0 / 10 flipped
System Hardening
Tap to reveal
The process of reducing a device's attack surface by eliminating unnecessary features, enforcing strict access controls, keeping software current, and encrypting sensitive data. Applied across all platforms: Windows, Linux, macOS, iOS, Android, and network appliances. No single technique provides complete protection β hardening is a collection of layered controls where each layer addresses scenarios the others miss. Core principle: defense in depth. Hardening is ongoing, not a one-time event β configurations drift, new software is installed, and new vulnerabilities emerge. An effective hardening program includes initial setup, periodic assessment (Nmap scans, vulnerability scans), and continuous monitoring for deviations.
EDR β Three Phases
Tap to reveal
Endpoint Detection and Response operates across three phases: Detect: uses signatures (known malware), behavioral analysis (malicious patterns without a signature β e.g., Office spawning PowerShell), machine learning (structural similarity to known malicious code), and process monitoring (anomalous process trees and connections). Investigate: performs root cause analysis β traces back through process trees, file writes, and network connections to identify the full attack chain and initial access vector. Respond: automatically isolates the endpoint (severs network connection), quarantines malicious files and persistence mechanisms, and rolls back the OS to a pre-infection configuration. All three phases are API-driven β no technician intervention required. EDR addresses the 1M+ new malware variants per day problem that makes signature-only detection insufficient.
Behavioral Analysis
Tap to reveal
An EDR detection method that identifies malicious activity based on what a process does rather than what it is. Does not require an existing signature β detects unknown and zero-day malware by recognizing attack patterns. Examples of behavioral indicators: word processor spawning a command interpreter (macro exploitation), script interpreter downloading and executing a binary, a new process writing to system directories immediately after installation, a process modifying the run registry key without an authorized deployment, mass file read-write of diverse types at high speed (ransomware encryption pattern). Key distinction from signatures: behavioral analysis can detect an attack even if the specific malware has never been observed before, because the technique (Office macro β PowerShell β download β execute) is the same regardless of the specific payload.
Host-Based Firewall
Tap to reveal
A software firewall running on the endpoint OS that controls both inbound and outbound network connections at the application-process level. Unlike a network firewall, a host-based firewall sits on the OS and sees traffic before encryption (outbound) and after decryption (inbound) β giving it full application-layer visibility. Per-process rules enable: permitting chrome.exe on port 443 while blocking an unknown process using the same port; detecting malware the moment it attempts its first outbound C2 connection (new, unrecognized process initiating network access). Centrally managed via Group Policy (Windows Defender Firewall) or endpoint management platforms. Last line of network-layer defense β enforces policy at the endpoint regardless of what network controls allowed through.
HIPS β Detection and What It Catches
Tap to reveal
Host-Based Intrusion Prevention System β monitors OS-level activity and blocks malicious actions inside the endpoint. Three detection methods: Signature: matches OS behaviors/memory patterns against known attack signatures. Heuristic: evaluates behavior against rules defining suspicious-but-not-confirmed-malicious patterns. Behavioral: establishes normal OS activity baseline and alerts on significant deviations. HIPS-specific detections include: buffer overflows (process writing beyond allocated memory β classic code execution exploit), unauthorized registry modifications (run keys, security policy modifications), writes to protected OS directories (C:\Windows\System32\ by a non-system process = rootkit/DLL hijacking indicator), and unauthorized kernel driver installation. In modern deployments, HIPS is integrated into EDR agents β not a separate standalone product.
Open Ports β Hardening Principle
Tap to reveal
Every open port is a potential entry point β a service is listening there, and that service may have vulnerabilities, accept weak authentication, or expose unintended functionality. Hardening principle: close every port that is not required for the system's function. Port management process: (1) inventory with Nmap β document all actually-open ports; (2) map to services β identify which service each port belongs to; (3) disable unnecessary services; (4) enforce with firewall β NGFW preferred (enforces by application identity, not just port number, preventing port re-use by malware); (5) monitor continuously β software updates silently re-open ports. Beware vendor instructions to "open ports 0β65535" β this is not a technical requirement, it is vendor avoidance of support calls. Identify the specific ports the application actually uses and open only those.
Nmap
Tap to reveal
The industry-standard open-source network scanner for port discovery during hardening assessments. A basic scan of a single host (nmap -sV [target]) takes seconds and returns all open TCP ports with service version information. Used for: (1) pre-hardening baseline β what is currently open on the system; (2) post-hardening verification β confirm that unnecessary ports were closed; (3) ongoing monitoring β periodic scans that alert when a system's port profile changes unexpectedly (a new open port can indicate a new service, a misconfiguration, or malware establishing a listening channel). Exam connection: when a question asks how to verify which ports are open on a system or how to confirm a hardening change was effective, Nmap is the correct tool. Port scanners are both a hardening tool and an attacker reconnaissance tool β the same scan that helps you find unintended open ports also helps an attacker find them first.
Default Credentials
Tap to reveal
Usernames and passwords shipped with devices and applications from the manufacturer β identical across every unit sold and publicly documented in vendor manuals. An attacker who identifies a device model can look up its default credentials immediately. Hardening requirement: change all default credentials before placing any device in service. Applies to: network devices (routers, switches, firewalls, WAPs), server management interfaces (IPMI/iDRAC/iLO), application management consoles (database admin tools, monitoring platforms), and IoT/embedded devices (cameras, printers, VoIP phones, building systems). Additional hardening beyond password change: restrict management interface access to a dedicated management VLAN (not reachable from general user network); add MFA; integrate with centralized authentication (RADIUS/LDAP) for centralized policy, audit logging, and password management.
Removal of Unnecessary Software
Tap to reveal
A hardening practice that permanently reduces the attack surface by uninstalling applications, OS components, roles, and features not required for a system's intended function. Every installed application is a vulnerability source: it contains bugs; it requires ongoing patching (with its own update process, adding maintenance burden); and if unused, it is typically not monitored for new CVEs. Removal eliminates these risks entirely. Common targets: default OS components (Telnet, FTP, SMBv1 β the WannaCry vector), OEM bloatware, development tools on production servers (compilers, debuggers β attackers use them for payload development), deprecated/unsupported software (no future patches), and applications from decommissioned projects. On servers: install only OS roles required for that server's function. Exam rule: when a vulnerability is found in software that is not being used, the correct action is removal β not patching.
Password Policy + Least Privilege
Tap to reveal
Two complementary OS-level hardening controls applied to user accounts. Password policy: enforces minimum length (commonly 8β16 characters) and complexity (uppercase, lowercase, numbers, special characters) β increases brute-force cost; typically enforced via Group Policy on Windows domains. Least privilege: each account receives only the rights required for its specific function β standard users do not get local administrator rights on their workstations. Why least privilege matters for hardening: malware executing in user context inherits the user's permissions. Without admin rights, malware cannot install kernel drivers, modify system services, write to protected directories, or create high-privilege persistence mechanisms. The blast radius of a compromised standard account is dramatically smaller than a compromised admin account. Correct model: standard account for daily work; temporary elevation only for specific admin tasks.