The Top Cybersecurity Strategies That Prevent Targeted Attacks

According to the Department of Homeland Security (DHS), there are seven strategies that will prevent 85% of targeted attacks.  To this list I have added a few of my favorites.

  • Password Manager Programs – If you are truly going to have dozens or hundreds of unique and long passwords, you will need the help of a password manager program to keep them all straight and enter them accurately.  My recommendation at this point is to have the password manager generate a random 20-character password.  Long passwords are impossible to brute force in a reasonable time-frame, and truly random passwords will defeat the hybrid/dictionary/predictive password crackers we discussed in an earlier post.
  • Two-factor or Multi-factor Authentication – No matter how tough your passwords are to crack, they can still be acquired through a clever phishing exploit or a keylogger installation.  Requiring a one-time passcode from a smartphone app removes the risk of accidental password exposure.
  • Operating System and Application Updates and Patching – When I am performing vulnerability scans, over half of the vulnerabilities that are discovered could have been mitigated by using the latest versions of operating systems and software applications, and conscientiously applying updates and patches.
  • Limiting Network Privileges – I see so many small companies that have set up their users with administrative privileges to their own computers, and often with administrative privileges to file shares and server-based applications.  When an attacker compromises one of these users’ computers or accounts, they are automatically added to the list of network admins.  Prevent this by giving people the access they require, but restricting access where it is not needed.
  • Run Only Authorized Applications – Enforcing application authorization, or application whitelisting as it is called, will prevent users from downloading and installing unapproved, untested, rogue, and malicious applications.  This keeps malware off your network.
  • Network Segmentation – It is simpler to run a single large network, or what is called a “flat” network.  Simpler for you means simpler for attackers, too.  Segmenting your network into security zones of related assets and resources limits the access an attacker has and the amount of damage they can create.  The first segment you need is a separate “guest” network.
  • File Reputation – This is application whitelisting taken to the file level.  You can tune your security software to limit file execution to files with the highest reputation.  This will prevent unknown files from running and creating problems.
  • Input Validation – Make sure any custom code that you are deploying to your web site, as a stand-alone web application, or even as an internal application is thoroughly tested for vulnerabilities to SQL injection, command injection, cross-site scripting, and other application vulnerabilities.
  • IP Blocking – Setting up your perimeter defenses to block access to or from the IP addresses of certain nation-states can be a great idea.  If you are not doing business in Russia, China, India, or other centers of cyber-criminal activity, then remove access to and from those locations.

These ten strategies would go a long way toward protecting your company from most of the cyber-crime exploits that are afoot today.  You may find you need assistance to implement some of these strategies, and we would recommend that you find a cybersecurity partner you can work with on some of these issues.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
