AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


The Neglect of Security Basics

Last week we held a webinar with our good friends from Qualys (you can view the recording here). The webinar discussed the integration between Qualys and AlgoSec that enables Application-Centric Vulnerability Management. One of the questions from the audience asked what happened to device hardening: why is everyone only talking about things such as advanced threat prevention when it comes to security practices?

The question was very valid, and it brought to light something I have been thinking and talking about quite a bit – the neglect of security basics.

The problem with our industry is that nothing ever really goes away. For example, we all know that anti-virus is very limited in its ability to prevent modern threats, but few of us are willing to uninstall it from our servers and endpoints. This is similar to locking the door to your house – will it really prevent a determined burglar? Most probably not, but that does not mean we should leave the door unlocked. In similar fashion, many have also proclaimed the death of the firewall, yet the firewall market is bigger and better than it ever was (granted, firewalls have evolved considerably in recent years).

With the advanced threats and well-publicized breaches of today, it’s natural for the media and analyst community to disproportionately cover the latest shiny toys. You know, those cloud-based, crowd-sourced, next-generation, advanced kill’em all flux-capacitor powered solutions. (If you don’t know what a flux capacitor is – congratulations! You’re not old.) But I argue that you can greatly improve your security posture by not forgetting, and even emphasizing, those boring security basics hardly anybody talks about, such as:

  • Identifying and patching vulnerabilities
  • Hardening systems
  • Solid processes for configuring policies across firewalls and routers
  • Removing administrator privileges from endpoints
  • Security awareness programs
  • And the list goes on…

When was the last time you revisited your security basics? If you have a “security basic” to share with us – drop us a line in the comments field.

[Addendum]

I wrote this post last week, as I am attending the Gartner IT Security Summit this week. I was pleasantly surprised to see Gartner’s keynote yesterday address many of the ideas in this blog post. It was refreshing to see the analysts calling out the basics and reminding the audience that they are effective against 80-90% of the threats out there. That said, the sessions and product demos around combating advanced threats were the most heavily attended.

Sigh.
