Organizations may conduct a penetration test via an internal team or hire a third-party organization to audit the organization's systems. Larger organizations may conduct internal attacker-defender scenarios with a "red team" attacking and a "blue team" defending. The defenders, namely threat hunters, system administrators, and programmers, proactively manage information systems, remediate vulnerabilities, gather cyber threat intelligence, and harden their operating systems, code, connected devices, and networks. Blue teams may include all information and physical security personnel employed by the organization.[9]

Physical security may be tested for weaknesses, and all employees may be the target of social engineering attacks and IT security audits. Digital and physical systems may be audited with varying degrees of knowledge of relevant systems to simulate realistic conditions for attackers and for employees, who are frequently trained in security practices and measures. In full-knowledge test scenarios, known as white box tests, the attacking party knows all available information regarding the client's systems. In black box tests, the attacking party is provided with no information regarding the client's systems. Gray box tests provide limited information to the attacking party.
Cybersecurity researcher Jeffrey Carr compares cyber self-defense to martial arts, as one's computer and network attack surface may be shrunk to reduce the risk of exploitation.[10]
Minimize authentication risk by limiting the number of people who know one's three common authentication factors, such as "something you are, something you know, or something you have." Unique information is characterized as possessing a particular degree of usefulness to a threat actor in gaining unauthorized access to a person's information.
Use a password manager to avoid storing passwords in physical form. This incurs a greater software risk profile due to potential vulnerabilities in the password management software, but mitigates the risk of breaches if one's password list were stolen or lost, and in the case that keyloggers were present on the machine.
Pay attention to what information one might accidentally reveal in online posts.[13]
Appropriately use password brute force attack prevention software such as Fail2ban or an effective equivalent.
Never give out logins or passwords to anyone unless absolutely necessary, and if so, change them immediately thereafter.[14]
Use security questions and answers that are impossible for anybody else to answer even if they have access to one's social media posts or engage in social engineering.[14]
Beware of social engineering techniques and their six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
Beware of shoulder surfing, wherein threat actors collect passwords and authentication information by physically observing the target user.
Beware of piggybacking (tailgating), wherein a threat actor closely follows authorized personnel into a secure facility.
Beware of wardriving, wherein threat actors use mobile hacking stations to gain unauthorized access to WiFi. Wardriving might also consist of the use of parabolic microphones to gather acoustic data, such as passwords and personally identifiable data.
Refrain from interacting with fake phone calls, i.e. voice phishing, also known as "vishing".
Check links with Google Transparency Report to see whether they lead to websites with known malware.
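The lockout logic behind a brute-force prevention tool like Fail2ban, as an added example that is not Fail2ban's own code: it parses constructed OpenSSH-style auth log lines and marks an address for banning once it reaches `maxretry` failed logins within a sliding `findtime` window (those two option names match Fail2ban's; the log year, host name and addresses are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (not a real capture).
SAMPLE_LOG = """\
Apr 22 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Apr 22 10:00:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
Apr 22 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 50116 ssh2
Apr 22 10:00:09 host sshd[1205]: Accepted publickey for alice from 198.51.100.4 port 40010 ssh2
Apr 22 10:00:20 host sshd[1207]: Failed password for bob from 198.51.100.4 port 40012 ssh2
Apr 22 10:00:30 host sshd[1209]: Failed password for root from 203.0.113.7 port 50118 ssh2
Apr 22 10:30:00 host sshd[1300]: Failed password for bob from 198.51.100.4 port 40020 ssh2
Apr 22 10:30:01 host sshd[1301]: Failed password for bob from 198.51.100.4 port 40021 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2019):
    """Syslog timestamps carry no year; the year is an assumed value."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of ban} for every IP that reaches maxretry
    failures inside any findtime-long window. Failures older than the
    window are dropped, so slow, spread-out failures do not accumulate."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:            # already banned; nothing more to count
            continue
        recent = window[ip]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.popleft()      # expire failures outside the window
        if len(recent) >= maxretry:
            bans[ip] = ts
    return bans
```

With the defaults only 203.0.113.7 is banned; 198.51.100.4 has three failures in total but never three within ten minutes, which is why the window matters as much as the count.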
Preventative software measures
Use, but do not rely solely on, antivirus software,[11] as evading it is trivial for threat actors. This is due to its reliance on an easily altered digital signature, a form of applied hash, of the previously known malicious code.
Use an antimalware product, such as Malwarebytes Anti-Malware, in conjunction with an antivirus with vulnerability scanning features.
Uninstall insecure software such as Adobe Flash[12][16][17] on one's operating system. Refrain from accessing web pages and related plugins within one's web browser.
Only run software when necessary to reduce attack surface.
Refrain from rooting one's phone or internet-facing device.[13]
Network and information security measures
Using a firewall on Internet-connected devices.[11]
Not running programs, services, or browsers with a super-user or privileged user account (such as root in Linux and Unix, or Administrator in Windows), unless one understands the security risks of such an action.
Avoiding free WiFi and not logging into any accounts while using it.[10]
Legal theorists and policy makers are increasingly considering authorizing the private sector to take active measures by "hacking back" (also known as hackbacks).[20][21] In contrast to active attack measures, passive defense measures present a reduced risk of cyberwarfare, legal, political, and economic fallout.
A contemporary topic in debate and research is the question of 'when does a cyber-attack, or the threat thereof, give rise to a right of self-defense?'[22]
In March 2017, Tom Graves proposed the Active Cyber Defense Certainty Act (ACDC) that would enhance the Computer Fraud and Abuse Act (CFAA) to allow individuals and the private sector to use certain tools currently restricted under the CFAA to identify attackers and prevent attacks by hacking them.[20][23][24] This presents a "chicken or the egg" problem, wherein if everyone were allowed to hack anyone, then everyone would hack everyone and only the most skilled and resourced would remain.
Brad Maryman warns of unintended consequences, stating that in his view "the notion that we should legislate and accept a level of undocumented and unmonitored cyber actions by anyone who thinks they have been hacked is unfathomable".[24]
References
Tiwari, Mohit (April 2017). "Intrusion Detection System". International Journal of Technical Research and Applications. 5 (2): 2320-8163. Retrieved April 22, 2019.
Waxman, Matthew C. (March 19, 2013). "Self-Defensive Force Against Cyber Attacks: Legal, Strategic and Political Dimensions". International Law Studies. 89. SSRN 2235838.