Default configurations of operating systems are designed with a focus on usability. This compromises information security and leaves doors wide open to cyber criminals, who in the vast majority of cases don’t target specific organisations or individuals. Instead, they systematically and automatically scan the entire internet for known and easy to exploit vulnerabilities. Making adjustments to these default configurations to increase security is called hardening. Hardening vastly decreases chances of being attacked by a cybercriminal. Actions include:

• Removing or disabling unused functions and user accounts.
• Assigning secure values to security settings.
• Changing default passwords.

Hardened systems provide maximum security against cybercriminals.

Secquard audits and reports the compliance levels of configurations on consolidated and individual system level. For each system, it is possible to zoom in to individual controls. To give an impression, Windows 2008 contains 215 security controls.

The actual system hardening is benchmarked against either best practices, own baselines, or industry standards such as NIST, CIS and ISO. Each control and result are individually explained and recommendations for mitigating measures are provided.

Software can contain vulnerabilities. These vulnerabilities are exploited by cyber criminals to attack systems and networks. Software suppliers resolve these issues as quickly as possible and release security updates called patches, for some software this happens at very frequently.

To protect an organisation against cybercrime, it is therefore important that operating systems of servers, workstations and network components are always up to date. Measures that help safeguard this are:

• Policies for timely installation of software updates and patches.
• Disabling and removing software that is no longer supported by the supplier.

Secquard compares the actual patch levels of each operating system with the latest patches of the software supplier. The information that we use comes from e.g. Microsoft, Red Hat, Cisco or MITRE. When a system is not fully patched, it is reported as not compliant. In the detailed report, an overview of the missing patches and related risks is provided. We provide the opportunity to adopt a specific patching policy for each organisation.

The Secquard reports also contain an overview per system of installed software, including version and comparison to the latest available version.

Cybercriminals use viruses and other malware such as trojans, worms and ransomware to disrupt, cause data corruption, or gain access to systems. By installing anti-virus software on all systems, organisations can mitigate this risk. Antivirus protects your systems from malware. Adhering to the following guidelines is a minimal requirement:

• Anti-virus software has to be updated.
• Anti-virus software has to scan all files daily.

Secquard determines for each system if antivirus is installed and if the version corresponds to the most actual information of the supplier.

Certain users, like administrators, have special and often very extensive rights in systems and applications. When cyber criminals gain access to such accounts, risks are significantly higher than for other accounts. It is therefore imperative that organisations limit access of user accounts to levels that are strictly necessary. In addition, who has access to which systems needs to be adequately monitored.

The minimum requirements for robust access control are:

• Assignment and management of user rights must be a secured process and approved at the highest possible level in the organisation.
• The number of users with extensive administrator rights should be limited as much as possible and should be reserved to accounts without access to email and internet. Passwords of these accounts should be changed regularly.
• All users should be linked to a password policy. User accounts that are inactive should be deleted.

Secquard reports the status of users and possible inconsistencies per active directory. Information is provided on e.g. users, domain administrators, administrators and inactive users, users without passwords, etc.