
Beginner Information Security Tips (Page 2)

Fundamental security concepts everyone should know

Alan, 8/24/2018

Here are some basic concepts for security:

  • Open source doesn't guarantee that something is benign. Security flaws or backdoors can be obfuscated or just made to look like simple mistakes.
  • Security through obscurity is not real security.
  • Be aware that there can be both false positives and false negatives for security events.
  • Don't always assume someone else is in charge of securing something. Maybe no one is.
  • Be proactive rather than reactive about security. Don't wait for something bad to happen before taking action on security-related matters.
  • Use versioned backups, in case of things like ransomware. Backups need to be in multiple locations and on different storage media too. Backups should be tested, otherwise you might not know if you even have working backups.
  • Monitor network traffic.
  • Segment networks with VLANs, subnets, and ACLs.
  • Look up the OWASP Top 10 vulnerabilities and test your web app against all of them.
  • Subscribe to security mailing lists, such as Full Disclosure.
  • Make sure you're not running any unnecessary listening services.
  • Depending on your industry, make sure to meet regulatory compliance standards, but don't assume passing compliance means you're hack-proof.
  • Don't trust email attachments: not even PDFs or docs.
  • If you get an email urging you to click on a link and take action now, such as with your bank or company, go directly to the site instead of clicking the link.
  • Use multi-factor authentication. Authenticator apps are better than SMS.
  • Make sure you have proper supply chain security. For example, if you buy a motherboard from any random seller, it might have a hard-to-detect UEFI rootkit that will load before your operating system does.
  • Revoke access to accounts of former employees.
  • Plant dummy data in your systems, and combine it with Google Alerts (and other ways of keeping up with things), so you can quickly tell when a breach has occurred.
  • Read privacy policies before blindly using something. For example, VirusTotal.
  • Learn about industry news. Technology and security change constantly. Fighting against old threats won't protect you against new ones.
  • Remember that security will always be a problem. You're never finished.
  • Don't use unmaintained projects or devices. For example, abandoned server software, or an old Android phone that no longer gets updates.
  • Maintain a budget for security. Getting hacked is expensive.
  • Train users about social engineering. Not all hacking is really high-tech.
  • To check the security of your site, you can use Kali Linux and its built-in tools to perform pen testing.
  • It's good to know how to use Metasploit and meterpreter or netcat shells too.
  • However, be aware that Kali itself is not very secure. For example, it runs everything as root.
  • Only run things as admin or root when absolutely necessary.
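The backup tip above (versioned copies, pruned to a fixed number of generations, and actually tested) is the one most people skip the "tested" half of. The following is an added example, not code from the original post: it snapshots a directory into numbered versions, writes a SHA-256 manifest for each, verifies a snapshot against its manifest, and refuses to restore from one that fails verification. The directory layout (`vNNNN/data` plus `manifest.json`) and the `keep` count are choices made here, not anything the post specifies.

```python
"""Versioned backups with a checksum manifest and a verified restore.

Added example (not from the original post). Assumes the source is a
local directory tree; the snapshot layout and manifest name are
choices made for this example.
"""
import hashlib
import json
import shutil
from pathlib import Path

MANIFEST = "manifest.json"  # name chosen for this example


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_snapshots(dest_root: Path) -> list:
    """Snapshot names under dest_root, oldest first (v0001, v0002, ...)."""
    if not dest_root.exists():
        return []
    return sorted(p.name for p in dest_root.iterdir()
                  if p.is_dir() and p.name.startswith("v"))


def create_versioned_backup(src: Path, dest_root: Path, keep: int = 3) -> Path:
    """Copy src into a new numbered snapshot, write a SHA-256 manifest of
    every file, then prune so only the newest `keep` snapshots remain."""
    dest_root.mkdir(parents=True, exist_ok=True)
    existing = list_snapshots(dest_root)
    next_num = int(existing[-1][1:]) + 1 if existing else 1
    snapshot = dest_root / f"v{next_num:04d}"
    data = snapshot / "data"
    shutil.copytree(src, data)

    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snapshot / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))

    # Prune the oldest generations. If ransomware encrypts the live tree and a
    # backup runs afterwards, only the newest snapshot is poisoned; the
    # earlier generations are still intact.
    for old_name in (existing + [snapshot.name])[:-keep]:
        shutil.rmtree(dest_root / old_name)
    return snapshot


def verify_backup(snapshot: Path) -> bool:
    """True only if the snapshot has exactly the files in its manifest and
    every file's SHA-256 still matches."""
    data = snapshot / "data"
    try:
        manifest = json.loads((snapshot / MANIFEST).read_text())
    except (OSError, ValueError):
        return False
    on_disk = {str(p.relative_to(data)) for p in data.rglob("*") if p.is_file()}
    if on_disk != set(manifest):
        return False  # file added, removed or renamed since the backup
    return all(sha256_file(data / rel) == digest for rel, digest in manifest.items())


def restore_backup(snapshot: Path, target: Path) -> bool:
    """Restore into target only from a snapshot that verifies; a restore
    from a corrupted or tampered snapshot is refused rather than guessed at."""
    if not verify_backup(snapshot):
        return False
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot / "data", target)
    return True


if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())          # constructed sample tree
    live = tmp / "live"
    (live / "sub").mkdir(parents=True)
    (live / "notes.txt").write_text("first version")
    (live / "sub" / "config.ini").write_text("[app]\nmode=prod\n")
    snap = create_versioned_backup(live, tmp / "backups", keep=3)
    print("snapshot", snap.name, "verifies:", verify_backup(snap))
    print("restored:", restore_backup(snap, tmp / "restored"))
    shutil.rmtree(tmp)
```

Run it on a scratch directory and then deliberately overwrite a file inside a snapshot's `data` directory: `verify_backup` should flip to `False` and `restore_backup` should refuse. That refusal is the point of the "test your backups" tip; a backup you have never restored from is only a hope. Keeping snapshots on a second machine or offline media, as the tip says, is the part this local example does not cover.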