Skip to main content
banner image
venafi logo

IT Security: ♫ It’s all About the Basics, ‘Bout the Basics, No Trouble ♫

IT Security: ♫ It’s all About the Basics, ‘Bout the Basics, No Trouble ♫

August 6, 2015 | Tammy Moskites

Okay—stop laughing, everyone (and I mean everyone) knows I am no singer, but IT Security professionals really need to ensure they have the basics in place and I liked the attention this title brought to light as the foundation for this blog.

As I think back over the high-profile (and some of the not so high-profile…) hacks and breaches that have occurred over the last 18 months, I asked myself:

  • How many have been the result of the smartest, most ingenious hackers in the world?
  • How many have happened because someone just did something by accident?
  • How many have happened just because they didn’t have visibility into their network and security dashboards?

As I sat down and did some research and consulted with my peers around the world, I came to this conclusion: we are truly neglecting the security basics and need to get back to them fast. So what are the basics exactly?

Step #1 Take Careful Inventory of Your Assets and Software: You can’t protect what you don’t know you have and many organizations often skip this basic but fundamental step. I’ve seen several instances of this recently while working with companies to improve their key and certificate security. Many companies simply do not have a complete inventory—they have no idea how many keys and certs they have or how they are being used or misused. In a recent survey that Venafi commissioned with the Ponemon Institute, the results revealed that the average enterprise has almost 24,000 keys and certificates and 54 percent of security professionals admit to being unaware of where all of their keys and certificates are located. This is just one example, but it underscores the reality that organizations need a good inventory of ALL IT assets, identities, hardware, keys and certs, and software.

Almost 24,000 Keys and Certificates per Enterprise

Step #2 Establish A Trusted Baseline: Organizations need to establish and update a known good state, or baseline. Baselines can be used to identify when security issues arise and provide a means to return the organization back to a known good state after a breach.

A few years back, I read an article with an analogy that struck me. Coupled with the old saying when trying to find something that seems impossible: “It’s like finding a needle in a haystack.” It was changed a bit to be more relevant and has held meaning for me ever since:“You don’t need to know what the needle(s) look like; you just have to know what the hay looks like. You take all the hay out and only the needle(s) are left.”

So how does this relate to baselining? If you take the known good out (your current baseline), then you’re left with the needle(s).  Those needles can be good or bad, but now you know about them and can take proper action, and are able to begin remediation or restore to a known good state.

Step #3 Deploy a Strong Security Foundation: Once you have a complete inventory and you know what you need to protect, the next step is to deploy a good security foundation to build upon. Today, many companies are spending money on expensive “Next-Gen” or “Threat Intel” solutions and are not putting enough emphasis on the basics. You need to know what you have in order to protect it. There are many guidelines out there such as the SANS 20 Critical Security Controls. SANS starts with an “Inventory of Authorized and Unauthorized Devices, and Inventory of Authorized and Unauthorized Software”—obviously to my earlier point, visibility into your inventory is crucial. There are many other standards, guidelines, etc. out there, and it is up to you to determine what you want to work with for the regulations that you must comply with in your industry.

Step #4 Beef Up Your Detection: We tend to become overly invested in and overly reliant on our preventative capabilities to mitigate cybersecurity threats. This is often at the cost of good detection capabilities. In addition to inventories and baselines, IT security teams need to establish strong processes and procedures in incident response plans, triage/analysis tactics, and log monitoring. When there is a breach, organizations need to be able to quickly identify anomalous behavior and remediate, and to return the systems/networks to a good, trusted state while minimizing damages, recovery time, and costs. This need for detection applies across all technical, administrative, and procedural domains regardless of whether the compromise impacts hardware, software, user IDs, privileged access, keys and certificates, or any other IT security asset.

When was the last time you tested your incident response plans? People come and go; processes are always changing, and those changes need to be taken into consideration each and every time you exercise your plans; and don’t forget to follow-up with a postmortem analysis to see what worked and what didn’t.

These are a few easy steps that security professionals should always consider when it comes to establishing the security basics. Without these foundations to build upon, how can we ever hope to keep up with the bad guys who are always two steps ahead?

Remember—It’s all about the basics, ‘bout the basics—and hopefully no trouble!


P.S. Don’t forget to follow me on my new Twitter handle: @QueenofCandor

Like this blog? We think you will love this.
Featured Blog

What Is Encryption Key Management?

Why Is Key Manag

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Tammy Moskites
Tammy Moskites

Tammy is Managing Director, Senior Security Executive at Accenture. She has 30 years of experience and is noted for her expertise leading IT security organizations. She was previously the CIO/CISO of Venafi Inc.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more