“Back to Basics”: What does this mean?
Recently, a pretty good-sized conference was held over in Europe called Infosecurity Europe 2014, and quite a few people I know were attending or speaking there. Two colleagues at SANS, James Lyne and Dr. Eric Cole, were both in attendance and talking to the press. At some point during their respective chats, both mentioned the idea that we should “get back to basics” in infosec. It really got me wondering, “WTF does that even mean?” This is such a cliché today, I think we may have lost sight of what the hell we’re even talking about when we say “let’s all just get back to basics”.
To be clear, both Eric and James are friends, and people that I have a lot of respect for. This really has nothing to do with them – they were just catalysts for me pondering the issue. In a post about Eric’s comments, he states that “…organizations seeking good security must return to the basics: asset identification, configuration management and change control.” In an article discussing some of James’ research and thoughts on security today, he states, “Security issues that we’ve known about for more than a decade are still a widespread problem that needs resolving. We need to get back to the very basics.”
So what ARE “the very basics”? And how exactly do we “get back to them”? Before giving my opinion on this, I’ll say that I think we run a real risk of oversimplifying what has become a very complex discipline. Times change, and “basics” do too. In the 1980s or 1990s, infosec “basics” were likely all about hardening operating systems and setting passwords for accounts, as well as limiting access and privileges. Today? I’d argue that only scratches the surface of “basics”. To adequately cover the “basics” of infosec, I think any organization, regardless of size, needs to include the following in its program:
- Inventory management
- Configuration management
- Change control
- Network access control and traffic filtering
- Network intrusion detection/prevention
- Host-based malware detection/prevention
- Security policy
- Security awareness
- Incident response
- Vulnerability management (emphasis on scanning and patching)
This list can easily be argued with, and likely successfully. Should web app assessment be on it? Secure coding? Pen testing? Forensics? The list could go on and on, but in my opinion, these are the foundational elements that every security program must have. So here’s the question – have we really gotten away from these? If so, what are we spinning our wheels with? Next-Gen thingamajigs? “Advanced Malware” detection and prevention platforms? Cloud and virtualization security architecture and design? Identity management? Encryption and PKI? DDoS defense? Candidly, I don’t think we’ll solve our problems in infosec by trying to categorize one or more activities or tools as “basics” and focusing only there. Not anymore. All of these things have merit, depending on your organization. No, I don’t think we need to get back to the basics. I think we need to get there for the FIRST TIME. Let’s face it, we’ve never had this licked. Things are more complex than ever, and we didn’t have a grasp on security when the environment was much simpler. The solution? There’s not one – not an easy one, anyway. We need more tools, more people who have real technical skills and who understand security across a lot of technologies, and more commitment from operations teams to help nail this down. So let’s drop the word “back” – let’s GET to basics first, and then we can optimize.