Article Details

Scrape Timestamp (UTC): 2025-08-14 09:35:21.172

Source: https://thehackernews.com/2025/08/simple-steps-for-attack-surface.html

Original Article Text

Simple Steps for Attack Surface Reduction

Story teaser text: Cybersecurity leaders face mounting pressure to stop attacks before they start, and the best defense may come down to the settings you choose on day one. In this piece, Yuriy Tsibere explores how default policies like deny-by-default, MFA enforcement, and application Ringfencing™ can eliminate entire categories of risk. From disabling Office macros to blocking outbound server traffic, these simple but strategic moves create a hardened environment that attackers can't easily penetrate. Whether you're securing endpoints or overseeing policy rollouts, adopting a security-by-default mindset can reduce complexity, shrink your attack surface, and help you stay ahead of evolving threats.

Cybersecurity has changed dramatically since the days of the "Love Bug" virus in 2001. What was once an annoyance is now a profit-driven criminal enterprise worth billions. This shift demands proactive defense strategies that don't just respond to threats—they prevent them from ever reaching your network. CISOs, IT admins, and MSPs need solutions that block attacks by default, not just detect them after the fact. Industry frameworks like NIST, ISO, CIS, and HIPAA provide guidance, but they often lack the clear, actionable steps needed to implement effective security.

For anyone starting a new security leadership role, the mission is clear: Stop as many attacks as possible, frustrate threat actors, and do it without alienating the IT team. That's where a security-by-default mindset comes in—configuring systems to block risks out of the gate. As I've often said, the attackers only have to be right once. We have to be right 100% of the time.

Here's how setting the right defaults can eliminate entire categories of risk.
Require multi-factor authentication (MFA) on all remote accounts

Enabling MFA across all remote services—including SaaS platforms like Office 365 and G Suite, as well as domain registrars and remote access tools—is a foundational security default. Even if a password is compromised, MFA can prevent unauthorized access. Try to avoid using text messages for MFA, as they can be intercepted. While it may introduce some friction, the security benefits far outweigh the risk of data theft or financial loss.

Deny-by-default

One of the most effective security measures nowadays is application whitelisting or allowlisting. This approach blocks everything by default and only allows known, approved software to run. The result: Ransomware and other malicious applications are stopped before they can execute. It also blocks legitimate-but-unauthorized remote tools like AnyDesk or similar, which attackers often try to sneak in through social engineering. Users can still access what they need via a pre-approved store of safe applications, and visibility tools make it easy to track everything that runs—including portable apps.

Quick wins through secure configuration

Small changes to default settings can close major security gaps on Windows and other platforms:

Control network and application behavior for organizations

Strengthen data and web controls

Go beyond defaults with monitoring and patching

Strong defaults are just the beginning. Ongoing vigilance is critical:

Security by default isn't just smart, it's non-negotiable. Blocking unknown apps, using strong authentication, locking down networks and app behavior can wipe out a ton of risk. Attackers only need one shot, but solid default settings keep your defenses ready all the time. The payoff? Fewer breaches, less hassle, and a stronger, more resilient setup.

Note: This article is expertly written and contributed by Yuriy Tsibere, Product Manager and Business Analyst at ThreatLocker.
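
The deny-by-default decision described in the article, as an added Python example (not code from the article or from any ThreatLocker product). The `Policy` class, its two rule types, the publisher labels and the sample events are assumptions constructed for illustration; it shows that an unapproved remote tool and a portable app fall through to the default deny while every decision is still recorded.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical deny-by-default policy: nothing runs unless a rule matches."""
    allowed_hashes: set = field(default_factory=set)    # SHA-256 of approved binaries
    allowed_signed: list = field(default_factory=list)  # (publisher, path glob) pairs
    audit: list = field(default_factory=list)           # every decision, allow or deny

    def decide(self, path, content, publisher=None):
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.allowed_hashes:
            verdict, rule = "allow", "hash"
        elif any(publisher == pub and fnmatch.fnmatchcase(path.lower(), glob.lower())
                 for pub, glob in self.allowed_signed):
            verdict, rule = "allow", "publisher+path"
        else:
            verdict, rule = "deny", "default"  # no rule matched, so block
        self.audit.append((verdict, rule, path, digest[:12]))
        return verdict


def demo():
    # Constructed sample data: short byte strings stand in for real binaries.
    office = b"approved-office-build"
    policy = Policy(
        allowed_hashes={hashlib.sha256(office).hexdigest()},
        allowed_signed=[("Example Corp", r"C:\Program Files\ExampleApp\*.exe")],
    )
    events = [
        (r"C:\Program Files\Office\winword.exe", office, "Vendor A"),
        (r"C:\Program Files\ExampleApp\app.exe", b"v2", "Example Corp"),
        # Legitimate remote-access tool that nobody approved: denied.
        (r"C:\Users\bob\Downloads\AnyDesk.exe", b"remote-tool", "Vendor B"),
        # Portable app run from a user folder: denied, but still audited.
        (r"C:\Users\bob\Desktop\portable\tool.exe", b"portable", None),
        # Approved folder but no matching publisher: the path alone is not enough.
        (r"C:\Program Files\ExampleApp\dropper.exe", b"x", None),
    ]
    return [policy.decide(*event) for event in events], policy.audit


if __name__ == "__main__":
    verdicts, audit = demo()
    for entry in audit:
        print(entry)
```
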

Daily Brief Summary

VULNERABILITIES // Strategic Default Settings Key to Reducing Cybersecurity Risks

Implementing deny-by-default policies and multi-factor authentication (MFA) can significantly reduce attack surfaces and prevent unauthorized access to systems.

Security-by-default strategies, including application allowlisting, stop ransomware and unauthorized tools before execution, enhancing overall system resilience.

Adopting a proactive defense mindset is essential as cyber threats evolve from mere nuisances to profit-driven enterprises.

Industry frameworks like NIST and ISO offer guidance, but clear, actionable steps are needed for effective security implementation.

Default security configurations, such as disabling Office macros and blocking outbound server traffic, can eliminate significant vulnerabilities.

Continuous monitoring and patching are crucial to maintaining security beyond initial configuration, ensuring defenses remain robust against new threats.

Emphasizing security-by-default helps organizations prevent breaches, reduce complexity, and maintain operational integrity without alienating IT teams.