Professor Michael Porter (Harvard Business School) once wrote in a classic 1996 Harvard Business Review article:
<aside> 🧠 The essence of strategy is choosing what not to do. Without tradeoffs, there would be no need for choice & thus no need for strategy.
</aside>
We may have done all the right things (e.g. investment in technical controls, training people to comply to policies & so on), but a single wrong move can nullify all efforts. It is only as strong as the weakest link. Let’s walk through the attack process to see what NOT to do with respect to Threat Accessibility, the “oxygen” of cyber attacks & what do we mean by defending “tactically”.
Once again, we revisit the necessary & sufficient conditions of attacks. A quick recap from the 1st part of this series, NUMBER ONE thing you want to do is cut off “oxygen” of cyber attacks; anything related to your systems that Threat Actors can access for their advantage!
Attackers have to act & the 1st phase will be Reconnaissance, to gather information (establish Value & Vulnerabilities) related to your networks, services & even people.
Examples of low-hanging fruits (for attackers but what NOT to do for us):
All the above is a subset of any basic Vulnerability Assessment. I sound like Captain Obvious but it still happens repeatedly.