Jason Haddix@Jhaddix

A thread

The quoted tweet is a long thread of high profile breaches of 2022.

What can we learn to guide our security programs in 2023?

10 Observations and recommendations from the writeups and my conversations with other CISOs about their experiences in 2022.

1/x

Jason Haddix@Jhaddix

Two-factor auth, but better yet, FIDO must be a cornerstone of your security program.

If you are fortunate enough to have great IAM, the minimum here should be deployed to tech staff, devs, and admins.

2/x

Jason Haddix@Jhaddix·Jan 9

Repo and cloud security, especially tied to IAM and off-boarding of accounts, is really important.

Don’t skimp on logging in cloud; you’ll pay for it later.

3/x

Jason Haddix@Jhaddix

User awareness training is needed, even for IT help desk.

Double validation processes must be set up involving the removal of 2FA.

4/x

Jason Haddix@Jhaddix

Threat Intelligence is important and any way you do it, in-house or outsourced, should be trawling the darknet markets for stolen cookies and credentials of your staff.

5/x

Jason Haddix@Jhaddix

Supply chain security risks are very real. Audit your vendors & SaaS.

Demand they audit themselves.

Limit reliance & access wherever possible. Work with vendors who actually have tenant separation of data.

Hold them to the same standards you do in your sec program.

6/x

Jason Haddix@Jhaddix

You must have a view of internet facing assets and an internal registry to track ownership of said assets.

7/x

Jason Haddix@Jhaddix

Table-top an assumed breach and the need to do a complete internal repo credential rotation.

Even the best sec strategy can fail; this process needs to be defined and practiced.

8/x

Jason Haddix@Jhaddix

Strong authentication, double verification, and segmentation need to be applied to mission critical internal services when possible.

Specifically most IT and security management web portals.

Possibly financial apps as well.

9/x

Jason Haddix@Jhaddix

Application Security testing as a core part of your security program is still necessary.

Especially for internet accessible apps and mobile.

Common stack companies can contract this out sometimes.

More modern stack companies usually have to build this team in-house.

10/x

Jason Haddix@Jhaddix

For every breach we saw, 3-7 more per year are possibly prevented by running a bug bounty.

Bug bounty programs save millions of dollars.

(This is not my bias here, I promise)

11/x

Jason Haddix@Jhaddix

That’s it for now, let me know if I missed anything glaring.

This was a pre-coffee tweet thread.

Retweet and comment if you find it useful!

12/12
