10 Immutable Laws of Security

If a bad actor can persuade you to run their program on your computer, it’s not solely your computer anymore.


If security isn’t easy for users, they work around it to get their job done. Always make sure solutions are secure and usable.


Attackers use any available method to get into your environment and access your assets, including networked printers, fish tank thermometers, cloud services, PCs, servers, Macs, or mobile devices. They influence or trick users, exploit configuration mistakes or insecure operational processes, or simply ask for passwords in a phishing email. Your job is to understand and take away the easiest, cheapest, and most useful options available to attackers, such as anything that leads to administrative privileges across systems.


Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization and most interesting to attackers, and continuously update this prioritization.


Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization’s mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, the community).


A security strategy that relies on passwords and trusts any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting from a level of zero trust.


While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations that address potential connectivity via USB media (e.g. required for patches), bridges to the intranet, and external devices (e.g. vendor laptops on a production line), as well as insider threats that could circumvent all technical controls.


Encryption protects against out-of-band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength plus protection from theft or copying) and any other authorized means of access.


Welcome to a world of rapidly increasing security posture and of aligning security to business priorities. The journey is to guide organizations through an end-to-end security modernization, from the strategy and program level through architecture and technical planning, using Zero Trust principles. The only limit is the extent of your imagination. Navigating the intricate fabric of security, we provide best practices, references, and other guidance based on real-world lessons learned for:

Strategy and Program (CISO Workshop)
Architectures and Technical Plans
Security Capability Adoption Planning

Cloud Estate Evaluation
Strategic planning for the advancement of cloud infrastructure.
Verify conformity with the aims and goals of the business.
Create cloud architectures that are safe, scalable, and resilient.
Offer best practices and architectural direction for cloud infrastructure.
Adopt and support best security practices within the cloud environment.
Ensure compliance with security standards and regulations.

We have learned you have to be both aspirational and practical on your journey to modernize security – you need a clear direction to work in and incremental steps to execute each day.