Time and time again, whether reading the news about the latest breach, or performing an assessment, it seems that it’s the simple things that so often get missed or neglected. Patches, network segmentation, default configurations and misconfigurations. Ensuring the security basics get covered isn’t a panacea for our security ills, but it can go a long way toward preventing incidents. The thing is, the simple things often aren’t as simple as they may first appear. As a security practitioner, it can be easy to give an organization a list of security best practices and then walk away. However, understanding why the organization is not following security best practices is essential. Are systems not patched because there is a lack of understanding of the importance of patching or lack of resources available, or is patching not performed because patches cause business critical software to no longer work? Are users local administrators on their machines because they need to use software that requires local administrator access to function correctly or at all?
Without understanding why things are the way they are, it is usually impossible to effectively make changes. This is why security practitioners need to ensure they understand the organization and how it functions. If security basics aren’t implemented due to a lack of understanding of the risk, then we need to educate the organization about the risk. If resources aren’t available then we need to make the case for additional resources, or look for other controls that can provide additional security. If business critical software precludes patching, we need to look for compensating controls. While it is tempting to tell an organization to find new software that allows patching and updates, experience tells us that this is generally not possible due to licensing, training, and implementation/integration costs.
We often have to work with (or around) what resources we have. While this can require a lot of creativity and effort, the results are usually worth it.
This article was written by Alex Hamerstone (@Infosecdoc) of TrustedSec.