Cybersecurity Checklist: Essential Actions to Protect Your Organization

October 24, 2024 · 10 min read
Table of Contents
Cybersecurity is a difficult task, even for the largest enterprises. It can feel overwhelming for small and medium businesses (SMBs). Faced with few, if any, security workers on staff and a landscape of security threats that are constantly getting worse, it may appear impossible. However, this does not have to be the case. Companies can start with basic security measures that can provide a tangible improvement in their defense mechanisms without requiring extensive resources or expertise.
As part of Cybersecurity Awareness Month, Probely has created a checklist to help with this effort. It outlines basic but critical steps to significantly enhance an organization’s security posture. While not exhaustive, this checklist provides actionable measures that can be quickly implemented, giving companies a much-needed head start in the race against cyber threats.
Network Security Dos
1. Segment Your Network: If an attacker gains entry to your network, they can relentlessly jump to all attached devices. This access can be limited by dividing the network into segments, reducing the spread of an attack or malware infection.
2. Implement Firewalls: Implementing a firewall forms a good first line of defense to control network traffic based on security rules and makes it harder for attackers to access connected devices directly.
3. Regularly Update Routers and Switches: The latest firmware and software on network devices helps reduce known vulnerabilities, making your organization harder to attack.
4. Use VPNs for Remote Access: Rather than trusting random remote connection software from the Internet, use trusted virtual private network solutions (VPNs) to allow them to connect securely to your network.
5. Secure Wireless Access Points: Much like in a coffee shop where network traffic is unencrypted, this data can be easily intercepted, even at your business. Using strong encryption such as WPA3, if available, and hiding SSIDs will significantly improve WiFi security with minimal effort.
Network Security Don’ts
1. Don’t Leave Default Configurations: Always change default usernames, passwords, and network device and software settings.
2. Don’t Neglect Physical Security: It’s easy to overlook, but basic physical security can protect your network. In many cases, gaining in-depth network access is as easy as plugging in a USB, so securing your hardware against physical access is a must.
3. Don’t Use Weak Encryption: Legacy encryption like WEP is trivially easy to decrypt, making your WiFi networks as vulnerable as if you had no encryption.
4. Don’t Ignore End-Point Security: Any device connecting to the network increases your attack surface, so it needs to be secured and compliant with company policies.
5. Don’t Use Unsecured IoT Devices: IoT devices perform a lot of functions, such as access control or environmental management. However, many rarely get updates or have limited security features; isolating them on the network reduces the risk of them becoming entry points in an attack.
AppSec Dos
1. Implement Secure Coding Practices: Many industry-vetted best practices, such as the OWASP Top 10, set a solid baseline to help developers write secure code from the start.
2. Conduct Regular Security Testing: Including testing tools such as static application security testing (SAST) and dynamic application security testing (DAST) helps teams identify and eliminate vulnerabilities well before release.
3. Use Authentication and Authorization Controls: Strong authentication mechanisms like OAuth and proper authorization checks throughout the application make it harder for attackers to subvert the software.
4. Manage Dependencies Carefully: Third-party libraries and dependencies add their own vulnerabilities to your software. By regularly updating and auditing them, this risk can be reduced.
5. Adopt a DevSecOps Approach: Planning security into the software development lifecycle (SDLC) from the start addresses vulnerabilities early and efficiently, saving cost long-term.
AppSec Don’ts
1. Don’t Store Sensitive Data Unnecessarily: Storing unnecessary data, especially sensitive data, makes you a bigger target for attackers and increases the impact if a breach occurs.
2. Don’t Expose Detailed Error Information: Detailed error messages can contain hints about what software and libraries are running, giving threat actors a leg up in an attack.
3. Don’t Forget to Limit User Inputs: Many of the easiest attacks against software use the inputs provided. Restricting users to limited acceptable values prevents many common attacks, such as SQL injections.
4. Don’t Overlook API Security: APIs are direct communication channels to your applications, making them major targets, but proper authentication, rate limiting, and data validation can make them harder to abuse.
5. Don’t Neglect Regular Code Reviews: Automated tools are extremely valuable for catching vulnerabilities, but they are not perfect, and periodic code reviews help catch bugs these tools might miss.
Account Security Dos
1. Secure Password Management: Complex passwords over 12 characters with a mix of letters, numbers, and special characters make it hard for attackers to guess or brute force a password. This is made even more secure by periodically changing them, especially when a security breach is suspected.
2. Enable Multi-Factor Authentication (MFA): To make it even harder for attackers, MFA adds another hurdle for them to overcome, such as a validation from a phone app or secret mailed to your email. Without this factor, even if they have stolen the password, they are locked out.
3. Use a Password Manager: These applications help users by securely storing the complex passwords we made earlier, so there is no need to ever write it down or store it in an insecure location like an email or text file that could be compromised. So instead of having to remember dozens of secure passwords, they only need the one to their password manager (which hopefully has MFA enabled).
4. Educate About Phishing Attacks: Knowledge is power. Knowing how the tactics used by cybercriminals for phishing makes it easier to recognize suspicious emails, messages, and websites. This information helps users avoid becoming victims, even if they are targeted.
5. Log Out After Use: While it's easy to stay logged into a computer forever and avoid having to waste time logging in, the fact is, it's insecure. Cybercriminals can hijack these existing logins, especially from public or shared computers. By logging out, they make their job all the harder.
Account Security Don’ts
1. Don’t Reuse Passwords: Attackers know that passwords, especially secure ones, are hard to remember and that users re-use them in multiple places because of this. Cybercriminals often try passwords from one breach in other places, hoping to find them being re-used. Password managers help prevent this, allowing you to have unique passwords on every site and preventing these attacks.
2. Don’t Share Your Credentials: Keeping account information secret is necessary for keeping attackers out. When you share your login details, even with a trusted friend, you risk it being intercepted or misused.
3. Don’t Click on Suspicious Links: Attackers use suspicious links in unsolicited emails or messages to trick users into going to phishing sites. These sites are convincing and use deception to trick users into accidentally turning over sensitive data like passwords or downloading malware.
4. Don’t Use Easy-to-Guess Security Questions: Many password resets rely on security questions that should only be known by the user. However, many of these questions can easily be guessed through social media or public information, such as the city of your birth or your mother’s maiden name. When adding these questions for security, make them truly hard to guess.
5. Don’t Ignore Security Alerts: With all of the daily emails and messages users get, it's easy to overlook security alerts. These messages are important and may indicate a compromise. When they arrive, it is important to take immediate action, however, not by clicking on any link provided, which might be a phishing attempt. Instead, go to the site the alert came from using a trusted link such as a search engine to verify for yourself whether the alert is real.
Improving Your AppSec Posture
Most tech-savvy users can take many of these security steps on their own. For application security, having the right tools can make all the difference in delivering a secure application or deploying a target. Probely can help your organization build security into its development pipeline, detecting vulnerabilities from the start.
Probely is more than just security testing. It is also a non-intrusive asset discovery tool that seamlessly integrates into existing IT systems. Probely leverages sophisticated scanning technologies that quietly work in the background, ensuring normal operations remain unaffected. This is especially important for many organizations, where even minor interruptions can cause major repercussions.
Probely identifies an organization’s public-facing digital assets, such as public APIs, web applications, and online services, which are critical vulnerabilities since they are accessible from the internet. Probely scans and catalogs these assets, ensuring that all potential cyberattack entry points, including often overlooked unknown and shadow IT components, are secured. This comprehensive approach highlights hidden elements of the attack surface and enables organizations to implement more effective security measures, significantly reducing the risk of breaches.
Schedule a demo today to see how Probely can help your organization uncover its true software security posture.