Vicki Ames, former information system security officer at a federal medical research agency •
November 01, 2011
CSO's desk

Back to basics for enterprise defense

Back to basics for enterprise defense
Back to basics for enterprise defense

In the age of the expanding network perimeter, advanced persistent threats, bring-your-own devices, and an increasingly mobile workforce, there is a natural propensity for security professionals to start looking to bring in new technologies to deal with these issues. With budgets tightening and threats mounting exponentially, how do you target your spending to get the most bang for your buck? Place that new technology purchase at the bottom of your to-do list and first focus your energy and dollars on ensuring your organization is doing well at the fundamentals. 

Effective security starts from the inside out. Ensuring you do not have a soft chewy inside will reduce the ability of attacks to be successful once they have broken through your hard crunchy outside. No one can predict what the next new attack vector will be, but you can minimize your environmental risk by focusing on the following essential areas of your security program:

Asset management. You can't protect what you don't know about, so you need to know exactly what is in your environment. Most asset management programs fail because the inventory is not kept up. Be sure to develop the processes you will need to ensure the inventory remains complete and accurate. Don't forget to include network equipment, printers and mobile devices, even if they are personally owned. If they touch the network, they are your responsibility.

Account management. Who has administrative access to systems in your environment? You need to quickly audit all of the accounts. Implement a strong policy that outlines the job duties that require administrative access, and clearly state that only people filling those roles will have privileged accounts.

Configuration management. When you issue systems to users or stand up servers, do they start with a secure baseline image? Work with your system administrators to confirm they have standard secure builds developed and work with your support team to make certain users are issued secured workstations, laptops and mobile devices.

Security awareness training. How do you prevent phishing attacks from being successful? By ensuring no one in your environment falls for them. Keep updating your training to assure you include current issues, keep finding new ways to say the same things, and keep saying them again and again.

Most organizations can still use some work in one or more of these areas. While threats are constantly evolving, implementing proper security practices in your organization will help protect you against today's risks, as well as tomorrow's.   

And, once you have adequately addressed these areas, then go ahead and treat yourself to that next-generation firewall you have had your eye on.

From the November 2011 Issue of SCMagazine »
Similar Articles
Related Topics
close

Next Article in Features

Sign up to our newsletters

More in Features

Suspect everything: Advanced threats in the network

Suspect everything: Advanced threats in the network

Are there ways to catch sophisticated malware that hides in trusted processes and services? Deb Radcliff finds out.

Urgent care: Safeguarding data at health care providers

Urgent care: Safeguarding data at health care providers

Health providers have pressing reasons to now embrace security, says INTEGRIS Health's John Delano. Karen Epper Hoffman reports.

Deciphering cloud strategy

Deciphering cloud strategy

There are steps security pros can take to achieve greater peace of mind with cloud implementations, reports Alan Earls.