Why You Can't Afford to Ignore Security Basics
By Bill Podborny, CISO, Alliant Credit Union
Cyber security incidents have almost become a daily news event. Between the increase in incidents and the pressure from executive management and boards to protect organizations, it’s easy to get caught up in all the hype surrounding the latest cyber security buzz.
"While some tools may make it easier and more efficient to operate security functions, they can’t take the place of basic security principles"
Who wouldn’t want to rush out to acquire the latest silver bullet?
As a security professional, I constantly get calls from vendors offering the latest and greatest security tools, services, and processes available on the market today. Not unlike other security professionals, I enjoy seeing the latest technologies, and the chance to tinker with something new.
I’m not suggesting that, one or more, of these offerings wouldn’t improve the security posture of any organization—but I think a lot of these advanced systems and techniques are being introduced in lieu of some of the basics.
Most organizations are strapped for qualified security professionals. As a result, the time and attention needed to investigate and implement new tools can prove distracting from the required security hygiene fundamentals.
When you hear about the next security breach, there’s a good chance that it may be a new attack vector— but the root cause was exploiting a fundamental function, such as login credentials.
There is a reason why best practices like ITIL and ISO exist and have stood the test of time. If implemented correctly, they work. As we look at the latest regulations and guidance, such as PCI and FFIEC, they are all emphasizing the same thing: start with a good foundation and mature security practices over time.
So what do some of the basics entail? What constitutes a good foundation? For starters, think about people, process, and technology and consider these five tips:
1. Know the risk to your organization and the tolerable risk you are willing to accept. Defining how much protection to put in place could save time and energy from unnecessary tasks.
2. Inventory what your critical assets are and ensure that they are restricted to only those who need them to perform their job function. How many times have you seen someone’s laptop loaded with all sorts of security protection tools, but the end user has administrative permissions to their own machine?
3. Protect assets according to their risk level. It’s likely that not all assets are of equal value. This is where the meat of many basic security principles are potentially ignored, such as access control and regular patching.
4. Have the ability to detect threats. While this is critical, I think this is where a lot of time is spent while ignoring the basic protection methods. Monitor the environment for suspicious activities, which may involve capturing more than just security logs. Remember that anomalies can take on many forms.
5. When an issue arises, have a solid incident response plan that contains repeatable processes to follow through to resolution. I can’t say enough about practicing your response plan to ensure the first time you’re looking at the plan isn’t right after an incident.
The basic premise for security should be to protect critical assets by having the ability to detect malicious behaviors and respond to threats. While some tools may make it easier and more efficient to operate security functions, they can’t take the place of basic security principles. After you have the basics running smoothly, you’ll have a good foundation to work from. At that point, you can enhance the process or look at advanced capabilities.