
Perimeter, Office & Database Security.

What changes at the perimeter, the realities of office network hardening (BYOD, printers, guest segmentation), and database security beyond SQL injection — replication, backup, encryption-at-rest.

Perimeter (external-facing web)

  • Discoverability. Your domain is enumerated by Censys, Shodan, FOFA, plus every recon tool. Assume 100% of your external surface is known. Inventory continuously — what you don't know about, you don't defend.
  • Exposure budget. Every public endpoint = attack surface. Catalog: hostname + port + service + owner. Decommission orphaned surface aggressively. "Temporary" subdomains live forever.
  • Subdomain takeover. A DNS record still points at a decommissioned cloud resource (S3 bucket, Azure web app, Heroku app). An attacker registers the same resource name and now controls the subdomain, with your cookies and CSP origin. Quarterly DNS audit; automated subjack/nuclei templates. Check more than NXDOMAIN: some providers (S3 is the classic case) answer DNS for every name and only signal a missing resource in the HTTP body.
  • Credential-stuffing baseline. On a well-known login endpoint most traffic is credential-stuffing automation, not users; design the endpoint for that baseline. Counters:
    • HaveIBeenPwned integration — reject known-leaked passwords on signup/change.
    • Passkeys / WebAuthn as primary; password as fallback.
    • Per-IP/JA4/User-Agent rate limit on login; progressive captcha; account lockout with sane recovery (a hard lockout is also a denial-of-service lever against your own users, so prefer throttling and step-up challenges over permanent locks).
    • MFA mandatory at login; step-up MFA for sensitive actions (credential changes, payouts, key issuance).
  • Scraping cooperatives. Distributed residential-proxy botnets scrape protected content. Heuristics: behavioral biometrics (mouse/scroll patterns), browser-feature inconsistency, request-velocity per identity.
  • Abuse-traffic patterns. Cross-protocol noise — same IP block trying SSH, FTP, RDP, HTTP login — auto-block at network layer. Reputation feeds (AbuseIPDB, Spamhaus, GreyNoise) reduce noise.
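The DNS audit from the subdomain-takeover bullet, written out as an added example (this is not code from the page). The provider fingerprints, the zone file and the fake DNS/HTTP answers are constructed for the demo; the two lookups are injected as callables so the scan runs offline, and a real run would pass a socket-based resolver and an HTTP GET with a short timeout. Verify the suffixes and "not found" markers against a maintained takeover list before relying on them.

```python
"""Dangling-CNAME audit for subdomain-takeover candidates (added example)."""
import re
from dataclasses import dataclass

# Illustrative provider fingerprints (assumptions, not an authoritative list):
#   "nxdomain": the target name disappears when the resource is deleted.
#   "body":     the provider's wildcard DNS always answers, so the HTTP body
#               must be checked for its "no such resource" marker.
FINGERPRINTS = {
    ".s3.amazonaws.com": ("body", "NoSuchBucket"),
    ".github.io": ("body", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("body", "No such app"),
    ".azurewebsites.net": ("nxdomain", None),
}

CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)


@dataclass
class Finding:
    name: str
    target: str
    provider: str
    evidence: str


def parse_cnames(zone_text):
    """Yield (owner, target) for CNAME records in BIND-style zone text."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop trailing comments
        m = CNAME_RE.match(line)
        if m:
            yield m.group(1).rstrip("."), m.group(2).rstrip(".")


def find_takeover_candidates(zone_text, resolves, fetch_body):
    """resolves(target) -> bool; fetch_body(target) -> str or None.

    Both are injected so the audit runs offline here; pass real DNS/HTTP
    lookups in production."""
    findings = []
    for name, target in parse_cnames(zone_text):
        provider = next((s for s in FINGERPRINTS if target.lower().endswith(s)), None)
        if provider is None:
            # Not a known-claimable service, but a dead target still deserves a look.
            if not resolves(target):
                findings.append(Finding(name, target, "unknown", "NXDOMAIN"))
            continue
        mode, marker = FINGERPRINTS[provider]
        if mode == "nxdomain" and not resolves(target):
            findings.append(Finding(name, target, provider, "NXDOMAIN"))
        elif mode == "body":
            body = fetch_body(target) or ""
            if marker in body:
                findings.append(Finding(name, target, provider, f"body contains {marker!r}"))
    return findings


# Constructed sample zone (not real records).
SAMPLE_ZONE = """\
$ORIGIN example.com.
www         300 IN CNAME lb-prod.example.net.
old-assets  300 IN CNAME old-assets.s3.amazonaws.com.   ; bucket deleted long ago
app-dev     300 IN CNAME app-dev.azurewebsites.net.
docs        300 IN CNAME docs-team.github.io.
"""

# Constructed answers standing in for live DNS and HTTP.
_FAKE_DNS = {"lb-prod.example.net", "old-assets.s3.amazonaws.com", "docs-team.github.io"}
_FAKE_HTTP = {
    "old-assets.s3.amazonaws.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs-team.github.io": "<html>Team docs</html>",
}


def demo():
    return find_takeover_candidates(SAMPLE_ZONE, _FAKE_DNS.__contains__, _FAKE_HTTP.get)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name}: {f.target} ({f.provider}) -> {f.evidence}")
```

The split between "nxdomain" and "body" providers is the part most ad-hoc scripts get wrong: a resolver-only check reports the Azure case and misses the S3 one.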

Office network

  • BYOD admission.
    • 802.1X with certificate-based auth on wired and wireless.
    • NAC posture check (OS version, EDR running, disk encryption on) before issuing IP.
    • Failed posture → quarantine VLAN with remediation portal.
  • Segmentation.
    • Corp VLAN — managed devices only.
    • BYOD VLAN — personal devices; cannot reach corp resources except via VPN/ZTNA.
    • Guest VLAN — internet only, isolated from everything corporate.
    • IoT/printer VLAN — restricted egress (print server, NTP, vendor cloud only).
  • Printer reality. Printers have OS, web admin, default creds, telnet/FTP open, and CVE history. Treat as untrusted: dedicated VLAN, no inbound from corp, firmware on schedule, default creds changed.
  • IoT noise floor. Conference-room displays, smart TVs, sensors. Default behavior: phone home to vendor cloud, broadcast mDNS. Mitigate: per-device-class allow-list egress; block broadcast/multicast bridging across VLANs.
  • Guest segmentation that survives. Separate SSID + separate VLAN + separate egress + client isolation (no peer-to-peer on guest). Social-engineering bridge (employee plugs guest device into corp VLAN port) caught by 802.1X.
  • Useful audit trail. DHCP leases (IP → MAC → switch port mapping), DNS query logs (catches malware C2 and shadow IT), 802.1X auth events. Compliance-theater audit trail = uncorrelated raw syslog with no analysis surface.
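The "useful audit trail" above is only useful if the three sources can be joined. As an added example (not code from the page), the correlation walks a suspicious DNS query back through IP to MAC (DHCP lease) to user, switch and port (802.1X). The log formats are dnsmasq's DHCP and query log and FreeRADIUS's "Login OK" line; every sample line, host, user and domain below is constructed, and the "last lease wins" indexing is a simplification that a production pipeline replaces with time-bounded joins.

```python
"""IP -> MAC -> user/switch/port attribution from DHCP, DNS and 802.1X logs (added example)."""
import re

# dnsmasq-dhcp: "DHCPACK(eth1) 10.20.4.57 3c:52:82:aa:bb:cc lt-jdoe"
DHCPACK_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17})(?: (\S+))?", re.I)
# dnsmasq query log: "query[A] beacon.evil-cdn.test from 10.20.4.57"
DNSQ_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
# FreeRADIUS: "Login OK: [jdoe] (from client sw-floor2 port 17 cli 3C-52-82-AA-BB-CC)"
DOT1X_RE = re.compile(
    r"Login OK: \[([^\]]+)\] \(from client (\S+) port (\d+) cli ([0-9A-Fa-f:-]{17})\)")


def norm_mac(mac):
    return mac.replace("-", ":").lower()


def index_dhcp(lines):
    """ip -> (mac, hostname). Later leases overwrite earlier ones; a real
    pipeline keys this by lease time so a reused IP is not misattributed."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m.group(1)] = (norm_mac(m.group(2)), m.group(3) or "")
    return leases


def index_dot1x(lines):
    """mac -> (user, switch, port) from successful 802.1X authentications."""
    auths = {}
    for line in lines:
        m = DOT1X_RE.search(line)
        if m:
            auths[norm_mac(m.group(4))] = (m.group(1), m.group(2), int(m.group(3)))
    return auths


def attribute_queries(dns_lines, dhcp_lines, dot1x_lines, watchlist):
    """For each DNS query under a watchlisted domain, return the full chain.
    A hit with no 802.1X user is itself a finding: something on the wire
    without an authenticated identity."""
    leases, auths = index_dhcp(dhcp_lines), index_dot1x(dot1x_lines)
    hits = []
    for line in dns_lines:
        m = DNSQ_RE.search(line)
        if not m:
            continue
        qname, ip = m.group(2).lower(), m.group(3)
        if not any(qname == d or qname.endswith("." + d) for d in watchlist):
            continue
        mac, host = leases.get(ip, (None, ""))
        user, switch, port = auths.get(mac, (None, None, None))
        hits.append({"qname": qname, "ip": ip, "mac": mac, "host": host,
                     "user": user, "switch": switch, "port": port,
                     "unattributed": mac is None or user is None})
    return hits


# Constructed sample logs (fictitious hosts, users and domains).
DHCP_LOG = [
    "Mar  3 09:58:52 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.4.57 3c:52:82:aa:bb:cc lt-jdoe",
    "Mar  3 09:59:10 gw dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.4.88 f0:18:98:11:22:33",
]
DOT1X_LOG = [
    "Mar  3 09:58:40 nac radiusd[1021]: Login OK: [jdoe] (from client sw-floor2 port 17 cli 3C-52-82-AA-BB-CC)",
]
DNS_LOG = [
    "Mar  3 10:05:02 gw dnsmasq[812]: query[A] www.example.com from 10.20.4.57",
    "Mar  3 10:05:09 gw dnsmasq[812]: query[A] beacon.evil-cdn.test from 10.20.4.57",
    "Mar  3 10:06:30 gw dnsmasq[812]: query[TXT] c2.evil-cdn.test from 10.20.4.88",
]
WATCHLIST = {"evil-cdn.test"}


def demo():
    return attribute_queries(DNS_LOG, DHCP_LOG, DOT1X_LOG, WATCHLIST)


if __name__ == "__main__":
    for h in demo():
        print(h)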

Database security beyond injection

  • Replication topology.
    • Primary-replica async — the replica can lag the primary, so on failover RPO equals the lag at that moment. Don't promise zero data loss.
    • Synchronous multi-region — commits wait for the remote acknowledgement, so writes are slower and a single-region failure loses no committed data.
    • Logical replication — selective tables, cross-version. Useful for migration and audit feed.
  • Backup posture (3-2-1 + ransomware-resilient).
    • 3 copies, 2 media types, 1 off-site. Modern addendum: 1 immutable/air-gapped.
    • Off-host: separate machine.
    • Off-network: not reachable from production network.
    • Off-account (cloud): separate AWS/GCP/Azure account with one-way replication and object-lock immutability.
    • Tested restore: quarterly tabletop, annual full restore exercise. Untested backups are aspirational.
  • Role-engine quirks per vendor.
    • Postgres: GRANT with options, default privileges, role inheritance, ownership chains — audit requires SQL not point-and-click.
    • MySQL: per-database / per-table / per-column grants. SUPER = root-equivalent (deprecated since 8.0 in favor of dynamic privileges, but still effectively root wherever it is granted).
    • Oracle / SQL Server: complex role hierarchies, schema ownership, application roles. Audit tooling vendor-specific.
  • Encryption-at-rest trade-offs.
    • TDE (Transparent Data Encryption) — disk-level, defends against backup/disk theft, not against in-DB compromise.
    • Per-tenant column encryption — defends against in-DB read for other tenants; query patterns limited.
    • Customer-managed KMS keys — customer can revoke; operational complexity.
    • Key rotation — re-encrypting every row under a new key is expensive at scale; envelope encryption (per-object DEK wrapped by a KEK) decouples the two: rotating the KEK re-wraps the small DEKs, the bulk ciphertext is untouched, and revoking a KEK version makes everything still wrapped under it unreadable.
  • Audit logging. Per-query audit at scale = expensive; per-privileged-action audit affordable. Capture DDL, GRANT/REVOKE, login from outside maintenance window, failed-auth bursts.
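The envelope-encryption trade-off from the encryption-at-rest bullets, carried through as an added example (not code from the page): a fresh DEK per record, DEKs wrapped by a versioned KEK held by a stand-in key service, KEK rotation that re-wraps DEKs without touching the bulk ciphertext, and retirement of a KEK version as the revocation lever. The cipher here is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the block runs on the standard library; it illustrates the key hierarchy and is not a production cipher (use AES-GCM with the KEK inside a real KMS/HSM). All key material is generated on the spot.

```python
"""Envelope encryption with KEK rotation and revocation (added example, toy cipher)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 16


def _subkeys(key):
    # Separate encryption and MAC subkeys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream_xor(enc_key, nonce, data):
    # HMAC in counter mode as a PRF keystream; illustrative only.
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key, plaintext):
    """Return nonce || ciphertext || tag, tag computed over nonce || ciphertext."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def open_(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return _keystream_xor(enc, nonce, ct)


class KeyService:
    """Stand-in for a KMS: holds KEK versions, wraps and unwraps DEKs, and
    never hands a KEK to callers."""

    def __init__(self):
        self._keks = {}
        self.current = 0
        self.rotate()

    def rotate(self):
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version):
        """Revocation: records still wrapped under this version become unreadable."""
        del self._keks[version]

    def wrap(self, dek):
        return self.current, seal(self._keks[self.current], dek)

    def unwrap(self, version, wrapped):
        if version not in self._keks:
            raise KeyError(f"KEK v{version} is retired")
        return open_(self._keks[version], wrapped)


def encrypt_record(ks, plaintext):
    dek = secrets.token_bytes(32)            # fresh DEK per record
    version, wrapped = ks.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ct": seal(dek, plaintext)}


def decrypt_record(ks, rec):
    dek = ks.unwrap(rec["kek_version"], rec["wrapped_dek"])
    return open_(dek, rec["ct"])


def rewrap_record(ks, rec):
    """KEK rotation touches only the wrapped DEK; the bulk ciphertext is reused as-is."""
    dek = ks.unwrap(rec["kek_version"], rec["wrapped_dek"])
    version, wrapped = ks.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ct": rec["ct"]}
```

The point to notice in `rewrap_record` is what it does not do: the record's `ct` is copied, not re-encrypted, which is why rotating a KEK over millions of rows is a metadata job rather than a bulk re-encryption. Retiring the old version afterwards is the "customer can revoke" property from the KMS bullet, and it only holds if every record was re-wrapped first.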
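The privileged-action audit from the last bullet, written as an added example that triages server log lines (not code from the page). The lines are in the Postgres style produced by log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'ddl' and log_connections = on; every sample line is constructed, and the privileged-user set, the maintenance window (02:00 to 03:00 UTC) and the burst threshold (5 failures in 60 s) are assumptions for the demo.

```python
"""Privileged-action triage over Postgres-style server logs (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ UTC \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>\w+):\s+(?P<msg>.*)$")
DDL_RE = re.compile(r"^statement:\s*(CREATE|ALTER|DROP|TRUNCATE)\b", re.I)
GRANT_RE = re.compile(r"^statement:\s*(GRANT|REVOKE)\b", re.I)
CONNECT_RE = re.compile(r"^connection authorized: user=(\S+)")
AUTHFAIL_RE = re.compile(r'authentication failed for user "([^"]+)"')

PRIVILEGED_USERS = {"postgres", "dba"}       # assumed for the demo
MAINT_WINDOW = (2, 3)                        # assumed: 02:00 <= hour < 03:00 UTC
BURST_N, BURST_WINDOW = 5, timedelta(seconds=60)


def triage(lines):
    """Return (kind, subject, detail) findings; cheap because it only keeps
    state for failed logins and ignores ordinary DML entirely."""
    findings = []
    recent_failures = {}                     # username -> deque of timestamps
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        who, msg = f'{m["user"]}@{m["db"]}', m["msg"]
        if DDL_RE.match(msg):
            findings.append(("ddl", who, msg))
        elif GRANT_RE.match(msg):
            findings.append(("grant_revoke", who, msg))
        elif (c := CONNECT_RE.match(msg)):
            user = c.group(1)
            in_window = MAINT_WINDOW[0] <= ts.hour < MAINT_WINDOW[1]
            if user in PRIVILEGED_USERS and not in_window:
                findings.append(("login_outside_window", user, m["ts"]))
        elif (f := AUTHFAIL_RE.search(msg)):
            q = recent_failures.setdefault(f.group(1), deque())
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) == BURST_N:            # fire once when the threshold is crossed
                findings.append(("auth_failure_burst", f.group(1),
                                 f"{len(q)} failures within {BURST_WINDOW.seconds}s"))
    return findings


# Constructed sample log (fictitious users and database).
SAMPLE_LOG = """\
2026-03-03 14:02:11.120 UTC [4321] dba@orders LOG:  connection authorized: user=dba database=orders
2026-03-03 14:02:14.301 UTC [4321] dba@orders LOG:  statement: ALTER TABLE orders ADD COLUMN note text
2026-03-03 14:02:20.007 UTC [4321] dba@orders LOG:  statement: GRANT ALL ON orders TO reporting
2026-03-03 14:03:01.000 UTC [4340] postgres@orders FATAL:  password authentication failed for user "postgres"
2026-03-03 14:03:05.000 UTC [4341] postgres@orders FATAL:  password authentication failed for user "postgres"
2026-03-03 14:03:09.000 UTC [4342] postgres@orders FATAL:  password authentication failed for user "postgres"
2026-03-03 14:03:12.000 UTC [4343] postgres@orders FATAL:  password authentication failed for user "postgres"
2026-03-03 14:03:15.000 UTC [4344] postgres@orders FATAL:  password authentication failed for user "postgres"
2026-03-03 14:10:00.000 UTC [4350] app@orders LOG:  connection authorized: user=app database=orders
"""


def demo():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, subject, detail in demo():
        print(f"{kind:22} {subject:12} {detail}")
```

The application login at 14:10 produces nothing, which is the intended economics: the rules only fire on DDL, grants, privileged logins at odd hours and failure bursts, so the cost stays flat however busy the query path is.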
Rule of thumb

For perimeter, every six months delete or restrict 10% of your exposed surface. For office, segmentation is the only durable control; everything else patches a leaky boundary. For database, the backup that defends you from ransomware is the one you tested last quarter — the rest is hope.
