Due Diligence

When it comes to information security, many organizations, no matter their size, lose sight of the basics. Performing the proper due diligence around the “basics” provides a solid foundation for growth in computing resources and for protection against the so-called advanced persistent threat. The question most likely weighing on many organizations’ minds is, “What constitutes due diligence?”

The answer to this question is not as easy as many security practitioners would like you to believe. Many organizations tout “Best Practices.” But how can you be sure that one person’s best practices are the best practices for your organization?

The answer: due diligence is a relative term. Properly inventorying assets and assessing risk allows an organization to identify gaps and implement controls and/or mitigation processes and policies.

Understanding the business objectives, processes, and data gives an organization a foundation for building the proper controls, processes, and policies.

For example: What type of data are we collecting? How is it being processed? Do we need to keep it after it has been processed? Do compliance regulations drive our need for policy and procedure, e.g. encrypting data at rest?

The “basics” – such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least-privilege account access – are still being missed today. How we implement these items is relative to our business.

Implementing these “basics” takes resources and discipline, so it is not an effort to be taken lightly. Often these basics get swept under the rug and forgotten: a server is built with extraneous services listening, and/or a developer’s administrative credentials are left on that box when it goes into production. It is these “basic” things that add up and present risk to an organization. Everyone knows what happens to a server once it is built and in production: nobody ever has time to go back and “fix” the issue, or it is seen as too much of a hassle, because we have to put in a change ticket and perform the work during an outage window – that is, if you even have a change control process.
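The two leftovers described above (extraneous listening services and a developer’s admin account still on the box) are easy to catch if the build review produces a baseline and something compares the server against it before go-live. The following is an added example, not code from the original post: a small baseline drift check in Python. It parses constructed `ss -tlnp`-style output and constructed `/etc/group` lines (embedded inline so it runs offline), compares them to a hypothetical approved baseline, and returns a list of findings that can go straight into the change ticket.

```python
"""Baseline drift check for a freshly built server.

Added example, not from the original post. It checks two of the "basics":
  * listening network services (constructed `ss -tlnp`-style lines below)
  * members of privileged groups (constructed /etc/group lines below)
Anything outside the approved baseline is returned as a finding.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output for a new web server.
# Ports 22 and 443 are expected; 3306 (database bound to all interfaces)
# and 8080 (a developer's test instance) are leftovers that should not ship.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1340,fd=21))
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=1502,fd=12))
"""

# Constructed /etc/group lines. "dev.jsmith" is the developer who built the box.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:ops.admin,dev.jsmith
wheel:x:10:ops.admin
www-data:x:33:
"""

# Hypothetical baseline agreed at build review: port -> owning process,
# approved administrative accounts, and which groups grant admin rights.
APPROVED_SERVICES = {22: "sshd", 443: "nginx"}
APPROVED_ADMINS = {"ops.admin"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "root"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# Matches a LISTEN row: local address, port and the first process name.
_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse LISTEN rows; the header and any unrelated lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def parse_privileged_members(group_file: str) -> dict[str, set[str]]:
    """Return {group: members} for the groups that grant administrative access."""
    members = {}
    for line in group_file.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, users = line.split(":")
        if name in PRIVILEGED_GROUPS:
            members[name] = {u for u in users.split(",") if u}
    return members


def unapproved_services(listeners, approved=APPROVED_SERVICES) -> list[str]:
    """Flag any listener whose port/process pair is not in the baseline."""
    findings = []
    for lsn in listeners:
        if approved.get(lsn.port) != lsn.process:
            findings.append(f"unexpected service {lsn.process} on {lsn.address}:{lsn.port}")
    return findings


def unapproved_admins(members, approved=APPROVED_ADMINS) -> list[str]:
    """Flag any privileged-group member who is not an approved administrator."""
    findings = []
    for group, users in sorted(members.items()):
        for user in sorted(users - approved):
            findings.append(f"account {user} is in privileged group {group}")
    return findings


def audit(ss_output=SAMPLE_SS_OUTPUT, group_file=SAMPLE_GROUP_FILE) -> list[str]:
    """Run both checks and return the combined findings (empty list = no drift)."""
    return (unapproved_services(parse_listeners(ss_output))
            + unapproved_admins(parse_privileged_members(group_file)))


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On a real host the two sample strings would be replaced by the output of `ss -tlnp` and the contents of `/etc/group`; the point of the baseline is that a non-empty findings list blocks the move to production rather than becoming the “fix it later” item the post describes.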

The “basics” might seem like a much easier task for an organization with a small technology footprint, but they are just as important there. In my experience, once technology is injected into a culture it will not be going away anytime soon; business and user requests will drive the need for more technology.

Not to be lost in the “basics” is security awareness and training for the end user. It is not uncommon these days to walk into a small shop or office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system on which they will swipe your credit card when you check out. Providing basic user awareness in a fun and positive way can go a long way.

I would also recommend that any small company ingrain into its culture the idea of the basics and the understanding that security is a real part of the organization. Cliché as it may sound, everyone has a part to play in securing an organization, no matter its size: the IT person building a purpose-built server is just as important as the CEO checking his or her email and not downloading that unknown file.