- How hackers and their malware creations successfully attack computers and networks has not changed greatly since the beginning of computers.
- Most organizations could do no better to reduce overall cybersecurity risk than to concentrate far more resources and education on fighting social engineering and phishing.
- Never assume that all end users understand and know something. It is always better to ensure that everyone is knowledgeable and understands.
- Most organizations should concentrate more on better patching, ensuring that 100% of assets are appropriately patched, within 1 week of the patch being released.
- Make sure every software and firmware instance has an accountable PERSON for patching.
- The CISA Known Exploited Vulnerabilities (KEV) Catalog is worth its weight in gold (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). If you’ve got software or firmware on it, get it patched immediately.
- If you are considering multifactor authentication and are able, choose a phishing-resistant variety (https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes).
- The hardest part of a cybersecurity defender’s job is not getting distracted by all the stuff that doesn’t really matter that much.
- That thing that claims to detect those other things 100% of the time will not.
- That thing that claims to be unhackable is not.
- In general, avoid people and companies that make extreme, singular claims.
- Assuming something was done has never been a good strategy.
- A great inventory is harder to produce than it first seems, but will be the base for everything else that follows.
- Don’t worry that much about “crypto weaknesses”. They aren’t how you will be compromised.
- AI will change everything, but improved AI will likely not be why your organization was compromised. It will likely be because of something very basic that was missed.
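Three of the points above (patch every asset within a week, treat the CISA KEV catalog as a must-patch list, and make sure every software instance has an accountable person) become one mechanical check once you have an inventory. The script below is an added example, not code from the original post or from CISA: it matches a constructed inventory against a constructed excerpt in the shape of the KEV JSON feed's `vulnerabilities` entries, flags matches that are older than the 7-day SLA, and flags matches whose asset has no named owner. The CVE ids are placeholders; the feed URL in the comment is an assumption about where the real JSON lives today.

```python
"""Match a software/firmware inventory against a KEV-style feed.

Example code, not from the original post or from CISA. The KEV excerpt and
the inventory are constructed; CVE ids are placeholders, not real identifiers.
The real feed (assumed location) can be loaded with urllib + json from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
from datetime import date, timedelta

PATCH_SLA_DAYS = 7  # "within 1 week of the patch being released"

# Constructed excerpt shaped like entries of the KEV feed's "vulnerabilities" list.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "Gateway Appliance", "dateAdded": "2024-05-01", "dueDate": "2024-05-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "File Server", "dateAdded": "2024-05-10", "dueDate": "2024-05-31"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ThirdCo",
     "product": "Mail Relay", "dateAdded": "2024-04-20", "dueDate": "2024-05-11"},
]

# Constructed inventory: one row per software/firmware instance, with an owner field
# because "every software and firmware instance has an accountable PERSON".
INVENTORY = [
    {"asset": "vpn-edge-01", "vendor": "examplevendor", "product": "gateway  appliance",
     "owner": "n.ops@example.com"},
    {"asset": "file-srv-03", "vendor": "ExampleVendor", "product": "File Server",
     "owner": ""},  # nobody accountable: this is itself a finding
    {"asset": "printer-7", "vendor": "OtherCo", "product": "Printer Firmware",
     "owner": "facilities@example.com"},
]


def normalize(text):
    """Case- and whitespace-insensitive key so 'examplevendor' matches 'ExampleVendor'."""
    return " ".join(text.lower().split())


def kev_matches(inventory, kev):
    """Return one hit per (asset, KEV entry) pair whose vendor and product agree."""
    index = {}
    for entry in kev:
        key = (normalize(entry["vendorProject"]), normalize(entry["product"]))
        index.setdefault(key, []).append(entry)
    hits = []
    for item in inventory:
        key = (normalize(item["vendor"]), normalize(item["product"]))
        for entry in index.get(key, []):
            hits.append({
                "asset": item["asset"],
                "owner": item["owner"].strip(),
                "cveID": entry["cveID"],
                "dateAdded": date.fromisoformat(entry["dateAdded"]),
            })
    return hits


def overdue(hits, today, sla_days=PATCH_SLA_DAYS):
    """Hits whose KEV listing is older than the patch SLA measured from dateAdded."""
    return [h for h in hits if today - h["dateAdded"] > timedelta(days=sla_days)]


def missing_owner(hits):
    """Assets that are on the KEV list but have nobody accountable for patching them."""
    return sorted({h["asset"] for h in hits if not h["owner"]})


def report(inventory, kev, today_iso):
    """Summarise findings; today_iso is an ISO date string so the check is reproducible."""
    today = date.fromisoformat(today_iso)
    hits = kev_matches(inventory, kev)
    return {
        "kev_assets": sorted({h["asset"] for h in hits}),
        "overdue": sorted((h["asset"], h["cveID"]) for h in overdue(hits, today)),
        "no_owner": missing_owner(hits),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY, KEV_SAMPLE, "2024-05-14").items():
        print(f"{key}: {value}")
```

Matching on vendor and product names is deliberately loose (the KEV feed has no CPE or version field), so a hit means "look at this now", not "definitely vulnerable"; the value of the check is that it turns a catalog page into a short, owner-addressed list that the one-week clock can be enforced against.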