In the age of the expanding network perimeter, advanced persistent threats, bring-your-own devices, and an increasingly mobile workforce, there is a natural propensity for security professionals to start looking to bring in new technologies to deal with these issues. With budgets tightening and threats mounting exponentially, how do you target your spending to get the most bang for your buck? Place that new technology purchase at the bottom of your to-do list and first focus your energy and dollars on ensuring your organization is doing well at the fundamentals.
Effective security starts from the inside out. Ensuring you do not have a soft chewy inside will reduce the chance that attacks succeed once they have broken through your hard crunchy outside. No one can predict what the next new attack vector will be, but you can minimize your environmental risk by focusing on the following essential areas of your security program:
Asset management. You can't protect what you don't know about, so you need to know exactly what is in your environment. Most asset management programs fail because the inventory is not kept up. Be sure to develop the processes you will need to ensure the inventory remains complete and accurate. Don't forget to include network equipment, printers and mobile devices, even if they are personally owned. If they touch the network, they are your responsibility.
Account management. Who has administrative access to systems in your environment? You need to quickly audit all of the accounts. Implement a strong policy that outlines the job duties that require administrative access, and clearly state that only people filling those roles will have privileged accounts.
Configuration management. When you issue systems to users or stand up servers, do they start from a secure baseline image? Work with your system administrators to confirm they have developed standard secure builds, and work with your support team to make certain users are issued secured workstations, laptops and mobile devices.
Security awareness training. How do you prevent phishing attacks from being successful? By ensuring no one in your environment falls for them. Keep updating your training to ensure it covers current issues, keep finding new ways to say the same things, and keep saying them again and again.
Most organizations can still use some work in one or more of these areas. While threats are constantly evolving, implementing proper security practices in your organization will help protect you against today's risks, as well as tomorrow's.
And, once you have adequately addressed these areas, then go ahead and treat yourself to that next-generation firewall you have had your eye on.