Cybersecurity · Practical Guides
Tips & Guides.
Practical recommendations drawn from real incidents. Every guide links directly to the case study that proves why it matters.
All Guides
60 guidesNever store passwords with MD5, SHA-1, or SHA-256 — use bcrypt, scrypt, or Argon2
Password hashing is not encryption — it is a one-way function designed to be slow. MD5 and SHA-1 are fast hash functions designed for checksums, not security. A modern GPU can crack billions of MD5 hashes per second. The RockYou breach exposed 32 million passwords in plaintext; the LinkedIn breach exposed 117 million SHA-1 hashes that were cracked within days. Use bcrypt (minimum cost factor 12), scrypt, or Argon2id — purpose-built password hashing functions with tunable slowness. Bcrypt's use in the Slack breach meant their stolen hashes provided negligible value to the attackers despite the database being fully compromised.
Segment OT and ICS networks completely from corporate IT
The 2015 Ukraine power grid attack succeeded because the attackers could reach SCADA industrial control systems from the corporate network they had infiltrated via phishing emails. The Target breach succeeded because POS systems were on the same network segment as a compromised HVAC vendor's access point. Operational technology (OT) and industrial control systems (ICS) must be completely isolated from corporate IT networks with no routable path between them. If monitoring requires connectivity, use unidirectional data diodes. Any device that can read a corporate email must never be able to reach a centrifuge controller, power substation relay, or manufacturing system.
Establish a company policy for what data employees may input into AI tools
Samsung engineers uploaded proprietary semiconductor source code and internal meeting notes to ChatGPT within weeks of the company lifting its AI tool ban. The data was sent to OpenAI's servers and potentially incorporated into training. AI tools that process user input are data processors — all data entered is shared with the vendor under their terms of service. Establish a clear policy before allowing AI tool use: define what data classification levels may be entered (typically public and internal only, never confidential or restricted), use enterprise AI contracts with data opt-out provisions, and implement DLP controls that block submission of certain data patterns to external AI services.
Install mantraps or badge-enforced turnstiles to eliminate tailgating
Training employees to challenge tailgaters helps, but research consistently shows 70–80% of people will hold a secure door open for a stranger who looks like they belong. The only reliable control is a physical barrier that permits exactly one person per badge swipe: a mantrap (an airlock with two doors where the first must close before the second opens) or a badge-enforced turnstile. These are standard in data centres and high-security facilities for exactly this reason. For areas that do not justify the cost of mantraps, tailgate detection sensors that alert security when multiple people pass a single badge read provide monitoring capability.
Pin dependencies to exact versions with hash verification in all production lockfiles
npm install without a lockfile, or pip install without hash verification, installs "latest" — which could be a malicious package that was uploaded minutes ago. The PyPI typosquatting campaigns uploaded hundreds of packages with names nearly identical to popular libraries. Dependency pinning (exact version numbers) prevents automatic upgrades to compromised versions. Hash verification (SHA-256 hashes of each package in the lockfile) ensures the package you install is byte-for-byte identical to what you tested. Use npm ci (instead of npm install) in CI/CD, which enforces lockfile integrity. Use pip install --require-hashes for Python.
Apply least-privilege IAM policies — no wildcard permissions in production
AWS IAM wildcard policies (Action: "*", Resource: "*") are the cloud equivalent of giving every employee a master key to every door. The Capital One breach was enabled by an SSRF vulnerability that allowed the attacker to query the EC2 metadata endpoint and retrieve IAM role credentials — credentials that had far broader permissions than the application needed. The GoDaddy breach used a provisioning system credential to access data across 1.2 million customer accounts. Audit every IAM role for over-broad permissions. Use AWS IAM Access Analyzer or equivalent tools to identify unused permissions. Restrict each role to exactly the S3 buckets, EC2 instances, and services it requires for its specific function.
Treat CVSS 9.0+ vulnerabilities as a 72-hour emergency, not a scheduled task
Equifax's catastrophic breach was caused by a vulnerability that had a published patch available 78 days before attackers exploited it. The Apache Struts vulnerability had a CVSS score of 10.0 — the maximum. At that severity, every day of delay is a calculated risk exposure. Establish a clear policy: CVSS 9.0 and above triggers an emergency patching process with a maximum 72-hour window from discovery to production deployment. Lower severities follow a normal cycle. This distinction alone would have prevented the Equifax breach.
Use hardware security keys for privileged and external-facing accounts
FIDO2/WebAuthn hardware security keys are phishing-proof — they cryptographically bind to the domain you registered them on, so a cloned login page cannot capture the credential. SMS-based two-factor codes can be intercepted via SIM-swapping or forwarded by a victim who receives a fraudulent phone call. The Twilio breach demonstrated exactly this: employees entered SMS codes into a phishing page. Hardware keys like YubiKey make that attack impossible. Deploy them first for all administrators, executives, and anyone with access to production systems or financial controls.
Write and test an incident response runbook before you need it
Organisations that handle breaches well have one thing in common: they had a plan before the attack. Target had a $1.6 million FireEye security system that detected the breach — and ignored the alerts because there was no clear runbook specifying what to do when the alert fired. An IR runbook documents: who is notified (internal and external), who has authority to make decisions, what systems are isolated first, how communications are handled publicly and with regulators, and what evidence is preserved. The runbook must be tested through tabletop exercises at least annually and updated after every significant incident.
Verify wire transfer requests by calling a pre-registered number — never one from the email
Business Email Compromise (BEC) caused more than $3 billion in losses in 2022 alone. Every BEC attack involving a wire transfer succeeded because the victim called back a phone number from the fraudulent email, or did not call back at all. The defence is simple and absolute: any wire transfer request arriving via email must be verified by calling the requestor at a number already in your company directory or phonebook — not a number provided in the email. FACC lost €50 million because no one picked up the phone. Ubiquiti lost $46.7 million for the same reason. A 60-second phone call to a known number prevents these attacks entirely.
Disable legacy protocols that no longer require patches — because they never get them
SMBv1 — the protocol exploited by EternalBlue, WannaCry, and NotPetya — had known vulnerabilities for years before the Shadow Brokers leak made exploitation trivial. Microsoft had provided a patch, but also offered a better solution: disable SMBv1 entirely, since no modern system requires it. The same principle applies to TLS 1.0/1.1, SSLv3, Telnet, and FTP. The safest patch for a protocol that has no legitimate current use is removal. Audit your network for legacy protocol usage and disable any that cannot be justified by a specific named business requirement.
Migrate from SMS and TOTP to phishing-resistant MFA
SMS two-factor authentication is vulnerable to SIM-swapping, SS7 interception, and real-time phishing relay. TOTP (authenticator app) codes are better than SMS but can still be captured on a convincing phishing page. Phishing-resistant MFA — FIDO2 hardware keys or passkeys — cannot be forwarded to an attacker's server because the credential is cryptographically bound to the exact domain. When Cloudflare was targeted by the same 0ktapus campaign that successfully breached Twilio, Cloudflare survived because their employees used hardware keys. Prioritise migration for your highest-value accounts first.
Adopt zero-trust architecture: verify every request regardless of network origin
The SolarWinds attack compromised the trust that internal network location implies authorisation. Once inside a network via a malicious software update, the attackers moved freely because internal systems implicitly trusted each other. Zero-trust architecture removes that assumption: every request, regardless of whether it originates from inside or outside the network perimeter, must be authenticated, authorised, and continuously validated. Implement micro-segmentation, require MFA for all internal application access, enforce device health checks before granting access, and log all east-west traffic.
Encrypt sensitive metadata, not just content — URLs and filenames reveal as much as files
LastPass stored encrypted vault content but kept the URLs of websites in each entry as unencrypted metadata. When their vault database was stolen, attackers immediately had a map of every service each user had an account with — extremely valuable for targeted attacks. Encrypt all metadata associated with sensitive data: not just file contents but filenames, access timestamps, record labels, and category information. In database design, consider whether column names themselves reveal information about the data they contain. End-to-end encrypted systems that leak metadata provide much weaker guarantees than their encryption implies.
Require out-of-band identity verification before any MFA reset or privilege escalation
The MGM Resorts breach and the Caesars Entertainment breach both began the same way: a caller to the IT helpdesk provided an employee's name (found on LinkedIn) and convinced the operator to reset MFA credentials over a phone call. With MFA reset, the attacker had full account access. Any request to reset MFA, change recovery methods, or grant elevated privileges must require verification through a separate, independent channel — a video call where the employee displays their physical badge, a manager confirmation via internal ticketing, or a physical visit to the help desk. The single phone call channel is broken by design.
Establish a breach notification timeline before a breach occurs — not during one
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. US state breach notification laws require notification within 30–72 hours in many states. Equifax waited 40 days after confirming their breach before public disclosure. Uber concealed their breach for 13 months. Both paid enormous financial and reputational penalties for the delay. Know your notification obligations before an incident: which regulators must be notified, within what timeframe, what information must be included, and who in your legal team has authority to approve the notification. Draft template notifications in advance.
Block public access on S3 buckets at the account level, not just the bucket level
Misconfigured S3 buckets containing sensitive data have been a consistent cloud security failure for a decade. The fix exists: AWS S3 Block Public Access can be enforced at the account level, preventing any bucket in the account from ever being made public regardless of bucket-level settings. Enable Block Public Access at the organisation level in AWS Organizations SCPs. For buckets that legitimately need public access (static website hosting), require explicit approval and documentation. Audit all existing buckets for public access using AWS Config rules. Capital One's breach involved a misconfigured WAF role that could list and access S3 buckets — public access controls would not have stopped it, but defence in depth would have.
Pin GitHub Actions to specific commit SHAs, never to floating version tags
GitHub Actions version tags (uses: actions/checkout@v4) are mutable — the action maintainer can change what v4 points to at any time, or have their account compromised. The tj-actions breach demonstrated this: a compromised action was immediately applied to all 23,000 repositories using it via floating tag. Pin actions to the specific commit SHA that you have reviewed (uses: actions/checkout@abc123def456). The full SHA is immutable — it cannot be changed retroactively. Use a tool like Dependabot or Renovate to open pull requests when pinned SHA versions need updating, giving you review control.
Disable USB mass storage on all corporate workstations via Group Policy or MDM
The FIN7 criminal group mailed BadUSB drives disguised as Amazon packages and Best Buy gift cards to hotel and restaurant employees. 45% of people plug in USB drives they find — even when they know they should not. BadUSB devices emulate keyboards and automatically type commands; they bypass all file-based antivirus scanning because they deliver no files. Disable USB mass storage on all corporate workstations via Group Policy (Windows) or MDM profiles (macOS/Linux). If USB access is required for legitimate use cases, use endpoint security tools that allow USB device whitelisting by hardware ID rather than disabling USB entirely.
Do not rely on voice recognition for financial authorisation — any voice can be cloned
AI voice synthesis has surpassed the quality threshold for telephone fraud. The first documented AI voice clone fraud transferred €220,000 in 2019. Garmin's CEO, financial executives at multiple Fortune 500 companies, and even LastPass's CEO have had their voices cloned for fraud attempts. For any financial transaction, the voice heard on a phone call is no longer sufficient authorisation. Require independent channel verification (a separate text or email from a known internal system, a coded authorisation number from your financial controls platform) for any wire transfer, regardless of whether the requesting voice sounds exactly like your CEO.
Implement Subresource Integrity for all externally hosted JavaScript
Subresource Integrity (SRI) is an HTML attribute that locks a script tag to a specific cryptographic hash of the file — if the CDN serves a modified version, the browser refuses to execute it. The polyfill.io CDN hijack in 2024 served malicious JavaScript to 100,000 websites because none of them had SRI hashes on their polyfill script tags. A single attribute (<script src="..." integrity="sha384-..."> ) would have protected every affected website. Apply SRI hashes to every externally-loaded JavaScript and CSS file. Self-host critical JavaScript dependencies where possible.
Treat your build environment as production — harden it with the same controls
The CCleaner backdoor, the 3CX supply chain attack, and the ASUS ShadowHammer operation all shared the same root cause: attackers compromised the build server or developer machine that compiled the final software. The build environment is where your trusted code signing happens, where clean source becomes signed binaries. Harden build servers: restrict access to the minimum set of people, use ephemeral build environments that are destroyed after each build, require MFA for all access, enable audit logging, and isolate build networks from general corporate networks. A compromise of your build environment is a compromise of every piece of software you ship.
Enforce a 90-day audit of all service accounts and shared credentials
Dormant accounts and over-privileged service credentials are a persistent attack surface. The Colonial Pipeline VPN credential that enabled the ransomware attack belonged to an account that was no longer actively used but had never been deactivated. Run a quarterly audit of all service accounts, API keys, and shared credentials. Deactivate anything unused for 30 days. Remove permissions that are broader than the account's stated purpose. Document every service account's owner, purpose, and expiry date.
Train employees that urgency plus unusual channel is a red flag, not a reason to act faster
Virtually every social engineering attack combines two elements: urgency ("this is time-sensitive, act now") and an unusual communication channel ("my CEO emailed me on WhatsApp"). The urgency is designed to short-circuit the instinct to pause and verify. The unusual channel is used because the legitimate channel would fail verification checks. Train employees to treat these two signals as reasons to slow down and verify, not to act faster. The LastPass employee who received AI-cloned audio of their CEO's voice via WhatsApp correctly identified it as suspicious because it came through an unofficial channel with unusual urgency — and reported it rather than complying.
Place IoT and smart devices on isolated VLANs with no access to production systems
An internet-connected fish tank thermometer at a casino served as the entry point for attackers who reached the high-roller customer database. The thermometer was on the corporate network with a routable path to internal systems. Every IoT device — smart TVs, HVAC controllers, IP cameras, building management systems, even fish tank sensors — must be on a dedicated VLAN that has no access to any system containing sensitive data. The VLAN should permit only the specific outbound internet traffic the device requires for its function. Treat every IoT device as untrusted by default.
Run a continuous asset inventory — you cannot patch what you do not know exists
One of the most common root causes of successful vulnerability exploitation is an unmanaged, forgotten system that never received patches. The Equifax breach involved an application that security teams did not know was internet-facing. The Fortinet VPN zero-days were exploited on appliances that network teams had lost track of. A continuously updated asset inventory — covering servers, virtual machines, cloud instances, network appliances, and containers — is the foundation of any patch programme. Scan your network weekly for new assets. Any new internet-facing asset must be tracked and added to the patch programme before deployment.
Maintain an offline, isolated backup of Active Directory
Active Directory is the single most critical system in most Windows enterprise environments — it controls authentication for every user, every server, and every service. NotPetya encrypted every domain controller at Maersk simultaneously, making recovery impossible without an offline backup. Maersk found one domain controller in Ghana that had been powered off during a power cut — it was flown to the UK and used to rebuild the entire domain. You should not rely on a power cut in Ghana. Maintain at least one offline, network-isolated backup of Active Directory that is physically separate from your main environment and restored to a known-good state at least monthly.
Implement a clean desk policy and lock unattended screens automatically
A physical intruder who reaches an unlocked workstation has the same access as the authenticated user who left it. During Kevin Mitnick's penetration operations, unlocked terminals, discarded printouts, and papers left on desks were as valuable as any technical exploit. Implement: automatic screen lock after 5 minutes of inactivity (enforce via Group Policy/MDM), required badge-out to lock desks when leaving them, a prohibition on leaving sensitive documents visible on desks, and locked cabinets for paper records. Clean desk audits — periodic unannounced checks of workstation and desk areas — measure compliance without being punitive.
Treat grammatically perfect emails as potential AI-generated phishing
For decades, poor grammar and spelling were reliable indicators of phishing emails. WormGPT, FraudGPT, and general-purpose LLMs have eliminated this signal. AI-generated phishing emails are indistinguishable from legitimate emails by grammar alone. Train employees that the absence of spelling mistakes is no longer a safety signal. Shift phishing recognition training to focus on: unexpected requests (even in well-written emails), urgency combined with an unusual ask, mismatched sender domains (visible in email headers), and links that do not go to the expected domain. Technical controls — DMARC, email authentication, URL scanning — become more important as human detection degrades.
Use short-lived credentials via OIDC for CI/CD pipelines instead of long-lived secrets
Long-lived AWS access keys, GitHub personal access tokens, and API secrets stored in CI/CD environment variables are stolen regularly. The Codecov bash uploader attack harvested environment variables from thousands of build pipelines. The GitHub/Heroku OAuth token theft gave attackers access to private repositories. OpenID Connect (OIDC) enables CI/CD systems to request short-lived, scoped credentials from AWS, GCP, and Azure for each specific pipeline run — with no static secret stored anywhere. A stolen OIDC token is valid for minutes, not months. GitHub Actions, CircleCI, and most major CI platforms support OIDC-based credential exchange.
Enable CloudTrail, VPC Flow Logs, and GuardDuty as a minimum baseline
You cannot detect or investigate a cloud breach without logging. The three minimum logging controls in AWS are: CloudTrail (API call audit log — who did what, when, from where), VPC Flow Logs (network connection records — which IPs connected to which IPs), and GuardDuty (threat detection service that analyses CloudTrail and flow logs for anomalies). These three together provide the visibility needed to detect credential misuse, unusual API calls, and lateral movement. Enable them in every account in your AWS Organization from day one. Store CloudTrail logs in a separate security account that production accounts cannot delete.
Generate and publish a Software Bill of Materials (SBOM) for every release
A Software Bill of Materials (SBOM) is a machine-readable inventory of every component in your software: libraries, frameworks, direct and transitive dependencies. When a new vulnerability is disclosed (Log4Shell, Spring4Shell, Heartbleed), an SBOM lets you answer "are we affected?" in minutes rather than days of manual code archaeology. The White House Executive Order 14028 requires SBOMs for software sold to the US federal government. Generate SBOMs using Syft, CycloneDX, or SPDX tools as part of your build pipeline. Store them alongside each release artifact. Subscribe to CVE feeds and cross-reference against your SBOM inventory automatically.
Prioritise patching internet-facing systems first, then internal systems
Not all systems carry equal risk. An internet-facing web application, VPN concentrator, email server, or API gateway can be exploited by anyone on the internet without prior access. Internal systems require the attacker to already be on your network. Apply patches to externally exposed systems first, within your 72-hour window for critical vulnerabilities. The Exchange ProxyLogon vulnerabilities were exploited by 10 separate threat actors within 24 hours of the patch being released — the gap between patch availability and deployment on internet-facing Exchange servers was measured in hours, not days.
Review all AI-suggested code for hardcoded credentials before committing
GitHub Copilot and other AI code assistants can suggest real credentials from their training data — API keys, passwords, and tokens from public repositories that were used to train the model. Security researchers demonstrated that Copilot would suggest valid AWS keys when writing code that declared an AWS client. Review every AI-generated code suggestion before committing. Use pre-commit hooks that scan for secrets patterns (git-secrets, truffleHog, Gitleaks) as a safety net. Never assume that because a credential appears in an AI suggestion, it is a placeholder — verify explicitly.
Verify the identity of anyone claiming to service hardware — call their employer directly
ATM jackpotting attacks involve criminals dressing as ATM technicians to open ATM cabinets. The NSA TAO hardware interdiction involved intercepting Cisco equipment in transit and resealing packages. FIN7 mailed USB drives in Amazon packaging. Physical security of hardware requires verifying the identity of anyone who physically touches infrastructure equipment. Before allowing anyone access to a server room, network closet, or ATM cabinet, call the organisation they claim to represent using a phone number from your own records — not a number they provide. Require government-issued ID and a work order that you can verify.
Implement credential stuffing detection on all login endpoints
Credential stuffing — using leaked username-password pairs from other breaches to log into your service — is automated, cheap, and devastatingly effective when users reuse passwords. 23andMe's 2023 breach, which exposed genetic ancestry data, was entirely credential stuffing: no vulnerability was exploited. Defences include: rate limiting login attempts per IP and per account, CAPTCHA after N failures, monitoring for login attempts with credentials appearing in breach databases (Have I Been Pwned Enterprise API), and blocking known Tor and VPN exit node IPs for login requests.
Do not use bug bounty programmes to pay extortion — it is illegal
Uber's security team paid $100,000 to the attackers who stole 57 million user records by routing the payment through their HackerOne bug bounty programme, falsely classified as a legitimate vulnerability report. The payment was intended to conceal the breach. The CSO who authorized this was convicted of obstruction of justice and sentenced to three years of probation. Bug bounty payments to attackers who have already stolen data constitute obstruction of a federal investigation. If you receive an extortion demand, contact your legal team and law enforcement immediately. Never use a bug bounty platform to pay a criminal — it does not legitimise the payment.
Conduct quarterly phishing simulations with immediate personalised coaching
Phishing simulations that simply report click rates produce marginal improvement. The most effective programmes deliver immediate, personalised coaching at the moment of failure: when an employee clicks a simulated phishing link, they see an explanation of what they missed and why it was deceptive. Studies show that this just-in-time training reduces repeat click rates by 50–70% compared to annual awareness videos. Simulate a range of attack types: credential harvesting pages, malicious attachments, BEC requests, and SMS phishing. Include AI-generated phishing emails that are grammatically perfect, since poor spelling is no longer a reliable indicator.
Classify data before storing it — you cannot protect what you have not categorised
The Equifax breach was catastrophic partly because Equifax had accumulated sensitive data on hundreds of millions of people who never chose to interact with them — Social Security numbers, birth dates, and financial histories — without a clear retention policy. Data classification assigns sensitivity levels (public, internal, confidential, restricted) and triggers corresponding controls: encryption requirements, access logging, retention limits, and disposal procedures. Before storing any data, ask: what is it, how sensitive is it, who needs it, and when can we delete it? Only store what you genuinely need, encrypted appropriately for its classification.
Monitor DNS traffic — it reveals command-and-control, data exfiltration, and lateral movement
DNS is one of the most information-rich network signals available. Command-and-control malware uses DNS to communicate with its operators. Data exfiltration can be encoded in DNS queries. Lateral movement generates characteristic DNS lookup patterns. Many organisations monitor HTTP traffic but leave DNS unmonitored. Deploy DNS security services (Cisco Umbrella, Cloudflare Gateway, or a self-hosted resolver with logging) and configure alerts for: newly registered domains, unusual query volumes, queries for domains with high entropy names (DGA indicators), and DNS-over-HTTPS to unexpected resolvers.
Block the EC2 metadata endpoint for workloads that do not require it
The EC2 Instance Metadata Service (IMDS) endpoint at 169.254.169.254 returns IAM role credentials to any process running on an EC2 instance that can make an HTTP request — including web application code exploited via SSRF (Server-Side Request Forgery). Capital One's breach exploited exactly this: an SSRF vulnerability in a WAF allowed the attacker to query the metadata endpoint and retrieve credentials. IMDSv2 requires a session token obtained through a PUT request, which SSRF attacks cannot easily forge. Enforce IMDSv2 on all EC2 instances using the instance metadata options. For containers, apply iptables rules to block access to 169.254.169.254 from container network namespaces.
Physically destroy hard drives and storage media — deletion is not destruction
Deleting files or formatting a drive does not erase the underlying data — it removes the index entry pointing to it. The data remains on the disk and is trivially recoverable with free tools. For any drive, SSD, USB stick, or backup tape containing sensitive data, physical destruction (shredding, degaussing, or certified destruction service) is the only reliable disposal method. The same principle applies to paper documents: cross-cut shredding at the minimum, secure shredding services for higher-sensitivity material. Organisations audited for dumpster diving regularly find intact personnel files, credit card statements, and medical records.
Establish a company-wide code word for verifying unusual executive requests
AI voice cloning and deepfake audio have reached quality where a CEO's voice on a phone call is no longer a reliable identity signal. The first documented AI voice clone fraud transferred €220,000 because the recipient trusted the voice. Establish a company-wide protocol for any unusual financial or sensitive request: a pre-agreed code word or phrase that is changed monthly and distributed only through internal secure channels. Any request from a senior executive that does not include the current code word — regardless of how the voice sounds or how urgent the matter seems — requires independent verification before action.
Retain an IR firm on retainer before a breach, not after
Organisations that retain an incident response firm before a breach begin their response within hours. Organisations that call a firm for the first time during an active breach spend 24–72 hours on procurement, contract signing, and onboarding before any work begins. IR retainers are relatively inexpensive compared to the cost they save during an incident. They include pre-agreed terms, pre-positioned resources, and the ability for the firm to begin work immediately when called. Major firms (Mandiant, CrowdStrike, Palo Alto Unit 42) offer retainer arrangements at various price points. The retainer also typically includes proactive threat hunting and tabletop exercise services.
Rotate all secrets immediately after any employee departure from a privileged role
When a privileged employee — sysadmin, developer, DevOps engineer — leaves your organisation, all shared secrets and credentials they had access to must be rotated immediately. The Cisco insider who deleted 456 WebEx virtual machines did so five months after resignation using credentials that had never been revoked. Maintain an offboarding checklist that includes: deactivating SSO accounts, revoking SSH keys, rotating shared infrastructure passwords and API keys, and auditing any cloud IAM roles the employee had assumed. Automate this process where possible.
Vet open source package maintainer changes before accepting dependency updates
The EventStream npm backdoor was introduced after a malicious actor successfully requested — and received — maintainer rights to a popular package from its overworked original author. The XZ Utils backdoor took two years of patient contribution before the attacker achieved the commit access needed. Review who maintains the packages you depend on. Monitor for ownership changes in critical dependencies (Snyk, Socket.dev, and Deps.dev track these). Be especially cautious about packages that recently changed maintainers or had a sudden increase in contributions. The XZ Utils attack involved manufactured community pressure to push the original maintainer into granting access.
Add video call verification for high-risk identity scenarios — deepfakes can pass audio-only checks
AI voice cloning passes telephone and audio-only verification. Deepfake video is advancing rapidly and can fool video calls under certain conditions. For the highest-risk identity scenarios — executive approval for large wire transfers, contractor onboarding with system access, MFA reset for privileged accounts — require a video call where the individual physically holds a company-issued badge next to their face. Current deepfake video technology struggles to render highly specific, real-time items accurately. Combine with a live action challenge: ask the person to perform a specific physical action (show a specific finger count, write a code word on paper) that a pre-recorded deepfake cannot anticipate.
Treat physical security and cybersecurity as one discipline, not two
A physical intruder who reaches a networked terminal has bypassed all your digital access controls. A cyber attacker who needs to install a hardware implant (as NSA TAO did with Cisco routers) must overcome physical security first. The Stuxnet weapon crossed an air gap via a USB drive — a physical act. Verkada's camera breach exposed live footage inside Tesla, Cloudflare, and schools because a super-admin credential stored on the public internet could reach every camera simultaneously. Physical and cyber security teams must share threat models, incident response processes, and access control policies. A camera system is a cyber attack surface, not just a physical one.
Use multiple DNS providers simultaneously to eliminate single points of failure
The Dyn DDoS attack in 2016 knocked Twitter, Netflix, Reddit, GitHub, and hundreds of other major services offline for most of a day — because they all relied on Dyn as their sole DNS provider. When Dyn's infrastructure was overwhelmed, those domains became unreachable for anyone using an unaware resolver. Configure your authoritative DNS with at least two independent providers simultaneously. Both Cloudflare and AWS Route 53, for example, offer distinct infrastructure and BGP paths. Traffic will route to whichever provider responds first, ensuring availability if one is attacked.
After patching authentication vulnerabilities, invalidate all active sessions
Patching a vulnerability is not the end of the incident. Citrix Bleed (CVE-2023-4966) allowed attackers to steal valid session tokens from Citrix ADC appliances. Many organisations patched promptly — but did not terminate active sessions, leaving the already-stolen tokens valid and usable. The advisory from CISA and FBI explicitly warned about this, but many organisations missed the step. After any patch for an authentication, session management, or access control vulnerability, invalidate all active sessions and require re-authentication. This applies to web applications, VPNs, and cloud consoles.
Be transparent during an incident — livestream the database deletion if you must
GitLab's response to accidentally deleting 300GB of production database data included a public live Google Doc updating in real time, and a YouTube livestream showing engineers working through recovery. The security and engineering community widely praised this transparency despite the embarrassing circumstances. LastPass's changing story — from "no customer data accessed" to "encrypted vaults stolen" over three months — destroyed trust more than a single comprehensive disclosure would have. Transparent, timely disclosure during an incident maintains trust, enables affected parties to take protective action, and demonstrates organisational integrity. Brief stakeholders early and update them regularly, even when the picture is incomplete.
Check your children's credit reports annually — their SSNs are prime synthetic identity targets
Children's Social Security numbers are particularly valuable for synthetic identity fraud because they have no credit history — meaning a fraudster can build a credit profile from scratch using the real SSN with a completely fabricated name and birthday. The mismatch between the SSN's issue date and the claimed age takes years to surface in credit bureau algorithms. AI-powered operations can manage thousands of synthetic identities simultaneously. Request a credit freeze for your children's SSNs at all three major bureaus (Experian, Equifax, TransUnion) — it is free, does not affect their future credit, and blocks the SSN from being used to open new credit accounts.
Test patches in staging, but do not let testing be a reason to delay production deployment
Patch testing exists to prevent broken production deployments — not to create a delay buffer. Security teams frequently report that patches are held in "testing" for weeks or months, negating the purpose of having a patch cycle. The WannaCry attack exploited EternalBlue — a vulnerability Microsoft had patched two months earlier. Most organisations that were hit had been holding the patch in their testing process. Establish a maximum testing window: 72 hours for critical patches. If a critical patch cannot complete testing in that window, deploy it with a rollback plan rather than waiting for testing to complete.
Implement and monitor egress filtering — outbound traffic controls detect exfiltration
Most network security focuses on blocking inbound connections. Egress filtering — controlling and monitoring outbound connections — is equally important and frequently neglected. The Codecov bash uploader attack sent CI/CD secrets to an attacker-controlled server via HTTP. The CCleaner backdoor sent system data outbound via standard ports. Without egress filtering, any process on any machine can establish outbound connections to any address. Implement explicit allow-listing for outbound traffic from sensitive systems, log all egress connections, and alert on connections to newly registered domains or unexpected geographic regions.
Protect W-2 forms and employee personal data from email-based requests
W-2 BEC attacks specifically target HR and payroll staff with emails impersonating executives requesting "a copy of all employee W-2 forms." The forms contain every employee's Social Security number and income data — sufficient to file fraudulent tax returns on their behalf. These attacks peak in January–April before the US tax season. The defence: establish a policy that W-2 data, payroll records, and employee SSNs are never transmitted via email regardless of who requests them. Any such request must be fulfilled through an internal HR system with audit logging, never as an email attachment.
Require MFA for all cloud console access — delete root API keys immediately
AWS root account credentials with no MFA are a single compromised email away from complete account loss. The AWS root account should never be used for day-to-day operations, should have a hardware MFA token attached, and its access keys should be deleted entirely. All IAM users with console access require MFA. Enforce this with an IAM policy that denies all actions unless MFA is present. The Snowflake credential theft campaign in 2024 targeted cloud platform accounts where MFA was not enforced — attackers used credentials obtained from infostealer malware to log in to cloud consoles directly.
Back up data with the 3-2-1 rule and verify restores quarterly
Three copies, two different media types, one offsite. The GitLab database deletion incident had five backup methods — all of which failed, for different reasons. The WannaCry and NotPetya ransomware attacks encrypted backup drives that were mounted to infected systems. Backups that have never been tested for restoration are theoretical, not operational. The GitLab incident demonstrated this: several backup systems that seemed healthy had silently failed months earlier. Test restoration of a full system backup quarterly. Store at least one backup copy offline (not mounted, not accessible over the network) to protect against ransomware.
Audit and revoke unused vendor and third-party access quarterly
Third-party and vendor access that outlives its original purpose becomes a persistent attack surface. The Axie Infinity Ronin bridge hack succeeded partly because a temporary access grant to a third-party validator had never been revoked after the high-traffic period that justified it. The Target breach began via a credential stolen from an HVAC vendor with network access. Maintain a registry of all third-party systems and vendor accounts that have access to your environment. Review each one quarterly: does this access still serve a current business purpose? If not, revoke it immediately. Treat "temporary" access as having an automatic expiry date.
Treat OAuth token scopes as a security boundary, not a convenience setting
OAuth tokens with broad scopes are high-value targets. When Heroku and Travis CI OAuth tokens were stolen in 2022, they had been granted full repository access to every GitHub user who had installed those integrations — enabling bulk cloning of private code. Restrict OAuth app scopes to the minimum required. Prefer short-lived tokens via OIDC over long-lived OAuth tokens for CI/CD integrations. Conduct quarterly audits of all OAuth apps connected to your GitHub, Google Workspace, or other identity provider and revoke unused apps immediately.
Conduct an annual physical penetration test of your offices and data centre
Organisations that conduct regular network penetration tests often have no equivalent programme for physical security. Physical penetration testing — engaging a firm to attempt tailgating, impersonation, dumpster diving, and device planting at your facilities — reveals gaps that policy and awareness training cannot surface. Professional physical pentesters routinely succeed in entering secure areas, planting rogue network devices, and photographing sensitive materials. The results directly inform where physical controls need investment. At minimum, conduct an annual physical security assessment of your primary office, data centre, and any facility that houses network equipment.
See the incidents behind these guides
Every recommendation is grounded in a real breach.