People soft. Computers hard.

People are advised to be soft and vulnerable in order to be able to communicate and build trust between each other. Please do remember that with computers this is not the case.

One of the classic situations that we face with clients is a phenomena where hardening the systems or limiting traffic between trust zones or network is seen as "burdensome useless waste of time that is done merely to please the compliance". Clients sometimes seem to race on how little is counted as "hardening done" tick-box on the audit report.

MS just updated their CVE-2020-16898 ICMPv6 RCE vulnerability to "just" 8.8 from 9.8 on CVSS score due exploitability index changes. They realized that building an exploit for this is a bit harder than initially expected. A working exploit would still make it possible to spread the foothold of the initial attack to every non-hardened latest version Windows server or Win10 computer in the network.

How many of you have IPv6 stateless address auto-configuration as primary source of routing information in your network? If not, why then keep it enabled and running on the background? If you don't support printers on every server, why then let the print spooler service run and communicate on every host? Why allow insecure SMB versions to exist? Or SQL server to communicate to whole internal network and not just the application server that actually uses it?

Hardening is hard but that's why it's called hardening. When looking it from a very Finnish perspective, you simply cannot keep your house warm in the freezing winter times if you use single layered window glasses, poor insulation on walls and if you leave the backyard door open just in case you might want to visit the garden tomorrow.

Ask for advice if you need some. Winter is coming.

Good place to start. https://www.cisecurity.org/cis-benchmarks/