We have learned our methods through years of direct operational experience helping organizations defend their data. We have contributed to community activities designed to share best practices, and we also work hard to absorb the latest from our peers and other thought leaders in the space.
It is interesting that one of our key observations has been that simple checklists of what to do don’t help much at all. That also applies to the list below! This is just a review of best practices from the standpoint of practitioners. To make them effective you need to contextualize them into a relevant action plan for your organization, something that makes sense for your business. That said, you can benefit from our decades of expertise in threat modeling and risk mitigation by reviewing these lessons.
Our short list of Cybersecurity Best Practices:
1. Use a “framework” that will guide your action. Our favorite one is the NIST Cybersecurity Framework, but there are many. A good framework will help guide your policies, procedures, contracting and incident response, and will also help improve communications with others inside and outside your organization. The NIST framework divides the actions you need into the categories Identify, Protect, Detect, Respond and Recover, and then fills in many details below those categories. One problem with most of these frameworks: they focus only on defense, as if the bad guys are static. You need to give the right amount of time to adversary models as well as defensive models (see the next best practice).
2. Work to know the threat. Knowing the cyber threat will help you more rapidly and economically adjust your defenses. We wrote a book to help you get a quick baseline on the threat (see TheCyberThreat.com). Since the threat is dynamic, you need continuous information. Our free daily report will keep you aware of the latest in threats and global business risks. For exclusive content and actionable intelligence, join OODA Loop. No matter who you are, you need to know what is happening in your adversary’s camp. Stay aware.
3. Think of your nightmare scenarios. Only you know your business, and only you can really know what could go wrong if the worst happens, so your nightmares are what matters! Use these nightmare scenarios to help determine what your most important data is; that will help prioritize your defensive actions. Businesses should also seek to bring these nightmares to life, in a controlled environment, to see how you and your team will perform in response. The way to do this is via a “Table Top Exercise”. This is a structured way to talk through who will do what and to look for gaps in your incident response plans. For more on Table Tops see: OODA.com
4. Encrypt your data. And back it up! Prioritize this protection on your most important data. This will help mitigate the risks of your nightmare scenarios. Moving to the cloud will provide smart encryption solutions for some of your data and operations (more on the cloud below). Many companies will want to leverage a specialized encryption company. But smaller firms with just a few devices can use the encryption built into your macOS or Windows devices. The easy way to use encryption on the Mac is FileVault, which you can find in your settings. Windows users can turn on BitLocker in the System and Security section of the Control Panel. For a cross-platform solution with more versatility, consider VeraCrypt. Sometimes you will just want to send a short bit of data to someone and are not worried about a nation-state adversary. In cases like that we most strongly recommend Wickr Pro (also mentioned below).
5. Ensure you are patching your operating systems and applications. This sounds so basic, and it is so basic. But it is too frequently overlooked, and it gets both individuals and companies hacked, again and again. So if you are a home user, make sure you do this yourself, and if you are a small business, make sure you have processes in place for it to be done on every system. Leaders in organizations of all sizes should realize it is a common mistake to just assume systems are being patched. Don’t just assume it is going on. Check it.
6. Go to the cloud! Recall the points we just made above: you have to keep your systems patched, and encryption is smart. Using cloud services shifts more of that patching and updating to highly qualified engineering teams and gives you new options for encryption. Moving to a well-engineered cloud brings many other security functions too. You absolutely need to pay attention to how you configure your cloud services, including access control, identity management, encryption and monitoring. But overall you will reduce risk with smartly configured cloud services. Based on our detailed and almost continuous review of security capabilities and future roadmaps, right now we recommend the cloud capabilities of either Amazon Web Services or Google Cloud, or a mix of both. Depending on the services you use and the business needs of your company, you may need to put in place a special tool known as a Cloud Applications Service Broker (CASB) to help control and manage your cloud services.
7. Put multi-factor authentication in place for every employee, including on their use of cloud-based services, and encourage all to do this at home as well. Depending on your business model, you may need to do this for customers and suppliers too. This is very important for a good defense. Some multi-factor methods are still open to attack. Important accounts should be protected by a hardware token too, like the YubiKey.
8. If you operate in an environment where you are provided WiFi (like in a co-working space), we strongly recommend using the free, open-source browser plugin called “HTTPS Everywhere”, which will force the use of HTTPS everywhere possible and make your browsing more secure. This will minimize the very rare but real risk that you will be in unencrypted sessions that can be exploited by adversaries. For even more protection you can run your own hotspot that connects via cell, but we hardly recommend this anymore since well-patched browsers have so much security built in already. That said, cellular speeds are so very high in most parts of the country that you should be able to find a solution that gives you the performance you need while keeping your communications more secure, if you desire this path. This may include buying a hotspot designed to give your office direct connectivity. Notice that we are not recommending a VPN. Some may still use those, but if you have a well-patched system and the very latest Chrome or Firefox and are using the HTTPS Everywhere plugin, then your browser establishes your VPN.
9. Configure your WiFi to be as secure as possible. Larger businesses will have the ability to use the most up-to-date hardware and software and configure WiFi to leverage best practices. For smaller businesses and home offices we recommend leveraging Google WiFi because it provides an easy management interface and a simple way to make sure you are using DNS correctly (see below). We also like using the FingBox to help ensure we know who, and what, is on our network and who might be trying to connect (FingBox may also be of use in some larger organizations, but most large firms will have access to far more capable systems).
10. Configure your DNS to make it harder on the bad guys. There are simple configuration changes you can put in place that will greatly reduce the risk of malicious code and privacy attacks. There are many options for the changes to make to your DNS, but for most we recommend changing your DNS server to 126.96.36.199 (learn more at Quad9.net and see more options and info at: DNS Configuration Tips).
11. Configure your email to make it harder to be spoofed/phished. By using the widely adopted configuration standard called DMARC, you can significantly reduce the chance that your email will be spoofed and your partners or employees tricked because of you. Learn more about DMARC here.
12. Use a password manager for personal passwords, at work and at home, and encourage every employee to do the same. We recommend Dashlane, but other good options include LastPass and 1Password. All three of those have options for business use. A best practice for small business is to use the password manager to make employees’ workflows easier and also give them a license for free use at home. More info, including info you can share with family and friends, is available at this CTOvision review of password managers.
13. Block malicious code. This is easier said than done, but work to put a strategy in place that ensures only approved applications can be installed on your computers, and, even though anti-virus solutions are not comprehensive, ensure you have them in place and keep them up to date. For home users and small businesses, look into Sophos or Norton/Symantec. Both have versions for Mac and Windows. There are many other options; to research them, see test results and reviews at av-test.org.
14. Prepare for the worst. Know what your incident response plan is and make sure it is well documented and reviewed. Ensure it includes notification procedures. Ensure your team is also prepared to respond to “digital swiftboating,” which can come at any time and may involve trolls and haters sponsored by your competitors or even hostile nations. Preparing for incidents means more than just planning. Exercise the plan through realistic, scenario-driven table top exercises.
15. Design your architecture to detect and respond to breach. This means put monitoring in place and also use proper segmentation of your systems so an adversary has a harder time moving around. Monitoring can be hard for any organization, so find a way to leverage cloud services to do that. For smaller organizations, we like the approach of Canary (see canary.tools), which will tell you when bad actors are in your net. For larger organizations we recommend smart network design focused on a zero trust architecture and advanced network control tools like those from Centripetal Networks.
16. Ensure you are able to communicate with others in a way that cannot be monitored by criminals/hackers. This is important in day to day business and urgent in incident response. Our recommendation: Wickr Pro, which will allow secure messaging, secure audio and secure video as well as document exchange.
17. Ensure every employee in the organization knows their role in cyber security. This is NOT just an IT function. Training and awareness are so critically important that you should consider them your first line of defense. There are many firms that can help you execute on this goal in ways contextualized for your business. Contact us for recommendations.
18. Check everything. You need to get in the habit of checking things yourself, but it is also important to have independent assessments done (we would love to help with that!). Organizations can almost always make use of an external “red team” which seeks to replicate your adversaries. This type of assessment is best done by experienced professionals.
For other special reports and country studies see the OODA Network Resources page.