Cool as McCumber: Back to Basics

March 23, 2015

My wife was a soccer and basketball coach -- a good one.  She started when a community sports program sought amateur parental volunteers to work with the kids, and her coaching career advanced along with our two daughters.  Eventually, one of our daughters attended a Division I college on a soccer scholarship, and my wife became an assistant coach at a nearby university. 

When she began coaching grade school soccer players, the kids would always swarm toward the ball.  The children would converge en masse and take wild swipes at the ball with their feet, at least after they learned not to use their hands.  She had to emphasize the fundamentals: play your position, own your space, and pass the ball.  Before you tried that amazing bicycle kick, you had to master the basics.  If you watch the UK’s Premier League, you can see how those basics are used to win a hard-fought game on the pitch.

When it comes to the cyber security business, forgetting the fundamentals can get your organization into the headlines – for all the wrong reasons.  Of course, it’s easy to drop the ball on the basics.  Security practitioners can be forgiven for focusing on new analytic tools, Big Data, and threat attribution.  They are all the rage these days.  However, a deeper look at the breaches and attacks that make the news shows that they are almost always the result of missing the basics.  When it comes to protecting your critical information resources, what specifically are those foundational safeguards?

We like to refer to these basics as systems hygiene, and there are four key areas that must be addressed before you can begin to take advantage of all those slick new products and security dashboards.  The first is asset inventory.  That’s where it all begins.  You can’t provide protection of your resources unless you can locate each authorized server, endpoint, and router. 

The second is configuration management – a baseline for each component that accounts for integrity, traceability, and management of the devices that transmit, store and process your vital information assets.  When you don’t control how your systems are deployed, you aren’t able to remediate many of the vulnerabilities that come with this lack of oversight.  Closely associated with configuration management is change control.  Before you change hardware, software, or systems settings, you need to have a single-track process where proposed changes are tested, authorized, and approved with security in mind.

The last fundamental you need to implement is data discovery.  Once you can address the threats and vulnerabilities, you have to be able to identify and track your critical information to appropriately address the risks.  Also, knowing when your information leaves your environment is a key capability to prevent unauthorized data exfiltration.  You can’t have advanced security without a focus on your basic hygiene.  Begin with the fundamentals.
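As an added illustration (not code from the column), the Python script below shows how the first three hygiene areas fit together in practice: an authorized asset inventory, a per-device configuration baseline, and an approved-change list are reconciled against what was actually observed on the network. Every host name, setting and change record here is constructed sample data, and the setting names are assumed, not tied to any real product.

```python
"""Systems-hygiene reconciliation: report hosts that are not in the
authorized inventory, inventoried hosts that were not seen, and
configuration drift, split into drift covered by an approved change and
drift that nobody authorized. All input below is constructed sample data."""

# Authorized asset inventory: host -> role and configuration baseline.
AUTHORIZED_INVENTORY = {
    "web01": {"role": "server",
              "baseline": {"sshd.PermitRootLogin": "no",
                           "ntp.server": "ntp.corp.example"}},
    "rtr01": {"role": "router",
              "baseline": {"logging.syslog": "on", "telnet.enabled": "false"}},
    "lap42": {"role": "endpoint",
              "baseline": {"disk.encryption": "on"}},
}

# What a discovery scan actually observed (constructed).
OBSERVED_HOSTS = [
    {"host": "web01", "config": {"sshd.PermitRootLogin": "no",
                                 "ntp.server": "ntp2.corp.example"}},
    {"host": "rtr01", "config": {"logging.syslog": "on",
                                 "telnet.enabled": "true"}},
    {"host": "printer9", "config": {}},
]

# Change-control records: (host, setting, approved new value).
APPROVED_CHANGES = {("web01", "ntp.server", "ntp2.corp.example")}


def reconcile(inventory, observed, approved_changes):
    """Return a report dict built from the inventory, scan and change list."""
    seen = {o["host"]: o["config"] for o in observed}
    report = {
        "unknown_hosts": sorted(set(seen) - set(inventory)),   # not inventoried
        "missing_hosts": sorted(set(inventory) - set(seen)),   # inventoried, not seen
        "approved_drift": [],
        "unauthorized_drift": [],
    }
    for host, entry in inventory.items():
        if host not in seen:
            continue
        actual_cfg = seen[host]
        for setting, expected in entry["baseline"].items():
            actual = actual_cfg.get(setting)  # None means the setting is absent
            if actual == expected:
                continue
            finding = (host, setting, expected, actual)
            bucket = "approved_drift" if (host, setting, actual) in approved_changes \
                else "unauthorized_drift"
            report[bucket].append(finding)
    return report
```

On the sample data the unknown printer, the laptop that never checked in, the ticketed NTP change on web01, and the unticketed telnet enablement on rtr01 each land in their own bucket, which is the triage order a hygiene review would follow.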