Security Basics, what are they?

What does it mean when someone says they believe in security basics? The answer to this question can generate many varied responses. From my perspective here is my response:

Remember the goal of security is to protect the Confidentiality, integrity and availability of information . I believe this is only possible with a mastery of the following areas.. To many organizations purchase a tool and try to develop the three P’s (policy, process and procedures)to match the capabilities of the tool. This way of thinking is flawed and leads to the purchase of expensive security tools that only yield sporadic results and never their full potential.

• Inventory Management - knowing that only the proper systems and devices connected to a network and that they meet the configuration parameters required by that network.
• Configuration Management Defining and auditing the configurations of systems, devices and applications allowed to connect to a network. This should cover mandatory installed software, patching levels, logging requirements and individual configuration settings.
• Identity and Access Management – Knowing what users, systems, devices and applications should be accessing various others data elements and that the access is appropriate.
• Vulnerability Identity and Management – The auditing of the three areas above through scanning, log reviews and correlations, and physical inspections, discovering not only the deficiencies but how they were allowed into an environment. A proper vulnerability management program will develop remediation plans as well as drive process changes to prevent recurrence

improving security is an evolution. Most organizations can get started in these areas by just gaining an understanding of these 4 areas of security then defining actual requirements that lead to policy and procedure review. One piece leads to the next. I plan to post more of these articles diving into the four areas and way they can be used to provide a solid foundation for a security program, and how they should be addressed prior to choosing and implementing tools.