Cybersecurity Principles and Practices

To rely on a single, strong security mechanism to protect a system.

To create multiple layers of security to make it difficult for attackers to breach a system.

To ensure that only authorized users can access the system.

To quickly recover data after a successful cyberattack.

Using only a strong password for user authentication.

Implementing multi-factor authentication (MFA), mobile device management (MDM), and endpoint detection and response (EDR) on user devices.

Storing all data on a single, highly secure server.

Allowing all network traffic to pass through without inspection.

Be granted full administrative access to all systems.

Only receive access rights that are absolutely necessary for their job functions and only for the required duration.

Have their access rights automatically increase over time.

Be able to access any system "just in case" they might need it.

Keep them enabled but monitor them closely.

Change their default ports to obscure them from attackers.

Remove them entirely to reduce the attack surface.

Configure them with very strong passwords.

Keeping default administrator IDs and passwords for easy access.

Allowing all users to have full administrative privileges.

Removing unnecessary user accounts and changing default credentials.

Installing software without checking for known vulnerabilities.

Granting users only the necessary permissions for their current role.

Regularly reviewing and revoking unnecessary access rights.

Providing users with extra permissions they might need in the future, "just in case."

Changing default administrator usernames and passwords.

To allow a single individual to manage all critical system functions.

To simplify system administration by centralizing control.

To prevent any single person from being able to compromise a system alone.

To reduce the number of users who have access to any system.

Only after the system has been fully developed and is ready for production.

Primarily during the testing phase to identify and fix vulnerabilities.

From the initial requirements and design phases through to deployment and ongoing operation.

As an optional add-on feature if time and budget allow.

To add security features after the system is fully developed.

To ensure security is an inherent part of the system from its initial conception.

To make the system secure only when it is first installed.

To allow users to configure security settings after deployment.

Creating highly complex security systems to deter attackers.

Making security measures as simple and user-friendly as possible.

Implementing security features that are secret and unknown to users.

Prioritizing security over system usability and convenience.