Here is my best advice for keeping your organization safe from online attacks. I've given similar advice in the past, and I suspect this advice is nearly the same that almost every security professional will give you. None of it is very deep or complicated. 1/
First, patch all vulnerabilities on all your machines as soon as possible, and never run an operating system or software version that is out of support. 2/
(Some people will tell you that your company can reasonably evaluate how important particular patches are, or that they are better able to determine if a patch is safe than Microsoft or Apple. I recommend ignoring such advice.) 3/
Second, you may need to restore absolutely everything someday. Make sure all machines are fully backed up, and that backups are stored offline. Make sure you test that backups are correct and complete at intervals or it may turn out that they aren't. 4/
Third, make all users use a password safe and use unique passwords for all uses; a password safe makes this convenient. Reused passwords are unsafe passwords, and humans can't remember dozens or hundreds of unique passwords. 5/
Fourth, implement two factor authentication. If you can at all avoid it, don't use SMS as a second factor; OTP apps on phones are the way to cheap out, not SMS. 2FA is easy, cheap, and blocks a wide variety of attacks. 6/
If, and only if, you have done all these things, then you can think about more sophisticated countermeasures. However, the bulk of the embarrassing security failures you read about in the newspaper would have been prevented by these simple measures. 7/
If you're not doing the simple stuff, don't bother talking to the salesman with the cool sounding CyberAI Hyperdefense Shield or whatever his marketing people named it this week. There's no point. 8/
And again, if your staff tell you that really the important thing is to rotate passwords every sixteen minutes, or that they have a methodology to analyze new Microsoft patches for safety even though none of them know how to program, they're giving you bad advice. 9/
So step one is patch, back up, use unique passwords and 2FA. Start there. If you're not doing that, you're wasting your time on anything more sophisticated. 10/
Do I expect most organizations are going to take this advice? No. Why do I assume that? Because no matter what the SEC makes companies say, past performance is an indicator of future performance. Mostly people fail to do the simple stuff and will continue to do so. 11/
Does doing the simple stuff make you invulnerable? Hell no. But it's a start, and it's probably better than what you're likely doing now if you're most companies. 12/
(And given the front page headlines we've seen in recent years, "most companies" includes huge banks, credit reporting agencies, pipeline operators, international airlines, and more.) 13/
I don't expect much is going to change. But when you next see an article about some company's systems that got broken in to because they didn't patch, didn't use 2FA, etc. and couldn't recover because they had no backups, don't act surprised. 14/14
• • •
Missing some Tweet in this thread? You can try to
force a refresh
