert the virtual host in cases where
security has been compromised.
• Snapshots can also be used to bring new hosts into service
quickly and efficiently as needed, creating elasticity in the
system.
» Patch management: same consideration as with physical
hosts.
» Host availability: high availability methods should be used to
ensure that virtual host systems are available to users as
needed, removing single points of failure.
» Security control testing: separate security testing should be
conducted on virtual systems to ensure that they operate as
expected.
» Sandboxing: when high security is needed, a sandboxed
environment can be created.
• Creating a virtual environment in which the virtual machines
are restricted to what they have access to.

The individual hosts of a system are the actual targets of hackers.
Hardening solutions (technological controls) should be put in place to help
protect hosts from attack. Some of these controls include: OS hardening,
OS security settings, anti-malware applications, patch management, using
a trusted OS, whitelisting and blacklisting applications, installing a host-
based firewall and HIDS, and using host baselining software. Physical
security controls should also be put in place. These may include: locking
cabinets, safes, and cable locks.
Topic
Hardening physical hosts.
Summary
Steps may also be taken to harden virtual hosts. These include: using
snapshots to create an image of the host when it is considered secure,
patch management, host high availability techniques (removing single
points of failure), security control testing, and sandboxing.
Hardening virtual hosts.

This workforce solution was 100 percent funded by a $3 million grant awarded by the
U.S. Department of Labor's Employment and Training Administration. The solution was
created by the grantee and does not necessarily reflect the official position of the U.S.
Department of Labor. The Department of Labor makes no guarantees, warranties, or
assurances of any kind, express or implied, with respect to such information, including
any information on linked sites and including, but not limited to, accuracy of the
information or its completeness, timeliness, usefulness, adequacy, continued availability
or ownership. Funded by the Department of Labor, Employment and Training
Administration, Grant #TC-23745-12-60-A-53.
PACE-IT is an equal opportunity employer/program and auxiliary aids and services are
available upon request to individuals with disabilities. For those that are hearing
impaired, a video phone is available at the Services for Students with Disabilities (SSD)
office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call
425.354.3113 on a video phone for more information about the PACE-IT program. For
any additional special accommodations needed, call the SSD office at 425.640.1814.
Edmonds Community College does not discriminate on the basis of race; color; religion;
national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran
status; or genetic information in its programs and activities.

PACE-IT, Security+ 4.3: Solutions to Establish Host Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to PACE-IT, Security+ 4.3: Solutions to Establish Host Security

Similar to PACE-IT, Security+ 4.3: Solutions to Establish Host Security (20)

Recently uploaded

Recently uploaded (20)

PACE-IT, Security+ 4.3: Solutions to Establish Host Security