According to the Department of Homeland Security (DHS), there are seven strategies that will prevent 85% of targeted attacks. To this list I have added a few of my favorites.
- Password Manager Programs – If you are truly going to have dozens or hundreds of unique and long passwords, you will need the help of a password manager program to keep them all straight, and enter them accurately. My recommendation at this point is to have the password manager generate a random 20 character password. Long passwords are impossible to brute force in a reasonable time-frame, and truly random passwords will defeat some of the hybrid/dictionary/predictive password crackers we discussed in an earlier post.
- Two-factor or Multi-factor Authentication – No matter how tough your passwords are to crack, they can still be acquired through a clever phishing exploit or a keylogger installation. Requiring the use of a one-time pass code using a smart phone app removes the risk of accidental password exposure.
- Operating System and Application Updates and Patching – When I am performing vulnerability scans, over half of the vulnerabilities that are discovered could have been mitigated by using the latest versions of operating systems and software applications, and conscientiously applying updates and patches.
- Limiting Network Privileges – I see so many small companies that have set up their users with administrative privileges to their own computer, and often, with administrative privileges to file shares and server based applications. When an attacker compromises one of these user’s computers or accounts, they are automatically added to the list of network admins. Prevent this by giving people the access they require, but restrict access where it is not needed.
- Run Only Authorized Applications – Enforcing application authorization, or application whitelisting as it is called, will prevent users for downloading and installing unapproved, untested, rogue, and malicious applications. This keeps malware off your network.
- Network Segmentation – It is simpler to run a single large network, or what is called a “flat” network. Simpler for you means simpler for attackers, too. Segmenting your network into security zones of related assets and resources limits the access an attacker has and the amount of damage they can create. The first segment you need is a separate “guest” network.
- File Reputation – This is application whitelisting taken to the file level. You can tune your security software to limit file execution to files with the highest reputation. This will prevent unknown files from running and creating problems.
- Input Validation – Make sure any custom code that your are deploying to your web site, as a stand alone web application, or even as an internal application is thoroughly tested for vulnerabilities to SQL injection, command injection, cross site scripting, and other application vulnerabilities.
- IP Blocking – Set up your perimeter defenses to block access to or from IP addresses of certain nation-states can be a great idea. If you are not doing business in Russia, China, India, or other centers of cyber-criminal activity, then remove access to and from those locations.
These ten strategies would go a long way to protecting your company from most of the cyber-crime exploits that are afoot today. You may find you need assitance to implement some of these strategies, and we would recommend that you find a cybersecurity partner you can work with on some of these issues.Share
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com