A common theme amongst many engagements and discussions are “we are having issues maintaining control over our environment what products can solve this problem for us”. Questions like this are tackling the problem by jumping to a solution without identifying the cause and they can usually be addressed without buying a new security product.
Improving information security maturity requires strong foundations to be effective and strong foundations will ensure tools can be implemented correctly to utilise their full potential.
The Center for Internet Security (CIS) publish a list of the Top 20 security controls, which are prioritised list of controls to implement to improve an organisation’s information security maturity level. The first two items on the list relate to hardware and software inventory, which is the most important foundational aspect of securing the information technology environment.
System inventory is so critical because it is very difficult to secure an environment that is unknown and uncontrolled – how does someone secure something they know nothing about? For example, how will your new automatic patching product work if you don’t understand the system it is patching and the risks involved. The most likely outcome will be the new patching tool will be put into manual mode and the value of the new tool is diminished.
The other issues with poor inventory management are systems not getting patched because the administrator did not know they existed, increased operational costs through management of assets that are not required, and systems being exposed to the Internet when they shouldn’t be.
When the information security system is well known and understood, security risk can be significantly reduced by applying basic hardening, decommissioning unused services, patching, migrating unsupported services and removing unrequired public access from internal assets. Discovery of the environment can be done using a combination of interviews with various departments and free scanning tools.
This article has just touched on the crucial first step of improving information security. If this step is done well, the following steps to improve will become significantly easier.