Hardened Baseline: A Guide
One of the best ways to lay a foundation for a resilient cyber risk posture is to ensure you have a hardened baseline rolled out across all organizational devices.
What is a hardened baseline?
According to NIST, a hardened baseline is a documented set of specifications for a network or configurable device which has been reviewed and agreed upon by the appropriate authorities in an organization, and which can only be changed through a formal procedure. It encompasses the steps taken to set a foundational security standard across your network and devices.
How does baseline hardening work?
Baseline hardening works on the principle of reducing a system’s attack surface and making it more difficult for a threat actor to gain access to or exfiltrate data from the system. This is done by limiting access to non-essential services and features, regular patching, and rolling out features such as authentication, hard disk encryption, and additional security technologies.
Why is it necessary?
Whenever you add a new element to your system, you expand your attack surface and introduce a new potential avenue of attack. In addition, out-of-the-box configurations are generic and predictable, which makes it easy for threat actors to take advantage of systems left on their default configuration. You need to check that the features you are using are behaving appropriately, and that anything unnecessary is removed or deactivated. This removes an easy pathway for attackers to compromise your systems.
What if you don't have a hardened baseline?
Not having a hardened baseline means that you cannot be certain that all devices and assets are meeting your organization’s security standards; they may be providing unnecessary points of attack for threat actors, as well as opportunities for accidental data breaches. Additionally, you risk penalties from government or regulatory bodies, revocation of funding or of access to government programs, and reputational damage should clients, staff, or partners be impacted by a security incident at your organization.
Hardening standards
You should begin the process of baseline hardening by assessing the current status of your security controls against a recognized framework. Which framework you choose (ISO, NIST, CIS, PCI) will depend on your purposes and regulatory requirements. These organizations provide many resources and guides on hardening standards. By hardening in line with recognized standards you not only assure yourself of industry best practice, but also streamline future audits and assessments.
Consistency builds resilience
Your hardened baseline should be rolled out across the organization with no exceptions. This consistency makes it easier to manage devices and configurations long term as your network grows, as you can be assured that everything is meeting the agreed standards. Device and service onboarding, off-boarding, and reviews will be made more efficient by applying a consistent standard. If there are any deviations, you should ensure that these are documented and reviewed by the security team on a regular basis.
An ongoing exercise
Technology changes, and existing devices, software and services will have new features and capabilities installed with patches. You need to be prepared to adapt your documented hardened baseline standard when this happens and adjust settings both for that asset and across the network if necessary. It is worth factoring a hardened baseline review into your system patching process and update schedule to keep everything up to date and to ensure nothing falls below your standards.
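The two points above (deviations must be documented and reviewed on a schedule, and the baseline check must be repeated as things change) can be expressed as a small drift check. The following is an added example, not taken from the guide or from NIST; the baseline settings, device names and review dates are constructed placeholders, not values from any particular hardening standard.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample baseline (setting -> required value); names are illustrative.
BASELINE = {
    "disk_encryption": "enabled",
    "guest_account": "disabled",
    "smb_v1": "disabled",
    "screen_lock_timeout_min": 10,
    "remote_registry_service": "disabled",
}

@dataclass(frozen=True)
class ApprovedDeviation:  # a documented exception to the baseline
    device: str
    setting: str
    value: object  # the permitted non-baseline value
    review_by: date  # when the security team must re-review it

def check_device(device, observed, baseline, deviations, today=None):
    """Compare one device's observed settings against the baseline. Returns
    'unapproved' (setting, required, actual), 'approved' (setting, actual)
    exceptions still in date, and 'overdue' (setting, actual, review_by).
    A setting absent from the observation is a deviation with actual=None."""
    today = today or date.today()
    allowed = {(d.setting, d.value): d for d in deviations if d.device == device}
    result = {"unapproved": [], "approved": [], "overdue": []}
    for setting, required in baseline.items():
        actual = observed.get(setting)
        if actual == required:
            continue
        exc = allowed.get((setting, actual))
        if exc is None:
            result["unapproved"].append((setting, required, actual))
        elif exc.review_by < today:
            result["overdue"].append((setting, actual, exc.review_by))
        else:
            result["approved"].append((setting, actual))
    return result

DEVICES = {  # constructed sample inventory, as an agent or MDM export might report it
    "laptop-01": dict(BASELINE),  # fully compliant
    "legacy-scanner-02": {"disk_encryption": "enabled", "guest_account": "disabled",
                          "smb_v1": "enabled", "screen_lock_timeout_min": 30},
    "kiosk-03": {**BASELINE, "guest_account": "enabled"},
}
DEVIATIONS = [  # documented exceptions, each with a review date
    ApprovedDeviation("legacy-scanner-02", "smb_v1", "enabled", date(2030, 1, 1)),
    ApprovedDeviation("kiosk-03", "guest_account", "enabled", date(2024, 6, 30)),
]
```

Running check_device over every entry in the inventory after each patch cycle gives the security team three lists to act on: unapproved drift to remediate, approved exceptions to leave alone, and documented exceptions whose review date has lapsed.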
Checklist
When beginning the process of hardening your organizational baseline, consider the following:
- What are our organizational security goals when it comes to a hardened baseline?
- What technologies, devices, and services are already in use that need to be brought into line with the hardened baseline?
- How do we communicate the new baseline to users and get them to support the rollout?
- What regulatory or legal compliance requirements are we under?
- Do we want to invest in solutions like MDM that can help with consistent patching and device management?