Executive summary
Quick wins for everyone plus deeper controls for network/IT engineers and ISC2 candidates. Align choices to NIST CSF 2.0 and CIS Controls v8 for measurable, auditable outcomes.
Prefer passkeys (FIDO/WebAuthn). Require hardware security keys for admins. Block legacy authentication protocols, enforce device posture, and use JIT/PAM elevation instead of standing admin rights. Vault and rotate secrets; disable shared accounts; enable SSO and SCIM provisioning.
Deploy EDR/XDR everywhere with auto-isolation on high-risk detections. Enforce full-disk encryption (BitLocker/FileVault), Secure Boot, a host firewall, and browser extension control. Patch SLAs: critical ≤7 days, high ≤14 days. Use LAPS to rotate local admin passwords and application allow-listing on critical servers.
Use security-focused resolvers (e.g., Quad9) and log DNS queries to the SIEM. Enable DoH/DoT, restrict egress DNS to the approved resolvers, and pin those resolvers on endpoints. Add SWG/SASE/TLS inspection where policy and law permit.
Implement SPF+DKIM+DMARC with DMARC at quarantine or reject, monitor look-alike domains, enable BIMI, add a report-phish button and just-in-time training. Use CASB/DLP, restrict third-party OAuth app consent, and enforce session controls for unmanaged devices.
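The SPF and DMARC posture above is easy to state and easy to get subtly wrong (p=none, pct below 100, a +all terminal, too many lookups). The following added example, not code from the original page, scores records you have already fetched (e.g. with dig TXT _dmarc.example.com); the sample records, the Finding type and the function names are all constructed for illustration.

```python
"""Score SPF and DMARC TXT records against the target posture
(DMARC at quarantine/reject, SPF ending in a failing 'all' mechanism).

Added example, not from the original page. Records below are constructed.
"""
import re
from dataclasses import dataclass

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
LOOKUP_MECHANISMS = {"include", "a", "mx", "redirect", "exists"}
MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it yields permerror at receivers

# Constructed sample records.
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
WEAK_SPF = "v=spf1 a mx include:_spf.mailer.example +all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"


@dataclass
class Finding:
    record: str   # "spf" or "dmarc"
    ok: bool
    reason: str


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(txt):
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("dmarc", False, "missing or invalid v=DMARC1 tag")]
    findings = []
    policy = tags.get("p", "").lower()
    if POLICY_RANK.get(policy, -1) < POLICY_RANK["quarantine"]:
        findings.append(Finding("dmarc", False, f"p={policy or 'missing'} is weaker than quarantine"))
    else:
        findings.append(Finding("dmarc", True, f"p={policy}"))
    sp = tags.get("sp")  # explicit subdomain policy; defaults to p when absent
    if sp and POLICY_RANK.get(sp.lower(), -1) < POLICY_RANK["quarantine"]:
        findings.append(Finding("dmarc", False, f"sp={sp} leaves subdomains unenforced"))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(Finding("dmarc", False, f"pct={pct} applies the policy to only {pct}% of mail"))
    if "rua" not in tags:
        findings.append(Finding("dmarc", False, "no rua= aggregate reporting address"))
    return findings


def mechanism(term):
    """'include:foo', '-all', 'redirect=x', 'mx/24' -> 'include', 'all', 'redirect', 'mx'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def spf_lookup_count(txt):
    """Count the mechanisms that cost a DNS lookup under RFC 7208."""
    return sum(1 for t in txt.split() if mechanism(t) in LOOKUP_MECHANISMS)


def check_spf(txt):
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("spf", False, "not an SPF record")]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(Finding("spf", False, "+all authorises every sender"))
    elif last == "-all":
        findings.append(Finding("spf", True, "hardfail -all"))
    elif last == "~all":
        findings.append(Finding("spf", True, "softfail ~all (rely on DMARC to enforce)"))
    else:
        findings.append(Finding("spf", False, "no terminal 'all' mechanism"))
    lookups = spf_lookup_count(txt)
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(Finding("spf", False, f"{lookups} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}"))
    return findings


def posture_ok(spf_txt, dmarc_txt):
    """True only when both records meet the target posture."""
    return all(f.ok for f in check_spf(spf_txt) + check_dmarc(dmarc_txt))


if __name__ == "__main__":
    for f in check_spf(WEAK_SPF) + check_dmarc(WEAK_DMARC):
        print(f)
```

Run it against your own domains by pasting the TXT values in place of the constructed ones; a softfail ~all is accepted here only because DMARC, not SPF, is what causes rejection once p=quarantine or p=reject is in place.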
Adopt WPA3-Enterprise with EAP-TLS; avoid shared PSKs. Use RADIUS with per-user or per-device certificates and isolate BYOD/IoT on separate VLANs with mDNS/SSDP controls. Disable WPS and monitor for rogue APs.
Separate users, servers, and OT/IoT. Default-deny inter-VLAN, restrict east-west, apply FQDN egress policies, and use identity-aware micro-segmentation for critical apps.
Centralize DNS, DHCP, firewall, proxy, endpoint, identity, and cloud logs. Retain 30–180 days based on risk/privacy. Build detections for impossible travel, MFA fatigue, DGA DNS, anomalous PowerShell, and unusual service installs. Enrich with TI, apply UEBA, automate response with SOAR.
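Two of the detections listed above, impossible travel and MFA fatigue, written out as logic that runs over sign-in events. This is an added example, not code from the original page: it assumes the SIEM has already geo-enriched sign-ins with lat/lon, the event names and field layout are constructed, the sample log lines are constructed, and the speed and push-burst thresholds are assumptions to tune per environment.

```python
"""Impossible-travel and MFA-fatigue detections over geo-enriched sign-in logs.

Added example, not from the original page. Event schema, sample logs and
thresholds are constructed assumptions.
"""
import json
import math
from collections import defaultdict, deque
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight counts as impossible
FATIGUE_WINDOW_S = 600      # MFA fatigue: look back over a 10-minute window
FATIGUE_MIN_DENIALS = 5     # ...and alert at this many denied/ignored pushes

# Constructed sample events, one JSON object per line.
SAMPLE_LOGS = """
{"ts":"2024-05-01T08:00:00Z","user":"alice","event":"signin","result":"success","ip":"198.51.100.10","lat":51.5,"lon":-0.12}
{"ts":"2024-05-01T08:40:00Z","user":"alice","event":"signin","result":"success","ip":"203.0.113.7","lat":40.71,"lon":-74.0}
{"ts":"2024-05-01T09:00:00Z","user":"bob","event":"signin","result":"success","ip":"192.0.2.5","lat":48.85,"lon":2.35}
{"ts":"2024-05-01T13:00:00Z","user":"bob","event":"signin","result":"success","ip":"192.0.2.9","lat":52.52,"lon":13.4}
{"ts":"2024-05-01T22:01:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"203.0.113.50"}
{"ts":"2024-05-01T22:02:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"203.0.113.50"}
{"ts":"2024-05-01T22:03:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"203.0.113.50"}
{"ts":"2024-05-01T22:04:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"203.0.113.50"}
{"ts":"2024-05-01T22:05:00Z","user":"carol","event":"mfa_push","result":"denied","ip":"203.0.113.50"}
{"ts":"2024-05-01T22:06:00Z","user":"carol","event":"mfa_push","result":"approved","ip":"203.0.113.50"}
{"ts":"2024-05-01T23:00:00Z","user":"dave","event":"mfa_push","result":"denied","ip":"192.0.2.77"}
{"ts":"2024-05-01T23:01:00Z","user":"dave","event":"mfa_push","result":"approved","ip":"192.0.2.77"}
"""


def parse_logs(text):
    """Parse JSON lines, attach a datetime, and return events in time order."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["t"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events):
    """Flag consecutive successful sign-ins per user whose implied speed is implausible."""
    alerts = []
    last = {}  # user -> previous successful sign-in
    for e in events:
        if e["event"] != "signin" or e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["t"] - prev["t"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"rule": "impossible_travel", "user": e["user"],
                               "from_ip": prev["ip"], "to_ip": e["ip"],
                               "km": round(km), "kmh": round(speed)})
        last[e["user"]] = e
    return alerts


def detect_mfa_fatigue(events):
    """Flag a burst of denied pushes; escalate if an approval follows the burst."""
    alerts = []
    denials = defaultdict(deque)  # user -> timestamps of denials inside the window
    for e in events:
        if e["event"] != "mfa_push":
            continue
        q = denials[e["user"]]
        while q and (e["t"] - q[0]).total_seconds() > FATIGUE_WINDOW_S:
            q.popleft()  # drop denials that have aged out of the window
        if e["result"] == "denied":
            q.append(e["t"])
            if len(q) == FATIGUE_MIN_DENIALS:  # fire once as the burst crosses the threshold
                alerts.append({"rule": "mfa_fatigue", "user": e["user"],
                               "denials": len(q), "ip": e["ip"]})
        elif e["result"] == "approved" and len(q) >= FATIGUE_MIN_DENIALS:
            # The user finally tapped approve after a burst: likely a successful push-bombing.
            alerts.append({"rule": "mfa_fatigue_approved", "user": e["user"],
                           "denials": len(q), "ip": e["ip"]})
            q.clear()
    return alerts


def run_detections(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return detect_impossible_travel(events) + detect_mfa_fatigue(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data alice's London to New York hop in 40 minutes fires impossible_travel, bob's Paris to Berlin hop over four hours does not, carol's five denials followed by an approval fire both fatigue rules, and dave's single denial stays quiet. The approved-after-burst alert is the one to route to SOAR for automatic session revocation; the plain burst alert is a good candidate for a user notification and a soft lock.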
Follow the 3-2-1-1-0 rule: 3 copies on 2 media, 1 off-site, 1 immutable or offline, and 0 errors on restore verification. Protect backup consoles with MFA and network isolation; run quarterly restore drills; encrypt at rest and in transit.
Maintain SBOMs and run SCA. Scan for secrets in CI/CD and move them to a vault with short-lived tokens and code signing. Use minimal, non-root containers with image scanning and attestations. In Kubernetes, enforce NetworkPolicies, read-only FS, Pod Security, RBAC least privilege, admission control, and audit logs.
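The Kubernetes controls above (non-root, read-only filesystem, Pod Security, admission control) come down to a set of checks applied to each Pod before it is scheduled. The following added example, not code from the original page or from any Kubernetes project, shows that decision logic as a validating-admission-style policy: the two manifests are constructed and given as Python dicts (the shape you get after parsing YAML), and the rules encode the main requirements of the Restricted Pod Security profile plus the image-pinning and resource-limit checks the summary calls for.

```python
"""Least-privilege checks for a Pod, the decision logic a validating admission
webhook or policy engine applies before a workload is scheduled.

Added example, not from the original page. Manifests are constructed.
"""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}  # the only capability Restricted lets you add back

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-bad", "namespace": "prod"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-good", "namespace": "prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.4",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def image_is_pinned(image):
    """True if the image has an explicit non-latest tag or a digest."""
    last = image.rsplit("/", 1)[-1]  # drop registry/path so a ':5000' port is not mistaken for a tag
    if "@sha256:" in last:
        return True
    return ":" in last and not last.endswith(":latest")


def check_pod(manifest):
    """Return a list of violations; an empty list means the Pod would be admitted."""
    spec = manifest.get("spec", {})
    meta = manifest.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    pod_sc = spec.get("securityContext", {})
    violations = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"{name}: spec.{key} must not be true")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        tag = f"{name}/{c.get('name', '?')}"
        sc = {**pod_sc, **c.get("securityContext", {})}  # container settings override pod-level ones
        caps = sc.get("capabilities", {})
        if not image_is_pinned(c.get("image", "")):
            violations.append(f"{tag}: image must be pinned to a tag or digest, not :latest")
        if sc.get("privileged"):
            violations.append(f"{tag}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):  # the API default is true, so absence is a finding
            violations.append(f"{tag}: allowPrivilegeEscalation must be false")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{tag}: runAsNonRoot must be true")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"{tag}: readOnlyRootFilesystem must be true")
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{tag}: seccompProfile.type must be RuntimeDefault or Localhost")
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{tag}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            violations.append(f"{tag}: capabilities.add {sorted(extra)} not allowed")
        if not c.get("resources", {}).get("limits"):
            violations.append(f"{tag}: resources.limits must be set")
    return violations


def admit(manifest):
    """Admission decision: True to allow, False to deny."""
    return not check_pod(manifest)


if __name__ == "__main__":
    for m in (BAD_POD, GOOD_POD):
        print(m["metadata"]["name"], "admitted" if admit(m) else check_pod(m))
```

In production you would express these rules in the cluster's policy engine or via the built-in Pod Security Admission labels rather than a hand-rolled webhook, but the checks are the same, and running them in CI against rendered manifests catches the violations before they reach the API server.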
Replace broad network VPN access with ZTNA that grants access per application and requires healthy device posture. Use SASE for unified SWG/CASB/DLP/ZTNA and consistent policies on and off the corporate network. In the cloud, tag resources, enforce least-privilege IAM, and monitor configuration drift.
First hour: isolate affected hosts, disable suspect accounts and keys, preserve evidence, verify backups and lock their immutability, coordinate over out-of-band comms, then contain, eradicate, and recover. Run tabletop drills for BEC, lost admin laptops, ransomware in branch offices, and leaked cloud tokens.