The Basics …. or …. Be a Professional, Not a Hobbyist

Have you ever noticed that the average Infosec practitioner only really gets excited, interested and focused on advanced security activities? If you start talking about how to do real time forensic packet inspection across your network, a half dozen security engineer types show up out of the blue to kibitz with you. Talk about how to patch your windows desktop and its like a ghost town around your desk.

This is a serious problem. Very serious. According to both the Mandiant and Verizon reports this year, the vast majority of successful intrusions involved two crucial factors. One was a human that could be tricked in to accessing malware in some way, whether that was a website, a spreadsheet or some other attack vector. Second was a system that wasn’t protected by the basics; like anti-virus, up to date patches or properly configured browsers.

I submit to you that all the vendor emphasis on selling new products, the security fascination with new stuff, and the fact that information security is much too heavily oriented on technology is the core of the problem. The attacks i am aware of could have been, for the most part, stopped with humans aware of the problem and systems that were patched.

We have to move beyond the advanced stuff and get back to basics. We need to understand what our our core, fundamental skills, tools and controls should be and what our common, likely threats are. You really don’t need fancy new tools if your systems aren’t patched, your humans aren’t resilient, your risk assessments aren’t realistic and your incident response is non-existent.

You may laugh and say of course that’s obvious. But clearly some major organizations didn’t do the basics consistently.

If you must buy new tools, have them be ones that help solve those fundamental problems you haven’t gotten good at yet. Figure out where your unmatched systems are, find new ways to increase human resilience, identify the high risk system accounts and strengthen them. These things are far more likely to secure your organization successfully than a shiny new toy that will end up as shelf ware.

Just do the basics, get some due diligence under your belt …. Be a professional who does the hard things, the boring things. Let someone else be the hobbyist chasing the next shiny toy.


About Eric Cowperthwaite

Nearly 30 year security professional, 11 years in the US Army, and another 18 in the civilian world. Worked for EDS for 9 years, then for Providence Health & Services as their CSO for 7 years. Now I work for CORE Security as their VP, Advanced Security & Strategy. This blog is not just about security, either physical or information. You can expect to read about cigars, my life, things I think are funny and much more. And I will rail about the FUD that so many security practitioners toss around on a regular basis. Plus, once in a great while, I might actually share a thought or two about security. Did I mention that I will probably blog about cigars? Just to be clear, nothing that I write here represents the position or opinion of my employer. Nothing I write here is proprietary or confidential to my employer. Everything I write here is my personal opinion.
This entry was posted in InfoSec and tagged , , . Bookmark the permalink.

2 Responses to The Basics …. or …. Be a Professional, Not a Hobbyist

  1. I agree that we need to get back to the basics but what you are describing is sysadmin basics not security basics. Patching, AV, and browser configs should be a routine part of sysadmin work just like changing default passwords or configuring backups. Infosec professionals should be focused on architecture, identifying improperly configured systems (testing), and intrusion detection and response.

  2. I think you missed my point. Security professionals need to work on the basics, not get distracted by shiny toys.

    Also, it’s important to note that not every organization does things the same way. In some orgs, security engineering runs anti-virus, in others desktop engineering, and so forth. The key is not to argue over specifically who does what. It is to solve the basic problems. If your organization sucks at patching, then the security professionals need to get focused on that, even if they aren’t the ones who actually patch the boxes.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s