I couldn't put my finger on what was nagging at me the last few months. When I finally sorted it out, it was the realization that most computer security advice is an absolute waste of time -- and most of what isn't is barely useful.
Even I'm guilty. Statements I've spouted in the past, like using long and complex passwords or hardening your computer system, don't really deliver much value. Disable weak password hashes? That was good advice 15 years ago. Use an up-to-date antivirus program? If that worked, we would have solved the problem decades ago.
When I look at the data of how people and computers are compromised, those previous recommendations didn't effectively address the attack vectors that make malicious hackers so successful. Instead of giving you dozens to hundreds of truly ineffective recommendations, I'm going to give you a few basic defenses that really work.
Forget every piece of past computer security advice you've ever read -- even from me. This is the real deal. Everything else is wasted cycles.
Patch the most popular software first
Bank robbers rob banks because that's where the money is. Malicious hackers and malware concentrate on exploiting the most popular programs because those are the ones most likely to be on the computers they want to compromise.
If you look at how most computers are compromised, it's through unpatched software. Usually, the exploited unpatched software is the popular software used by everyone. Today, client-side, Oracle Java leads the pack, followed by Adobe Flash and Acrobat Reader. Server-side it's unpatched admin or remote access tools. The most popular programs change over time. What doesn't change is that those programs are the ones most often exploited.
You're going to get far more bang for your buck by patching the most commonly exploited programs and doing that perfectly than patching almost all of your programs with less rigor (which is the case in most organizations). If you can't patch or mitigate the most exploited programs, the rest of your efforts aren't worth much.
Don't get socially engineered
Social engineering is a fancy name for a con, accomplished over the phone, via email, or on the Web, where the con artist manages to extract some vital piece of information or convince the victim to install malware. The only way to guard against social engineering is to keep your user training up to date to combat the most prevalent threats, which most companies fail to do.
Test your employees, and if you can successfully socially engineer them, do a better job at education. If you have an excellent user education program and employees still fail the test, redouble your efforts.
Make sure your user education material tells people they're more likely to be exploited by trusted websites than by strange or new websites. Tell users not to be tricked into installing new programs. Let them know that popular free software is often full of unwanted programs and malware (you can't even trust CNET's Download.com).
Two-factor authentication has its benefits
Although the security of 2FA (two-factor authentication) is often oversold, its effectiveness often depends on which risks you think you're mitigating. For example, 2FA can't stop most of today's APTs (advanced persistent threats) once they have full control of your PC -- but 2FA is great at preventing phishing attacks (which often precede the ultimate compromise).
If you can be strict enough to allow only 2FA when users log on to company resources, then there's no logon name and password combination to steal. When the fake phishing email arrives asking for the user's logon credentials -- sorry, bad guy, you're out of luck. This works well only if you use 2FA everywhere on the corporate network and never fall back to a logon name and password for some websites.
Don't use the same passwords across systems or websites
After phishing, the most common way hackers obtain your password is from other systems and sites. Many users have been successfully phished for their Facebook or Twitter logon, and the attackers then use the same password for the user's corporate logon. It works all the time.
Make sure your corporate passwords never match any password you use off the corporate network -- and don't use the same passwords on multiple websites. Even on the corporate network, local admin and service/daemon accounts should never share passwords on different systems -- it allows a credential theft attacker to leverage a single compromise into a network-wide compromise in minutes. Not sharing local passwords is one of the best measures you can take to slow down attackers and minimize the damage.
Don't have permanent members in your highest elevated groups
Malicious hackers always escalate their privileges to obtain the highest security credentials in the network. Once they have those, it's game over. Want to frustrate a hacker? Don't have any permanent members of any elevated group, and monitor and alert on unexpected member additions. There are ways around this defense, but most hackers are stymied when their go-to methodologies fail. Frustrate a hacker today!
Put your event monitoring on a diet
If you're collecting a bazillion events a day, you're doing it wrong. Instead, focus on defining only events that indicate maliciousness, and only alert on those. Everything else is trying to find needles in a haystack. If you want to know what events to monitor, email me.
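The two points above (no standing members in elevated groups, and alerting only on events that indicate maliciousness) can be turned into a small piece of detection logic. This is an added example, not code from the original column; the log lines are constructed in a simplified key=value export format, while the event IDs 4728, 4732 and 4756 are the real Windows IDs for a member being added to a security-enabled global, local or universal group. The `pam-broker` approved actor and the group list are assumptions.

```python
import re

# Constructed sample events (simplified key=value export, not a real Windows format).
SAMPLE_EVENTS = """\
time=2024-03-01T02:10:05 EventID=4624 Subject=jdoe Target=- Group=-
time=2024-03-01T02:11:41 EventID=4728 Subject=svc_backup Target=tempuser Group=Domain Admins
time=2024-03-01T09:00:12 EventID=4732 Subject=helpdesk1 Target=alice Group=Remote Desktop Users
time=2024-03-01T09:05:33 EventID=4756 Subject=jdoe Target=jdoe Group=Enterprise Admins
time=2024-03-01T14:30:00 EventID=4728 Subject=pam-broker Target=oncall7 Group=Domain Admins
"""

# Groups that should have no permanent members; any addition is worth a look.
ELEVATED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Hypothetical: the only account allowed to grant temporary elevation (a JIT/PAM broker).
APPROVED_ACTORS = {"pam-broker"}
# Real Windows event IDs: member added to a security-enabled global/local/universal group.
MEMBER_ADDED_IDS = {"4728", "4732", "4756"}

LINE_RE = re.compile(r"time=(\S+) EventID=(\d+) Subject=(\S+) Target=(\S+) Group=(.+)")


def parse(line):
    """Return the event as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return dict(zip(("time", "event_id", "subject", "target", "group"), m.groups()))


def suspicious_group_additions(text):
    """Keep only the handful of events that matter: unapproved additions to elevated groups."""
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if ev is None or ev["event_id"] not in MEMBER_ADDED_IDS:
            continue  # everything else is haystack, not needle
        group = ev["group"].strip()
        if group not in ELEVATED_GROUPS or ev["subject"] in APPROVED_ACTORS:
            continue
        # An account adding itself is the classic privilege-escalation pattern.
        reason = "self-elevation" if ev["subject"] == ev["target"] else "unapproved actor"
        alerts.append((ev["time"], ev["subject"], ev["target"], group, reason))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_group_additions(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

Run against the constructed sample, it raises exactly two alerts (the backup service account adding `tempuser` to Domain Admins, and `jdoe` adding itself to Enterprise Admins) and stays silent on the broker-approved addition and the help-desk change.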
Network traffic analysis is a godsend
Today's attackers gain a regular user's credentials, then begin moving around the network accessing servers and sites the user's logon credentials can access. Or they are using memory-only resident software that's really hard to detect. But no matter what they use, bad guys move around networks in illegitimate ways. Use a network flow analysis tool, define what is normal, and alert on the abnormal.
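As an added example (not from the original column), here is the "define normal, alert on the abnormal" idea applied to per-account flow records: a baseline of which destinations each account normally reaches, then alerts for new destinations, workstation-to-workstation traffic, and one account fanning out to several new hosts at once. The flow tuples, host names and the fan-out threshold are constructed assumptions; a real deployment would feed this from a flow collector joined with logon data.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination host, destination port, account).
BASELINE_FLOWS = [
    ("ws-alice", "fileserver1", 445, "alice"),
    ("ws-alice", "mail1", 443, "alice"),
    ("ws-bob", "fileserver1", 445, "bob"),
    ("ws-bob", "db1", 1433, "bob"),
    ("ws-alice", "fileserver1", 445, "alice"),
]
NEW_FLOWS = [
    ("ws-alice", "fileserver1", 445, "alice"),  # normal for alice
    ("ws-alice", "db1", 1433, "alice"),         # alice has never reached db1
    ("ws-alice", "dc1", 445, "alice"),          # nor the domain controller
    ("ws-alice", "ws-bob", 445, "alice"),       # workstation-to-workstation SMB
    ("ws-bob", "db1", 1433, "bob"),             # normal for bob
]


def build_baseline(flows):
    """Map each account to the (destination, port) pairs seen during the learning window."""
    profile = defaultdict(set)
    for _src, dst, port, account in flows:
        profile[account].add((dst, port))
    return profile


def flag_abnormal(flows, profile, fanout_threshold=2):
    """Return alerts for flows outside an account's baseline, plus a fan-out alert per account."""
    alerts = []
    new_destinations = defaultdict(set)
    for src, dst, port, account in flows:
        if (dst, port) in profile.get(account, set()):
            continue  # within the account's normal pattern
        new_destinations[account].add(dst)
        reason = "new destination"
        if src.startswith("ws-") and dst.startswith("ws-"):
            reason = "workstation-to-workstation"  # users rarely need this; attackers do
        alerts.append((account, src, dst, port, reason))
    for account, dsts in new_destinations.items():
        if len(dsts) >= fanout_threshold:  # one credential suddenly touching many new hosts
            alerts.append((account, "*", ",".join(sorted(dsts)), 0, "fan-out"))
    return alerts


if __name__ == "__main__":
    for alert in flag_abnormal(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("ALERT", *alert)
```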
Whitelisting works better than antimalware
If everyone used a whitelisting application control program, it would make everyone's life easier. Whitelisting programs can prevent previously undefined programs from executing. That's a terrific way to stop previously unknown malware. But even if you can't use it in enforcement mode, turn on your application control program in audit-only mode. Then you can alert on and respond to new suspicious programs without interrupting normal operations.
Focus on how, not what
Lastly, learn how badness breaks into your network and put less focus on names. The name of the malware program on an exploited computer isn't nearly as useful as how it got in (through unpatched software, social engineering, and so on). Learn those modalities and focus on mitigating those types of threats; then you have a real computer security defense plan in the works.
After every major public hacking attack I read article after article offering absolutely useless advice. Those writers aren't thought leaders. They are parroting the unoriginal, unsupported dogma they've read. They haven't spent years looking at the data and interacting with hacked customer after hacked customer. I have. This advice is the real deal. Follow it, and you'll be better off than anyone else.