The criticality of basic IT security hygiene


One of the interesting aspects of IT security is that the industry seems to possess a short attention span. Every year we move from one dominant focus to the next.

We have all lived through the year of PKI, the dawn of the IDS and, of course, the promise that NAC and DLP were going to radically change how we secure the enterprise.

With each new year, the latest widget drives even more vendor hyperbole until it reaches fever pitch. But as IT security professionals navigate the operational realities of budgets, politics, and the logistics of actually maintaining the health and improving the security of their organisations, it becomes clear that the next big thing in IT security might just be doing the old thing better.

The reality is that although attackers are more sophisticated and better organised, the vectors they use are the same ones used over a decade ago. Nonetheless, most IT security departments appear unable to implement even a base level of security hygiene across their entire computing environment.

Every IT organisation must be able to answer the following fundamental questions, and to ensure that the answers are accurate, timely and can be gathered quickly enough to keep pace with the dynamic nature of IT environments:

1) - How many computing devices are deployed in and out of my environment right now?

Believe it or not, it is quite common for an organisation to be blind to 15-30% of its computing devices at any given point in time. Imagine if every decision you make to improve security, to provide transparency or accountability for compliance, or to deal with upgrades, licensing or refresh cycles were based on a 15-30% margin of error.

This is the standard. The reasons are many and run the gamut from platform heterogeneity to legacy systems, from mobile and intermittently connected devices to the lack of converged visibility between disparate technologies driven by disparate groups within an organisation.

2) - How many of these do I “actively” manage? How many adhere to basic corporate policies, such as running the standard corporate AV engine with the latest signature (DAT) files, up-to-date security patches, standard configuration guidelines, etc.?

How long does it take to answer these questions? How accurate is the information? How do you know?

Even if you believe you have an accurate count of all your computing devices (and I am willing to bet that you probably don’t), the next question would be “Of these deployed devices, how many do I actively manage?”
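The practical way to answer both questions above, and to find out whether the count you believe in is right, is to reconcile the inventories that the disparate groups already hold: the asset register, the network's own view (DHCP leases or scans), the AV console and the patch system. Any device that one source has seen and another has not is a blind spot; any device in the union that lacks a current AV agent or outstanding patches is not actively managed. The script below is an added example written for this article, not code from the original post; the source names, hostnames, timestamps and export formats are constructed and assumed, and a real run would read each set from the corresponding tool's export.

```python
"""Reconcile device inventories from disparate sources and measure the gap.

Added example, not code from the original article. The source names,
hostnames and timestamps below are constructed for illustration; in practice
each would be an export from the CMDB, DHCP server, AV/EDR console and patch
management system.
"""
from datetime import datetime, timedelta


def normalise(hostname: str) -> str:
    """Reduce a hostname to a comparable key: lower-case, no domain suffix.

    Different tools record the same machine as 'WS-001', 'ws-001.corp.example'
    or 'ws-001 '; without this step one device is counted several times.
    """
    return hostname.strip().lower().split(".")[0]


def normalise_set(names):
    return {normalise(n) for n in names}


def normalise_map(mapping):
    return {normalise(k): v for k, v in mapping.items()}


# --- Constructed sample exports (assumed formats) ---------------------------
NOW = datetime(2024, 5, 1)

# CMDB / asset register: what the organisation believes it owns.
CMDB = ["WS-001", "ws-002.corp.example", "WS-003", "srv-db-01", "SRV-WEB-01"]

# DHCP leases from the last 24 hours: what actually talked on the network.
DHCP_LEASES = ["ws-001", "WS-002", "ws-004.corp.example", "srv-db-01",
               "printer-7", "lab-pc-9"]

# AV console: hostname -> timestamp of the last signature update it reported.
AV_CONSOLE = {
    "ws-001.corp.example": NOW - timedelta(days=1),
    "WS-002": NOW - timedelta(days=20),
    "srv-db-01": NOW - timedelta(days=2),
}

# Patch system: hostname -> whether all required patches are installed.
PATCH_SYSTEM = {"ws-001": True, "ws-002": True, "WS-003": False,
                "srv-db-01": True, "srv-web-01": True}


def known_devices():
    """Question 1: everything any source has seen (the union, not just the CMDB)."""
    return (normalise_set(CMDB) | normalise_set(DHCP_LEASES)
            | set(normalise_map(AV_CONSOLE)) | set(normalise_map(PATCH_SYSTEM)))


def blind_spots():
    """Devices seen on the network or by a tool but absent from the CMDB."""
    return known_devices() - normalise_set(CMDB)


def actively_managed(max_signature_age_days: int = 7):
    """Question 2: devices meeting the baseline of fresh AV signatures and full patching."""
    av = normalise_map(AV_CONSOLE)
    patched = normalise_map(PATCH_SYSTEM)
    managed = set()
    for host in known_devices():
        last_update = av.get(host)
        if last_update is None:
            continue  # no AV agent reporting at all
        if NOW - last_update > timedelta(days=max_signature_age_days):
            continue  # agent present but signatures stale
        if not patched.get(host, False):
            continue  # unknown to the patch system or has outstanding patches
        managed.add(host)
    return managed


def visibility_report():
    """Summarise the gap as the percentages the questions above ask for."""
    total = len(known_devices())
    return {
        "total_devices": total,
        "cmdb_devices": len(normalise_set(CMDB)),
        "blind_spot_pct": round(100 * len(blind_spots()) / total, 1),
        "actively_managed_pct": round(100 * len(actively_managed()) / total, 1),
    }


if __name__ == "__main__":
    print(visibility_report())
    print("Unknown to CMDB:", sorted(blind_spots()))
    print("Not actively managed:", sorted(known_devices() - actively_managed()))
```

On the constructed data the CMDB lists five devices but the union of sources shows eight, so three devices (37.5%) are blind spots, and only two of the eight meet the baseline. The design point is that the denominator must be the union of every source, never the register alone: measuring "actively managed" against the CMDB would hide exactly the devices nobody owns. The normalisation step is where most of the real-world effort goes, since each tool names hosts differently.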