System Hardening
The process of securing a system by reducing its attack surface β changing insecure default configurations, removing unnecessary software and services, applying security patches, enforcing access controls, and implementing continuous monitoring. No default configuration is inherently secure; hardening is the deliberate process of making it so.
Hardening Guide
Platform-specific documentation published by manufacturers, security organizations (CIS, NIST, DISA), or industry groups detailing the recommended security settings, configurations, and practices for securing a specific operating system, application, or device. The starting point for any hardening effort β organizations adapt these guides to their specific environment rather than building from scratch.
Mobile Device Management (MDM)
A centralized platform for managing and enforcing security policies on enrolled mobile devices β phones, tablets, and laptops. Enables remote configuration, policy enforcement (screen lock, encryption, app restrictions), and remote wipe of lost or stolen devices. The operational control layer for mobile hardening at scale.
Data Segmentation (Mobile)
The logical separation of corporate data and personal user data on a mobile device into distinct containers or work profiles. Prevents a security incident in one container from exposing data in the other β corporate data compromised does not affect personal data, and personal app malware cannot access corporate resources.
SCADA (Supervisory Control and Data Acquisition)
A large-scale industrial control system architecture used to monitor and control industrial processes β power generation, water treatment, oil and gas pipelines, manufacturing equipment. Combines networked sensors, controllers, and management interfaces. Compromise of SCADA systems can cause physical damage, safety hazards, and critical infrastructure failure. Typically isolated from corporate networks via air-gap or extensive segmentation.
ICS (Industrial Control System)
The broader category of systems used to control industrial equipment and processes, of which SCADA is one type. Includes distributed control systems (DCS), programmable logic controllers (PLCs), and other components. Distinguished from IT systems by direct physical interfaces and the potential for cyberattacks to have physical, safety, or environmental consequences.
Air-Gap
A physical network isolation technique where a system or network has no electronic connection to external networks. Used for the most sensitive SCADA/ICS systems and other critical infrastructure where even indirect connectivity creates unacceptable risk. The gold standard of network isolation β an air-gapped system cannot be reached via network-based attacks.
Embedded System
A hardware-software combination designed to perform a specific function, with the operating system embedded in the device's firmware. Examples: smart TVs, smartwatches, medical devices, industrial controllers. Often difficult to update after deployment. Hardening relies on network segmentation and firewall protection in addition to applying manufacturer patches promptly when available.
RTOS (Real-Time Operating System)
An operating system with a deterministic processing schedule where every task runs within a guaranteed time window. Used in applications where timing failures have immediate physical consequences β industrial machinery, automotive control systems (ABS, airbags), military systems, aircraft flight control. Must be isolated from general networks to prevent timing disruption and security exposure. Run with minimum services only.
IoT (Internet of Things)
Networked devices that monitor or control physical environments β smart thermostats, networked lighting, building access controls, industrial sensors, wearables. Typically manufactured by vendors whose expertise is the physical domain (HVAC, lighting), not security. Common vulnerabilities: weak default credentials, rarely updated firmware, open network services. Hardening: change defaults immediately, apply patches quickly, segment to dedicated VLAN.
Cloud-to-Cloud (C2C) Backup
A backup strategy where cloud-hosted data is copied to a different cloud provider or a separate cloud region under different credentials. Protects against data loss from the primary cloud provider's outage, accidental deletion, or ransomware. Avoids the single-provider failure mode where the same incident affects both primary data and backup.
Endpoint Detection and Response (EDR)
Client-based security technology that goes beyond traditional antivirus by monitoring for behavioral indicators of compromise β unusual process behavior, credential dumping, lateral movement techniques. Provides real-time detection of attacks in progress and response capabilities. Required on cloud management workstations and all devices accessing cloud environments to detect compromise before it extends to cloud infrastructure.