You are probably wondering how to beef up your current security practices given the almost never-ending assault on systems. Your in-house team is quite competent; however, you recognise that they could do better by implementing solid advice from well recognised, experienced sources.
Two highly regarded sources are the Critical Security Controls from the Center for Internet Security and the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents. Both of these sources offer so-called best practice security guidance. So your team knuckles down to implement what they can from the lists.
As they work through them they discover many suggestions need to be actioned by operational teams such as the infrastructure group, the network team and the application support team. Naturally those other teams can resent being told how to do their jobs by the security guys. Suddenly you find yourself in the unenviable position of trying to coax cooperation from other managers within the IT group. How can this be? Surely security recommendations should be handled by security teams?
Take a step back and read the CSC Top 20 or the ASD Top 35 objectively. You will quickly discover that the so-called security recommendations include many recommendations focussed on operational practices.
In fact, the CSC Top 20 is split about 50 / 50 between security and operational items. See the tables below for my categorisation; you may argue with a couple of them, but one or two either way is not significant. The ASD list is a little harder to categorise, but it also ends up around a 60 / 40 split between security and operations.
What is this really telling us? If these guidelines are aimed at producing secure environments, then implementing them involves building sensible operational practices as the base level. Effectively, if you want to have a secure system you need to make sure you manage your systems from an operational viewpoint.
Look at some common vectors for attack. Intrusion through improperly configured services: the operational hygiene answer is to build systems to a defined Secure Operating Environment (SOE). Access via a user account with unnecessarily elevated privilege: the operational hygiene answer is to manage users so that each holds only the least privilege needed to do their work.
The potential here is that if companies spent funds on creating a comprehensive operational capability, building and running their systems well, they could perhaps reduce the spend on the latest security toys.
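Both hygiene measures above are checkable, and that is what makes them operational rather than aspirational. The following is an added example, not code from the original post or from either guidance source: it compares a host snapshot against a defined SOE baseline and flags accounts whose granted privileges exceed what their role entitles them to. The baseline, host snapshot, role model and account list are all constructed for illustration; in practice they would come from your configuration management and identity systems.

```python
"""Two operational-hygiene checks: configuration drift against a defined SOE
baseline, and accounts holding privilege beyond their role.
All baseline, snapshot, role and account data below is constructed."""

# Constructed SOE baseline: which services may run, and required settings.
SOE_BASELINE = {
    "services": {"sshd": "enabled", "telnet": "disabled", "rpcbind": "disabled"},
    "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"},
}

# Constructed snapshot from one host (what an inventory tool would report).
HOST_SNAPSHOT = {
    "services": {"sshd": "enabled", "telnet": "enabled",
                 "rpcbind": "disabled", "cupsd": "enabled"},
    "settings": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
}

# Constructed role model: the privileges each role needs to work.
ROLE_ENTITLEMENTS = {
    "developer": {"git", "docker"},
    "dba": {"sudo-db", "backup"},
    "helpdesk": {"password-reset"},
}

# Constructed account list: role plus the privileges actually granted.
ACCOUNTS = [
    {"name": "alice", "role": "developer", "privileges": {"git", "docker"}},
    {"name": "bob", "role": "dba", "privileges": {"sudo-db", "backup", "sudo-all"}},
    {"name": "carol", "role": "helpdesk", "privileges": {"password-reset", "docker"}},
]


def soe_drift(baseline, snapshot):
    """Return (category, key, expected, actual) for every deviation from the SOE.
    A baseline item missing from the snapshot reports 'absent' as actual; a
    running service the baseline never mentions is reported with 'absent' as
    expected, since an unplanned service is itself a deviation."""
    findings = []
    for category in ("services", "settings"):
        expected = baseline[category]
        actual = snapshot.get(category, {})
        for key, want in expected.items():
            got = actual.get(key, "absent")
            if got != want:
                findings.append((category, key, want, got))
        if category == "services":
            for key, state in actual.items():
                if key not in expected:
                    findings.append((category, key, "absent", state))
    return findings


def excess_privilege(accounts, role_entitlements):
    """Return {account name: sorted privileges not justified by the role}.
    An unknown role entitles the account to nothing, so everything it holds
    is reported."""
    excess = {}
    for acct in accounts:
        allowed = role_entitlements.get(acct["role"], set())
        extra = acct["privileges"] - allowed
        if extra:
            excess[acct["name"]] = sorted(extra)
    return excess


if __name__ == "__main__":
    for finding in soe_drift(SOE_BASELINE, HOST_SNAPSHOT):
        print("SOE drift:", finding)
    for name, extra in excess_privilege(ACCOUNTS, ROLE_ENTITLEMENTS).items():
        print(f"excess privilege: {name} holds {extra}")
```

Run against the constructed data, the drift check reports telnet enabled where the SOE disables it, an unplanned cupsd service, and root SSH login permitted; the privilege check reports bob holding sudo-all beyond the dba role and carol holding docker beyond helpdesk. Each of these is an operations finding first, and a security finding only because it was not caught operationally.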
Good security hygiene depends on good operational hygiene!
Peter Sandilands has participated in the Australian IT Security market for many years. He is currently researching, teaching and consulting on security in the real world.