Reply to post: Never been a better time to lock down

Dunno about you, but we're seeing an 800% increase in cyberattacks, says one MSP

PriorKnowledge
Go

Never been a better time to lock down

For businesses: If you use Windows then deploy WDAC using a strict whitelist and start restricting outbound communications per-app using Windows Firewall (in addition to only allowing required inbound on workstations). If you use macOS, turn on the firewall and then consider deploying Santa, while Linux desktop users should get fapolicyd in place. TLS versions older than 1.2 should be blocked (IISCrypto can help with this on Windows) and a solution like chocolatey (Windows) or homebrew (macOS) should be adopted at a minimum to run on a schedule to auto-patch any non-store apps. Start using GPOs or MDM to block macros and remote links in any documents which aren’t in trusted locations. Possibly consider adopting a service to rewrite all Internet URLs in inbound emails to point to a service which checks against phishing databases while implementing strict attachment policies to block abused file types completely.

Home users should: Switch off uPnP on their routers. Get Windows Defender set up with Cloud Extended Protection set to Zero Tolerance, macOS users can grab Sophos for free to supplement the built-in XProtect. Also, adopt OpenDNS FamilyShield, Cloudflare filtered DNS (e.g. 1.1.1.3) or Quad9 to block known malicious domains. Install uBlock Origin and NoScript to help protect web browsers from zero days. If using Chrome with a Google Account, then turn on Enhanced Protection. If using Edge, make sure SmartScreen is enabled. Enforce that all websites be accessed via HTTPS. Disable macros outright in office products. Most importantly, avoid pirating things if you can afford to as untrusted video, music and image files can and will be weaponised. If you must, use Windows Sandbox or a free version of VMWare to run a disposable virtual machine to download and fully transcode pirated content beforehand to clean it prior to use.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon