From Italy to the server room, anything you build needs to begin with a solid base. Is the very foundation of your organization’s security putting you at a greater risk of being toppled over than you realize? When was the last time you thoroughly reviewed your fundamental security hygiene? Do you often find yourself saying, “I would, if I could get around to it”?
Let me hand you this virtual Round Tuit. The history of the Round Tuit isn’t exactly clear but one thing is certain… there’s a good chance some of your IT security projects have been put off, and it may be time to refocus on your foundation, so your security won’t lean too far off base.
There are several reasons fundamental security hygiene tends to get put on the back burner. One reason is how we are wired as a society. It can be easy to focus concern on the latest news story about sophisticated threats and high-visibility vulnerabilities. After all, those stories sometimes read more like a thrilling movie plot.
These threats are certainly important to pay attention to. However, as stated in Verizon’s latest Data Breach Investigations Report, most of the attacks still seen out there are not particularly sophisticated. They’re tried-and-true methods that we should be protecting against, detecting and responding to already. Yet for some reason, many organizations still don’t employ the fundamental practices needed to address and respond to these less sophisticated – but effective – attacks.
I recently had the pleasure of attending an intimate CISO event and heard security executives state firsthand that they’ve been guilty of spending too much time and effort chasing advanced, sophisticated threats. In doing so, the effort distracts from what they know is also very important – fundamental security hygiene. This admission mirrors conversations I have had with many organizations about security, and perhaps you’re hearing the same in your organization, as well.
The problem is sort of like a bank working to protect its vaults against the team of Ocean’s Eleven, but not really making sure to protect against a bank worker walking out the door with bags of money, or someone handing the teller a note that says they are being robbed.
Nonetheless, it would be incredibly unwise to ignore sophisticated threats. Take some time to reflect with your team on what sort of attacks you really need to prepare for, discuss where your potential blind spots are, and determine how to best prioritize your time – be honest.
So, what are the fundamentals? Consider starting with a framework, such as SANS/CIS 20 Critical Security Controls, NIST/FISMA, etc. A framework will give you a great structure and plan, which has already been thoroughly vetted and validated by a team of security researchers. It will also help you break down your security goal into achievable parts.
Then, determine the importance of the pieces of that framework within your organization. Next, do an honest gap analysis to find out what you don’t know, and determine where you need to make changes and improvements. (A good place to start is the work of Adam Shostack, author of Threat Modeling: Designing for Security.)
Plan to stay focused. You’ll be pulled in a thousand directions – people may fight you on the prioritization of solving your gap issues, and you may need to defend your position against their questions. Be prepared to have that conversation with your executives in a way they can understand, stressing that you’re focusing on first things first – in other words, what protects the business most.
Next is maturity. Have an honest assessment of your current situation, as you would find in the CIS/SANS 20 CSC (which is prescriptive and in prioritized order), and determine what additional items you can take on. This can greatly increase your chances of using that Round Tuit and achieving the results you need.
Evaluating your team’s skills, bandwidth and capabilities now could save you a lot of headache down the road. It’s better to master what you can handle now, and then move to the next level than to try to jump into something that may fail. Otherwise, the technology you take on may be sound, but the failure may be on the people and process part of your security equation, which isn’t good for anyone.
Still not sure what to do or where to start? It’s time to learn, and don’t feel like you’re alone. There are more resources out there about IT security than there are threats. Ok, that’s probably not accurate, but you get my point. Consider leveraging trusted advisors and/or trusted resources, such as the Center for Internet Security.
Find the people or resources that speak to you and what you’re trying to solve. Find those who challenge your thinking, or conventional wisdom, and who help you solve problems in ways you may not have thought of before.
Once you get a closer look at what you’re trying to build, it may not seem as daunting when you stop looking at it as a huge tower but as a process that can be broken down into achievable, fundamental parts. To summarize: find a security framework that makes sense to your organization, determine your gaps, prioritize your gap remediation by importance, decide what your team can realistically handle, and execute on your plan. Build one floor at a time, beginning with a solid foundation.
Whatever the reason fundamental security hygiene tends to get put off at your organization, the fact remains that one of the only things you can truly control is how you (and your team) use your time. If you still have that “Round Tuit” from the beginning of this article, go stick it on your calendar before you close this browser tab.