
Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.005 ■ Spring 2021 ■ Wade Mackey

Boyle and Panko Chapter 7 Host Hardening

March 12, 2020 by Wade Mackey 27 Comments

Filed Under: 09 - Host Hardening

Comments

  1. Numneung Koedkietpong says

    March 13, 2020 at 9:51 pm

    One key point that I took from this Chapter 7 – host hardening is that although patch management is one of the significant controls to protect vulnerabilities and secure systems, there are some concerns that organizations should be aware of. Organizations might get overwhelmed by tons of patch updates because there are several different operating systems. Additionally, patching requires time and labor costs. Therefore, organizations should prioritize the criticality of patching based on risk analysis. Lastly, it is important to ensure that a patch is already tested before using it in a production environment.

    • Percy Jacob Rwandarugali says

      March 14, 2020 at 6:31 pm

      Hi Neung,

      As you have mentioned, patch management is an integral part of host hardening. I also agree with you on the fact that patches should never be installed onto the production environment without testing them first because there is a possibility of crashing the entire network.

  2. Percy Jacob Rwandarugali says

    March 14, 2020 at 4:11 pm

    I learned that firewalls alone cannot be enough to protect your host and that hardening is not a single protection but rather a number of protections that include regular backup as the vital aspect, restricting physical access, and restricting the number of applications, to mention but a few.
    My unique reading, however, was learning that you can go beyond baselines by creating secure software installations and then save them as disk images of the installations on which future installations are based. This saves companies money on each installation and ensures that each server is properly configured according to the firm’s security baselines and general security policies.

  3. Akshay Shendarkar says

    March 14, 2020 at 11:41 pm

    I found this chapter informative as it gives IT Auditors a basic understanding of tasks undertaken and performed by system administrators for securing systems, including PCs. I observed that hardening a system involves a good knowledge of the OS and the applications it is running. It is crucial that system admins are up to date with the latest vulnerabilities and related patches of their respective systems. However, I was surprised by the lack of one key element in Unix/Linux systems when it comes to creating user categories. While Windows OS has 6 general categories and a further 13 special categories for differentiating users, Unix has simply 3 categories (account owner, single group, all other accounts). I am surprised that Unix/Linux, which is supposedly the most secure OS, has been turning a blind eye to a major security limitation.

    • Alexander Reichart-Anderson says

      March 17, 2020 at 1:47 am

      Hi Akshay, thank you for really getting granular with respect to the differences between the different operating systems outlined in this chapter. I would have guessed that fewer accounts/classifications would prove to be more risky for an operating system. However, the more accounts, the more possible vulnerabilities. From the auditor’s point of view, more classifications simply add more work when breaking down the security of the information assets. But, in the end — security is the main goal!

  4. Zeynep Sahin says

    March 15, 2020 at 11:53 am

    One of the takeaways of this chapter is what a security baseline is and why it is important. A security baseline is a group of configuration settings to harden hosts of a certain type of operating system. Security baselines are crucial because they constitute a standard guideline that fits all units. These settings are determined according to feedback from engineering teams, partners and customers. In today’s computing age, the security landscape is rapidly evolving, and security professionals and policy-makers are trying to keep up with new threats and make necessary changes to security settings to mitigate these. Microsoft’s Group Policy Objects Backups is an example of a security baseline that is provided to customers.

    • Innocent says

      March 15, 2020 at 5:44 pm

      Yes, security baselines are necessary for organizations to maintain to ensure the security of their operations and networks. Also, it is interesting to note that corporations have embraced cloud computing to help them decrease computing cost while also increasing their ability to quickly bring new offerings to the market. Adoption of cloud computing improved operations of organizations in terms of scalability, data loss reduction, reliability, disaster recovery and many more.

    • Numneung Koedkietpong says

      March 17, 2020 at 1:40 pm

      Hi Zeynep,
      I agree with you that a security baseline is important to organizations. A security baseline creates fundamental security safeguard controls for operating systems in all aspects, such as password policies, user privilege access, firewall, or remote access. CIS Benchmark is a good example of security baselines for the Windows operating system.

  5. Innocent says

    March 15, 2020 at 4:44 pm

    One key thing I learned from this chapter is that virtualization allows systems administrators to create a single security baseline for each server within the organization. It’s interesting to know that cloning hardened virtual machines minimizes the chance of incorrectly configuring a server, and eliminates the need to install applications, patches, or server packs. Also, operating via virtual environments is beneficial to businesses because it reduces labor costs associated with server administration, development, testing, and training. Virtual environments can as well reduce utility expenses by shutting down unused physical servers and increasing fault tolerance and availability.

    • Imran Jordan Kharabsheh says

      March 16, 2020 at 9:44 pm

      Hello,
      I thoroughly enjoyed reading your thoughts on the seventh chapter of the Corporate Computer Security textbook, since virtualization technology is slowly becoming one of the more discussed topics in many of my courses. The benefits of virtualization that you’ve highlighted also really help provide smaller organizations with the opportunity to employ and practice a fully-fledged cyber security program without the need for many physical resources, which can often be expensive.

  6. Christopher James Lukens says

    March 15, 2020 at 5:21 pm

    Chapter 7, host hardening, is an interesting topic because of the diversity of controls needed to properly harden a host. Elements from physical security, access control, firewall configuration, and even cryptography all need to be considered when hardening the host. Hardening can get even more challenging when organizations have multiple OSs running that all need baselines configured to operate securely. Fortunately, there are a number of actions that can be applied to any operating system that will help the process of hardening. I really like figure 7-2 in the chapter, and all 14 elements of host hardening suggested are relatively easy to follow and make your security posture much more secure. The elements from figure 7-2 are listed below.
    1) Backup
    2) Backup
    3) Backup
    4) Restrict physical access
    5) Install OS with secure config options
    6) Minimize applications on the host
    7) Harden all remaining applications
    8) Download patches regularly
    9) Manage groups and users securely
    10) Manage user permissions
    11) Encrypt where appropriate
    12) Add a host firewall
    13) Review logs
    14) Run vulnerability tests

    • Numneung Koedkietpong says

      March 16, 2020 at 2:49 pm

      Hi Chris,
      You made a good point that it is challenging to control and monitor when organizations have multiple systems because different systems have different security baseline controls. Additionally, the 14 elements of host hardening are also interesting; companies can apply these safeguards, such as backup and restricting physical access, to secure the network and OS.

    • Natalie Dorely says

      March 18, 2020 at 8:25 pm

      Hi Chris,

      I think it’s also interesting how host hardening can be a combination of different security processes put together. It’s important for an IT personnel to be aware of this and how challenging this can be as well.

      Best,
      Natalie Dorely

  7. Junjie Han says

    March 15, 2020 at 5:57 pm

    A host is any computer that has an IP address. Host hardening refers to protecting the host from attack. For example, regular backups, limited physical access to the host, default passwords that need to be replaced by strong passwords, and reduced application usage on the host. It’s all about reducing the likelihood of being attacked. Virtualization is a common example. Virtual machines minimize the chance of misconfiguring the server, reduce the time required to configure the server, and eliminate the need to install applications, patches, or service packs. In addition to being more secure, virtual environments benefit enterprises by reducing labor costs associated with server administration, development, testing, and training.

    • Innocent says

      March 17, 2020 at 12:50 am

      Hi Han, You’re right by stating that organizations benefit a lot with the use of virtualization because it reduces labor cost associated with server administration, development, testing and training. Virtual environments can as well reduce utility expenses by shutting down unused physical servers and increasing fault tolerance and availability.

      • Junjie Han says

        March 17, 2020 at 6:54 pm

        Yes, you’re right. Shutting down unused physical servers increases fault tolerance. And you can save the Settings, open it again to keep the Settings. This is very convenient.

    • Peiran Liu says

      April 1, 2020 at 1:23 pm

      Hi Junjie,

      In my opinion, although using virtual machines can reduce the labor cost for the company, it should not be the go-to option for most companies. Virtualization doesn’t work as efficiently as a normal computer. If the company is able to purchase a huge number of computers and also needs to utilize all of the benefits of virtualization, then it will be the go-to option for those companies.

  8. Imran Jordan Kharabsheh says

    March 15, 2020 at 7:31 pm

    As I was reading through the seventh chapter of the Corporate Computer Security textbook which revolves around the most common methods used to protect all manner of devices that have an IP address, I began to develop an interest in the section that discusses some of the challenges faced by organizations in regards to patching their servers and software. This section really helped open my eyes to the perspective of system administrators and why they may choose to neglect patching their servers or software, with some of the more pressing concerns being the sheer amount and frequency that patches and updates come out. Among the more interesting of these concerns that system administrators face that I previously didn’t really know about is the different costs associated with patch installation, such as the labor costs associated with finding and downloading the patches that are released and the time costs associated with applying each of these patches.

    • Sarah Puffen says

      March 17, 2020 at 11:43 am

      This is something that I also wasn’t aware of, and while not patching due to cost isn’t exactly excusable, it does shed some light as to why systems go unpatched for so long. I think that sometimes we tend to think in an idealistic way and expect everyone to patch their systems accordingly, but since we’re so used to doing it on a small scale, like installing Windows updates, it’s sometimes difficult to understand how disruptive and costly it can be to do the same on a larger scale, multiple times per year.

    • Akshay Shendarkar says

      March 18, 2020 at 2:38 pm

      Hello Jordan,

      I would like to add further to your observation on why patching is regularly neglected. There is also a factor of accountability associated with this. Whenever new patches are released by the manufacturer, no one wants to try the patch first on their own production system, as no one knows how the system might behave after applying patches. This is especially true for servers hosting mission critical applications, which need continuous uninterrupted service. Applying patches on these servers is a big risk for both the server admin as well as the owner of the application, as unavailability of these services can directly lead to employees getting terminated.

  9. Sarah Puffen says

    March 15, 2020 at 8:41 pm

    In Chapter 7, one interesting thing I found about host hardening is how the high number of patches released by vendors per year, along with the high cost associated with patch management, can be a reason why systems aren’t always up to date. As we saw in previous case studies, patch management is a vital part of any system that can often be seen as a hassle due to the time it takes to apply these patches. Another reason for not applying patches is the notion that they can possibly cause more harm than good, like freezing a system, so it’s better to just leave the system as is since it’s working just fine. One way to mitigate this is by having a test system where the patches can be installed and observed for any negative effects. This is one of the best ways to understand how a patch is going to affect a system; however, it’s also worth noting that not all companies are going to have the resources to have a test system for this purpose (an example being a non-profit).

    • Zeynep Sahin says

      March 16, 2020 at 10:37 pm

      Hi Sarah,
      You explained the importance of testing new patches before deploying them well. Organizations may perform tests inside of a sandbox environment before deploying patches. As you said, it keeps any problems from impacting production systems. Mostly, organizations perform a pilot deployment after discovering no problems from sandbox testing. Pilot deployment is done to verify patches on a limited number of production systems to make sure patches work properly. If patches pass this test too, they can be deployed on an organization-wide basis.

  10. Natalie Dorely says

    March 15, 2020 at 9:04 pm

    Host hardening is an important process/concept for IT Auditors to understand. It made me think of firewalls and how those work to help secure systems and devices. The amount of different trial and error combinations between firewalls, patching and other security measures often performed to protect the information systems is endless. As an IT Auditor, recognizing vulnerabilities and guiding organizations to ensure maximum security is the basis of the position.

  11. Joseph Nguyen says

    March 15, 2020 at 9:52 pm

    Pentesting servers and hosts (both Unix/Windows) is one good way to harden them. Closing/uninstalling all unnecessary ports/services should not only reduce the surface of attack but also free up some resources as well.

  12. Alexander Reichart-Anderson says

    March 15, 2020 at 11:53 pm

    Chapter 7 of Boyle and Panko has many tidbits regarding security baselining and overall procedures that any organization can execute to secure their systems. One aspect that I found interesting is the virtualization aspect of hosting servers. By virtualizing computer disk images, organizations hold backups of their servers on 3rd party sites. This has a dual impact on the security of the information assets. By 1) holding copies, the firm is prepared if their original system is compromised and 2) by holding the copies in a virtual environment, the firm is mitigating its risk on multiple systems (aside from a physical location).

    • Christopher James Lukens says

      March 17, 2020 at 10:31 am

      Back up, back up, back up. Holding backups in multiple locations and in multiple formats increases your ability to restore in the case of an incident or disaster. You should always be making sure the backup strategy is taking place and test them periodically.

  13. Peiran Liu says

    March 26, 2020 at 2:10 pm

    The key takeaway from chapter 7 is how fast vulnerabilities can come. But there are vulnerability finders that could notify software vendors, so that vendors can develop fixes for these vulnerabilities. There are also some attacks that come before fixes are released, called zero-day attacks, which means some hired vulnerability finders might leak some bugs to hackers. This is why a final fix right before software launch is also important for software vendors.
