Kevin Beaumont 111 Posted July 19, 2019 So in the age of ‘you must buy EVERYTHING EVER to be secure’, what’s the most undervalued security controls or products, do we think? The unsung heroes of InfoSec.
2 Glenn Pegden 25 Posted July 22, 2019 Excel. I can't think of a tool in InfoSec that's used more (until you get to a level where you have an Excel minion and your most used tool then becomes PowerPoint). As techies we always focus on the technical toys, but so much of what we do is conveying risk (one way or another) to end users, and people just understand a nice colourful, conditionally formatted Excel spreadsheet. Explain the potential vulnerabilities that may arise from their crappy web app and we're ignored because we're doom and gloom merchants; give them a nice graph showing how they suck at something compared to others and they get it. So, I'd love to say Metasploit, Nessus, Splunk or something big and shiny, but for me, the most undervalued security control is a security analyst with good communication skills and a copy of Excel! 3
3 Dan Card 8 Posted July 23, 2019 Windows updates, host-based firewalls, AV, disabling macros, disabling shit like LLMNR/NetBIOS, using a jump box... all the boring, easy (ok, relatively easy), low-cost shit that most orgs don't do! 🙂 1
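Two of the "boring" controls in that list, LLMNR and NetBIOS over TCP/IP, can be audited and switched off from PowerShell. The script below is an added example, not code from the thread or any product it mentions; it assumes Windows PowerShell 5.1 or later in an elevated session and uses the standard DNSClient policy key and the per-interface NetBT keys.

```powershell
# Added example (not from the thread): audit, then optionally disable, LLMNR and
# NetBIOS over TCP/IP on a Windows host. Run elevated; PowerShell 5.1+.

function Get-LlmnrState {
    # LLMNR is controlled by the policy value EnableMulticast (0 = disabled).
    # With no value present, Windows defaults to LLMNR enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $val = (Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    if ($null -eq $val) { return 'Enabled (no policy set)' }
    if ($val -eq 0)     { return 'Disabled' }
    return 'Enabled'
}

function Get-NetbiosState {
    # NetbiosOptions per interface: 0 = take the DHCP setting (NetBIOS on unless
    # the DHCP server says otherwise), 1 = enabled, 2 = disabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -eq 2)     { $state = 'Disabled' }
        elseif ($opt -eq 1) { $state = 'Enabled' }
        else                { $state = 'DHCP default (usually enabled)' }
        [pscustomobject]@{ Interface = $iface.PSChildName; NetbiosOptions = $opt; State = $state }
    }
}

function Disable-LlmnrAndNetbios {
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if ($PSCmdlet.ShouldProcess($key, 'Set EnableMulticast = 0 (disable LLMNR)')) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name EnableMulticast -Value 0 -Type DWord
    }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $base) {
        if ($PSCmdlet.ShouldProcess($iface.PSChildName, 'Set NetbiosOptions = 2 (disable NetBIOS)')) {
            Set-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -Value 2 -Type DWord
        }
    }
}

# Report the current state, then preview the change. Drop -WhatIf once a pilot
# ring has confirmed nothing still depends on broadcast name resolution.
"LLMNR: $(Get-LlmnrState)"
Get-NetbiosState | Format-Table -AutoSize
Disable-LlmnrAndNetbios -WhatIf
```

The NetBIOS setting is per adapter and takes effect after a restart, and adapters added later (VPN, docking stations) come up with the default, so the durable way to do this at scale is the same registry values delivered by Group Policy plus the DHCP option that tells clients to disable NetBIOS. Check for anything that still relies on WINS or broadcast name lookups before enforcing.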
2 John Kelly 10 Posted July 20, 2019 I'm going to focus on controls/stuff you can do without spending cash.

Patch your shit. Seriously. When I get some more time I'll write up a long-form post on how you can "nudge" the server, app and network teams to think it's a really good idea to do this, but this should be a key focus for anyone working in blue teams. When you've finished patching the above, go around again and look for all the stuff you've missed. Then patch it. Then repeat the process on a regular basis.

Lock down your admin creds (particularly in AD) and reject any app that "requires" Domain Admin/Local Admin or similar to run. Trust me, they don't - it's just lazy implementation guides from the vendor; start digging and there will be a method that allows the app to run via a standard user account.

Close the easy gaps first. Attackers are lazy, and they'll use the minimum required to get in. Review your firewall rules, for example: any permit tcp inbound 139/445 ones in there? Bin them.

Look for/ask for security guides or hardening guides from your existing vendors. They should all have them, and the likes of Microsoft/Cisco/Apple/insert large IT provider here are generally very good at telling you how to secure their stuff if you go and look for it. 3
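The "permit tcp inbound 139/445" review above can be scripted against the Windows host firewall. This is an added example, not code from the thread; it assumes the built-in NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session, and it only disables rules when you remove -WhatIf after reviewing the findings.

```powershell
# Added example (not from the thread): list enabled inbound ALLOW rules in the
# Windows firewall that expose TCP 139/445, then optionally disable them.

function Test-PortMatch {
    # $Spec is one LocalPort entry as the port filter reports it: 'Any', a single
    # port such as '445', or a range such as '137-139'. Named specs ('RPC',
    # 'IPHTTPSIn') are not SMB and are treated as no match.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    if ($Spec -match '^\d+$') { return ([int]$Spec -eq $Port) }
    return $false
}

function Find-SmbInboundAllowRule {
    param([int[]]$Ports = @(139, 445))
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne 'TCP') { continue }
        # Collect every requested port that this rule's LocalPort specs cover.
        $matched = foreach ($spec in @($pf.LocalPort)) {
            foreach ($p in $Ports) { if (Test-PortMatch -Spec $spec -Port $p) { $p } }
        }
        if (-not $matched) { continue }
        $af = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = (@($pf.LocalPort) -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')   # 'Any' is the worst case
            ExposedPorts  = (($matched | Sort-Object -Unique) -join ',')
        }
    }
}

function Disable-SmbInboundAllowRule {
    # Disables the rules Find-SmbInboundAllowRule returns; honours -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)][psobject]$Finding)
    process {
        if ($PSCmdlet.ShouldProcess($Finding.DisplayName, 'Disable-NetFirewallRule')) {
            Disable-NetFirewallRule -Name $Finding.Name
        }
    }
}

$findings = Find-SmbInboundAllowRule
$findings | Format-Table -AutoSize

# Typical first pass: anything reachable on the Public profile or from any
# remote address. Check for genuine file/print servers before removing -WhatIf.
$findings | Where-Object { $_.Profile -match 'Public' -or $_.RemoteAddress -eq 'Any' } |
    Disable-SmbInboundAllowRule -WhatIf
```

Run it from an elevated prompt; the port filter and address filter objects are what the GUI shows on the "Protocols and Ports" and "Scope" tabs, so the report matches what an admin would see by hand, just for every rule at once.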
2 Ian Chisholm 5 Posted July 22, 2019 Another one to throw in, for Windows environments, is Windows Event Forwarding, and Sysmon. Lovely.
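The two pieces above fit together: Sysmon writes to its own event channel on each host, and Windows Event Forwarding ships that channel to a collector with nothing but built-in components. The script below is an added example, not code from the thread or from Sysmon/WEF themselves; it assumes a domain, a collector whose name wec.example.internal is a placeholder, Sysmon already installed on the sources, and an elevated session on each side.

```powershell
# Added example (not from the thread): the collector half and the source half of
# a source-initiated WEF subscription for the Sysmon operational channel.

function New-SysmonSubscription {
    # Run on the collector. wecutil.exe is the built-in WEF management tool.
    param([string]$SubscriptionId = 'Sysmon-Operational')
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Sysmon operational log from domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
    # The SDDL above lets Domain Computers (DC) and Domain Controllers (DD) deliver.
    $path = Join-Path $env:TEMP "$SubscriptionId.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil.exe qc /q                # enable and start the Windows Event Collector service
    wecutil.exe cs $path             # create the subscription from the XML
    wecutil.exe gr $SubscriptionId   # runtime status: which sources have checked in
}

function Set-WefSourcePolicy {
    # Run on each source. Normally this arrives by GPO (Computer Configuration >
    # Administrative Templates > Windows Components > Event Forwarding >
    # Configure target Subscription Manager); the value below is what that writes.
    param([string]$Collector = 'wec.example.internal', [int]$RefreshSeconds = 60)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '1' -Type String `
        -Value "Server=http://$($Collector):5985/wsman/SubscriptionManager/WEC,Refresh=$RefreshSeconds"
    # The forwarder runs as NETWORK SERVICE and needs read access to the channel;
    # membership of Event Log Readers is the usual way to grant it.
    Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE' -ErrorAction SilentlyContinue
    Restart-Service -Name WinRM
}

function Test-SysmonForwarding {
    # On a source: is Sysmon logging at all? On the collector: has anything arrived?
    $local = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
    $fwd   = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; ProviderName = 'Microsoft-Windows-Sysmon' } `
                 -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{ SysmonLoggingLocally = [bool]$local; SysmonEventsReceived = [bool]$fwd }
}

# Collector: New-SysmonSubscription
# Each source: Set-WefSourcePolicy -Collector 'wec.example.internal'
# Either side, after a Refresh interval: Test-SysmonForwarding
```

HTTP on 5985 is fine inside a domain because WinRM authenticates with Kerberos and encrypts the payload at the message layer; use HTTPS for non-domain sources. Once events land in ForwardedEvents the same subscription model covers Security, PowerShell and any other channel, which is what makes WEF such good value for no licence cost.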
1 Dallas Moore 1 Posted August 5, 2019 As others have mentioned, asset management/inventory is vastly underrated. Especially as we continue to develop perimeter-less architectures and expand into the cloud. Shadow IT was bad when people were just buying their own gear... Now anyone with an unchecked corporate expense card can spin up some cloud resources and you'll never know. Time to start building communication channels with the finance department. 1
0 Ian Chisholm 5 Posted July 22, 2019 Excel for sure, or these days, PowerBI, I guess. Another candidate is a good hardware/software inventorying tool. I personally love LanSweeper for a great, flexible, easy-to-config app with superb reporting. So, to preface @John Kelly's post: 0. Know what shit you have 🙂 Edited July 22, 2019 by Ian Chisholm 1
0 Glenn Pegden 25 Posted July 22, 2019 10 minutes ago, Ian Chisholm said: another candidate is a good hardware, software inventorying tool. 🙂 Damn, as somebody who spent 14 years at an IT auditing vendor before coming into Security, that should have been my go-to answer 🙂 You can't protect what you don't know you have!
0 Chris Oakley 0 Posted July 23, 2019 +1 for robust asset management. I often hear statements like "we don't even know how many servers we have". Sadly, it's sometimes said with a 'badge of honour' tone, as in "we're so big and important, we can't possibly keep track of it all". Beyond that, if we're talking product, honey pots and tokens usually represent good value.
0 Alan Coo 9 Posted August 3, 2019 Blocking Windows executables from running in data directories and temporary locations (e.g. %APPDATA%). Trivial to implement and potentially stops lots of email-borne malware dead in its tracks. Anything legit which requires this (IIRC TeamViewer does?) can be whitelisted individually. 2
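One way to implement that control is an AppLocker path rule, rolled out in audit mode first so the "anything legit" cases show up as events before anything is actually blocked. The script below is an added example, not code from the thread or from Microsoft; it assumes a Windows edition with AppLocker, the AppLocker PowerShell module and an elevated session. The exception path for the whitelisted app is a placeholder (ExampleVendor), to be replaced with the real install location after checking it.

```powershell
# Added example (not from the thread): deny executables under any user's AppData
# with AppLocker, carve out exceptions, start in AuditOnly, and review the hits.

function New-AppDataDenyPolicyXml {
    # Builds an Exe rule collection: deny anything under the profile's AppData,
    # keep the usual allow rules (Program Files, Windows, administrators) and
    # carve out the supplied exception paths. AppLocker has no %APPDATA%
    # variable, so the profile path is spelled out with %OSDRIVE%.
    param(
        [string[]]$ExceptionPath = @(),
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'
    )
    $exceptions = ''
    if ($ExceptionPath.Count -gt 0) {
        $conds = ($ExceptionPath | ForEach-Object { "        <FilePathCondition Path=`"$_`"/>" }) -join "`n"
        $exceptions = "      <Exceptions>`n$conds`n      </Exceptions>"
    }
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
    <FilePathRule Id="$(New-Guid)" Name="Deny executables under user AppData" Description="Stops droppers that run from the profile" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*"/></Conditions>
$exceptions
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Get-AppLockerAuditHit {
    # Event 8003 in the EXE and DLL log = "would have been blocked" while in
    # AuditOnly; 8004 = actually blocked once enforced. Review these before
    # switching -Mode Enabled; every legit hit becomes an exception path.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$policyPath = Join-Path $env:TEMP 'appdata-deny.xml'
# 'ExampleVendor' is a placeholder for the one app that genuinely needs to run from AppData.
New-AppDataDenyPolicyXml -ExceptionPath '%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\*' |
    Set-Content -Path $policyPath -Encoding UTF8

# AppLocker only evaluates rules while the Application Identity service runs;
# sc.exe is used because Set-Service cannot change this protected service's start type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge   # keep any existing rule collections

# Dry-run the decision against a harmless copy of notepad placed in %APPDATA%.
$probe = Join-Path $env:APPDATA 'applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone
Remove-Item $probe

Get-AppLockerAuditHit | Format-Table -AutoSize
```

Deny rules win over allow rules in AppLocker, which is why the whitelisted app goes in as an exception to the deny rule rather than as a separate allow rule. The same pattern applies to the Script and Msi collections; in practice those need the same treatment, since a dropper that cannot run as an .exe will happily arrive as a script.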
0 Michael D 11 Posted August 5, 2019 Undervalued control? Using an OS patching product that is so easy and simple to use that no one gets behind month to month. People get fancy about this, especially when talking about expanding scope to cover some or all other software, and that's when admins start avoiding it, leave, and new ones never pick it up fully. Or solving the "patched OS" problem some other way (auto spin down and spin up new boxes at a regular cadence, for example). Honorable control mentions to app execution controls (+1 to Alan Coo!), asset/software inventories, and especially attack surface/exposure inventory. Threat modeling.

Undervalued tool? I'm a fan of all tools that are more surgical in nature than big fancy suites/products that all have built-in blindspots and lack of agility. ("You can do custom whatever using our proprietary markup/WYSIWYG" doesn't count; no one does that shit.) I'll go with nmap, but from an external source. Go home, nmap scan your entire enterprise IP address range. Know what's open and hanging out in the cyber wind. (Every year this gets a little less important as enterprises move to clouds, open ports consolidate down to web apps, and endpoints become the quicker way in.)

Bonus tool: It might not be undervalued around here, but having a percentage of your sysadmins/developers who have a security-centric mindset. A good sysadmin who wants to practice good security is worth several+ dedicated infosec people. Find those people who "get" security, and make them your best allies. They'll allow you to get things done that middle management usually hems and haws about.

Bonus: Overutilized? Most risk management practices. (Would make a good panel topic.) And today's spate of "we'll prioritize your vulnerabilities for you" products and services. IMO, if a company has this need to fill, no additional tool/process is going to really help them much. They probably just need to patch and track patching better.

Honestly, there's so many things.... 🙂 1
0 Arun Chauhan 1 Posted August 5, 2019 +1, asset and inventory management. It is surprising how late in your organization's security journey you realize that it should have been one of your early investments in security controls. Policies and procedures may not be the most undervalued security control, but could very well be the least invested-in security control. 1
0 Alan Coo 9 Posted August 5, 2019 On asset control, it's not just about knowing what you have. It's knowing who owns what you have. Any pillock can run an nmap scan. Going "well, who's responsible for that, then?" is what repeatedly bites us on the arse. Though we're a lot better now than we were. 1
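Michael D's external nmap scan and Alan Coo's "who owns that?" question are two halves of one job: the scan gives you the open ports, the owner table turns them into something you can act on. The script below is an added example, not code from the thread or from nmap; the nmap XML and the owner CSV are constructed samples (RFC 5737 addresses, made-up teams) so it runs offline. In practice, feed it the output of `nmap -oX scan.xml <your range>` and a CMDB export in the same two-column shape. PowerShell 5.1 or later, no extra modules.

```powershell
# Added example (not from the thread): parse an nmap XML report into open ports,
# then left-join each one onto an ownership table and flag what nobody owns.

# Constructed sample nmap output (the real thing comes from `nmap -oX`).
$SampleNmapXml = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml 203.0.113.0/28" start="1563000000">
  <host><status state="up"/><address addr="203.0.113.5" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="22"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="203.0.113.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="203.0.113.10" addrtype="ipv4"/></host>
</nmaprun>
'@

# Constructed sample owner table, as a CMDB export might look.
$SampleOwnersCsv = @'
Address,Owner,Service
203.0.113.5,Web Team,Public website
'@

function ConvertFrom-NmapXml {
    # Emits one object per open port on each host that was up.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    foreach ($h in $doc.nmaprun.host) {
        if ($h.status.state -ne 'up') { continue }
        $addr = ($h.address | Where-Object addrtype -eq 'ipv4').addr
        $name = $h.hostnames.hostname.name          # $null when <hostnames/> is empty
        $hn   = if ($name) { "$name" } else { '' }
        foreach ($port in $h.ports.port) {
            if ($port.state.state -ne 'open') { continue }
            [pscustomobject]@{
                Address  = $addr
                Hostname = $hn
                Protocol = $port.protocol
                Port     = [int]$port.portid
                Service  = $port.service.name
            }
        }
    }
}

function Join-AssetOwner {
    # Left-joins open ports onto the owner table; anything without an owner is
    # flagged so it can be chased, which is the point of the exercise.
    param(
        [Parameter(Mandatory)][object[]]$OpenPorts,
        [Parameter(Mandatory)][string]$OwnersCsv
    )
    $owners = @{}
    foreach ($row in ($OwnersCsv | ConvertFrom-Csv)) { $owners[$row.Address] = $row }
    foreach ($p in $OpenPorts) {
        $o     = $owners[$p.Address]
        $owner = if ($o) { $o.Owner } else { 'UNOWNED - find out who' }
        [pscustomobject]@{
            Address = $p.Address
            Port    = "$($p.Protocol)/$($p.Port)"
            Service = $p.Service
            Owner   = $owner
            Known   = [bool]$o
        }
    }
}

$open   = ConvertFrom-NmapXml -Xml $SampleNmapXml
$report = Join-AssetOwner -OpenPorts $open -OwnersCsv $SampleOwnersCsv
$report | Sort-Object Known, Address | Format-Table -AutoSize
```

In the constructed sample the second host has SMB and RDP open and no row in the owner table, so it sorts to the top as unowned; that is exactly the row that needs a name against it before anyone argues about whether the ports should be open. Re-running the scan on a schedule and diffing the report against the previous run turns this into a cheap exposure inventory, the control Michael D lists as especially undervalued.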
0 Jim Noons 1 Posted January 23, 2020 Unsexy but true; it's the security policy, stupid. Many orgs rely on inherited policies or, worse, just copy others found on the web. A fit-for-purpose and maintained policy defines what needs protecting. If you do not define that, you're pissing controls into the wind. 1