When developing recommendations for mitigation strategies:

  • Consider people, processes, and technology when recommending mitigation strategies.
  • Recommend strategies for common findings, such as:
      • Shared local administrator credentials: Randomize credentials or use LAPS.
      • Weak password complexity: Configure minimum password requirements and use password filters.
      • Plaintext passwords: Use protocols that hash or encrypt passwords.
      • No multi-factor authentication: Implement or require multi-factor authentication for access to critical systems.
      • XSS attacks: Sanitize user input by encoding/escaping special HTML characters.
      • SQL injection: Sanitize user input by parameterizing queries.
      • Unnecessary open services: Perform system hardening.
      • Physical intrusion: Incorporate guards, security cameras, motion alarms, and other physical security defenses.
  • Recommend end-user training to mitigate social engineering attacks.
  • Recommend system hardening techniques like patch management and firewall configuration to secure hosts.
  • Recommend MDM solutions for mobile infrastructure security.
  • Recommend SDLC and best coding practices for secure software development.
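The two application-level recommendations above (parameterized queries for SQL injection, HTML encoding for XSS) are easiest to explain to a client with the vulnerable and hardened forms side by side. The following is an added example, not part of the original notes; it uses an in-memory SQLite table with constructed sample users, and the function and table names are assumptions.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Vulnerable form: the input is pasted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list[str]:
    """Hardened form: the query is parameterized. The driver sends the value
    separately from the SQL text, so it can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def render_greeting(name: str) -> str:
    """Hardened output for XSS: encode &, <, >, and quotes before placing
    untrusted text inside HTML, so browsers render it as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = build_db()
    # Constructed test input containing a quote, the kind of value a
    # pentest finding for SQL injection would report.
    probe = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no row matches the literal string
    print(render_greeting("<b>Bob</b>"))         # tags arrive as &lt;b&gt; entities
```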