Conversations about information security are so awash in the myriad details of shiny objects, silver bullets, attacks, threats, risks, tools, tips, hacks, and one-size-fits-all solutions, it’s easy to lose sight of the fundamentals of security. For example, if I had to perform a physical security assessment for a home, I’d need to know the people who use the home, and the ways they use it. Then I’d need to know the locations and types of doors and windows, perimeter fences and gates (or lack thereof), and other possible entry and exit points and their locking mechanisms. That’s all. The fundamentals are the same for an information security assessment, whether for a home or a multi-national organization.
Once we cut through all the noise, that’s the crux of information security, and those are the first questions to ask and answer. If these questions aren’t answered, or are answered incorrectly, no gadget, gizmo, or silver bullet can be properly configured or do its job effectively:
Who Are The People And What Do They Do?
“People” includes anyone with physical or virtual access: emergency service personnel, vendors, contractors, owners, directors, and anyone else who ever received and still may have physical or system access.
“What They Do” requires understanding every individual’s every organizational role; every organizational role, process, and person that manipulates data; the rules, policies, standards, and procedures that govern their behavior; the rules, policies, standards, and procedures they actually follow; and the overall culture of the organization. Some companies and people love rules, and they fall all over themselves to create, learn, and follow them. Some companies and people make a lifestyle and art form of bending, breaking, and ignoring rules, like it’s a sport.
What Are The Devices?
“Devices” include every piece of networked or connected hardware: servers, routers, firewalls, switches, PCs, laptops, iPads, phones, printers, automated lights and doors, televisions, signage systems, security systems and badges, conference room scheduling apparatus, refrigerators, toasters, Amazon Dash buttons, pacemakers, and “wearable” devices.
Finally, can you name more? I bet! Internet of Things, anyone?
What Are The Applications?
“Applications” include every installable or updatable piece of software running on any device that is accessible to or from a network: operating systems, device drivers, desktop applications, enterprise applications, helper applications, games — if it was installed and resides on a system as software and can be launched by a human or another piece of software, it must be inventoried and recognized as a part of the organizational footprint and a risk.
What Are The Points Of Access?
Every person, system, and application with a need to “phone home” or reach out to another system, inside or outside the periphery of the business, requires a point of exit or entry. Every one of these access points, if ignored, forgotten, improperly configured, or unmanaged, is a risk. This includes physical, virtual, and wireless access.
In summary, an increasing number of unknowns above reflects an increasing amount of information security risk. I’ve seen two organizations that appeared willing and able to answer these four questions accurately and consistently over time. Some wouldn’t have a prayer of accurately assembling the data in a month. Others couldn’t do it in a year of Sundays.
Consider And Act
- Do you see a risk in your home’s or organization’s security posture?
- Can you answer the 4 questions accurately, for your department at work, and its users?
- Do you believe your company can answer these questions accurately for all its systems and users?
- Can you answer these questions accurately for your home and its users — family, friends, maids, lawn or pool service, exterminator? Who else?
- How do you know your answers are correct?
- What would be necessary to know with certainty?
- Finally, would the cost of measuring the risk or securing the assets exceed their value?
Also published on Medium.