0 / 10 flipped
Concept
Why are default configurations never secure, and what is the starting point for hardening any system?
Answer
Default configurations optimize for usability and compatibility, not security β open ports, weak credentials, unnecessary services, verbose logging disabled. They must work out of the box for non-security-aware setup.
The starting point for hardening is a platform-specific hardening guide from the manufacturer. If none exists, third-party benchmarks (CIS, NIST, DISA STIGs) provide platform-specific recommendations for most common systems.
The starting point for hardening is a platform-specific hardening guide from the manufacturer. If none exists, third-party benchmarks (CIS, NIST, DISA STIGs) provide platform-specific recommendations for most common systems.
Term
Mobile Device Hardening β three key controls
Definition
1. Updates: Apply OS security patches promptly β mobile devices are always connected and exposed; unpatched mobiles provide known attack vectors.
2. Data segmentation: Separate corporate and personal data into distinct containers (work profile) β compromise of one does not expose the other.
3. MDM: Mobile Device Management platform enforces security policies, pushes configurations, and enables remote wipe β makes hardening scalable across a fleet.
2. Data segmentation: Separate corporate and personal data into distinct containers (work profile) β compromise of one does not expose the other.
3. MDM: Mobile Device Management platform enforces security policies, pushes configurations, and enables remote wipe β makes hardening scalable across a fleet.
Term
Workstation Hardening β four key controls
Definition
1. Patch all three layers: OS, applications, and firmware β each can contain exploitable vulnerabilities.
2. Policy management: Active Directory Group Policy enforces settings consistently and reapplies them if changed.
3. Remove unnecessary software: Every installed application is a potential attack vector; minimize the inventory.
4. EDR: Behavioral detection beyond traditional AV β detects active attacks on the endpoint.
2. Policy management: Active Directory Group Policy enforces settings consistently and reapplies them if changed.
3. Remove unnecessary software: Every installed application is a potential attack vector; minimize the inventory.
4. EDR: Behavioral detection beyond traditional AV β detects active attacks on the endpoint.
Concept
What makes network infrastructure devices unique hardening targets, and what is the single most important first step?
Answer
Network infrastructure devices (switches, routers, firewalls) run purpose-built embedded operating systems β not Windows or Linux. They have limited management interfaces, rare firmware updates, and are rarely interacted with directly by users β making them easy to overlook.
The single most important first step: change default credentials immediately. These devices often ship with well-known defaults documented in public manuals. Default credentials are among the most actively exploited weaknesses in network infrastructure.
The single most important first step: change default credentials immediately. These devices often ship with well-known defaults documented in public manuals. Default credentials are among the most actively exploited weaknesses in network infrastructure.
Term
Cloud Infrastructure Hardening β four pillars
Definition
1. Secure cloud management workstation: Harden and EDR-protect the machine that controls cloud resources β its compromise = entire cloud environment.
2. Least privilege: Every service, account, and app has only the permissions its function requires.
3. EDR on all cloud-connected endpoints: Behavioral detection on all devices with cloud access.
4. Cloud-to-Cloud (C2C) backup: Replicate to a different provider/region so a provider outage or ransomware doesn't eliminate both primary data and backup.
2. Least privilege: Every service, account, and app has only the permissions its function requires.
3. EDR on all cloud-connected endpoints: Behavioral detection on all devices with cloud access.
4. Cloud-to-Cloud (C2C) backup: Replicate to a different provider/region so a provider outage or ransomware doesn't eliminate both primary data and backup.
Term
SCADA / ICS β definition, risk, and primary hardening approach
Definition
Definition: Supervisory Control and Data Acquisition / Industrial Control System β manages physical industrial processes (power generation, water treatment, manufacturing).
Risk: Compromise causes physical damage, safety hazards, and critical infrastructure failure β not just data breach.
Primary hardening: Air-gap or extensive segmentation β the ICS network is isolated from corporate IT and has no internet access. Physical process control requires no connectivity with general networks.
Risk: Compromise causes physical damage, safety hazards, and critical infrastructure failure β not just data breach.
Primary hardening: Air-gap or extensive segmentation β the ICS network is isolated from corporate IT and has no internet access. Physical process control requires no connectivity with general networks.
Term
RTOS (Real-Time Operating System) β what it is and how it is hardened
Definition
What it is: An OS with a deterministic processing schedule β every task runs within a guaranteed time window. Used where timing failures have immediate physical consequences: industrial machinery, automotive control (ABS, airbags), military systems.
Hardening:
β’ Isolate from all general networks β network traffic disrupts deterministic timing and introduces attack vectors
β’ Run minimum services only β fewer processes = more predictable behavior, fewer vulnerabilities
β’ Host-based firewall for any required communication
Hardening:
β’ Isolate from all general networks β network traffic disrupts deterministic timing and introduces attack vectors
β’ Run minimum services only β fewer processes = more predictable behavior, fewer vulnerabilities
β’ Host-based firewall for any required communication
Concept
Why are IoT devices inherently difficult to secure, and what are the three most important IoT hardening actions?
Answer
Why difficult: IoT manufacturers are domain experts (HVAC, lighting, sensors), not security professionals. Devices ship with weak defaults, receive infrequent updates, have limited management interfaces, and often cannot run endpoint security software.
Three key actions:
1. Change default credentials immediately β published defaults are actively exploited (Mirai botnet)
2. Apply patches quickly β patches are rare; when one is available, every day of delay is exploitable
3. Segment to own VLAN β network containment limits blast radius when device-level hardening is insufficient
Three key actions:
1. Change default credentials immediately β published defaults are actively exploited (Mirai botnet)
2. Apply patches quickly β patches are rare; when one is available, every day of delay is exploitable
3. Segment to own VLAN β network containment limits blast radius when device-level hardening is insufficient
Concept
What is the hardening challenge unique to embedded systems, and what is the compensating control when patching is not possible?
Answer
Unique challenge: The operating system is firmware-embedded in the device at manufacture. Many embedded systems β particularly industrial equipment and older purpose-built appliances β have no mechanism to receive software updates after deployment. Vulnerabilities may remain permanently unpatched.
Compensating control: Network segmentation + firewall in front of the segment. Place embedded devices on an isolated network segment; a firewall controls what they can reach and what can reach them. Limits the impact if an unpatched device is compromised.
When patches ARE available, apply immediately β embedded patches are rare and significant.
Compensating control: Network segmentation + firewall in front of the segment. Place embedded devices on an isolated network segment; a firewall controls what they can reach and what can reach them. Limits the impact if an unpatched device is compromised.
When patches ARE available, apply immediately β embedded patches are rare and significant.
Concept
How does server hardening differ from workstation hardening, and what four controls does server hardening emphasize?
Answer
Key difference: Servers hold critical data, run continuously, and have operational dependencies β patching requires change control, reboots have impact, and compatibility testing is more critical than for workstations.
Four server hardening controls:
1. OS patches and service packs β with change control and testing
2. Strong account controls β minimum password length/complexity, disable dormant accounts, least privilege for service accounts
3. Limit network access β firewall rules restrict which systems can reach the server
4. EDR + AV β behavioral monitoring detects active intrusions
Four server hardening controls:
1. OS patches and service packs β with change control and testing
2. Strong account controls β minimum password length/complexity, disable dormant accounts, least privilege for service accounts
3. Limit network access β firewall rules restrict which systems can reach the server
4. EDR + AV β behavioral monitoring detects active intrusions