What is it?
The act or process of making a network, data repository, sensor, computer system, software, or other equipment resistant to unauthorized access or damage.
Why is it important?
Unauthorized access is one of the primary catalysts for operational, financial, strategic, legal, and other damage to an organization. These breaches also increase the risk of harm to third parties, including customers, patients, and other stakeholders. Hardening hardware, software, and data systems is a key risk mitigation strategy.
Why does a business professional need to know this?
Hardening is necessary when there is a mission-critical need to:
- Protect information, content, or application data such as health records, credit card information, intellectual property, or location information
- Ensure continuous availability and reliable performance of facilities such as electric grids, factories, or data centers
- Safeguard hardware and other resources, such as computer servers, passenger vehicles, building sensor networks, or point-of-sale systems
Hardening is an ongoing, never-ending process that business professionals must understand and support. Frequently, the value of hardening -- and the need to invest in workforce development and processes -- is not apparent until a high-profile failure occurs.
A recent galvanizing event was the loss of credit card information for 40 million Target customers during the 2013 Christmas season (Radichel 2014). This breach resulted in a 46% drop in profits for that quarter, a CEO exit, and nearly $150 million in settlements. The vulnerabilities exposed included significant failures in hardening networking and other equipment found in most businesses.
In 2016, a Distributed Denial-of-Service (DDoS) attack left Twitter and Reddit inaccessible for many US web users (Meyer 2016). Similar questions about the amount of hardening applied to in-flight entertainment systems were raised in 2015, when a cybersecurity researcher was accused of unauthorized access to flight systems and issuing a command to one of the airplane engines that resulted in a change of flight movement (APTN News 2015).
Security industry analysis indicates that crisis planning and the application of lessons learned from a breach can minimize losses. Effective teams should be multi-disciplinary to ensure deep subject-matter expertise and capabilities. Funding for these teams should be available from product/service conception to end of life, because hardening approaches can differ at each point in the lifecycle.
Security culture has developed a number of ways to share lessons learned and build practical expertise in identifying and fixing vulnerabilities across a wide array of equipment and software. Investing in continued learning, such as conferences and certification, empowers cybersecurity teams to plan for, prepare for, and address the ever-shifting threat landscape.
- (Radichel 2014) Case Study: Critical Controls that Could Have Prevented Target Breach: Radichel, Teri (2014). PDF. Case study about the Target data breach in 2014.
- (Meyer 2016) How a Bunch of Hacked DVR Machines Took Down Twitter and Reddit: Meyer, Robinson (2016). Describes how lack of hardening of internet-connected devices made it possible to mount a massive Distributed Denial of Service (DDoS) attack.
- (APTN News 2015) Hacker told F.B.I. he made plane fly sideways after cracking entertainment system: Barrera, Jorge (2015). APTN National News.