With May Day just around the corner, people across the globe are preparing to celebrate spring and usher in the warmer weather. This means that many are readying themselves for spring cleaning, a time-honored tradition in which households and organizations alike get their affairs in order, whether by cleaning or by bringing a detail-oriented focus to the upcoming activities they have planned.
We recognize the utility of spring cleaning, especially when it comes to organizations bolstering their security. Therefore, in celebration of May Day, we have asked our experts to provide some recommendations on what security teams can focus on for this year’s spring cleaning.
Refresh the Old
“Out with the old, in with the new” is a common adage used to describe spring cleaning. But it does not always offer the best advice. For example, it fails to capture an important job duty that is required of most information security professionals: testing old network appliances to gain insight into an organization’s continuously evolving threat landscape.
Acknowledging this, Irfahn Khimji, CISSP and Senior Information Security Engineer at Tripwire, urges security professionals to use the old during spring cleaning as a means to strengthen their organizations’ security.
“Spring cleaning is a great time to review everything that is installed on our networks, see how each system is configured, and ensure that they are hardened and that vulnerability risks are remediated,” Khimji explains.
“Towards this end, I recommend that security professionals revisit the Top 20 Critical Security Controls and take this time out to go back to the basics.”
Research the New
In addition to revisiting old ideas, security professionals can use spring cleaning to research new concepts that they might not have yet had time to look up.
For instance, security professionals can research to what extent their key management policies comply with some of the latest industry guidelines.
“I recommend that security teams and system administrators review the document ‘Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance’ that NIST published in January of this year,” explains Brad Winckler, who works in DevOps in Tripwire’s R&D organization.
“Once reviewed, teams can then work to see whether their organizations’ policy complies with the latest NIST suggestions.”
Additionally, Ken Westin, Senior Security Analyst at Tripwire, urges organizations to spend a little time investigating their log retention policies.
“In recent discussions with groups of CISOs and legal teams, the topic of logging has come up quite often,” observes Westin.
“Although we often discuss retention times as dictated by various compliance requirements, which can be of varying lengths of time, what is often overlooked are the potential risks and liabilities of storing logs and data for a period of time that is longer than required.”
Westin goes on to explain that now would be a good time to create a clear log retention policy if organizations do not already have one. This would, in turn, facilitate the efforts of security professionals to identify any data that has been collected outside of the required window and to safely dispose of it from systems, backup tapes, and other media.
Strengthening Security for the Future
Spring cleaning is ultimately about preparing for the summer months that lie ahead, but for the security industry this time of year carries added significance. By taking stock of what appliances are installed on their networks and by reviewing the Top 20 Critical Security Controls, as well as researching and/or revising their key management and log retention policies, information security professionals can use spring cleaning to effectively strengthen their organizations’ security for the foreseeable future.