Welcome to “Hardening Devices.” After watching this video, you will be able to: evaluate methods to secure and harden devices, identify device and system vulnerabilities, and determine best practices for common security threats.

Hardening is the process of securing a device to minimize vulnerabilities. You can harden devices by disabling unneeded device features, regularly updating device firmware, OS, and software, and using firewalls, VPN, and antimalware. The more layers of security you use, the safer your data and devices will be.

To protect your applications and OSes, turn on auto-updates for PCs, phones, tablets, and routers. Outdated systems are huge targets for hackers. This includes systems that are missing updates, antivirus or firewall, or running unsupported operating systems. Work done on personal computers is also a risk, since those devices are not managed by a security team. For secure apps, OSes, and drivers, only install from app stores, authorized resellers, and manufacturers; check software for digital signatures; and update regularly.

Patches are updates to apps and OSes that fix security weaknesses. Companies regularly release patches alongside system improvement updates to make sure that their customers are safe from new threats. But patches are a response to KNOWN threats—meaning the threat has already happened to someone. To prevent unknown threats, also use Multifactor Authentication, Virtual Private Networks, and strong passwords.

Firmware is software that tells hardware how to behave. Security firmware protects devices and data from malware and tampering.

BIOS passwords (also, firmware passwords): BIOS (or Basic Input Output System) is firmware that boots up Windows and Linux PCs, runs hardware checks, and starts the OS. The OS won’t start without the password, or if the checks find a problem.

Secure boot: UEFI (or Unified Extensible Firmware Interface) is newer and more advanced boot firmware than BIOS. Secure boot is a feature of UEFI.
It confirms an OS manufacturer’s digital signature, which prevents malware from taking control during boot-up.

TPM: TPM (or Trusted Platform Module) is a chip that stores and manages encryption keys. TPM chips won’t start a device or decrypt data if tampering is detected.

Drive encryption: Drive encryption scrambles a drive’s data so it’s unreadable.

Outdated firmware leaves devices vulnerable. Make sure your PCs, phones, networking hardware, and even your cars have firmware that is up to date.

Encryption is one of the most powerful tools you can use to harden a device. It uses algorithms to encode plain text into unreadable ciphertext. Only the encryption key can decode it. Encryption is used at the network layer for data traveling across networks. It can also be done locally to hard drives, phones, and even thumb drives so that lost device data remains unreadable.

A hacker can use features and ports to steal data and cause damage. Autorun allows inserted drives and disks to run or play automatically. Bluetooth allows connections and data transfers between devices. NFC also transfers data, but has zero protections aside from its limited range. But some of the most vulnerable ports must stay open. Port 443 manages secure web traffic. Port 22 is used for secure server connections, and Port 80 manages standard web traffic. To harden against attack, disable unused features and ports, and use other hardening tools to protect the ones in use.

A zero-day attack is an attack that has never happened before. There are no patches or updates in a zero-day attack because they haven’t been created yet. To protect against zero-day attacks: use tools like VPN and IDS/IPS, only visit trusted networks and sites, and follow general security hygiene standards.

Apps that harden are affordable, reliable, and provide helpful configuration suggestions. Examples include antivirus, anti-malware, anti-spyware, software firewalls, and VPNs.
Maintaining these apps—especially on smartphones—helps keep attackers out of your devices.

Firewalls harden devices by keeping unwanted visitors out of your system and off your network. There are software firewalls and hardware firewalls. They monitor connections and block harmful traffic based on preset rules. For example, schools and businesses use firewalls to block social media sites, age-inappropriate content, and certain types of downloads. VPNs encrypt the traffic coming out of your device. Even if a hacker is capturing your data, they won't be able to read it or decrypt it. VPNs and firewalls range in cost; some are free.

Public wifi is convenient, but it’s unencrypted and doesn’t require passwords. Hackers can easily intercept and steal your identity, drain your accounts, and scam your contacts. Secured wifi provided by your ISP or the network at your job is much safer to use. These have very strong encryption. If you can’t avoid public wifi: Use a VPN on all your devices. Only visit HTTPS sites that are well-known. Use your phone as a hotspot. Cellular networks are encrypted. Disable automatic wifi connection settings. Don’t access personal or financial information on public wifi.

Default usernames and passwords are essential to tech support, software installation, and device configuration. They also pose serious risks. They’re easily found online in help guides or user manuals. They have admin-level privileges. They hide who’s using them. And they’re usually left unchanged. It’s common for hackers to use them to break into apps, devices, OSes, databases, and BIOS. To close security loopholes, disable built-in accounts if possible, change all default passwords, use strong passwords, and check documentation for default, backdoor, and hidden accounts.

In this video, you learned that: Apps and OSes should be regularly updated. Patches protect against known threats. Outdated firmware leaves devices vulnerable. Encryption encodes plain text into ciphertext.
Zero-day attacks are unknown threats. Disabling features and ports reduces attacks. Firewalls block traffic, VPNs encrypt traffic. Anyone can see what you do on public wifi, and hacking a device is easy with default passwords.
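
The advice above to disable unused ports while keeping ports 22, 80, and 443 open can be checked on a Linux host by comparing its listening sockets against an allowlist. This is an added example, not part of the original video; the allowlist, the function names, and the sample `ss -H -tln` output are constructed for illustration.

```python
# Audit listening TCP ports against an allowlist (added example).
# SAMPLE_SS_OUTPUT is constructed, in the column layout of `ss -H -tln`:
# State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
LISTEN 0      32           0.0.0.0:23         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096           [::1]:5432          [::]:*
LISTEN 0      128                *:8080             *:*
"""

# Assumption: the ports this host is meant to serve (the three named above).
ALLOWED_PORTS = {22, 80, 443}


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line in the ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last colon so IPv6 addresses like [::]:22 parse correctly.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    """True when the socket is bound to this machine only."""
    return addr == "::1" or addr.startswith("127.")


def audit(ss_output, allowed=ALLOWED_PORTS):
    """List (port, address, scope) for each listener outside the allowlist."""
    findings = set()
    for addr, port in parse_listeners(ss_output):
        if port not in allowed:
            scope = "local-only" if is_loopback(addr) else "network-exposed"
            findings.add((port, addr, scope))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, scope in audit(SAMPLE_SS_OUTPUT):
        print(f"port {port} on {addr}: {scope}, not in allowlist")
```

Listeners reported as network-exposed are the ones to disable or put behind a firewall first; local-only listeners are reachable only from the machine itself.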