The 10 (or so) commandments of enterprise security

  • Small flaws in your systems can create big security risks.

  • Humans are prone to mistakes; automate processes whenever possible.

  • Prevention is by far the preferred security solution.

By Brian Rexroad

I recently was asked if there are any guiding principles for creating an effective security program—the 10 (or so) commandments of security, so to speak. While I’m not aware of an official list, I jotted down a few thoughts and solicited input from colleagues. This is the list we came up with:

  1. Security leadership must start at the top. The leaders of an organization must be well-acquainted with security objectives and communicate them to the rest of the company.
  2. Put motivation for security in the right place. Folks that are responsible for security must also be in a position to make decisions on and obtain funding for security. Put another way, those that have authority for systems should also be responsible for the security of those systems.
  3. Security must be in layers. Inevitably, every layer will have flaws, and it is only a matter of time before an advanced attacker gets through one or more. The layers are in place to buy time so an attack can be detected and eradicated before damage is done.
  4. Analysis of activity is necessary to stop attacks. The objective is to spot threats and eradicate them before they inflict significant damage. You must monitor and analyze network activity, system activity, and application activity to learn what “normal” looks like before an attack. You don’t want to be attempting to learn how to analyze and determine what is abnormal while also trying to respond to an incident.
  5. Pay attention to details. Small flaws in a system can result in big security holes.
  6. Minimize the distance (and resistance) between knowledge and action. For example, threat intelligence needs to be readily accessible to those who can act on the information.
  7. Learn from attacks. Use that knowledge to implement protection measures that detect, inhibit, and/or prevent future attacks. Prevention is the preferred solution by far.
  8. Life-cycle support is a necessity. Over time, new flaws will be found in your systems, operating systems, application software, and applications. These flaws must be corrected to keep your IT environment secure. New security issues also will be introduced as applications evolve in functionality, users, and infrastructure. Review and correct these issues as applications change. Find and get rid of old systems.  
  9. Everyone has a role in security. Education and awareness are essential to assure everyone recognizes their role, can identify indicators of problems, and knows how to respond to suspicious events.
  10. Strive for simplicity. Complex architectures and solutions are difficult to assess for security. However, any architecture that is accurate is better than no architecture.
  11. Automation is your friend. Human/manual activities will invariably be inconsistent, and there will be mistakes. Conversely, flawed machines generally must be corrected only once. Get humans out of the loop where possible.
  12. Use encryption. And keep in mind that robust key or certificate management is the hard part. For example, there have been many instances where SSL implementations fail to validate the server certificate, which can allow man-in-the-middle attacks.
  13. Avoid depending on passwords. Don’t rely on passwords for authentication if possible. Passwords are frequently stolen through phishing or malware key loggers. Use two-factor authentication or public key exchange to help minimize threats that steal passwords.

Again, this is what we came up with. What do you think? Do any of these commandments raise questions for you? Did we miss something important? Leave your suggestions in the comments section below.

You can also learn how AT&T Network Security solutions can help guard your company against cyber threats.



Brian Rexroad Executive Director of Threat Analytics AT&T About Brian