Most of these tips are covered by ISO27001 and other similar certifications and i consider it MVP security. You will need to do more today to stay ahead especially if you manage or protect valuable assets. Some tips that come to mind are; manage ingress traffic to your web property with a web application firewall. Setup machine learning to automate blacklist detection and dynamically update blacklists. Use principle of least privilege and role based access to manage users. Protect root accounts with webauthn avoid using them. Setup conditional access control policies to ensure certain roles have more stringent constraints. Mind your dependencies many future exploits will come from dependencies. Partition your pipelines so environments are isolated. Monitor egress traffic if possible. Use VPNs to connect environments but don’t use VPNs if you don’t know how to monitor them (its a complex abstraction and ipsec can be tricky). Once all these technical considerations are in progress consider the developer onboarding process and application connectivity try to implement context segmentation to avoid creating root service and make sire all activities are logged to a monitored aggregator. Look for suspicious activity that can originate in the source. The list goes on and on and on.
>Setup machine learning to automate blacklist detection and dynamically update blacklists.
Is there some good plug and play tool for this or something? Id imagine implementing something like this yourself would take quite a bit of time and know how. Are there non-paid solutions out there?
Sorry it was late past midnight and i did not find anything that could help with a opensource tool like nginx plus modsecurity. However I shared documentation that can help logically identify potential exploits and with nginx plus lua it’s possible this can easily be updated. The OWASP filters are similar. Yes we have done some automation like this many years ago but today we mainly use public cloud WAFs.
There is a typo below "User Management", "It" -> "If".
Yeah, I agree with most of it I think. I use a modified version of "pass" instead of "keepassxc", and I do not have anyone I really trust with pieces of my password. I think having a sentence as your password is the best (very easy to remember, difficult to crack), and you can append random characters to that at the end or wherever. It makes it even better if the sentence is not in English. :)
Thank you for reminding me of QR. There is a tool[1] written in Python that outputs the QR code as ASCII art to the terminal, or to a file as PNG. I will use it more in the future I think. You can get a QR scanner from F-Droid for Android. Be careful of executing "printf 'foo' | qr" though. Hide your processes with "hidepid=2" or something.
Android8 and newer and iOS11 and newer should scan QR codes natively from the default camera app. That _should_ be a fair bit safer than some random QR Code app of unknown provenience...
NIST Cyber Security Framework is the new hotness for enterprise cybersec. Pretty good if you ask me.
This is a nice summary though, for a personal blog. Props to the author for taking the time to put their thoughts out there.
I would emphasize the "threat model" idea whenever you go down a rabbit hole of security. "What kind of bad actors could try to access my network/data, and how hard do I want to protect against it?"
I used to be more paranoid about storing certain data in the cloud. Why would I put my highly encrypted password safe file on my Google Cloud? The NSA could get it!
Listen, if you're being targeted by the nation-state, you have 99 problems. So always balance that usability with reasonable security that aligns with your realistic threat model.
Also, expanding on the threat model is of course understanding why would one be targeted, what is the attacker's goal, and how would they carry out the attack. This will help the defender build layers of proactive and reactive controls specific to the threats and targets identified.
1) check out bitwarden + aegis - both seem popular as another tools
2) Reinstall your linux desktop instead of upgrading once in a while ( remove worms). Make sure you have all updates regularly.
3) When you are developing be careful with libraries - for example pin your versioning in python in the event you get a bad repo
4) use adware blocker to block malware in firefox
5) with keepassxc use the extra file - for security - call it random.mp3 and do not keep it in the cloud even encrypted
6) keep your otp passwords separate
7) use u2f for your main email account - yuibkey or other cheap alternative.
8) explore ssh using yuikey
9) use personal firewall on laptop
10) Use drive encryption for your laptop - backups need to be all encrypted as well
11) Bonus - have separate email account only for password resets that is very hardened and you don't log in regularly. Maybe with 2 different 2 factor auth on it.
12) Bonus 2 - have separate phone number for 2 factor sms authentication that people can't know about - (voip or tosser phone)
I have never actually seen any of these, but my gut reaction reading that was to assume that ISO standards are so slow and committee-driven that they're probably way to far behind current threat models in as fast a moving field as consumer computer security. (Having said that, the low hanging fruit of "Update your software/OS promptly, use strong unique passwords and a password manager, use 2FA where available, use full disk encryption where available." has been valid and relevant advice for well over a decade, so...)
