| Control | Why It Matters | Quick Implementation Tip |
|---|---|---|
| Formal Security Policy | Sets expectations, defines roles, and creates accountability. | Draft a 5‑page “Information Security Charter” covering password policy, patching, and incident response. |
| Security Awareness Training | Human error is the most common breach vector. | Conduct a 30‑minute “Phishing & Password Hygiene” session quarterly for all staff. |
| Regular Pen‑Testing | Finds hidden weaknesses before attackers do. | Contract a regional security firm for a bi‑annual test; budget ≈ USD 10 k per test. |
| Incident‑Response Playbook | Reduces dwell time and limits damage. | Use the NIST 800‑61 framework; assign a primary and secondary responder. |
| Vendor & Supply‑Chain Vetting | Third‑party components can introduce risk. | Maintain a “trusted‑list” of libraries and enforce version lock‑files (e.g., npm package-lock.json). |
| Vulnerability | Why it existed | How it was exploited |
|---|---|---|
| Unpatched MariaDB (CVE‑2023‑29155) | The on‑premise server ran MariaDB 10.3, a version that had reached End‑of‑Life in 2022. No automated patch management was in place. | Remote code execution via crafted SQL packets gave the attacker shell access to the DB host. |
| Weak SSH credentials | Default root password (Sharmuuto2022!) was never changed after initial deployment. | After DB compromise, the attacker used credential‑reuse to gain SSH access, then escalated privileges. |
| Lack of network segmentation | The API, DB, and admin interfaces shared the same VLAN. | Once the attacker entered the network, lateral movement was trivial. |
| Plain‑text storage of phone numbers | No field‑level encryption for personally identifiable information (PII). | Exfiltrated data was directly readable. | sharmuuto somaliland cracked
Date: April 2026
Author: [Your Name / Your Publication] | Control | Why It Matters | Quick