What tool can encrypt a laptop's data instantly when it's closed, and how do you set it up?

[mraleph]

You have not described what the "hack" was so all of this is educated guess.

only ports for SFTP and HTTPS were opened.
firewall was activated and was restricting everything

it was a VPS(virtual machine on famous hosting provider's server)
it was managed through browser interfaces like many otherd VPS/droplets
SSH was done on a standard way, i made random keys with putty, uploaded private key through browser intreface...

bad thing i didn't have any logging except the standard one enabled, since i was very confident that issues can't occur

what i did not do, is changing default ssh port to some other, but still by not doing this, it could be a cause for server being down due to ddos, and not for someone to gain access to files

all scripts had input sanitized, and it was not able to deliver a hack that way

I am pretty much clueless when it comes to networks, but I think i covered most of the bases

If you don't have a specific knowledge, you should deploy a solution proposed by @0xDEADBEEF - a Teleport.

It sounds like your web application might have been vulnerable in multiple ways, not just to injection attacks [1]. Exposed HTTP(S) services often provide attackers with a foothold to infiltrate a server and escalate privileges to cause more damage. For the SSH part, I recommend setting up a jump server that is the only machine allowed to access your servers over port 22. You can then tunnel into this jump server and from there ‘jump’ to the rest of your infrastructure. Ensure that access to your jump server is tightly controlled with strict access policies. This approach significantly mitigates the risk of unauthorized access, brute forcing or password spraying.

A solution you can use is Teleport: Easiest, Most Secure Infrastructure Access (GitHub - gravitational/teleport: The easiest, and most secure way to access and protect all of your infrastructure.), which your IaaS provider can likely auto-deploy for you.

Also a WAF like Cloudflare is the easiest to setup and will block threats on the application side. I don't want to go off topic too much, so if you want to go more in-depth about this, feel free to send me a message.


[1] OWASP Top Ten | OWASP Foundation

Ofc, never expose critical service or infrastructure to public. We don't know if you used that VPS for internal needs or were simply hosting a public facing website.

If you used Ubuntu as Linux O/S that means that you can filter traffic properly with default policy DROP - not REJECT (higher CPU usage and notification to adversary) - for all chains and allow only specific ports with both packet state and source and destination address filtering.

 

[sergeylim88]

like i said, my network knowledge is far less competent than some other security aspects.
the https port has to be opened, since the web site has to be served to visitors (like on any other server)
the application was something fairly trivial using cgi, nothing complex, so i am sure any kind of injection was not possible

keep in mind server was set to communicate with SSH (RSA), and passphrase.
bruteforcing that is possible, but you and I would never try that, i am sure with a reason

jump server is a great idea, no question about.
cloudflare was something i implemented later to prevent them even knowing server's ip

anyhow, my point was that even as a above average user who pays attention a lot, things can go south.
below average or average people are better of using something secure out of the box like Apple does, and i am sure @0xDEADBEEF agrees with me
@mraleph i am not saying you are not right, but that type of security(IBM) is very hard to implement

****EDIT****

You have not described what the "hack" was so all of this is educated guess.

i wish i knew more. i just know files leaked. that is all.
it was my guess server got hacked, but did it actually happen, or not - it is just a speculation right now.
this example is far from ideal, i was just sharing my experience in a bar manner, none of this can't be used for a proper professional debate since a lot of things are missing (including the log of access).
sole purpose was to say that bad things can happen no matter what (but in fact we do not know if they actually happened on the way I think they did)

 

[mraleph]

Back to OP's question; zero-day vulnerability may exist - even for cryptographic primitives and systems, CA and HA systems, network and system management services. It's up to architects and manager to identify risks and threats.

But, in our line of business - we already identified possible vectors for even those zero-days. There are no black swans - unknown unknowns - even regarding quantum computation and its impact on security of cryptographic systems. With properly segregated users, services and networks you can either limit damage or mitigate the risk completely, even for black swans.

Standard procedures starting with "update system on a regular basis", "implement security upgrades" and similar are for average users. We are facing polimorphic threats - for those, we don't have off the shelf solution. Just like a complex corporate and banking setup across jurisdictions

Rest assured that there are deployed and operational robust secure HA systems facing public network for which we didn't need z/OS and its ecosystem to have a leverage over adversaries.

Hell no, who would do a brute force. Some script kiddies maybe. Encrypted certificate is a good choice Rainbows for RSA, perhaps ed25519 would be a better choice... Both will be degraded when QC is deployed so why not use faster solution?

Apple is a black box. For average user it's secure until it isn't. And, you should not be complacent - it isn't secure - not by IBM definition

With @0xDEADBEEF an OPSEC thread will be written and possible about security of Apple and other declared-secure products and services.

I actually believe that you know a lot - Elbrus comment was very good, beside others - quite a lot and it is a pleasure discussing with you.