Hardware and software should be hardened as much as possible before they are added to a network. Organizations should assume that a device or application is not safe when they receive it. The client should research and identify any issues that the manufacturer or publisher is already aware of, and all known vulnerabilities should be addressed. Further testing should then be performed to try to uncover vulnerabilities that are not already known. The manufacturer of the hardware or software should also be made aware of any vulnerabilities that you find as part of your testing.
Hardening techniques can include:
- Checking with any industry standards organizations that the client needs to comply with to see what guidelines they have for system hardening.
- General standards for hardening are offered by ISO, SANS, NIST, CIS (Center for Internet Security), and more.
- Installing any patches and updates hardware manufacturers and software publishers have available.
- Incorporating a patch management/change management process to optimize the patching process.
- Ensuring systems are incorporating firewall and anti-malware solutions.
- Ensuring firewalls are configured to uphold the principle of least privilege.
- Disabling specific ports or services that aren’t needed.
- Uninstalling any software that isn’t needed.
- Ensuring hosts are properly segmented from other hosts on the network.
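
One way to check the "disabling specific ports or services that aren't needed" item, as an added example that is not part of the original text: the script below compares a host's listening sockets, as printed by `ss -H -tulnp`, against an approved baseline and reports whether each extra listener is reachable from the network. The sample output, the baseline and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 [::]:22       [::]:*    users:(("sshd",pid=812,fd=4))
tcp LISTEN 0 511 0.0.0.0:443   0.0.0.0:* users:(("nginx",pid=901,fd=6))
tcp LISTEN 0 32  *:21          *:*       users:(("vsftpd",pid=1002,fd=3))
tcp LISTEN 0 5   127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
udp UNCONN 0 0   0.0.0.0:5353  0.0.0.0:*
"""
# Hypothetical approved baseline for this host role: (protocol, port).
APPROVED = {("tcp", 22), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "[::1]"}
PROC_RE = re.compile(r'\(\("([^"]+)"')

def parse_listeners(ss_output):
    """Return one dict per listening socket line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        proc = PROC_RE.search(line)
        # ss omits the process column when run without enough privilege
        listeners.append({"proto": fields[0], "addr": addr, "port": int(port),
                          "process": proc.group(1) if proc else "unknown"})
    return listeners

def unapproved(listeners, approved):
    """Map (proto, port) outside the baseline to process and exposure."""
    findings = {}
    for sock in listeners:
        key = (sock["proto"], sock["port"])
        if key in approved:
            continue
        entry = findings.setdefault(key, {"process": sock["process"], "exposed": False})
        if sock["addr"] not in LOOPBACK:
            entry["exposed"] = True  # reachable from other hosts unless firewalled
    return findings

if __name__ == "__main__":
    for (proto, port), f in sorted(unapproved(parse_listeners(SAMPLE_SS), APPROVED).items()):
        scope = "network-reachable" if f["exposed"] else "loopback only"
        print(f"{proto}/{port} ({f['process']}): {scope}, review or disable")
```

Each reported listener is a candidate for disabling the service, uninstalling the software, or adding a firewall rule, and the baseline itself belongs under the same change management as patches.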