Skip to main content

Back to (new) Basics

To maintain secure computer systems, in the past the basics have been tasks like keep systems updated, run anti-virus software, use a properly configured firewall,use a filtering proxy for access to the internet.

The advice on basics has been mechanistic in the past - make the machinery protect itself was the ideal and most hoped-for outcome.

The new Basics include the old things and add:

  • Establish a Security Culture
  • Maintain Good Computer Habits 
  • Plan for the Unexpected
  • Control Access to Protected Health Information

(from Top 10 Tips for Cybersecurity in Health Care)

What's interesting about the new Basics is the additional items all have something in common: People. Each item focuses on how people interact with the systems, what they should expect and look for in terms of benefits, risks and dangers, and the fact the use of computers and computerized machinery must always remember the human elements for mistake, misuse and out-right abuse.

Why Is Cybersecurity So Hard? puts it succinctly, attributing it to three reasons. The first reason is that which is being recognized more broadly now: It's not just a technical problem.  Harvard Business Review's The Best Cybersecurity Investment You Can Make Is Better Training documents the problem. The Small Business Administration is gearing up to help in the effort to train small and medium sized businesses and  the AHA is making efforts at training from the top-down and this includes training on and in governance efforts.

It's people that are trying to defeat security, it will come down to people promoting security - as the new Best Practices warrant.

Comments

Popular posts from this blog

Let's Not Mess Around with Security on our Personal Systems Either!

Essential Security Practices for Your Personal Systems Ensuring a minimal level of cybersecurity, privacy, and availability on your personal systems means you need to manage the following essential practices. This is a brief overview of recommendations from sources like CISA, NSA, etc., focused on personal laptop, phone, and other systems' security. Anti-virus  I've found you'll get the best anti-virus protection and usability from a paid product - I've always had good luck with Norton labeled products. If you are looking for current vendor offerings see:  https://www.pcmag.com/picks/the-best-antivirus-protection Regardless of whether you choose to use a commercial product or open-source anti-virus tool, it is absolutely something you need to use. This is the minimally needed level of system security. Once installed, ideally, it should be invisible until there's a security problem it can't prevent or solve.   Backups You need to have at least a minimal level of ...

Threat Modeling Manifesto

Secure Your Code with Threat Modeling As a software developer, security should be a top priority. By proactively identifying and addressing potential vulnerabilities, you can significantly reduce the risk of breaches and data loss. What is Threat Modeling?   Threat modeling is a systematic approach to identifying, assessing, and mitigating security threats. It involves looking at your system from a hacker's perspective to uncover weaknesses and devise strategies to protect against attacks. See the  OWASP Cheat Sheet   Why is Threat Modeling Important? Proactive Security: By anticipating potential threats, you can take steps to prevent them. Risk Mitigation: Identify and address vulnerabilities before they can be exploited. Regulatory Compliance: Adhere to industry standards and regulations. Enhanced Security Posture: Strengthen your overall security posture. How to Get Started with Threat Modeling   The Threat Modeling Manifesto provides a valuable framewor...

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view The NICE framework ( NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation.  Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs. A  RACI chart  is   a project management tool used to define and clarify roles and responsibilities within a project team.   It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be c...