Home > Information Security, Musings > “Back to Basics”: What does this mean?

“Back to Basics”: What does this mean?

May 25th, 2014

B2BRecently, a pretty good-sized conference was held over in Europe called Infosecurity Europe 2014, and quite a few people I know were attending or speaking there. Two colleagues at SANS, James Lyne and Dr. Eric Cole, were both in attendance and talking to the press. At some point during their respective chats, both mentioned the idea that we should “get back to basics” in infosec. It really got me wondering, “WTF does that even mean?” This is such a cliché today, I think we may have lost sight of what the hell we’re even talking about when we say “let’s all just get back to basics”.

To be clear, both Eric and James are friends, and people that I have a lot of respect for. This really has nothing to do with them – they were just catalysts for me pondering the issue. In a post about Eric’s comments, he states that “…organizations seeking good security must return to the basics: asset identification, configuration management and change control.” In an article discussing some of James’ research and thoughts on security today, he states, “Security issues that we’ve known about for more than a decade are still a widespread problem that needs resolving. We need to get back to the very basics.”

So what ARE “the very basics”? And how exactly do we “get back to them”? Before giving my opinion on this, I think we run a real risk of oversimplifying what has become a very complex discipline. Times change, and “basics” do too. In the 1980’s or 1990’s, infosec “basics” were likely all about hardening operating systems and setting passwords for accounts, as well as limiting access and privileges. Today? I’d argue that only scratches the surface of “basics”. To adequately cover the “basics” of infosec, I think any organization, regardless of size, needs to include the following in their program:

  • Inventory management
  • Configuration management
  • Change control
  • Network access control and traffic filtering
  • Network intrusion detection/prevention
  • Host-based malware detection/prevention
  • Security policy
  • Security awareness
  • Incident response
  • Vulnerability management (emphasis on scanning and patching)

This can easily be argued, likely successfully. Should web app assessment be on this list? Secure coding? Pen testing? Forensics? The list could go on and on, but in my opinion, these are the foundational elements that every security program must have. So here’s the question – have we really gotten away from these? If so, what are we spinning our wheels with? Next-Gen thingamajigs? “Advanced Malware” detection and prevention platforms? Cloud and virtualization security architecture and design? Identity management? Encryption and PKI? DDoS defense? I don’t think we’ll solve our problems in infosec by trying to categorize one or more activities or tools as “basics” and focusing there, candidly. Not anymore. All of these things have merit, depending on your organization. No, I don’t think we need to get back to the basics. I think we need to get there for the FIRST TIME. Let’s face it, we’ve never had this licked. Things are more complex than ever, and we didn’t have a grasp on security when the environment was much simpler. The solution? There’s not one – not an easy one, anyway. We need more tools, more people that have real technical skills and who understand security across a lot of technologies, and more commitment from operations teams to help nail this down. So let’s drop the word “back” – let’s GET to basics first, and then we can optimize.

Categories: Information Security, Musings Tags:
  1. May 27th, 2014 at 10:41 | #1

    Good points Dave but is it anatomically correct to do it first. Seems the way the specie develops is enable then secure at which point you are putting toothpaste back into the tube. Particularly from a development perspective and particularly for web and mobile applications. I guess its possible but few have the guts to hit reset. Personally I think that much of this needs to be built in and automated to the extent possible. The skill gap and inability to focus on security as priority makes it difficult. It may be the case that the current environment provides a chance. Thanks for providing the list for the willing.

  2. Richard Steven Hack
    June 3rd, 2014 at 12:10 | #2

    “In a post about Eric’s comments, he states that ‘…organizations seeking good security must return to the basics: asset identification, configuration management and change control.'”

    That statement indicates to me that what he means is that organizations that can’t even manage their networks on a fundamental level aren’t going to have secure networks.

    I agree with your list – and I agree it doesn’t go far enough. But these are things that need to be added onto the basics of running a network. And these days, your list IS also “fundamentals.”

Comments are closed.