Term of the Week: Hardening

Why does a business professional need to know this?

Hardening is necessary when there is a mission-critical need to:

• Protect information, content, or application data such as health records, credit card information, intellectual property, or location information
• Ensure continuous availability and reliable performance of facilities such as electric grids, factories, or data centers
• Safeguard hardware and other resources, such as computer servers, passenger vehicles, building sensor networks, or point-of-sale systems

Hardening is an ongoing, never-ending process that business professionals must understand and support. Frequently, the value of hardening -- and the need to invest in workforce development and processes -- is not apparent until a high-profile failure occurs.

A recent galvanizing event was the loss of credit card information for 40 million Target customers during the 2013 Christmas season(Radichel 2014). This breach resulted in a 46% drop in profits for that quarter, a CEO exit, and nearly $150 million in settlements. The vulnerabilities exposed included significant failures in hardening networking and other equipment found in most businesses.

In 2016, a Distributed Denial-of-Service (DDoS) attack left Twitter and Reddit inaccessible for many US web users(Meyer 2016). Similar questions about the amount of hardening applied to in-flight entertainment systems were raised in 2015, when a cybersecurity researcher was accused of unauthorized access to flight systems and issuing a command to one of the airplane engines that resulted in a change of flight movement(APTN News 2015).

Security industry analysis indicates that crisis planning and the application of lessons learned from a breach can minimize losses. Effective teams should be multi-disciplinary to ensure deep subject-matter expertise and capabilities. Funding for these teams should be available from product/service conception to end of life, because hardening approaches can differ at each point in the lifecycle.

Security culture has developed a number of ways to share lessons learned and build practical expertise in identifying and fixing vulnerabilities across a wide array of equipment and software. Investing in continued learning, such as conferences and certification, empowers cybersecurity teams to plan for, prepare for, and address the ever-shifting threat landscape.