Serious Discussion How Does One improve Security ?

Victor M

Level 26
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
1,564
5,871
2,469
I have done some thinking, and I still have questions on how to improve security.

One way is to use STRIDE to id some threats. One has to sometimes say 'what if' and attempt to address them.
Another way is to wait for some interesting topic to arise in the forum or post our own questions.
Another way to improve securiity, a la mode, is to subscribe to intelligence feeds in your tools. So that you address an attack vector once a POC comes up or when somebody else gets hit.
Currently I am digging into SELinux, trying to put the 'targeted' SELinux policy to full use. NSA thought up this protection, and the 'targeted' policy only uses part of SELinux. It should be able to do wonderful things. Just trying to stay ahead of the red team.
Another proven way to improve is to follow a security framework and implement the controls that they say to do. But some of these frameworks are geared towards bigger shops than ours. They show the proper way to do things, which I fully understand and agree, but man power is a problem. Canada has its own Baseline Security for small medium organizations. And Australia has their Essential 8. Both doable. Essential 8 has clearer instructions. Of course there are those internationally recognized frameworks, like CIS Critical Controls, NIST Cybersecurity Framework and ISO 27001.

What else can you think of ?
 
Last edited:
I have done some thinking, and I still have questions on how to improve security.

One way is to use STRIDE to id some threats. One has to sometimes say 'what if' and attempt to address them.
Another way is to wait for some interesting topic to arise in the forum or post our own questions.
Another way to improve securiity, a la mode, is to subscribe to intelligence feeds in your tools. So that you address an attack vector once a POC comes up or when somebody else gets hit.
Currently I am digging into SELinux, trying to put the 'targeted' SELinux policy to full use. NSA thought up this protection, and the 'targeted' policy only uses part of SELinux. It should be able to do wonderful things. Just trying to stay ahead of the red team.
Another proven way to improve is to follow a security framework and implement the controls that they say to do. But some of these frameworks are geared towards bigger shops than ours. They show the proper way to do things, which I fully understand and agree, but man power is a problem. Canada has its own Baseline Security for small medium organizations. And Australia has their Essential 8. Both doable. Essential 8 has clearer instructions. Of course there are those internationally recognized frameworks, like CIS Critical Controls, NIST Cybersecurity Framework and ISO 27001.

What else can you think of ?
You already have several of the right building blocks. The main thing I would add is this:

Security improves fastest when you combine threat thinking, hardening, detection, and recovery into a repeatable process.

Frameworks, SELinux, threat intel, and “what if” exercises all help, but they work best when tied to a practical operating model.

What else to add

  • Asset inventory and attack surface reduction

    You cannot secure what you do not know exists.

    At a minimum, keep an accurate list of:
    • Servers
    • Endpoints
    • Network devices
    • Internet-exposed services
    • Admin accounts
    • Critical applications
    • Third-party connections

    In many smaller environments, simply removing unused software, disabling unused services, closing unnecessary ports, and reducing exposed applications gives immediate security value.
  • Privilege control

    This is one of the highest-value improvements for most organizations.

    Focus on:
    • Least privilege
    • Separate admin and user accounts
    • Restricting local admin rights
    • Just-in-time or just-enough administration where feasible
    • Strong MFA for admin access, VPN, email, and remote access

    If manpower is limited, reducing privilege often gives more benefit than adding another security product.
  • Secure configuration baselines

    A framework tells you what to do, but configuration baselines help with how to do it consistently.

    Examples include:
    • CIS Benchmarks
    • Vendor hardening guides
    • Microsoft security baselines
    • Distribution-specific Linux hardening guidance

    This fits well with your SELinux work. SELinux can be very strong, but it usually delivers the most value when the underlying service design, file labeling, and least-privilege model are already disciplined.
  • Patch and vulnerability management

    Threat intel is useful, but many real-world incidents still come from already-known vulnerabilities or weakly managed exposed services.

    A practical model is:
    • Prioritize internet-facing systems first
    • Prioritize actively exploited vulnerabilities next
    • Then high-impact internal systems
    • Use maintenance windows and rollback plans

    I would treat “patch reliability” as just as important as patch speed.
  • Logging, monitoring, and alert triage

    Prevention alone is not enough.

    Even basic centralized logging can help:
    • Authentication failures
    • Privilege changes
    • New service creation
    • Policy denials
    • Remote access activity
    • EDR or antivirus detections

    Since you mentioned SELinux, reviewing AVC denials in a structured way can also uncover misconfigurations and attempted abuse, but it takes tuning to avoid noise.
  • Backups and recovery testing

    This is often undervalued until something goes wrong.

    Have:
    • Offline or otherwise isolated backups
    • Documented restore procedures
    • Periodic restore testing
    • A list of critical systems and acceptable recovery times

    A backup that has not been tested is only a hopeful backup.
  • Security awareness tied to your real risks

    Generic training has limited value. Targeted training works better.

    Examples:
    • Phishing-resistant MFA adoption
    • How admins handle scripts, attachments, and downloads
    • Safe remote support procedures
    • Reporting suspicious emails or login prompts

    For smaller teams, a few focused habits can matter more than formal annual training.
  • Incident response playbooks

    You do not need a large enterprise SOC to benefit from this.

    Even a small set of written playbooks helps:
    • Compromised account
    • Suspected ransomware
    • Suspicious outbound traffic
    • Lost or stolen device
    • Business email compromise

    This reduces hesitation and confusion during a real event.
  • Validation through testing

    This is where your STRIDE mindset becomes operational.

    Good options include:
    • Tabletop exercises
    • Purple-team style validation
    • Atomic tests for common attacker techniques
    • External attack surface reviews
    • Configuration drift checks

    You do not always need a full red team. Small, controlled validation exercises can still reveal major gaps.
  • Application control and execution restrictions

    Where practical, controlling what can run is a strong defense.

    Examples:
    • Application allowlisting
    • Script control
    • Macro restrictions
    • Restricting unsigned or unapproved binaries

    This is especially useful against commodity malware and user-driven execution paths.
  • Network segmentation

    Smaller environments often have flat networks because they are easier to manage, but this increases blast radius.

    Even modest segmentation helps:
    • Separate user devices from servers
    • Separate backups from production
    • Restrict admin access paths
    • Limit east-west traffic where possible

    This improves containment when something does get through.
  • Third-party and supply chain review

    A lot of risk comes through vendors, remote tools, browser extensions, SaaS platforms, and update channels.

    At minimum:
    • Review who has access
    • Remove old integrations
    • Limit permissions for service accounts
    • Monitor remote access tools
    • Prefer reputable vendors with clear security documentation

A practical priority order for smaller teams

If staffing is the constraint, I would usually prioritize in this order:

  1. Asset inventory
  2. MFA everywhere important
  3. Remove unnecessary admin rights
  4. Patch internet-facing systems quickly
  5. Backups with restore testing
  6. Secure configuration baselines
  7. Centralized logging for key events
  8. Basic incident playbooks
  9. Segmentation and application control where feasible
  10. Threat modeling and framework mapping to close remaining gaps

On frameworks

Your point is valid: some frameworks are conceptually excellent but operationally heavy.

For smaller organizations, it is often better to:
  • Choose one primary framework for structure
  • Use one baseline for technical configuration
  • Adopt only a small number of measurable controls at a time

A sensible combination could be:
  • NIST CSF or CIS Controls for overall structure
  • Essential 8 or a national SME baseline for prioritization
  • CIS Benchmarks or vendor baselines for implementation details

That usually works better than trying to “fully implement” multiple frameworks at once.

On SELinux specifically

SELinux can absolutely be valuable, but I would be careful not to overestimate it as a standalone answer.

In general, SELinux is strongest when used as:
  • A containment layer
  • A way to reduce post-compromise freedom
  • A control that enforces separation between services and data

It does not replace:
  • Patch discipline
  • Identity controls
  • Good service design
  • Monitoring
  • Recovery planning

So I would view it as part of a defense-in-depth model, not the center of the whole program.

A useful mindset shift

Instead of asking only, “What control should we add next?”, it often helps to ask:

  • What is most exposed?
  • What would hurt us most if compromised?
  • What common attacker step is still too easy here?
  • What can we simplify or remove instead of protect?
  • If a control fails, how quickly would we notice?
  • If we notice, how quickly could we recover?

That tends to produce very practical improvements.

Bottom line

Beyond threat modeling, threat intel, SELinux, and formal frameworks, the biggest gains usually come from disciplined basics: inventory, privilege reduction, hardening, patching, logging, segmentation, and tested recovery.

That combination is usually more effective than chasing every new attack trend.
 
Where did you get this prioritization ?
It is not from one single official source.

That prioritization was my own practical ordering based on widely accepted security principles and what tends to give smaller teams the most risk reduction for the least operational overhead.

What it is based on

  • Common guidance across major frameworks

    There is a lot of overlap between:
    • CIS Critical Controls
    • NIST Cybersecurity Framework
    • Essential Eight
    • National small-organization baselines
    • Vendor hardening guidance

    They use different language, but they repeatedly emphasize the same themes: know your assets, control access, harden systems, patch vulnerabilities, detect problems, and recover reliably.
  • Practical attack patterns

    A lot of real incidents still start with fairly ordinary weaknesses, such as:
    • Unpatched internet-facing systems
    • Weak or missing MFA
    • Excessive privileges
    • Poor visibility
    • Flat networks
    • Weak backups

    So the ordering reflects controls that often reduce common, high-impact risk early.
  • Operational reality for smaller teams

    Some controls are excellent in theory but difficult to sustain with limited staff.

    For example:
    • A perfect detection program is hard without enough people
    • A broad threat intel program may not help much if patching and MFA are still weak
    • Advanced policy controls help less if asset inventory is incomplete

    So I weighted controls by both security value and likelihood that a smaller shop can actually maintain them.

Why that order specifically

  1. Asset inventory because everything else depends on knowing what exists.
  2. MFA because it can sharply reduce account compromise risk, especially for remote access, admin access, and email.
  3. Remove unnecessary admin rights because excessive privilege makes many attacks much worse.
  4. Patch internet-facing systems quickly because exposed systems are often the highest-priority path for attackers.
  5. Backups with restore testing because recovery matters even when prevention fails.
  6. Secure configuration baselines because consistency reduces avoidable weaknesses.
  7. Centralized logging because you need enough visibility to notice important failures and attacks.
  8. Basic incident playbooks because detection without a response process creates delay and confusion.
  9. Segmentation and application control because they are very valuable, but can require more planning and operational effort.
  10. Threat modeling and framework mapping to close gaps because they become more useful once the basics are in place and you have something stable to evaluate.

A caution

That does not mean the order is universally correct.

For example:
  • If you run mostly web-facing services, patching and hardening exposed systems may come before some identity work.
  • If ransomware is your top concern, backups and privilege separation may move even higher.
  • If you handle sensitive regulated data, segmentation and logging may need to come earlier.
  • If you already have strong MFA and patching, the next priority could be detection engineering or service isolation such as SELinux.

So it is better to view that list as a practical default, not a strict doctrine.

If you want a source-backed version

A more defensible way to present it would be:


Those are real sources. My earlier ordering was a synthesis, not a quote from one of them.

Bottom line

The prioritization came from combining common framework themes with practical small-team constraints, not from a single document. It is a reasoned heuristic, and it should be adjusted to your environment and threat exposure.

Sources
 
@simmerskool The bot is offering pretty good advice across his 2 posts.

I have done many things that Bot suggested on Windows, but have not considered same for my Surfing box, which I classify as having low security requirement. For example I didn't do CIS baseline for Fedora. And it is a quick way to bring security up. On Windows, I use DSA STIG. And it posts a DoD Warning notice at login which I think is quite fancy.
 
Last edited:
Create unique passwords for every account. A strong password should:
  • Be at least 12–16 characters long.
  • Include uppercase and lowercase letters, numbers, and symbols.
  • Avoid common words, names, or birthdays.
  • Never be reused across multiple accounts.
Consider using a password manager to generate and securely store passwords.
 
I found one way to improve my security is to list out all the security configurations that I make - AV and it's settings, Hard Configurator settings, all hardening steps into a document and upload it to AI, and then ask it to criticize the security, identify the security gaps and attack vectors I've missed, and suggest compensating controls that addresses the security gaps.
 
Last edited:
Always RDP into a server into a foreign country, looks like legitimate traffic to any security solution. Then you have VPN, shadowsocks, or SSH. Residential proxies (y)

Windows = H_C or CL or AppGuard + VM or Linux = Firejail.

Having thousands of hardening scripts is not the answer in the age of A.I. You don't make it easy but just accept you can not defeat serious targeted attacks.

What you should really be doing is unplug and shred your PCs, put a bullet in your hard drives and buy a ⛵ and sail to Kokomo and sip cocktails 🍸🍹🥂🍾.
 
list out all the security configurations that I make - AV and it's settings, Hard Configurator settings, all hardening steps into a document and upload it to AI, and then ask it to criticize the security, identify the security gaps and attack vectors I've missed, and suggest compensating controls that addresses the security gaps.
Amendment to AI query, replace "attack vectors I've missed/',. with "after all controls are stacked, what credible attack paths remain?” And suggest compensating controls that addresses the security gaps.
 
  • Like
Reactions: Sorrento
One Must have good operations security. The golden image must be isolated and prepared offline all the way thru the revisions. Security updates must be downloaded from MS Update Catalog website manually and copied over to offline image so that the golden image never steps online. Most AV's have an offline installer for their Business version. Or you make installing the AV the first thing to do when the image is used. NEVER make an in-use image into a golden image; it is pointless to restore to a potentially infected version when you want to recover from an attack. An intruder may be lurking or doing reconnaissance while you did the image, and you would have inadvertently backed up his backdoor. This has long term security consequences

You may not need a golden image. But if you are like me and update your security every now and then, then pretty soon your configuration notes will grow very long. And when you have several PC's then it becomes worthwhile.
 
Last edited:
One Must have good operations security. The golden image must be isolated and prepared offline all the way thru the revisions. Security updates must be downloaded from MS Update Catalog website manually and copied over to offline image so that the golden image never steps online. Most AV's have an offline installer for their Business version. Or you make installing the AV the first thing to do when the image is used. NEVER make an in-use image into a golden image; it is pointless to restore to a potentially infected version when you want to recover from an attack. An intruder may be lurking or doing reconnaissance while you did the image, and you would have inadvertently backed up his backdoor. This has long term security consequences

You may not need a golden image. But if you are like me and update your security every now and then, then pretty soon your configuration notes will grow very long. And when you have several PC's then it becomes worthwhile.
Not only for security. When you install Windows 11 it asks you to sign in using MS account and then starts downloading Windows Updates and mostly generic drivers, which cause endless issues. One should start offline, adjust Windows and Windows updates settings in GP.

Regarding installing AV offline, unfortunately most "home" Vendors no longer allow offline installation. Most product nowadays has some sort of online console to download and activate the product. Business products are a completely different story.

What I personally do after I configure Windows, I add my secure DNS to monitor the queries until I finish my security config. I download the updates from MS Catalog and install them, then I install my AV and then update the drivers using the manufacturer tool (Dell Command Update and Lenovo Vintage).

I have offline installers ready for most of the apps I use. I also activate Office using Phone Activation.

The most important thing I do is when I first Install Windows and login for the first time, I create a full system scan using O&O Disk image. Then install updates and configure Windows settings and create another full system image. When my config is completely ready with apps installed and Windows and Drivers are up to date, I create one last full system Image.
 
  • Wow
Reactions: Sorrento
Create unique passwords for every account. A strong password should:
  • Be at least 12–16 characters long.
  • Include uppercase and lowercase letters, numbers, and symbols.
  • Avoid common words, names, or birthdays.
  • Never be reused across multiple accounts.
Consider using a password manager to generate and securely store passwords.
If your system is infected, using strong passwords or a password manager won't help. And according to many studies, password managers are not secure.
 
My all time favorite tool that has never let me down sandboxie free basic and works.
I believe such software gives a false sense of security. First you never know if Sandboxie is doing its job perfectly. Moreover, reducing or containing the concept of security to one product is never a right call to make.