With every attack on your IT infrastructure, a potential hacker must find a way to get in. They may attempt to inject malicious code into your OS by tricking a user into giving them access. Or they may target the hardware, firmware, or software. If successful, attackers can inject malicious elements to hijack a system. In cases where malicious code injection is difficult, sophisticated attackers can use residual data left from trusted applications to build gadgets that subvert modern security technologies. If other attempts fail, attackers can also simply steal a laptop or other device and gain access at their leisure. They may try to physically exploit vulnerabilities in device drivers to bypass traditional OS security—for example, with a kernel DMA attack. However they compromise your system, once they’re in, hackers can spy on users, steal data, prevent authorized access, or render machines unusable.
System hardening means doing everything you can to find and fix security vulnerabilities, whether it’s in hardware, firmware, software, applications, passwords, or processes.
Benefits of System Hardening
The main goal of system hardening is to improve your overall IT security. This lowers your risk for data breaches, unauthorized access, and malware injection. By avoiding attacks, you’ll also avoid the unplanned downtime that comes with remediation. System hardening can also help you simplify compliance with any internal or external regulations.
Types of System Hardening
System hardening should be practiced at every layer of your IT infrastructure. This ranges from servers to networks to endpoints. While IT system administrators typically focus on server hardening in the data center, it’s just as important to help protect clients. Reducing potential vulnerabilities in endpoint security reinforces a zero-trust enterprise security strategy.
You already know that PCs are a major potential attack surface. However, many IT administrators don’t realize that antimalware is no longer enough to secure PCs. Attacks on hardware and firmware have always been possible, but historically they were very difficult to carry out. Now, with the availability of kits and tools online, hackers have become much more sophisticated, moving down the stack to attack PCs beneath the OS.
PC hardening focuses on closing any potential attack vectors and routinely updating your systems to avoid being exploited. Attacks may include:
- Malicious hardware injection attacks that exploit openings in the supply network (supply chain attacks).
- Social engineering attacks that manipulate users into divulging confidential credentials.
- Malicious code-based attacks that exploit vulnerabilities in software and firmware.
- Legitimate code-based attacks that use residual data in-memory to compromise the system.
- Physical access attacks that exploit vulnerabilities in hardware.
- Side-channel attacks.
At Intel, security is not just product security. It’s an ongoing effort intended to assure that users work best and are most secure on Intel®-based platforms.
Intel’s security-first pledge represents our commitment to design for product security. It starts with customer-first urgency. We consistently work with our customers in the commercial segment, our ecosystem, researchers, and leaders in academia to better understand their pain points so we can build and deliver helpful solutions with security deeply rooted within.
Our transparent, timely communications and ongoing security work demonstrate our efforts to push the boundaries of security beyond what is built into the product. Thanks to our bug bounty program, security red teams, and involvement with Common Vulnerabilities and Exposures (CVE), we can proactively identify and mitigate threats to Intel® platforms and provide guidance to our customers in a timely manner.
Intel® security technologies are embedded into our silicon to help protect devices at the most foundational level. But system hardening is not fully possible without a joint effort from the ecosystem. That’s why Intel® technologies are designed to integrate with other end user solutions, enhancing software-based security features from leading vendors.
In addition, Intel offers a business-class PC platform that was designed to simplify PC hardening. The Intel vPro® platform is built with hardware-based security features that help minimize the risks associated with security threats. It includes Intel® Hardware Shield, which is designed to provide out-of-the-box protections from attacks below the OS. In 10th Generation Intel® Core™ vPro® processors, these features are expanded to include application and data protection features and advanced threat protection capabilities to provide holistic endpoint security features across hardware, firmware, and software. The processors also provide the hardware resources needed for virtualized workloads and help reinforce virtualization-based security (VBS) with features to help protect PCs at runtime and data at rest.
Considerations for PC Hardening
As you’re planning your IT security hardening strategy, there are a few important goals to keep in mind when it comes to PC hardening.
- Ensure supply chain visibility from assembly to IT provisioning. Intel® Hardware Shield helps IT identify any unauthorized hardware changes made prior to the platform provisioning.
- Make sure you’re protecting PCs at runtime. With the below-the-OS capabilities that are part of Intel® Hardware Shield, you can support a secure boot so that systems launch into a trusted state.
- Protect your BIOS. Intel® Hardware Shield locks down memory in the BIOS when software is running. This helps prevent planted malware from compromising the OS.
- Ensure hardware-to-software security visibility. Dynamic Root of Trust for Measurement (DRTM), included with Intel® Hardware Shield, helps relaunch the OS and virtualized environments in an Intel-protected code-execution environment to help protect OS secrets from firmware. This provides the OS visibility of firmware security and enables additional OS security features.
- Protect against physical memory access attacks. Intel® Hardware Shield helps prevent unauthorized access to data stored on the device with no additional setup required.
- Prevent malware injection into the OS with industry-leading hardware virtualization and advanced threat detection features. Intel® Hardware Shield provides essential hardware resources for modern and virtualized client security workloads, helping protect the OS from the latest cyber threats.
- Provide a way to remotely manage PCs. This allows you to install security patches and perform configuration management as needed. Intel® Active Management Technology, part of the Intel vPro® platform, provides an out-of-band connection for remote PC management. You can also use it to boot devices into a safe environment for troubleshooting and repair. And now, the Intel® Endpoint Management Assistant (Intel® EMA) tool lets IT remotely and securely manage devices, inside and outside the firewall, over the cloud.
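The goals above (launching into a trusted state, protecting against physical memory access, supporting virtualization-based security, keeping patches current) can be checked from the OS side on each PC. The following PowerShell script is an added example for this page, not Intel’s code and not part of Intel® Hardware Shield; it reports the Windows-visible state of Secure Boot, the TPM, VBS/HVCI, OS-drive encryption and the most recent update. It assumes an elevated Windows 10 PowerShell session with the built-in SecureBoot, TrustedPlatformModule and BitLocker modules available; the function name and the baseline it enforces are this example’s own.

```powershell
# Added example (not Intel's code): report the Windows-visible security posture
# that the PC hardening considerations above ask for. Run elevated on Windows 10.
# Function name and the pass/fail baseline are assumptions of this example.

function Get-PcHardeningPosture {
    $result = [ordered]@{}

    # Secure Boot: did the firmware launch the OS into a trusted state?
    # Confirm-SecureBootUEFI throws on legacy-BIOS systems, so treat that as "off".
    try { $result.SecureBoot = Confirm-SecureBootUEFI } catch { $result.SecureBoot = $false }

    # TPM presence and readiness (the root of trust used by measured boot and BitLocker).
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady

    # Virtualization-based security (VBS) and memory integrity (HVCI) as reported by Device Guard.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # OS-drive encryption limits what a stolen device yields to an attacker with physical access.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.OsDriveEncrypted = [bool]($bl -and $bl.ProtectionStatus -eq 'On')

    # Date of the most recently installed update, as a rough patch-currency indicator.
    $result.LastHotfix = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn

    [pscustomobject]$result
}

$posture = Get-PcHardeningPosture
$posture | Format-List

# Flag every baseline item that is not satisfied on this PC.
$failed = @('SecureBoot', 'TpmPresent', 'TpmReady', 'VbsRunning', 'HvciRunning', 'OsDriveEncrypted') |
    Where-Object { -not $posture.$_ }
if ($failed) { Write-Warning ("Hardening baseline not met: " + ($failed -join ', ')) }
```

Run it from a management channel such as the remote connection described above and collect the objects centrally; a PC that reports Secure Boot off, VBS not running or an unencrypted OS drive has not reached the trusted state the considerations describe, regardless of what the hardware supports.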
Getting Started: System Hardening Checklist
The following is a short list of basic steps you can take to get started with system hardening. For a more comprehensive checklist, you should review system hardening standards from trusted bodies such as the National Institute of Standards and Technology (NIST).
- Take an inventory of all your IT systems, including PCs, servers, and networks. Document your hardware and software products, including OS and database versions.
- Perform an audit of your users and their access to all systems and applications. Eliminate any accounts and privileges that are no longer necessary.
- Consider how you will approach operating system hardening. For PCs, upgrade your OS to Windows* 10 to make sure you’re getting the latest security updates.
- Automate software updates so that neither the user nor IT administrator needs to think about them.
- Train users to adopt strong passwords and identify phishing schemes. A large number of attacks come from stolen credentials and social engineering. User education is the foundation of any system hardening strategy.
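The inventory, access-audit and update-automation items in this checklist can be started on a single Windows 10 PC with a short script. The following PowerShell is an added example written for this page, not Intel’s or NIST’s code. It records the hardware and OS details for the asset register, flags enabled local accounts that have never logged on or have been inactive for more than 90 days, lists local administrators that are not on an approved list, and checks whether automatic updates have been disabled by policy. The 90-day threshold and the approved-administrator names are assumptions of this example.

```powershell
# Added example (not Intel's code): a starting point for the inventory,
# account-audit and update-automation steps of the checklist on one Windows 10 PC.
# The inactivity threshold and the approved-administrator list are assumed policy values.

$InactivityDays = 90
$ApprovedAdmins = @('Administrator', 'helpdesk-admin')   # assumed policy list

# Inventory: hardware, firmware and OS details for the asset register.
$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
$inventory = [pscustomobject]@{
    Host         = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    BiosVersion  = $bios.SMBIOSBIOSVersion
    Os           = $os.Caption
    OsBuild      = $os.BuildNumber
    LastBoot     = $os.LastBootUpTime
}
$inventory | Format-List

# Access audit: enabled local accounts that never logged on or have been idle past the cutoff.
$cutoff = (Get-Date).AddDays(-$InactivityDays)
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
}

# Access audit: user members of the local Administrators group not on the approved list.
# Member names come back as "HOST\user" or "DOMAIN\user", so compare only the account part.
$unexpectedAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    Where-Object { ($_.Name -split '\\')[-1] -notin $ApprovedAdmins }

Write-Output 'Stale or never-used enabled accounts (candidates for removal):'
$stale | Select-Object Name, LastLogon | Format-Table -AutoSize
Write-Output 'Local administrators outside the approved list:'
$unexpectedAdmins | Select-Object Name, PrincipalSource | Format-Table -AutoSize

# Update automation: NoAutoUpdate = 1 under the WindowsUpdate\AU policy key turns automatic updates off.
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) { Write-Warning 'Automatic updates are disabled by policy on this PC' }
```

The stale-account and unexpected-administrator lists are review output, not an automatic cleanup: confirm each entry against the owner or ticket before disabling it, and repeat the audit on a schedule, since accounts and group memberships drift between reviews.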
It’s important to remember that system hardening is an evolution, rather than a one-time activity. As attacks grow more sophisticated, so must your hardware security strategy. By choosing business laptops and business PCs on the Intel vPro® platform, you can simplify PC hardening with our latest hardware-based security technologies built into your devices. This helps you ensure strong protection for your PCs.
With the built-in security capabilities that are part of Intel® Hardware Shield, you can enable holistic endpoint security across all layers of the PC computing stack.