Thinking Like a Security Minded Professional
A few weeks ago, I sat for the CompTIA Security+ exam. Studying was grueling, since keeping information systems secure is difficult, to put it mildly. There was discussion of various topics such as access control lists, firewalls, VLAN design, and layer 2 security at the switch port level. Application security using TLS and HTTPS, and the CIA triad, were also reviewed. So many terms were included: IPS, IDS, AES, 3DES, VLAN, ACL, DMZ. Luckily, I have been doing this IT thing for a long time, so learning what IPS (Intrusion Prevention System) meant was not a hard concept to grasp.
It did get me thinking, though: passing the exam suddenly means I am a security professional (hold your laughter, those of you who are true security warriors). As a security-minded professional, I began to panic a little when I thought of all those systems and potential breach points with access to intellectual property, human resource records, and credit card transactions. Where can I find a list of best practices, suggestions, or criteria by which I can determine if I am being vigilant?
Of course, you don’t have to search far to find standards like CIS, NIST, and FedRAMP, but like most academic and technical writing, the texts typically leave you struggling to apply them to real-life practices that will actually keep you secure. If you work in a larger organization, there is a networking team (one professional in the data closet), application development staff (highly caffeinated people who never look up), and data storage personnel, each struggling in their own silo to keep your company out of the media limelight while avoiding the dark underbelly of the web.
OpsCompass (shameless plug here) enables you to be more secure. Not through on-premises software or hardware, but by monitoring your cloud implementation through our SaaS software. It scans your environment and compares it against the current security standards for NIST, CIS, and others. Our easy-to-view dashboards and proprietary compliance score, combined with baselines and change histories, can actually make you more secure. I won’t promise it makes your job easier... but it makes your job easier.
P.S. I nailed the exam!