In February of 2017, The Australian Signals Directorate (ASD) Australian Cyber Security Centre (ACSC) published an update to their “Top 4” Strategies to Mitigate Cyber Security Incidents by revising the list to include four more crucial strategies. The “Essential Eight” has received considerable attention over the past several years although I have encountered many organisations that are unsure where to begin. In this article, I will try to give you a bit of a kick-start to help you get going in the right direction. You are not alone…. if you need help, please ask for it since we’re all on the same side!

2017年2月，澳大利亚信号局(ASD)澳大利亚网络安全中心(ACSC)通过修订清单以包括另外四个关键策略，发布了其“缓解网络安全事件的前四大策略”的更新。 尽管我遇到了许多不确定从哪里开始的组织，但“重要的八人”在过去几年中受到了相当多的关注。 在本文中，我将尝试为您提供一些帮助，以帮助您朝正确的方向前进。 你不是一个人…。 如果您需要帮助，请寻求帮助，因为我们都在同一边！

The original ASD/ ACSC Top 4 included Application Whitelisting, Patching Applications, Restricting Administrative Privileges, and Patching Operating Systems. The Essential Eight now includes those four plus Disabling Untrusted Microsoft Office Macros, Using Application Hardening, Multi-Factor Authentication, and Daily Backups of Important Data. While the full ASD /ACSC list contains 37, your focus should be on these eight before putting too much effort into the other 29 and I’ll save those for future articles.

原始的ASD / ACSC前4名包括应用程序白名单，修补程序应用程序，限制管理权限和修补程序操作系统。 现在，“基本八级”包括这四个，以及“禁用不受信任的Microsoft Office宏”，“使用应用程序强化”，“多因素身份验证”和“重要数据的每日备份”。 尽管完整的ASD / ACSC列表包含37个，但您应该将重点放在这8个上，然后再花大量精力在其他29个上，我将保留这些以备将来使用。

这些是什么？ (What Are They?)

Application Whitelisting: I consider a firewall to be a Yes / No device when you strip away all the “Next Generation” and Unified Threat Management (UTM) pieces. To some degree, Application Whitelisting works the same way by specifying which applications can execute (The Whitelist) leaving everything else implicitly or explicitly denied (The Blacklist). Granted, there will always be some that fall in the middle (The Greylist) but those should be reserved for administrative decision and not for the user to decide. By the way…. make sure the aforementioned firewall also has a default “deny all” rule in place! I have seen many installations where the final rule was an “Allow All” with millions of hits against it.

应用程序白名单：当您剥离所有“下一代”和统一威胁管理(UTM)部分时，我认为防火墙是“是/否”设备。 在某种程度上，应用程序白名单通过指定可以执行的应用程序(白名单)以相同的方式工作，而其他所有内容都被隐式或显式拒绝(黑名单)。 当然，总是会有一些落在中间(灰色列表)，但是这些应该保留给行政决策，而不是由用户决定。 顺便说说…。 确保上述防火墙还具有默认的“全部拒绝”规则！ 我见过许多装置的最终规则是“全部允许”，并受到数百万次点击。

Patching Applications: In a nutshell, applications are designed to perform a specific task but often don’t account for potential flaws and vulnerabilities. Unless it’s a security-centric application, security is lower on the features list… if it makes the list at all. In some cases, applications are released with undocumented capabilities, have features enabled not being used, or use non-standard ports and services. In all fairness, if we tried to QA the apps to perfection, we’d never actually get anything to market! Over time, these capabilities, features, and other bugbears come to the surface and are fixed by the vendor or, in other cases, discovered and exploited by those that don’t share my sunny disposition.

修补应用程序：简而言之，应用程序旨在执行特定任务，但通常不会考虑潜在的漏洞和漏洞。 除非它是一个以安全性为中心的应用程序，否则安全性在功能列表中要低一些……如果它使所有功能都成为安全性列表。 在某些情况下，发布的应用程序具有未记录的功能，未启用功能或使用非标准端口和服务。 公平地说，如果我们尝试对应用进行质量检查，以确保其完美无缺，那么我们实际上永远也不会向市场推出任何产品！ 随着时间的流逝，这些功能，特性和其他缺陷逐渐浮出水面，并由供应商修复，或者在其他情况下，由不认同我的乐观态度的人发现和利用。

Restricting Administrative Privileges: In nearly every environment, there are accounts that have elevated privileges beyond the everyday users to add, remove, and change elements of the information systems. These accounts, including dedicated service accounts for automatic execution, yield considerable power and the ability to cause untold sorrows if used inappropriately. Some may consider only the administrator accounts used directly on servers or in Active Directory, but administrative privileges can be local, domain, or enterprise level, and have varying degrees of control (such as power users, domain administrators, and enterprise administrators to say nothing of delegated privileges). Beyond that, they exist on workstations, network appliances, and just about every piece of IoT technology. Absolute power corrupts absolutely…. or words to that effect.

限制管理特权：在几乎每种环境中，都有一些帐户具有比日常用户更高的特权，可以增加，删除和更改信息系统的元素。 这些帐户，包括用于自动执行的专用服务帐户，会产生可观的功能，并且如果使用不当，还会引起无法言状的悲伤。 有些人可能只考虑直接在服务器上或Active Directory中使用的管理员帐户，但是管理权限可以是本地，域或企业级别，并且具有不同程度的控制权(例如高级用户，域管理员和企业管理员，什么也没说)委托特权)。 除此之外，它们还存在于工作站，网络设备和几乎所有物联网技术中。 绝对权力绝对会破坏…。 或类似的词。

Patching Operating Systems: One could probably argue that this is no different than Patching Applications, which I covered in Part 2 of this series. Yes, and no. Yes, because it is, in fact, applying updates and patches to your systems, and no, because the operating system is critical to making all the other parts operate in your environment. We seem to forget at times that our favourite applications, covered in part 2, must run on top of other software. We install applications into (or onto, depending on how you look at it) on operating systems. We also must think beyond just the ubiquitous “Windows” operating systems and consider Mac, Linux, Unix, and any of many other platforms (Novell, anyone? Don’t laugh…. it’s still out there!)

修补操作系统：可能有人会争辩说，这与修补应用程序没有什么不同，我在本系列的第2部分中已经介绍过。 是的，没有。 是的，因为实际上是在对系统应用更新和补丁，而否，因为操作系统对于使所有其他部分在您的环境中运行至关重要。 有时我们似乎忘记了，第2部分中介绍的我们最喜欢的应用程序必须在其他软件之上运行。 我们将应用程序安装到操作系统上(或视您的外观而定)。 我们还必须考虑不仅是无处不在的“ Windows”操作系统，还要考虑Mac，Linux，Unix和许多其他平台(Novell，有人吗？不要笑……它还在那儿！)

There are also the operating systems that run on our favourite mobile devices powered by Apple, Android, Blackberry, Microsoft, and more. We could also consider network devices and IoT, but I think I’ve made my point. Whether virtual or physical, the operating system is the heart of the computer. Think of it like a car: you may have the baddest hot rod on the block (app) but without the engine (operating system) it’s useless. Critical maintenance updates (think of safety recalls on cars), absolutely must be applied, or else bad things can happen to good people.

还有一些操作系统可以在我们最喜欢的移动设备上运行，这些移动设备由Apple，Android，Blackberry，Microsoft等提供支持。 我们也可以考虑网络设备和物联网，但我想我已经指出了。 无论是虚拟的还是物理的，操作系统都是计算机的心脏。 可以把它想象成一辆汽车：您可能在程序块(应用程序)上安装了最糟糕的热棒，但是没有引擎(操作系统)就没有用了。 至关重要的维护更新(考虑到汽车的安全召回)，绝对必须应用，否则好人会遇到坏事。

Like applications, operating systems don’t have the luxury to sit in QA for endless tests trying to sort out every little bug and detail that can and may go wrong when the stars align just right. So, surprise, surprise, operating systems have bugs. Some are an annoyance; some are a major security flaw. The vendors know this, and through their own means or through issues brought to them by people like you and me, they’re constantly seeking to make their product better, safer, and do more.

像应用程序一样，操作系统也没有资格进行无休止的质量检查，以进行无休止的测试，试图找出每个小错误和细节，当星号对齐正确时可能会或可能会出错。 因此，令人惊讶的是，操作系统存在错误。 有些令人烦恼； 有些是主要的安全漏洞。 供应商知道这一点，并且通过自己的手段或通过像您和我这样的人向他们提出的问题，他们不断寻求使产品更好，更安全，做更多的事情。

Unless you’ve been living under a rock, you’ve heard of WannaCry and Petya/NotPetya and how much of an impact it had globally. You’ve probably also heard how there was a patch that dealt with this available before the major outbreak even began yet, it cascaded around the world anyway despite there being a fix in place. I won’t go into the logistics (nor will I play the “I told you so” card; there are many that have been doing this so why pile on?) but it highlights the need for regular patching.

除非您一直生活在岩石下，否则您会听说WannaCry和Petya / NotPetya以及它对全球产生的影响。 您可能还听说过，甚至在重大疫情尚未爆发之前，就有一个补丁可以解决这个问题，尽管有适当的解决方案，但它还是在世界各地蔓延开来。 我不会参加后勤工作(我也不会打“我告诉过你”的卡片；很多人都在这样做，所以为什么要堆积呢？)但是它强调了定期修补的必要性。

Disabling Untrusted Microsoft Office Macros: Macros are basically a batch of commands and processes all grouped together to make life a little easier when performing routine tasks. In many cases, they simply execute as the user and save untold hours, reducing the number of errors one can make with tedious tasks. Unfortunately, Macros are also a popular exploit through leveraging this autonomy and ability to execute code, reaching even beyond the application itself. Anyone that has been around for a long time will remember the Melissa macro virus and the havoc it caused with email services worldwide. Or even the Wazzu macro virus that altered the content of files. Most of this is due to Visual Basic for Applications (VBA) which is still used to this day. Microsoft, to their full credit, has done a tremendous amount of work to secure macros in the past several versions of Office. Of course, you can’t save people from themselves. I once had a car with advanced safety features but all the technology in the world wouldn’t keep me from driving off the road if I did it on purpose.

禁用不受信任的Microsoft Office宏：宏基本上是一组命令和处理，它们全部组合在一起，以使执行常规任务时的工作变得更轻松。 在许多情况下，它们只是以用户身份执行并节省大量时间，从而减少了单调乏味的任务可能导致的错误数量。 不幸的是，通过利用这种自治性和执行代码的能力，宏也是一种流行的利用方法，甚至可以超越应用程序本身。 任何已经存在很长时间的人都将记住Melissa宏病毒及其在全球电子邮件服务中造成的破坏。 甚至是改变文件内容的Wazzu宏病毒。 大多数原因是由于Visual Basic for Applications(VBA)至今仍在使用。 在过去的几个版本的Office中，Microsoft都应尽最大努力来保护宏。 当然，您无法将人们从自己身上救出来。 我曾经有一辆具有先进安全性功能的汽车，但如果我故意这样做，世界上所有的技术都不会阻止我开车上路。

Application Hardening: Think of it kind of like spring cleaning on top of a minimalist lifestyle where you keep only what you absolutely need after taking stock of what you have. Many applications are installed with defaults (you know the Next-Next-Next-Next-OK approach) and as a result many options, services, and capabilities enabled. We’re all guilty of installing applications this way, being more interested in using the program than securing it.

应用程序硬化：将其视为一种极简主义生活方式之上的Spring大扫除，在清点所拥有的东西之后，仅保留绝对需要的东西。 许多应用程序安装时使用默认设置(您知道Next-Next-Next-Next-OK方法)，因此启用了许多选项，服务和功能。 我们都以这种方式安装应用程序感到内gui，对使用该程序而不是对其进行保护更感兴趣。

Default user names and passwords, insecure services, default SNMP communities, anonymous access, and the list goes on. Hardening these applications renders them more secure and less likely to be used against us. We all have applications on our infrastructures that could have a negative impact is used incorrectly or maliciously, so reducing that possibility only makes sense. Controlling who can access an application, what the application can do, and periodically revisiting this on a regular basis or after significant changes is a good approach.

默认的用户名和密码，不安全的服务，默认的SNMP社区，匿名访问，并且列表继续存在。 加强这些应用程序可以使它们更安全，并且不太可能被我们使用。 我们所有人在我们的基础架构上都有不正确或恶意使用可能造成负面影响的应用程序，因此减少这种可能性仅是有意义的。 控制谁可以访问应用程序，应用程序可以做什么，并定期或在进行重大更改后定期重新访问它是一个好方法。

Multi-Factor Authentication: The short explanation is that it adds another layer of security by forcing you to provide another means of identifying yourself and in some cases, may include multiple means (it’s MULTI-factor, after all, and not just two-factor). So, what is the first factor? That’s usually your user name and password and while I have heard arguments that the user name can be one factor and the password another, I prefer to think of the two together as the first layer. Multi-factor authentication already exists in many other facets of our lives like when we apply to lease a property and must provide several pieces of identification.

多重身份验证：简短的解释是，它通过迫使您提供另一种身份验证方法来增加另一层安全性，在某些情况下，可能包括多种方法(毕竟，它是多重因素，而不仅仅是两个因素)。 那么，第一个因素是什么？ 通常是您的用户名和密码，尽管我听到有人争辩说用户名可能是一个因素，而密码又是另一个因素，但我更希望将两者一起作为第一层。 多因素身份验证已经存在于我们生活的许多其他方面，例如当我们申请租借财产时，必须提供多个身份证明。

Multi-Factor Authentication is not new, but it is gaining considerable momentum. Some of you remember the key fobs with a code that changed at set intervals. You entered your user name and password, and then the code displayed on the fob. It is assumed that only you have that fob and it provides a secondary way to identify whoever is logging in is who they say they are. It isn’t perfect, but it does improve security. While these fobs still exist, they appear to have been supplemented by (or replaced by) mobile apps, SMS codes, and other methods. Even smart cards are still very much in use.

多重身份验证并不是什么新鲜事物，但是它正在获得可观的发展势头。 你们中有些人还记得密钥卡，其代码会按设置的时间间隔进行更改。 输入用户名和密码，然后在密钥卡上显示代码。 假定只有您拥有该表链，并且它提供了一种辅助方法来识别登录的人是他们所说的人。 它不是完美的，但是可以提高安全性。 尽管这些密钥卡仍然存在，但它们似乎已被移动应用程序，SMS代码和其他方法所补充(或被其替代)。 甚至智能卡仍在使用中。

On top of those methods, we’re also seeing the proliferation of biometric authentication into the consumer market through fingerprint scanners and touch-IDs on mobile devices (in all fairness, sometimes these look like a single-factor only but are usually underpinned by a user name and password during the initial setup — simply swiping your finger over the reader just reduces the other steps as the rest is “known”). We have a lot of options and given the current threat landscape, we really have no excuses to not at least consider it. If it’s available, use it. If you have a cloud-centric strategy, it’s quickly becoming a must rather than an option.

除了这些方法，我们还看到了通过指纹扫描仪和移动设备上的触摸ID在消费者市场中普及了生物识别身份的方法(公平地说，有时这些方法看起来像是一个因素，但通常以在初始设置过程中输入用户名和密码-只需在读取器上滑动手指即可减少其他步骤，因为其余步骤是“已知的”)。 我们有很多选择，并且鉴于当前的威胁状况，我们确实没有任何借口可以不至少考虑它。 如果可用，请使用它。 如果您有以云为中心的策略，那么它很快就会成为必须而不是一种选择。

Daily Backups of Important Data: Backing up your data has been a long-standing strategy in safeguarding your information when things go sideways. Servers crash, laptops get lost, files get deleted accidentally, and mistakes are made. Mistakes, accidental or intentional, can have severe repercussions that require recovering your data such as in the event of a Ransomware attack. Whatever the reason, the fact remains you should have a backup copy of your important data.

重要数据的每日备份：备份数据一直是长期保护数据信息的长期策略。 服务器崩溃，笔记本电脑丢失，文件被意外删除，并且犯了错误。 意外或故意的错误可能会造成严重的后果，这需要恢复您的数据，例如在勒索软件攻击的情况下。 无论出于何种原因，事实仍然是您应该拥有重要数据的备份副本。

There are many options at many different price points that will suit everyone from individuals to large enterprises. These include magnetic and optical media, cloud-based storage such as iCloud, OneDrive, and Box, and even all the way up to Disaster Recovery Sites. The latter can be fully functional exact replicas of production data centres with 100% live replication, to warm standby sites, to even cold sites ready to build from scratch and restore your data. The fact remains you have options, but you have no excuses.

在许多不同的价位上都有许多选择，适合从个人到大型企业的每个人。 其中包括磁性和光学介质，基于云的存储(例如iCloud，OneDrive和Box)，甚至一直到灾难恢复站点。 后者可以是具有100％实时复制的生产数据中心的完全功能完全相同的副本，可以热备站点，甚至冷站点准备从头开始构建并恢复数据。 事实仍然是您可以选择，但是您没有任何借口。

Just as critical as backing up your data is the ability to restore it and use it without it being incomplete, corrupt, or completely inaccessible. It’s like a one-way ticket to somewhere you can’t get back from otherwise.

与备份数据同样重要的是，在不残缺，损坏或完全无法访问的情况下，还原和使用数据的能力。 这就像一张单程票，是您无法从其他地方回来的地方。

我应该从哪里开始？ (Where Should I Start?)

Application Whitelisting: The first place to start should be understanding your information systems and which applications are needed to perform your business functions. If you don’t have this list already, please create it and engage a security specialist to help if needed. This will essentially become your “Whitelist”. It’s worth noting not every team in your organisation will use the same list…. there may be a core list (such as office applications) for everyone but different lists for other roles (such as Payroll and HR). Getting a handle on what applications you need and which you don’t want is crucial otherwise you can find yourself preventing good and allowing bad like a lousy B-grade superhero movie.

应用程序白名单：首先应该从了解您的信息系统以及执行业务功能需要哪些应用程序开始。 如果您还没有此列表，请创建它，并在需要时聘请安全专家提供帮助。 这实际上将成为您的“白名单”。 值得注意的是，并非您组织中的每个团队都会使用相同的列表…。 可能每个人都有一个核心列表(例如办公应用程序)，其他角色(例如薪资和人力资源)的列表则不同。 掌握所需的应用程序以及不想要的应用程序至关重要，否则，您会发现自己像坏的B级超级英雄电影一样，避免出现不良情况。

Patching Applications: As is the case with Application Whitelisting, a current inventory of applications is a must-have. We need to know what is on our network and why. Odds are the vendors of those applications have released patches and updates to address these issues, add features, and improve performance. Once we know what applications we have, we can investigate whether we have the latest stable releases and patches. In some cases, vendors are very proactive and notify their clients, supplying the patches at no charge during the lifetime of the application. Some charge extra for this service, but some just make them available without letting you know. In the end, patches and updates should be available.

修补应用程序：与应用程序白名单一样，当前的应用程序清单是必须的。 我们需要知道我们网络上的内容以及原因。 这些应用程序的供应商已经发布了补丁和更新来解决这些问题，添加功能并提高性能，这很奇怪。 一旦知道了我们拥有哪些应用程序，就可以调查我们是否具有最新的稳定版本和补丁。 在某些情况下，供应商会非常主动地通知他们的客户，在应用程序的生命周期内免费提供补丁。 有些服务为此服务收取额外费用，但有些服务只是在不通知您的情况下使它们可用。 最后，补丁和更新应该可用。

Restricting Administrative Privileges: As you would have with Application Whitelisting, an inventory. A current inventory of administrator accounts is a great place to begin. It will take a while to get a thorough list of all your administrator accounts, but it needs to be done. Include accounts with elevated privileges and not just Local, Domain, and Enterprise administrator groups — consider power users and any users with delegated authority. While you’re at it, inventory your service accounts as well. Include the local administrator accounts on your workstations and whether users have this access. Finally, consider your network-capable devices such as routers, switches, firewalls, IoT, and so on. Any one of these can have many local administrator accounts. It may be a good time regarding these local accounts to evaluate your password strategy, but more on that in a future article. If it has administrator rights, it has power, and that power must be used wisely!

限制管理特权：与应用程序白名单一样，它是一个清单。 当前的管理员帐户清单是一个很好的起点。 可能需要一段时间才能获得所有管理员帐户的完整列表，但是需要这样做。 包括具有提升特权的帐户，而不仅仅是本地，域和企业管理员组-考虑高级用户和具有委派权限的任何用户。 在使用时，也要清点您的服务帐户。 在您的工作站上包括本地管理员帐户，以及用户是否具有此访问权限。 最后，考虑具有网络功能的设备，例如路由器，交换机，防火墙，IoT等。 这些中的任何一个都可以具有许多本地管理员帐户。 现在是使用这些本地帐户评估密码策略的好时机，但在以后的文章中会介绍更多。 如果它具有管理员权限，则它具有权力，并且必须明智地使用该权力！

Patching Operating Systems: For Microsoft aficionados, Patch Tuesday is a thing and has been for a very long time, but that doesn’t mean that patches and updates aren’t available at other times. Find out from your team how patching is handled, how patches are acquired from the vendor, tested, and deployed. If it’s a case of just checking occasionally or whenever you have time, I’d suggest making this part of your regular security maintenance. Ask the questions and get the right people involved to understand your patching and updating strategy. Ideally, you want central control and distribution, so you don’t have 500 users downloading the same patch 500 times, let alone being a patch that may cause issues. Understand what the patch is, what it impacts, and if you even need it.

修补操作系统：对于Microsoft爱好者而言，“星期二修补程序”是一件很久以前的事情，但这并不意味着其他时间不提供修补程序和更新。 从您的团队中了解如何处理补丁，如何从供应商处获取补丁，如何进行测试和部署。 如果只是偶尔或有时间检查的情况，建议您将其作为常规安全维护的一部分。 提出问题并找合适的人参与，以了解您的补丁和更新策略。 理想情况下，您需要集中控制和分发，因此您没有500个用户下载同一补丁500次，更不用说是一个可能引起问题的补丁了。 了解补丁程序是什么，它会产生什么影响，甚至您是否需要它。

Disabling Untrusted Microsoft Office Macros: While it might be tempting to simply disable all macros, full stop, that isn’t the answer. Remember that macros exist for a reason and that’s to automate tasks, save time, and keep some of us from going loopy after doing the same thing a thousand times over. A better approach is to selectively trust macros but remove the choice from the end user. How do we trust macros? Digitally sign them and then lock down the application to disable all but the signed ones.

禁用不受信任的Microsoft Office宏：虽然可能很想简单地禁用所有宏，但是句号并不是解决之道。 请记住，宏的存在是有原因的，那是为了使任务自动化，节省时间，并使我们中的一些人在一千次完成相同的操作后不会出现循环。 更好的方法是有选择地信任宏，但从最终用户中删除选择。 我们如何信任宏？ 对它们进行数字签名，然后锁定应用程序以禁用除已签名者以外的所有对象。

So how do I digitally sign macros?

那么如何对宏进行数字签名？

This is where it can get complex. While there are tutorials about how to self-sign digitally signed macros, self-signed certificates really don’t inspire any trust in the broader community, so the availability of a PKI infrastructure, either internal using the Microsoft solution or external using a third-party trusted CA is preferred. Rather than bog you down in details, I would encourage you to start exploring digital signing of your macros and get the right people involved before moving ahead. This is a perfect example of when you need to put your hand up and ask for some help unless you have the in-house skills. On top of digitally signing and distributing your macros, you also need to consider policies that lock down these features in the office applications lest your users just go in and disable this protection anyway to run all macros. Yes, scary, I know.

这就是它可能变得复杂的地方。 虽然有关于如何对数字签名的宏进行自签名的教程，但自签名的证书实际上并不会激发对更广泛社区的信任，因此，PKI基础结构的可用性(内部使用Microsoft解决方案或外部使用第三方解决方案)首选方受信任的CA。 与其让您陷入困境，不如让我开始探索宏的数字签名，并让合适的人员参与进来，然后再继续前进。 这是一个完美的例子，说明除非您具有内部技能，否则何时需要举起手来寻求帮助。 除了对宏进行数字签名和分发之外，您还需要考虑在Office应用程序中锁定这些功能的策略，以免您的用户进入并禁用此保护以运行所有宏。 是的，我知道。

Of course, in an environment that doesn’t need macros, go ahead and just disable them completely. I doubt, however, that many of these environments exist.

当然，在不需要宏的环境中，请继续并完全禁用它们。 但是，我怀疑其中是否存在许多环境。

Application Hardening: If you have undertaken an Application Whitelisting exercise or similar that required a full inventory of your applications, you have a big head-start. Otherwise, it’s time to make that list. It goes without saying that if you don’t need it, get rid of it and you’ll probably start finding applications you never knew you had. List in hand, you can check with the vendors to see what their hardening recommendations are or even use the industry best practices to better secure your environment.

应用程序强化：如果您进行了应用程序白名单练习或类似的操作，需要对应用程序进行完整的清单清点，那么您将有很大的领先优势。 否则，该列出该列表了。 不用说，如果不需要它，请摆脱它，您可能会开始寻找自己不知道的应用程序。 列出清单，您可以咨询供应商以了解他们的强化建议，甚至可以使用行业最佳实践来更好地保护环境。

Something else that should go without saying (but I’m going to say it anyway) is to change default user names (if possible) and passwords if the application uses them. You’d be surprised how often this gets overlooked. If the application uses a service that is not essential, consider disabling it or — if possible — uninstalling that component completely, which can often be done through the installation wizard (if the app uses one). Use non-default program folders to fool exploits that go looking for default installation locations. Close network ports unless required and for applications that use random ports, try to statically define these ports and adjust your firewall and security policies accordingly.

其他不言而喻的事情(但无论如何我还是要说)是更改默认用户名(如果可能)和密码(如果应用程序使用它们的话)。 您会惊讶于这种情况经常被忽略。 如果应用程序使用的服务不是必需的，请考虑将其禁用，或者(如果可能的话)完全卸载该组件，通常可以通过安装向导来完成(如果应用程序使用了该服务)。 使用非默认程序文件夹来欺骗那些正在寻找默认安装位置的漏洞。 除非需要，否则请关闭网络端口；对于使用随机端口的应用程序，请尝试静态定义这些端口，并相应地调整防火墙和安全策略。

Another good tip is to engage in vulnerability scanning using any of many commercial (or even open source) tools like Nessus, Nexpose, OpenVAS, SAINT, and so on. These will often locate vulnerable services that can be considered.

另一个不错的技巧是使用Nessus，Nexpose，OpenVAS，SAINT等许多商业(甚至开源)工具中的任何一种来进行漏洞扫描。 这些通常会找到可以考虑的易受攻击的服务。

There is also patching your applications and enabling logging and auditing, but I’ll cover these separately.

还可以修补您的应用程序并启用日志记录和审核，但我将分别介绍这些内容。

Multi-Factor Authentication: Let’s assume that you already have a solid user name and password strategy and if you don’t, stop reading and make that happen first (as an aside, I’ve been reading a lot about length versus complexity lately and it may make for a future article). For the rest of us, we need to consider what we’re safeguarding as implementing MFA can be expensive and time consuming. Take stock of your present situation. You will probably find that you have some systems that are more critical than others, so that is where you begin. I won’t go into a detailed explanation on vendors and options; you can do that, but as with everything else, make sure you ask the right questions and get the right people involved.

多重身份验证：假设您已经有一个可靠的用户名和密码策略，如果没有，请停止阅读并首先进行设置(顺便说一句，最近我阅读了很多有关长度与复杂性的文章，可能会在以后发表文章)。 对于我们其他人，我们需要考虑我们要维护的内容，因为实施MFA可能既昂贵又耗时。 盘点您目前的状况。 您可能会发现有些系统比其他系统更关键，因此这是您的起点。 我将不对供应商和选件进行详细的解释。 您可以做到这一点，但与其他所有事项一样，请确保您提出正确的问题并吸引合适的人员参与。

Perhaps use of an authentication app will suffice such as those available from Microsoft or Google and can be installed on your mobile. Maybe you’re looking for a smart card solution, biometrics, or a combination of factors. Remember that while it needs to be secure, it needs to be usable. Fewer things can be more frustrating that taking what feels like forever just to log in. Combined with multiple systems that don’t share credentials, you’re just asking for trouble, so it may also be time to consider Single Sign-On options.

使用身份验证应用程序可能就足够了，例如可以从Microsoft或Google获得的身份验证应用程序，并且可以将其安装在您的手机上。 也许您正在寻找智能卡解决方案，生物识别技术或多种因素的组合。 请记住，虽然它需要安全，但也需要可用。 很少有的事情比永久登录更令人沮丧。结合不共享凭据的多个系统，您只是在自找麻烦，因此也可能是时候考虑“单点登录”选项了。

Spend the time up front to figure out what will be the most usable solution for you that will deliver adequate security, then set about implementing it in a phased approach. It may seem like a challenge but adding that extra layer can mean the difference between a hacker exfiltrating your intellectual property versus them moving on to a softer target.

先花时间弄清楚什么是最适合您的解决方案，它将提供足够的安全性，然后着手分阶段实施。 这看起来似乎是一个挑战，但是增加额外的层数可能意味着黑客窃取您的知识产权与他们向更软的目标转移的区别。

Daily Backups of Important Data: If you have data, you need to back it up, so the first part is already determined. Depending on service level agreements and who is responsible for your data, either on premise, hosted, or cloud-based, many other factors need to be considered. How long can you be down before you must have your services and data available? How much work can you stand to lose in the event you need to restore? Figuring out your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) may determine your investment in the solution, and it needs to be a business-led conversation and not just technology. If you don’t have a plan, you’ll need to create one. If you already have a plan, it may be time to review it to make sure it meets your current objectives.

重要数据的每日备份：如果有数据，则需要备份，因此第一部分已经确定。 根据服务水平协议以及负责您的数据的人员(在内部，托管或基于云的情况下)，需要考虑许多其他因素。 您必须停机多长时间才能必须提供服务和数据？ 如果需要恢复，您将损失多少工作？ 弄清楚您的恢复时间目标(RTO)和恢复点目标(RPO)可能会决定您对解决方案的投资，这需要以业务为导向，而不仅仅是技术。 如果您没有计划，则需要创建一个计划。 如果您已经有一个计划，那么可能是时候对其进行审核，以确保它符合您当前的目标。

Determine what you need to back up in a prioritised order, and how to back it up. Will you do full backups every day or a full backup once a week with incremental daily backups? Will you use tapes, cloud, or replication to a DR site? Will you rotate media off site on a regular basis and how quickly can you get that media back when you need it?

确定需要按优先顺序备份的内容以及如何备份。 您会每天进行完整备份还是每周进行一次增量备份每日完整备份？ 您将使用磁带，云还是复制到灾难恢复站点？ 您是否会定期将媒体移出现场，并在需要时可以多快的时间将其取回？

The backup itself is just a small part of the overall solution. Your Disaster Recovery / Business Continuity Plan (DR/BCP) needs to address a lot of moving parts and remove single points of failure. For example, if John is expected to be the one that kicks off the restore but he’s in Bermuda on a fishing trip without his mobile, someone needs to do his job.

备份本身只是整个解决方案的一小部分。 您的灾难恢复/业务连续性计划(DR / BCP)需要解决很多活动部件并消除单点故障。 例如，如果希望约翰成为能够开始恢复工作的人，但他却没有移动装置就去百慕大钓鱼，那么有人需要干他的工作。

Regular testing, including full-scale DR exercises, are highly recommended. Whether you need to restore a file for someone in HR or recover a 10 TB database, your system MUST work.

强烈建议定期进行测试，包括全面的DR练习。 无论您是需要为HR中的某人还原文件还是要恢复10 TB数据库，系统都必须工作。

我如何使它们为我工作？ (How Do I Make Them Work For Me?)

Application Whitelisting: You probably already have the required hardware and software to make this a reality. Most modern endpoint protection applications, such as those from Symantec, Kaspersky, Sophos, and McAfee can perform application whitelisting. Modern UTM firewalls that offer application control are not really “Whitelisting” but can add another layer of defence if you choose.

应用程序白名单：您可能已经拥有实现此目标所需的硬件和软件。 大多数现代的端点保护应用程序(例如Symantec，Kaspersky，Sophos和McAfee的应用程序)都可以执行应用程序白名单。 提供应用程序控制的现代UTM防火墙并不是真正的“白名单”，但如果您选择的话，可以添加另一层防御。

It’s time to take stock and figure out what your business needs and what it doesn’t want. That comes down to what makes your business tick — the very applications you rely on.

现在该盘点一下，找出您的业务需求和不想要的东西。 这归结于让您的企业tick花一现的原因-您所依赖的应用程序。

Patching Applications: Once you have a current inventory of your applications and a reliable change management process in place, it’s time to begin (or at least keep going) with patching your systems to the current stable releases. Remove or replace any unsupported applications and make sure they’re included in your application whitelisting solution. Create a list, subscribe to alerts, or at the very least ask your vendors to notify you of updates and patches so you can include them in your regular scheduled maintenance. When it comes to emergency or urgent patches, treat them as a priority. Recent incidents with WannaCry and Petya/NotPetya should have highlighted this.

修补应用程序：一旦拥有了最新的应用程序清单并建立了可靠的变更管理流程，就可以开始(或至少继续进行)将系统修补到当前的稳定版本。 删除或替换所有不受支持的应用程序，并确保将它们包含在应用程序白名单解决方案中。 创建一个列表，订阅警报，或者至少要求您的供应商将更新和补丁通知您，以便您可以将它们包括在定期的计划维护中。 当涉及紧急或紧急补丁时，应将其作为优先事项。 WannaCry和Petya / NotPetya的最近事件本来应该强调这一点。

Take a deep breath, and realise this isn’t going to happen overnight. Get the right people involved and don’t hesitate to put your hand up if you need some help. Begin with your current application inventory and if you’ve recently undertaken an Application Whitelisting project, you should already have that. Prioritise your applications and make sure you have the latest stable version of each. If you are a few versions behind, acquire, test, and deploy the patches using your change management process. Rinse and repeat!

深吸一口气，意识到这不会在一夜之间发生。 让合适的人参与进来，如果需要帮助，请毫不犹豫地举起手。 从您当前的应用程序清单开始，如果您最近进行了“应用程序白名单”项目，那么您应该已经拥有了该清单。 确定应用程序的优先级，并确保每个应用程序都具有最新的稳定版本。 如果您的版本比较落后，请使用变更管理过程来获取，测试和部署补丁。 冲洗并重复！

Restricting Administrative Privileges: Technically, it’s easy, but I’ve yet to find someone willing to blindly start revoking administrator rights (or granting them for that matter) arbitrarily. You need a rock-solid policy to underpin this strategy and it must be supported and enforced by management. The roles of staff should dictate what they can and cannot have access to. Where possible, use security groups rather than assigning admin rights to individual accounts…. it’s easier to move users in and out of groups than worry about individual accounts. Always remember to ask “why” the administrator privileges are required in the first place as it should be backed up with a solid business case.

限制管理权限：从技术上讲，这很容易，但是我还没有找到愿意盲目地撤销管理员权限(或为此授予他们权限)的人。 您需要一个坚如磐石的策略来支撑该策略，并且该策略必须得到管理层的支持和实施。 工作人员的角色应规定他们可以和不能使用的内容。 尽可能使用安全组，而不是将管理权限分配给各个帐户…。 与担心单个帐户相比，将用户移入和移出组要容易得多。 始终记住首先要问“为什么”需要管理员特权，因为应该以可靠的业务案例来备份它。

Take inventory and then review the roles that have administrator privileges. Review your policies, plan, run it through proper change management, and then just get moving with the clean-up. And take your time…. this won’t happen instantly or overnight.

清点清单，然后查看具有管理员特权的角色。 查看您的策略，计划，通过适当的变更管理运行它，然后进行清理。 慢慢来...。 这不会立即或一夜之间发生。

Patching Operating Systems: If you’re not patching your operating systems, start doing so. There are plenty of applications available that can scan your network, identify the patch levels of computers, and provide a report to advise which systems need which patches. Get those patches, test them, and deploy them but try to automate the process as much as possible. There will always be systems that cannot be updated or must be done manually. You may also need to get management involved to help enforce the idea that computers must be patched, and users cannot simply ignore the updates because they will put more than just themselves at risk. While it may be tempting to spend time evaluating every single patch that gets released, perhaps consider working with someone that understands your infrastructure, like a managed service provider, and have them either provide advice or look after the patching entirely.

修补操作系统：如果不修补操作系统，请开始进行修补。 有许多可用的应用程序可以扫描您的网络，识别计算机的补丁程序级别并提供报告以建议哪些系统需要哪些补丁程序。 获取这些补丁，对其进行测试，然后进行部署，但请尝试使该过程尽可能自动化。 总会有一些系统无法更新或必须手动完成。 您可能还需要让管理人员参与进来，以帮助贯彻必须修补计算机的想法，用户不能简单地忽略更新，因为它们将给自己带来更多风险。 尽管可能会花时间评估发布的每个修补程序，但也许可以考虑与了解您的基础结构的人员(如托管服务提供商)合作，并让他们提供建议或完全照顾修补程序。

Ask questions. Find out what your patch management strategy for operating systems is and ask if you can do anything better. Talk with managed services providers and specialists in patch management. Implement a regular, scheduled patching regime and allow for the occasional emergency update. Include change management process in the strategy. Decide which patches are needed, test, and deploy. Happy Days!

问问题。 找出您的操作系统补丁管理策略是什么，并询问您是否可以做得更好。 与托管服务提供商和修补程序管理专家联系。 实施有计划的定期修补程序，并允许不时进行紧急更新。 在策略中包括变更管理过程。 确定需要哪些补丁，测试和部署。 快乐的时光！

Disabling Untrusted Microsoft Office Macros: Determine if you need macros. If no, then happy days, just implement a blanket policy to disable them across the board and move on. For non-domain systems, just disable them in your applications. For the rest of us, and likely the majority, that need macros, it’s time to take inventory of the macros we use. Delete the ones we don’t and begin the process of vetting the ones we do. Digitally sign your required macros after thorough QA and testing, and then distribute and control as needed. Ideally, we should never execute an untrusted macro unless we’re the ones that developed it and are trying to make it legitimate. Once these hurdles have been crossed, you can get back to unhindered productivity and make it out of the office before midnight.

禁用不受信任的Microsoft Office宏：确定是否需要宏。 如果否，那么开心的日子，只需实施全面保护策略即可全面禁用它们并继续前进。 对于非域系统，只需在应用程序中将其禁用。 对于需要宏的其他人(可能是大多数人)，是时候对我们使用的宏进行清点了。 删除我们不做的，然后开始审查我们做的。 经过全面的质量检查和测试后，对所需的宏进行数字签名，然后根据需要进行分发和控制。 理想情况下，除非我们是开发它并试图使其合法的人，否则永远不要执行不受信任的宏。 一旦克服了这些障碍，您就可以恢复不受阻碍的生产力，并在午夜之前离开办公室。

Find out what your current policy is on Microsoft Office Macros and if you don’t have one, consider creating one. As I mentioned earlier, this can be complex with a lot of moving parts so unless you have the resources like in-house skills and PKI, put up your hand and ask us to help you. If you have the resources, look at locking down your macros and controlling their distribution and the end user control over the applications. People are very skilled at Googling how to bypass security settings and pushing their limits. Logging and alerting may be a worthwhile side project to this as well. For those of you that already have all of this in place including digitally signed macros, it’s time to run a health check on your current state to make sure it’s still doing what it’s supposed to. Nothing in this world is even set-and-forget!

找出您对Microsoft Office宏当前的政策，如果没有，请考虑创建一个。 正如我之前提到的那样，这可能很复杂，需要很多活动部件，因此除非您拥有内部技能和PKI这样的资源，否则请举手并要求我们为您提供帮助。 如果您有足够的资源，请查看锁定宏并控制其分发以及最终用户对应用程序的控制。 人们非常善于使用Google搜索技术来绕过安全设置并突破限制。 日志记录和警报也可能是值得这样做的附带项目。 对于已经具备所有这些功能(包括数字签名的宏)的那些人，是时候对您的当前状态进行运行状况检查，以确保其仍在执行应有的操作。 这个世界上没有什么是一劳永逸的！

Application Hardening: Once you have an inventory of applications, find out how to secure them using either vendor or industry best practices. Test these changes to understand what you can and cannot do and then run them through change management bearing in mind the benefits and any potential negative impacts. Office politics will always be present when dealing with issues of control, so management support and enforcement is a good idea. Once the logistics have been looked after, set about implementing the changes. Unless you can control the changes through large scale distribution (such as AD Group Policy) it can be a bit cumbersome. Putting all required hardening into a base image helps, followed by implementing the hardened applications through distributed software points, so the hardening is already embedded.

应用程序强化：一旦有了应用程序清单，就可以了解如何使用供应商或行业最佳实践来保护它们。 测试这些更改，以了解您可以做什么和不能做什么，然后在考虑到好处和任何潜在的负面影响的情况下，通过更改管理来运行它们。 在处理控制问题时，办公室政治总是存在的，因此管理层的支持和执行是一个好主意。 照顾好后勤人员后，就着手实施更改。 除非您可以通过大规模分发来控制更改(例如AD组策略)，否则可能会有些麻烦。 将所有必需的加固放入基础映像中会有所帮助，然后通过分布式软件点实施加固的应用程序，因此加固已被嵌入。

As with most things, begin with a current state inventory to understand what you have. Understand how best to secure these applications (and other devices if you wish) and create a plan to address these issues. Perform proper testing and QA and ensure that proper change control is followed.

与大多数事情一样，从当前状态清单开始，以了解您拥有什么。 了解如何最好地保护这些应用程序(和其他设备，如果需要)的安全，并制定解决这些问题的计划。 执行适当的测试和质量检查，并确保遵循适当的变更控制。

Management support is important, so it is seen as not just an IT approach, but a business approach. Work your way methodically through the systems with a goal of allowing secure functionality of your applications. Regular reviews, such as after major upgrades or staffing changes, are also recommended.

管理支持很重要，因此它不仅被视为IT方法，而且被视为业务方法。 有条不紊地在系统中工作，以实现应用程序的安全功能。 还建议定期进行审查，例如在重大升级或人员变更之后。

Like a good spring cleaning, get rid of anything you don’t absolutely need!

就像进行良好的Spring大扫除一样，摆脱掉所有您不需要的东西！

Multi-Factor Authentication: Start with a plan. Implementing MFA is important, but it needs to be done for the right reasons and implemented correctly. Evaluate what you are protecting and why and begin to get the users involved very early on — the last thing you want to do is drop it on the staff suddenly. We humans don’t like change! Evaluate your options and thoroughly understand the pros and cons of each solution. If you need help, consult with MFA specialists who can help you find the best solution using the right combination of vendor products and services. For some of you, you may already have the capability through existing services such as Microsoft subscriptions. Trial your solution with a pilot group, learn from that experience, then begin a phased roll-out. Throughout the whole experience, always bear in mind the end users who will have to use the solution. In an environment with many systems, you may need to also consider Single Sign-On as well.

多重身份验证：从计划开始。 实施MFA非常重要，但是出于正确的原因需要正确地实施它。 评估您要保护的内容以及原因，并尽早开始让用户参与其中-您要做的最后一件事就是将其突然丢给员工。 我们人类不喜欢改变！ 评估您的选择，并彻底了解每种解决方案的利弊。 如果需要帮助，请咨询MFA专家，他们可以使用正确的供应商产品和服务组合帮助您找到最佳解决方案。 对于某些人来说，您可能已经可以通过现有服务(例如Microsoft订阅)获得此功能。 与试点小组一起试用您的解决方案，从中汲取经验，然后开始分阶段推广。 在整个体验中，请始终牢记将不得不使用该解决方案的最终用户。 在具有许多系统的环境中，您可能还需要考虑单点登录。

Ask the questions to determine what your present stance is on MFA and if you don’t have it, ask if you should. If you already have it, ask if you can do it better or more securely. Always be willing to go back and re-assess, aligning your security posture with the present threat landscape. Once you have the answer to these questions, act.

提出问题以确定您对MFA的当前立场，如果没有，请问是否应该这样做。 如果已经拥有它，请询问您是否可以做得更好或更安全。 始终愿意返回并重新评估，使您的安全状况与当前的威胁状况保持一致。 找到这些问题的答案后，请采取行动。

Daily Backups of Important Data: Rather than just jumping straight into backing up files, make sure you have a plan in place and ideally this should be a part of your overall DR/BCP. Identify what you are backing up and why, the priority of the data, the recovery time and recovery point objectives, and how it is being backed up. Equally important is how it gets restored and by whom, when, and where. Don’t overlook the value of annual full-scale, live DR testing and regular revisions to the plans. Also remember to include any new systems and their data as well as any storage location movements. Vendor support and even support by a managed services organisation can be worth every penny.

重要数据的每日备份：确保您已经制定了一个计划，而不仅仅是直接进入备份文件，并且理想情况下，这应该成为整个DR / BCP的一部分。 确定您要备份的内容以及原因，数据的优先级，恢复时间和恢复点目标以及如何备份数据。 同样重要的是它如何恢复以及由谁，何时何地恢复。 不要忽略年度全面测试，实时灾难恢复测试和定期修订计划的价值。 还请记住包括任何新系统及其数据以及任何存储位置的移动。 供应商的支持，甚至是托管服务组织的支持，都是值得的。

Ask the questions and get informed and if need be, get the right people involved. The ability to backup and restore critical information can mean the survival of your enterprise. Among the essential eight strategies, this one has probably been around nearly the longest but is probably also the one that gets overlooked the most. Make sure that any future changes to your data includes a section in change management to consider the backup and restore impacts.

提出问题并了解情况，如果需要，请合适的人员参与。 备份和还原关键信息的能力可能意味着企业的生存。 在基本的八项策略中，这一策略可能是最长的，但也可能是最被忽视的策略。 确保将来对数据进行的任何更改都包括更改管理中的一节，以考虑备份和还原的影响。

什么是陷阱？ (What Are The Pitfalls?)

Application Whitelisting: Many, which is why I recommend getting the right people involved and this means more than just the IT team. Management also needs to support and sign off on this initiative. Having it as part of your information security / general IT policies is also recommended. You need to know exactly what applications are on your network and which ones are needed. It’s not an easy voyage, but one worth taking. At the heart of it, executing code is the cause of a lot of breaches. Also consider that it’s not always malware; sometimes your own tools and utilities can be used against you!

应用程序白名单：很多，这就是为什么我建议让合适的人员参与其中，这不仅意味着IT团队，还意味着更多。 管理层还需要支持并批准该计划。 还建议将其作为信息安全性/常规IT策略的一部分。 您需要确切了解网络上有哪些应用程序以及需要哪些应用程序。 这不是一次轻松的航行，但值得一游。 从本质上讲，执行代码是导致大量违规的原因。 还请注意，它并不总是恶意软件。 有时您可能会使用自己的工具和实用程序！

Patching Applications: Without a doubt, Shadow IT can bite hard here. If you focus only on the “known” and approved applications, you may overlook the one-off applications downloaded to perform some task not officially sanctioned by the company. Even these one-off systems should be updated (or preferably removed until their existence can be justified and approved) in larger enterprises, patching applications can become all-consuming as it seems there are updates every day. A solid change-management process to test, schedule and deploy updates and patches on a prioritised basis is a must-have.

Patching Applications: Without a doubt, Shadow IT can bite hard here. If you focus only on the “known” and approved applications, you may overlook the one-off applications downloaded to perform some task not officially sanctioned by the company. Even these one-off systems should be updated (or preferably removed until their existence can be justified and approved) in larger enterprises, patching applications can become all-consuming as it seems there are updates every day. A solid change-management process to test, schedule and deploy updates and patches on a prioritised basis is a must-have.

Restricting Administrative Privileges: There are plenty of things that can go sideways when it comes to restricting administrative privileges. Service accounts can break, so be sure you maintain the level of access required by the services and vendors. Maintain a secure local account on your network equipment in the event it cannot reach the domain for authentication or else you may find yourself unable to fix a router or switch quickly. Failing to remove administrator access for employees that change roles or leave the company and are not deactivated can cause hours and hours of “fun”. There may be accounts with administrative access to the most obscure things but ultimately, restricting the ability of a hacker to run riot on your systems, having a degree of accountability when changes are made, and giving people pause-for-thought before “clicking OK” is a solid strategy. There are tools available to help and bringing in the pros to untangle the mess can be worth its weight in gold. A good password management application is a big plus, too.

Restricting Administrative Privileges: There are plenty of things that can go sideways when it comes to restricting administrative privileges. Service accounts can break, so be sure you maintain the level of access required by the services and vendors. Maintain a secure local account on your network equipment in the event it cannot reach the domain for authentication or else you may find yourself unable to fix a router or switch quickly. Failing to remove administrator access for employees that change roles or leave the company and are not deactivated can cause hours and hours of “fun”. There may be accounts with administrative access to the most obscure things but ultimately, restricting the ability of a hacker to run riot on your systems, having a degree of accountability when changes are made, and giving people pause-for-thought before “clicking OK” is a solid strategy. There are tools available to help and bringing in the pros to untangle the mess can be worth its weight in gold. A good password management application is a big plus, too.

Patching Operating Systems: Plenty, but probably more from the perspective of not actually doing ANY patching at all. Not every update fixes every problem and sometimes, they can cause other issues which is why patches should be tested prior to deployment unless it’s critical and you can’t wait. Scheduling of patches needs to be handled right because you don’t want to reboot someone’s computer when they’re trying to make a deadline or have open documents with a lot of unsaved changes. Things can and do go wrong, but like wearing your seatbelt, I prefer the odds of having it on over not doing anything.

Patching Operating Systems: Plenty, but probably more from the perspective of not actually doing ANY patching at all. Not every update fixes every problem and sometimes, they can cause other issues which is why patches should be tested prior to deployment unless it's critical and you can't wait. Scheduling of patches needs to be handled right because you don't want to reboot someone's computer when they're trying to make a deadline or have open documents with a lot of unsaved changes. Things can and do go wrong, but like wearing your seatbelt, I prefer the odds of having it on over not doing anything.

Disabling Untrusted Microsoft Office Macros: There can be a lot of moving parts here, so a plan is critical. Consider group policies, restricted privileges, macro control and distribution, digital signing and PKI and you will quickly see how many places you can come off the rails. Please don’t throw this in the “too hard bucket” because there is a lot to gain when macros are managed correctly, especially in an environment where the productivity can be impacted tenfold by their proper use but a hundred-fold by their exploitation.

Disabling Untrusted Microsoft Office Macros: There can be a lot of moving parts here, so a plan is critical. Consider group policies, restricted privileges, macro control and distribution, digital signing and PKI and you will quickly see how many places you can come off the rails. Please don't throw this in the “too hard bucket” because there is a lot to gain when macros are managed correctly, especially in an environment where the productivity can be impacted tenfold by their proper use but a hundred-fold by their exploitation.

Application Hardening: Many, because unless you harden your applications correctly, you may be effectively committing a denial-of-service attack against yourself. Some applications may just need “insecure” services or settings which will have to be accepted but can be guarded using a defence-in-depth strategy. Ensure that your approach allows for functionality as well as security because the most amazing applications are pointless if we can’t use them due to security settings. Asking the right questions to the right people, testing, and change management are crucial.

Application Hardening: Many, because unless you harden your applications correctly, you may be effectively committing a denial-of-service attack against yourself. Some applications may just need “insecure” services or settings which will have to be accepted but can be guarded using a defence-in-depth strategy. Ensure that your approach allows for functionality as well as security because the most amazing applications are pointless if we can't use them due to security settings. Asking the right questions to the right people, testing, and change management are crucial.

Multi-Factor Authentication: Unless your organisation is Greenfields, you will need the implementation to be gradual and well received by those used to just typing in their user name and password. Hopefully by now you’ve already managed the nightmare known as password complexity requirements. Users may often see this as just another obstacle in getting their work done, so education as to the “why” is beneficial (and just scaring people or using an “or else” approach helps no one). We’re all very much attached at the hand to our mobiles these days, so this may be the preferred approach. Many vendors make some slick mobile MFA solutions (which I would prefer over SMS but at the end of it, something is better than nothing. For now, at least).

Multi-Factor Authentication: Unless your organisation is Greenfields, you will need the implementation to be gradual and well received by those used to just typing in their user name and password. Hopefully by now you've already managed the nightmare known as password complexity requirements. Users may often see this as just another obstacle in getting their work done, so education as to the “why” is beneficial (and just scaring people or using an “or else” approach helps no one). We're all very much attached at the hand to our mobiles these days, so this may be the preferred approach. Many vendors make some slick mobile MFA solutions (which I would prefer over SMS but at the end of it, something is better than nothing. For now, at least).

Be prepared for resistance from users that refuse to install company-mandated apps on their personal devices. Even if you allow them to expense part of their devices, it is intrusive. Policy can help, or you can consider other means such as SMS, biometric, smart cards, or old-school fobs, but be ready for some politics.

Be prepared for resistance from users that refuse to install company-mandated apps on their personal devices. Even if you allow them to expense part of their devices, it is intrusive. Policy can help, or you can consider other means such as SMS, biometric, smart cards, or old-school fobs, but be ready for some politics.

Daily Backups of Important Data: A common pitfall is not adjusting backups to allow for new servers, data stores, or applications, so when new systems and new data come online, they’re not captured in the backup scheme. Also, commonly overlooked are device backups such as firewall and router configurations so if a device falls over, its replacement or the device itself can be quickly brought back up to speed. Another common pitfall is backing up everything…. just because. It’s all well and good to capture every tiny bit of data, but not at the cost of bandwidth, storage capacity, or at the risk of over-writing critical information. Plan, execute, review, adjust the plan, and repeat.

Daily Backups of Important Data: A common pitfall is not adjusting backups to allow for new servers, data stores, or applications, so when new systems and new data come online, they're not captured in the backup scheme. Also, commonly overlooked are device backups such as firewall and router configurations so if a device falls over, its replacement or the device itself can be quickly brought back up to speed. Another common pitfall is backing up everything…. just because. It's all well and good to capture every tiny bit of data, but not at the cost of bandwidth, storage capacity, or at the risk of over-writing critical information. Plan, execute, review, adjust the plan, and repeat.

Are There Any Ghosts In The Machine? (Are There Any Ghosts In The Machine?)

Application Whitelisting: It’s us, plain and simple. At the end of the day, we just want to do our jobs, get paid, and go home to our families. Be ready to uncover shadow IT and related shadow data that often arise because of shortcuts (well-intended or otherwise) that we use to get the job done. Application Whitelisting can really help secure the environment but be prepared for some resistance from the masses.

Application Whitelisting: It's us, plain and simple. At the end of the day, we just want to do our jobs, get paid, and go home to our families. Be ready to uncover shadow IT and related shadow data that often arise because of shortcuts (well-intended or otherwise) that we use to get the job done. Application Whitelisting can really help secure the environment but be prepared for some resistance from the masses.

Patching Applications: We are fooling ourselves if we think we can secure every application perfectly; risk will always remain. The key is to reduce the risk inherent in using applications to an acceptable level. Where the possibility to interact with an application exists, so does the ability to exploit the same. Technology was created by humans so human error is innate.

Patching Applications: We are fooling ourselves if we think we can secure every application perfectly; risk will always remain. The key is to reduce the risk inherent in using applications to an acceptable level. Where the possibility to interact with an application exists, so does the ability to exploit the same. Technology was created by humans so human error is innate.

Restricting Administrative Privileges: Politics, plain and simple. Administrative access is a powerful element of a user’s psyche and taking it away can open Pandora’s Box, but at the same time, also be the key to locking that very same box. Be ready for the battles that come with taking away admin rights, especially at the workstation level. Admittedly, Application Whitelisting can only help at an endpoint level so far by controlling installation and execution of programs. You can consider separate privileged accounts for those times when the user “must” have it and the service desk is swamped. Managers and Executives often demand administrator rights, so tread lightly and fully understand why before arbitrarily granting the power to the powers that be. Auditing and logging systems for privileged account activities should be thought of as well so when (not if) things get a little scary, you can follow the audit trail and make resolution a bit easier.

Restricting Administrative Privileges: Politics, plain and simple. Administrative access is a powerful element of a user's psyche and taking it away can open Pandora's Box, but at the same time, also be the key to locking that very same box. Be ready for the battles that come with taking away admin rights, especially at the workstation level. Admittedly, Application Whitelisting can only help at an endpoint level so far by controlling installation and execution of programs. You can consider separate privileged accounts for those times when the user “must” have it and the service desk is swamped. Managers and Executives often demand administrator rights, so tread lightly and fully understand why before arbitrarily granting the power to the powers that be. Auditing and logging systems for privileged account activities should be thought of as well so when (not if) things get a little scary, you can follow the audit trail and make resolution a bit easier.

Patching Operating Systems: Human error will always be a factor. We will overlook patches, miss computers because they were offline, incorrectly assign patches to computers that don’t need them, and no doubt we will always find at least one user that simply cannot be interrupted or can’t be bothered rebooting their computer. Implements some checks & balances to help mitigate these potential landmines.

Patching Operating Systems: Human error will always be a factor. We will overlook patches, miss computers because they were offline, incorrectly assign patches to computers that don't need them, and no doubt we will always find at least one user that simply cannot be interrupted or can't be bothered rebooting their computer. Implements some checks & balances to help mitigate these potential landmines.

Disabling Untrusted Microsoft Office Macros: The macros themselves must be trusted because as you can imagine, if we make a mistake and then trust that mistake, digital signing won’t make an ounce of difference. You must QA the macros and thoroughly test them before using them. Human error, as with all things, is omnipresent.

Disabling Untrusted Microsoft Office Macros: The macros themselves must be trusted because as you can imagine, if we make a mistake and then trust that mistake, digital signing won't make an ounce of difference. You must QA the macros and thoroughly test them before using them. Human error, as with all things, is omnipresent.

Application Hardening: Shadow IT seems to creep into our systems using grey applications, which are neither explicitly approved nor denied for their use in the infrastructure. These “unauthorised” programs can provide a quick and dirty workaround but unless secured, can present a bigger risk to your environment. Shadow IT exists often when users feel the tools they are given are inadequate or unduly restricted among many other reasons.

Application Hardening: Shadow IT seems to creep into our systems using grey applications, which are neither explicitly approved nor denied for their use in the infrastructure. These “unauthorised” programs can provide a quick and dirty workaround but unless secured, can present a bigger risk to your environment. Shadow IT exists often when users feel the tools they are given are inadequate or unduly restricted among many other reasons.

Multi-Factor Authentication: As with everything else, we humans seem to get in the way of perfect solutions. We lose our phones and are unable to log in. The same goes for smart cards and fobs that get left at home or lost. Even technology itself can let us down, so even if you have your phone but your battery is dead (which seems to happen a lot) there are plenty of ghosts. Always have a “Plan-B” to make sure users can get in when they need to. This is doubly critical for management and executives who may often refuse to accept there is an “issue” that prevents them from getting their email and logging in to their computers.

Multi-Factor Authentication: As with everything else, we humans seem to get in the way of perfect solutions. We lose our phones and are unable to log in. The same goes for smart cards and fobs that get left at home or lost. Even technology itself can let us down, so even if you have your phone but your battery is dead (which seems to happen a lot) there are plenty of ghosts. Always have a “Plan-B” to make sure users can get in when they need to. This is doubly critical for management and executives who may often refuse to accept there is an “issue” that prevents them from getting their email and logging in to their computers.

Daily Backups of Important Data: The list of things that can go wrong is extensive, but simply assuming the backups will work every time is hazardous. As with all technology, things can and do go wrong. We all have stories about how our backups let us down at the worst time possible. You simply must stay on top of things, even if it’s feeding the logs into another system so we can quickly check the status of our backups and right the ship, so to speak. Like a good insurance policy, we need it to be there when it matters.

Daily Backups of Important Data: The list of things that can go wrong is extensive, but simply assuming the backups will work every time is hazardous. As with all technology, things can and do go wrong. We all have stories about how our backups let us down at the worst time possible. You simply must stay on top of things, even if it's feeding the logs into another system so we can quickly check the status of our backups and right the ship, so to speak. Like a good insurance policy, we need it to be there when it matters.

Is There Anything Missing? (Is There Anything Missing?)

Application Whitelisting: Make sure you have the endpoint protection applied to every host that you can and think beyond just workstations…. locking down the ability of applications to execute on your servers — especially database servers and web servers — can be an invaluable tactic.

Application Whitelisting: Make sure you have the endpoint protection applied to every host that you can and think beyond just workstations…. locking down the ability of applications to execute on your servers — especially database servers and web servers — can be an invaluable tactic.

Patching Applications: While this approach seems to consider the current state, make sure to include any new applications as soon as they hit production. Even the latest and greatest systems will be updated at some point. Also, don’t overlook the software and firmware that run on your network appliances, physical and virtual. The programs that run your routers, switches, firewalls, load balancers and so on are still applications.

Patching Applications: While this approach seems to consider the current state, make sure to include any new applications as soon as they hit production. Even the latest and greatest systems will be updated at some point. Also, don't overlook the software and firmware that run on your network appliances, physical and virtual. The programs that run your routers, switches, firewalls, load balancers and so on are still applications.

Restricting Administrative Privileges: If there is one thing you shouldn’t miss, it’s the presence of generic accounts that have administrator privileges — watch out for these! I advocate against generic accounts but if you *must* have them, restrict them as tightly as possible and log everything they can do. Also, wherever possible, try to leverage your directory services as the “source of truth” when logging onto network appliances. Changing the name of default administrator accounts doesn’t hurt either. Oh yes… remember good password practices lest you’ll end up with a hacker on the core switch using “admin” “admin”.

Restricting Administrative Privileges: If there is one thing you shouldn't miss, it's the presence of generic accounts that have administrator privileges — watch out for these! I advocate against generic accounts but if you *must* have them, restrict them as tightly as possible and log everything they can do. Also, wherever possible, try to leverage your directory services as the “source of truth” when logging onto network appliances. Changing the name of default administrator accounts doesn't hurt either. Oh yes… remember good password practices lest you'll end up with a hacker on the core switch using “admin” “admin”.

Patching Operating Systems: Just remember the non-Windows systems such as Linux, UNIX, Mac, and mobile platforms like Apple, Android, and Blackberry. If you haven’t included network devices and IoT in your application patching strategy, include them here. They’re all part of your extended family!

Patching Operating Systems: Just remember the non-Windows systems such as Linux, UNIX, Mac, and mobile platforms like Apple, Android, and Blackberry. If you haven't included network devices and IoT in your application patching strategy, include them here. They're all part of your extended family!

Disabling Untrusted Microsoft Office Macros: By the way, it’s worth considering macros in applications other than office. Microsoft isn’t the only ones that figured out macros are incredibly powerful!

Disabling Untrusted Microsoft Office Macros: By the way, it's worth considering macros in applications other than office. Microsoft isn't the only ones that figured out macros are incredibly powerful!

Application Hardening: It doesn’t hurt to look at network appliances that may be running default services that are not used or may be insecure. Network printers & multi-function devices, UPS systems, routers, switches, and more may be considered if one is undertaking a hardening exercise. FTP, SNMP, HTTP, TELNET and more are often running on these devices and may present a risk.

Application Hardening: It doesn't hurt to look at network appliances that may be running default services that are not used or may be insecure. Network printers & multi-function devices, UPS systems, routers, switches, and more may be considered if one is undertaking a hardening exercise. FTP, SNMP, HTTP, TELNET and more are often running on these devices and may present a risk.

Don’t overlook patching your applications and enabling relevant logging and auditing.

Don't overlook patching your applications and enabling relevant logging and auditing.

Multi-Factor Authentication: In addition to considering mandatory work-arounds for those times when something gets a little sideways, you really need to consider the personal angle. Use MFA on everything you can — email, Social Media, banking, and so on. Be ready to defend yourself as an individual as well as your enterprise. Most popular platforms such as Outlook, Gmail, Facebook, Twitter, and more all leverage MFA, so do yourself a favour and set it up. A personal breach may give an attacker enough information to launch an attack on your enterprise — especially if you’re in the management tier of your organisation and a more attractive target.

Multi-Factor Authentication: In addition to considering mandatory work-arounds for those times when something gets a little sideways, you really need to consider the personal angle. Use MFA on everything you can — email, Social Media, banking, and so on. Be ready to defend yourself as an individual as well as your enterprise. Most popular platforms such as Outlook, Gmail, Facebook, Twitter, and more all leverage MFA, so do yourself a favour and set it up. A personal breach may give an attacker enough information to launch an attack on your enterprise — especially if you're in the management tier of your organisation and a more attractive target.

Daily Backups of Important Data: While you’re at it, it’s time to evaluate backing up your personal data. Far too many of us fail to back up our home data and files, so with a wealth of cheap & cheerful options such as personal iCloud, OneDrive and GDrive, we’ve plenty of options. Just be wary of your bandwidth usage and it may be time to look at your ISP options…. you may even save a few dollars!

Daily Backups of Important Data: While you're at it, it's time to evaluate backing up your personal data. Far too many of us fail to back up our home data and files, so with a wealth of cheap & cheerful options such as personal iCloud, OneDrive and GDrive, we've plenty of options. Just be wary of your bandwidth usage and it may be time to look at your ISP options…. you may even save a few dollars!

Daily Backup Bonus Points: Watch out for data stored on local drives of workstations and laptops…. anything business important should be stored on the corporate servers. I’ve seen a few instances of a staff laptop crashing only to lose vital work documents with the online copies several months out of date.

Daily Backup Bonus Points: Watch out for data stored on local drives of workstations and laptops…. anything business important should be stored on the corporate servers. I've seen a few instances of a staff laptop crashing only to lose vital work documents with the online copies several months out of date.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock

免责声明：本博客中提出的想法和观点是我自己的，而不是任何相关第三方的想法。 提供的内容仅用于一般信息，教育和娱乐目的，并不构成法律建议或建议； 绝对不能以此为依据。 在实际情况下应寻求适当的法律咨询。 除非另有说明，否则所有图片均通过ShutterStock授权