For #CyberSecurityAwarenessMonth, I'd like to start with a basic assumption we often seem to overlook:
If you don't need the data, don't keep it. Or put another way: you can't lose what you don't have.
Cheap (virtually unlimited) storage encourages us all (people and organizations) to keep lots of sensitive data we don't need - and there are plenty of examples of that coming back to bite people in sensitive places.
CISA and NSA have released their "Top 10" list of cybersecurity misconfigurations and I'm assured they aren't from the home office in Wahoo, Nebraska. (disconcertingly, they also didn't provide them in a 10-to-1 countdown, which is just, well, sad)
1. Default configurations of software and applications
2. Improper separation of user/administrator privilege
3. Insufficient internal network monitoring
4. Lack of network segmentation
5. Poor patch management
6. Bypass of system access controls
7. Weak or misconfigured multifactor authentication (MFA) methods
8. Insufficient access control lists (ACLs) on network shares and services
9. Poor credential hygiene
10. Unrestricted code execution
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a
Bill Bernard