
When I was in the US Navy, I learned most of the time, the weak points in security were usually people. Attackers know this and exploit it. And it usually wasn't movie plot style "do this or your wife gets it" exploits. Those seemed to get blown up easily. It was mundane things. Distracting a watch stander with something that was actually stupid. Making someone late for duty. Putting something really gross in the garbage hoping the inspector would skip that bag. So many little lapses in human judgement. Most completely innocent. This was with vigilant, uniformed people subject to military discipline, and those things happened.

So you have to focus on process and systems. Some easy stuff:

* Never ask customers/employees for a password. If someone does it's a scam.

* Refund money only to the payment method used to pay for the product/service.

* 2FA is your friend no matter how much the VP of Sales whines about it.

* Have a way to expire tokens and force reset of passwords.



That's why it's easy. People think "I'm not important enough" to be targeted, or "My job isn't that important", but that's what adversaries are counting on. Their "unimportant" job or whatever is just a stepping stone.


What's the threat scenario where forcing a password reset increases security? I'm genuinely curious, because I feel it's often the case that password expirations might introduce more threats than they mitigate.


> What's the threat scenario where forcing a password reset increases security? I'm genuinely curious, because I feel it's often the case that password expirations might introduce more threats than they mitigate.

Not every reset is due to expiration... e.g. if you know a user reused a password from a different service that got hacked on your service, you should probably make them reset it...


When you know that account / those credentials have already been compromised.
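As an added illustration of the "expire tokens and force reset of passwords" point and the known-compromised-credential case in the replies above (example code written for this thread, not from any commenter): an in-memory session store where a password change moves an epoch that invalidates every token issued before it, and a "compromised" flag blocks the account until the user resets. The class and field names are assumptions, as is the 12-hour token lifetime.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class User:
    name: str
    password_set_at: datetime   # epoch of the current password
    must_reset: bool = False    # set when the credential is known compromised


@dataclass
class Token:
    user: str
    issued_at: datetime


TOKEN_TTL = timedelta(hours=12)  # assumed session lifetime


class SessionStore:
    # Constructed in-memory stand-in for a real user/session database.
    def __init__(self) -> None:
        self.users: dict = {}
        self.tokens: dict = {}

    def add_user(self, name: str, now: datetime) -> None:
        self.users[name] = User(name, now)

    def issue(self, token_id: str, name: str, now: datetime) -> None:
        self.tokens[token_id] = Token(name, now)

    def mark_compromised(self, name: str) -> None:
        # Credential seen reused in another service's breach: force a reset.
        self.users[name].must_reset = True

    def reset_password(self, name: str, now: datetime) -> None:
        # Moving the epoch forward kills every token issued before it.
        user = self.users[name]
        user.password_set_at = now
        user.must_reset = False

    def validate(self, token_id: str, now: datetime) -> str:
        tok = self.tokens.get(token_id)
        if tok is None:
            return "unknown"
        if now - tok.issued_at > TOKEN_TTL:
            return "expired"
        user = self.users[tok.user]
        if tok.issued_at < user.password_set_at:
            return "stale"           # predates the last password change
        if user.must_reset:
            return "reset_required"  # live token, but the user must reset first
        return "ok"
```

Checking the token against the password epoch means a reset does not depend on hunting down every session the old credential opened.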


> When I was in the US Navy, I learned most of the time, the weak points in security were usually people.

Good example:

> Navy chiefs conspired to get themselves illegal warship Wi-Fi [0]

[0] https://www.navytimes.com/news/your-navy/2024/09/03/how-navy...

[0] https://news.ycombinator.com/item?id=41441486


People… and frankly even just accounting at many places is surprisingly informal.



