OK, now we should certainly know that securing the network is great. But if you're in points, connecting to the network aren't secure than none of that matters. So when we talk about in point and data security here, we're talking about those hosts that we connect to the network and specifically the ones that are users have access to. So
user said that their desktops, they bring in laptops and tablets and smartphones and all of these
different devices. And so what we want to make sure is that we just follow the basic principles of hardening systems.
The most important, remove what's unnecessary. If it's not a service, an interface of protocol and application that's in use, it needs to be removed because the more of those elements you have on a system, the larger the attack surface is no benefit to having a large attack surface
other than that to an attacker.
Then you gotta patch her systems.
You've got to make sure that their current enough to date you gotta have anti malware software because you know what
best way to deal with malware just don't get it?
And the best way to just not get it is to remove unnecessary service is to patch your systems to keep any malware installed enough today.
All right, get rid off default configurations, rename administrative accounts. And I'm not gonna read every one of these to you. But these air just the basic principles of hardening. But I will tell you those first handful, three or four first 34 Those are most important and should be done first.
Get rid of what's unnecessary.
Hatch patch, patch her systems. One thing I will mention when I say remove unnecessary service's I by no means implied that you should do that outside the change control process. Right? So I haven't used this system 32 folder. That can't be worth anything. Let me just deleted.
That's not at all what I'm encouraging.
Really. What I'm encouraging you is as a schism that will influence the policies and procedures that guide the baseline configurations. You and we should be reviewing those systems and ensuring that something unnecessary isn't part of that baseline image that's going out to our clients, right?
So I'm not just saying right, click and delete everything you don't immediately recognize
followed the process of change control But it is perhaps necessary that our configuration images do need to be modified. If we're looking at it from a hardening stand for
and then with dabba security, protect your data
and whether that's in rest, which would be stored on the hard drive, you encrypt
data in motion, you secure transport protocols and those would be things like SSL
And of course, really, When we say SSL today, we mean t l s so s S l N T l s or to secure transport protocols. We usually associate those with http, but they could be used to secure file transfer and first secure copies.
SSL could be used for lots of other things.
Um, also I p sec is a secure transport protocol, so that's helpful as well.
Now, data in use is harder to secure because you know it's encrypted on your drive. You open it up and you're working on it, or those transactions are being processed,
so we don't really usually think of encrypting data and use. However, on the horizon we look at home or FIC encryption,
and what that means is, and this is something you'll see like a Blockchain technologies Bitcoin in some of the digital currency is being able to encrypt that information while it's those transactions while in use. Okay, that's in the future. Of course, Quantum cryptography is going to be a means.
You know, it's gonna be a game changer
how quickly that's on the horizon or how soon will be up. You know will be safe.
All right. Other things. We need integrity for our data. We need proof that our data hasn't been modified. So we use message, digests or hash.
When we think about availability, we want redundancy and the non repudiation. We talked about digital signatures. We want to make sure that if we're sending data across an unprotected network one that's not secured by default, then a VPN tunnel
should be established from in point
all the way to through to the network into end security. So our data in motion at rest needs to have the CIA triads of various ways that we're gonna employ that