Cyber Essentials
Leverage ConnectSecure to help your clients get Cyber Essentials certified
How can you empower your clients to elevate their cybersecurity game? Help them get Cyber Essentials certified with ConnectSecure. Our multi-tenant, all-in-one B2B vulnerability management and compliance platform is the answer to the government-backed scheme for online security.
Built for MSPs by MSPs, ConnectSecure gives you everything you need to identify and address potential vulnerabilities, manage patch updates, and ensure secure configurations — all essential for certification. Make security a defining feature of your clients' success while positioning yourself as the managed service provider they can’t do without.
The 5 requirements for Cyber Essentials certification
Correctly configure firewalls
Every device, including boundary firewalls, desktop computers, laptops, routers, servers, and cloud services like IaaS, PaaS, and SaaS, must be secured with a properly configured firewall. This reduces exposure to attacks by restricting access through firewall rules that allow or block traffic based on source, destination, and type of communication protocol. Software firewalls should also be used on devices connecting to untrusted networks, like public Wi-Fi hotspots. Key requirements include changing default passwords, preventing unauthorized access, and blocking unauthenticated inbound connections by default.
Properly Secure Network Devices
Default configurations often have vulnerabilities such as default passwords, unnecessary user accounts, and pre-installed applications that can be exploited. By proactively managing and regularly updating these settings, you can reduce vulnerabilities and ensure only necessary services are enabled. This includes removing unused user accounts, changing default passwords, disabling unnecessary software, and implementing proper device locking controls.
Manage Security Updates
Security flaws are discovered regularly and, if left unpatched, can be exploited by attackers, as seen, for example, during the LastPass breach. Make sure all software is licensed, supported, and updated within 14 days of a critical or high-risk update release. Automatic updates should be enabled where possible, and unsupported software should be removed from devices. Applying these updates promptly helps mitigate security risks and maintain the integrity of your systems.
Control User Access
Only authorized individuals should have access to your organization's applications, computers, and networks. Assign user accounts only to authorized individuals and limit their access based on their roles. Special access privileges, such as administrative accounts, should be carefully managed to prevent unauthorized use. Measures include having a process for account creation and approval, authenticating users with unique credentials, implementing multi-factor authentication (MFA), and removing or disabling accounts when no longer required. Proper password management and user education are also key components of this requirement.
Manage Malware Protection
Malware protection aims to restrict the execution of known malware and untrusted software that can cause damage or access data, using anti-malware software or application allowlisting to prevent malware from running on devices. Anti-malware software should be updated regularly and configured to prevent the execution of malicious code and connections to malicious websites. Application allowlisting ensures that only approved applications, restricted by code signing, can execute on devices, thereby reducing the risk of malware infection.
Drive business with Cyber Essentials compliance
What exactly is Cyber Essentials and why does it matter to MSPs? Tune into this video to hear Chris Blunt, a UK-based licensed Cyber Security Assessor and Consultant, explain why this government-backed certification scheme is only going to grow in importance for the businesses that MSPs serve.
Meet Cyber Essentials requirements with ConnectSecure
No business in the UK can afford to ignore Cyber Essentials. For many, getting certified is increasingly becoming a prerequisite for winning government contracts. Watch now to learn from ConnectSecure President Srikant Sreenivasan and CISO Krishnakumar Kottekkat what it takes to meet the five technical controls of Cyber Essentials with ease.
Automated Continuous Scanning & Remediation: Helps MSPs stay ahead of threat actors by proactively scanning client environments, identifying and remediating vulnerabilities across various operating systems (Windows, Linux, Darwin, and ARM), and providing CVE (Common Vulnerabilities and Exposures) links for a deeper understanding of risks.
Automated Scheduling: Ensures all systems are consistently monitored, up-to-date, and secure.
EPSS Scoring: Uses the Exploit Prediction Scoring System (EPSS) to prioritize vulnerabilities based on their risk of exploitation.
Patch Management: Identifies, manages and deploys security patches across all devices, including patches and updates in Microsoft Windows and 600 third-party applications.
Compliance Reporting: Generates detailed compliance reports that align with Cyber Essentials requirements, simplifying the certification process for clients.
Asset Inventory Management: Maintains a comprehensive inventory of all connected devices and software, ensuring that all assets meet security standards.
Configuration Management: Monitors and enforces secure configurations on client systems, ensuring they adhere to Cyber Essentials guidelines.
User Access Control: Manages and audits user access controls to ensure that only authorized personnel have access to sensitive information, a key component of Cyber Essentials compliance.
How Your Clients Benefit from Cyber Essentials Certification
As an MSP, helping your clients achieve Cyber Essentials certification can significantly enhance their security and business operations. This certification not only boosts their defenses against cyber threats but also instills confidence and trust among their stakeholders. Here are five key benefits your clients will experience by obtaining Cyber Essentials certification: