How many devices are used in your business? Hundreds? Thousands? From mobile phones to laptops, through to servers, printers and IOT enabled devices, the web of assets that can connect into your network can be vast.
Every device, or endpoint, running an operating system is a potential inroad for a hacker to breach your business. And while it might seem like an impossible task to ensure every endpoint is as secure as possible, there are some basic things you can do that will make a big difference when it comes to closing off options for hackers.
When IT orders a new laptop or mobile phone for an employee, more often than not it comes pre-loaded with a plethora of applications and software that simply aren’t needed. From secondary browsers to free trials of productivity software, even devices sold for enterprise often carry a lot of digital bloat that goes unused by the average corporate worker.
It might seem harmless enough to just leave this software as is, but it’s important to understand that the more applications that exist on a device, the greater surface there is for an attacker to leverage.
Think of it this way – imagine if that secondary browser that sits unused on your desktop was found to have a critical vulnerability that was being actively exploited by hackers. If you’re not regularly using the browser, you might miss an important security update. Suddenly that seemingly harmless application becomes a ticking timebomb – one click away from becoming an open door for hackers looking for unpatched applications to exploit.
It’s not just software that is an issue – a lot of hardware comes packed with features and functions, some of which are completely superfluous to your needs. For example, your IOT device might come with Bluetooth connectivity or a camera, which could be used as a foothold for an attacker, even if you don’t actually use these features for your everyday operations.
That’s why we recommend each device used by your business goes through a hardening process, where applications and functions that are not needed are switched off or removed, leaving you only with the business-critical apps and software that you need. You can also determine other security controls, such as anti-virus and VPN software, that can be used by your employees to further strengthen security as they go about their daily tasks.
The best way to do this for personal devices is to create a hardened or gold image and build each laptop and smartphone to this standard. The CIS benchmarks are a great resource to help you determine what you should turn off, and what should be turned on – and it is free! If you can apply this gold image to every employee’s device, you can immediately reduce your attack surface, and make patching a more manageable process.
Creating a gold image isn’t a set and forget exercise – it’s important to treat this as a “living image” and constantly refresh and renew it. As the threat landscape evolves and software vendors release patches and upgrades, you will need to make updates to your image to ensure it’s up to your required security standards.
There are plenty of tools that can push out your updated hardened image to devices. Microsoft’s Intune is a perfect example. This makes light work of updating 3rd party software – simply push out any updates via Intune and each device should prompt employees to update and refresh their machines with the latest software versions.
You can even build multiple images for different parts of the business – for example, your finance team might require access to certain platforms that the rest of the business doesn’t need, so you can build a custom image for just users in the finance team to use.
While employee devices make up a large proportion of your endpoints, businesses also need to take the same approach to other hardware, hardening anything with an operating system.
Take your server for example. The default settings on most servers are not setup with security in mind – and like personal devices, servers often come with unnecessary software, which should be removed if not needed. It’s really critical for IT teams to go through that process of reconfiguring your corporate server to ensure it meets your standards of security. Servers are a lucrative target for cyber criminals looking to extract the most value from their efforts breaching your business.
Some equipment may not be able to go through the hardening process – operational technology and IOT is a notorious example of this. Perhaps the operating system is too old or clunky to be updated or modified, or there might not be an appropriate patch or update from the vendor. In these cases, you might want to consider a mitigation – ie standing up another layer of defence such as a firewall. A penetration test may be helpful here, to determine the weak points of this infrastructure and how to best resolve them.
If endpoint hardening hasn’t been a big consideration for your business thus far, I’d urge you to set up a process to start implementing the basics. Your employees are only human, and by giving them a device that’s sufficiently hardened against as many vulnerabilities and risks as possible, you’re reducing the chance of them accidently clicking on or exposing your business to opportunistic hackers.
The key to endpoint and server hardening, like all parts of cyber security, is consistency – if you can build a process around a hardened image, regularly update it and push this out to your endpoints, you’re already on the path to a more secure and operationally efficient organisation.
