When it comes to security, it’s easy to fall into the trap of delegating everything to the security professionals. Ultimately, a firm cannot successfully protect itself without everyone’s cooperation, from the CEO to the front desk.
At the beginning of the year, I attended SANS SEC401 (Security Essentials Bootcamp Style), and I have to say, I was impressed. I expected the course to be technically dense, with deep dives into packet header inspections and cryptographic algorithms. While the course addressed the fine details as anticipated, SEC401 was also surprisingly thoughtful in its approach.
Here are some items from SEC401 I found particularly interesting:
- Your security approach should align with the goals of the firm. While it’s easy for a security officer to prioritize security above all else, controls should focus on reducing business risk while minimizing the cost and operational impact of implementing them. There will always be some level of acceptable risk, in life as well as in business, and information security should seek to control that risk at a reasonable financial and operational expense.
- Detection and remediation can be as important as, or more important than, prevention. Stopping an attacker from ever setting foot in your network is the ideal, but the reality is that any network can be compromised. That simple fact means that good monitoring and a rehearsed response process are crucial to keeping an environment secure.
- Taking inventory of hardware and software is the first step in designing a defense. This task is under-appreciated but critical. After all, attackers prize reconnaissance above all else, since it is very difficult to attack a server without knowing it exists, and the same holds for defending one. The onus is on the network administrator to identify not only the production devices, but also that one 10-year-old server still plugged into the network. That is the only way for IT to understand all the threats the firm faces.
- Defense-in-depth is a tremendously strong strategy. In biology, genetic variation promotes resilience in the face of disease and famine, because a single event is unlikely to wipe out the species as a whole. The same is true in information security: dependence on a single, all-encompassing control means a single flaw could spell disaster. A layered approach instead forces an attacker to defeat several independent controls, which makes it harder to compromise the entire network before being detected.
These are just a handful of the insights that SEC401 offered. For anyone considering the GIAC Security Essentials Certificate (GSEC) exam, I recently passed with flying colors thanks to SANS. I strongly recommend that any IT administrator take the class to better understand the security concepts that will undoubtedly continue to be useful in this age of data breaches and ransomware.