3.5 Security techniques for computing resources
📘CompTIA Security+ (SY0-701)
1. What is Hardening?
Hardening means strengthening a system to make it more secure against attacks or misuse.
It involves removing unnecessary features, applying security configurations, installing updates, and enforcing security policies.
The goal is to reduce the attack surface — meaning, minimize the number of ways an attacker could gain unauthorized access.
Hardening is applied to all types of systems, including mobile devices, servers, cloud infrastructure, network devices, and specialized systems like IoT and SCADA.
2. Hardening Different Types of Systems
Below are the main areas that the exam expects you to know and understand how to harden.
A. Mobile Devices Hardening
Mobile devices (smartphones, tablets, laptops) are portable and connect to many networks, so they are at high risk.
Key Hardening Steps:
- Use Mobile Device Management (MDM):
Centralized tool to enforce security policies, push updates, and wipe lost or stolen devices remotely. - Enable Screen Locks:
Require PINs, passwords, biometrics, or facial recognition. - Encrypt Storage:
Protects data if the device is lost or stolen. - Apply Regular Updates:
Keep OS and apps patched to prevent exploitation of known vulnerabilities. - Disable Unused Features:
Turn off Bluetooth, NFC, or Wi-Fi when not needed. - Restrict App Installation:
Allow apps only from trusted stores and block sideloading (manual installation from unknown sources). - Enable Remote Wipe and Location Tracking:
Allows security teams to erase sensitive data if a device is compromised.
B. Workstation Hardening
Workstations are employee computers used daily and are common targets for malware or phishing.
Key Hardening Steps:
- Apply Operating System and Software Updates:
Regular patching closes known vulnerabilities. - Remove Unnecessary Software and Services:
Fewer applications mean fewer possible exploits. - Use Standard User Accounts:
Avoid using administrative rights for everyday tasks. - Enable Host-based Firewalls and Antivirus:
Protect against malicious traffic and malware. - Enforce Group Policies:
Centralized control through Active Directory to enforce password rules, screen locks, etc. - Implement Disk Encryption (e.g., BitLocker):
Protects data if the computer is stolen. - Restrict USB/External Devices:
Prevent unauthorized data transfer or malware infections.
C. Switch Hardening
Switches control traffic inside a network. Misconfigured switches can expose the network to attacks.
Key Hardening Steps:
- Disable Unused Ports:
Prevent unauthorized devices from connecting. - Enable Port Security:
Limit the number of devices per port and use MAC address filtering. - Use VLANs (Virtual LANs):
Separate traffic logically to limit access between departments or functions. - Disable Unused Services (like Telnet):
Use secure protocols such as SSH instead of insecure ones. - Set Strong Management Passwords:
Change default credentials immediately. - Enable Logging and Monitoring:
Detect unauthorized access attempts.
D. Router Hardening
Routers connect networks together and are often targeted for control or eavesdropping.
Key Hardening Steps:
- Change Default Admin Passwords:
Default credentials are easily found by attackers. - Disable Remote Management (if unnecessary):
Prevent unauthorized external access. - Use Secure Management Protocols:
Use SSH and HTTPS, not Telnet or HTTP. - Apply Firmware Updates:
Regularly update router firmware for security patches. - Disable Unused Services:
Turn off unnecessary features like UPnP. - Implement ACLs (Access Control Lists):
Restrict who can access the router and which networks can communicate. - Enable Logging:
Keep records of configuration changes and access attempts.
E. Cloud Infrastructure Hardening
Cloud systems host data and services in virtual environments, so configuration is critical.
Key Hardening Steps:
- Use the Shared Responsibility Model:
Understand what the cloud provider secures (hardware, network) and what the customer secures (data, accounts, configurations). - Restrict Access:
Implement Identity and Access Management (IAM) roles with least privilege. - Use Encryption:
Encrypt data at rest and in transit. - Apply Security Groups and Firewalls:
Control network traffic between cloud instances. - Regularly Audit Configurations:
Use tools to check for misconfigurations (e.g., open storage buckets, public databases). - Monitor Cloud Activity Logs:
Detect suspicious actions and unauthorized access.
F. Server Hardening
Servers store data and run applications — they are high-value targets.
Key Hardening Steps:
- Apply OS and Software Updates:
Regularly patch to fix known vulnerabilities. - Disable Unused Services and Accounts:
Minimize active processes and remove default accounts. - Use Strong Authentication:
Enforce multi-factor authentication (MFA) for admin access. - Use Firewalls and Intrusion Detection/Prevention Systems:
Limit inbound/outbound connections. - Implement Secure Configurations:
Follow CIS Benchmarks or vendor-recommended configurations. - Regular Backups:
Ensure recovery from compromise or hardware failure. - Enable Logging and Monitoring:
Track login attempts, configuration changes, and suspicious activity.
G. ICS/SCADA Hardening
ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) systems are used in industrial environments.
They control critical infrastructure like manufacturing, power, and water systems — so security is crucial.
Key Hardening Steps:
- Network Segmentation:
Separate ICS/SCADA networks from corporate and public networks. - Restrict Remote Access:
Only allow secure, authorized connections. - Apply Patches Carefully:
Updates must be tested to avoid interrupting critical operations. - Monitor System Activity:
Detect unauthorized or unusual commands. - Use Whitelisting:
Only allow approved applications to run. - Implement Physical Security:
Protect control rooms and hardware devices.
H. Embedded Systems Hardening
Embedded systems are small computing devices built into hardware — like medical devices, printers, or routers.
Key Hardening Steps:
- Change Default Passwords:
Manufacturers often use weak or shared credentials. - Disable Unused Ports/Interfaces:
Reduce attack points like USB or debug ports. - Apply Firmware Updates:
Patch vulnerabilities as updates are released. - Restrict Network Access:
Limit communication only to trusted devices. - Encrypt Communications:
Secure any data sent over networks.
I. RTOS (Real-Time Operating System) Hardening
RTOS is used in time-sensitive systems (e.g., robotics, vehicles, industrial machines).
Security must not interfere with performance or timing.
Key Hardening Steps:
- Isolate Critical Functions:
Prevent non-critical processes from affecting real-time tasks. - Apply Access Control:
Restrict who can modify or interact with the RTOS. - Use Code Signing:
Ensure that only trusted software can run. - Update Firmware Carefully:
Balance security and performance. - Network Isolation:
Limit unnecessary connectivity to reduce exposure.
J. IoT (Internet of Things) Device Hardening
IoT devices (like cameras, sensors, and smart appliances) are often targeted due to weak security controls.
Key Hardening Steps:
- Change Default Credentials:
Default usernames and passwords are easy to guess. - Apply Firmware Updates:
Regularly patch vulnerabilities. - Disable Unused Features:
Turn off unnecessary network services or sensors. - Network Segmentation:
Keep IoT devices on a separate network from sensitive systems. - Use Encryption:
Protect data transmission and control signals. - Monitor Device Activity:
Detect unexpected communication patterns that could signal compromise.
3. Summary Table
| System Type | Key Hardening Focus |
|---|---|
| Mobile | MDM, encryption, screen lock, app control |
| Workstations | Patching, antivirus, limited privileges |
| Switches | Disable unused ports, VLANs, secure management |
| Routers | Change defaults, ACLs, firmware updates |
| Cloud Infrastructure | IAM, encryption, configuration auditing |
| Servers | Secure configs, MFA, backups, monitoring |
| ICS/SCADA | Segmentation, restricted access, monitoring |
| Embedded Systems | Disable interfaces, firmware updates |
| RTOS | Access control, code signing, isolation |
| IoT | Change credentials, segment network, patching |
4. Exam Tips
- Understand “least privilege” — give users or devices only the access they need.
- Know the difference between hardening network devices vs. hosts.
- Remember that embedded and IoT devices often lack standard update methods, making them a high risk.
- Cloud security is shared between the provider and customer.
- ICS/SCADA must prioritize safety and availability over convenience.
✅ In summary:
Hardening means configuring and maintaining systems in a secure state to reduce vulnerabilities. Every type of system — from mobile to industrial — has its own risks and specific best practices to follow. For the Security+ exam, focus on understanding these principles and applying them logically to each environment.
