Have you ever noticed that the average infosec practitioner only really gets excited, interested and focused on advanced security activities? If you start talking about how to do real-time forensic packet inspection across your network, a half dozen security engineer types show up out of the blue to kibitz with you. Talk about how to patch your Windows desktop and it's like a ghost town around your desk.
This is a serious problem. Very serious. According to both the Mandiant and Verizon reports this year, the vast majority of successful intrusions involved two crucial factors. One was a human who could be tricked into accessing malware in some way, whether that was a website, a spreadsheet or some other attack vector. Second was a system that wasn't protected by the basics, like anti-virus, up-to-date patches or properly configured browsers.
I submit to you that all the vendor emphasis on selling new products, the security fascination with new stuff, and the fact that information security is much too heavily oriented on technology is the core of the problem. The attacks I am aware of could have been, for the most part, stopped with humans aware of the problem and systems that were patched.
We have to move beyond the advanced stuff and get back to basics. We need to understand what our core, fundamental skills, tools and controls should be and what our common, likely threats are. You really don't need fancy new tools if your systems aren't patched, your humans aren't resilient, your risk assessments aren't realistic and your incident response is non-existent.
You may laugh and say that of course that's obvious. But clearly some major organizations didn't do the basics consistently.
If you must buy new tools, have them be ones that help solve those fundamental problems you haven't gotten good at yet. Figure out where your unpatched systems are, find new ways to increase human resilience, identify the high-risk system accounts and strengthen them. These things are far more likely to secure your organization successfully than a shiny new toy that will end up as shelfware.
Just do the basics, get some due diligence under your belt... Be a professional who does the hard things, the boring things. Let someone else be the hobbyist chasing the next shiny toy.