But First Coffee, I Mean The Basics...

Jun 2024

I finally decided to start searching for an answer, and the solution, to a question that began to grab my attention, more and more, over the past two or so years, as security continues to get more complex and humans continue to be the main source of error.

I asked the folks at the Red Team Journal a subset of this question, to see how they would approach it. They have always been my go-to for checking my assumptions; their way of thinking is what inspired me to write for the original Red Teams blog and continue here.

The question was:

If you were to list the top 5 fundamentals / baselines for security, the things you always would need to hit to begin to have a good solid ground under you to start working, what would those be?

Their answer was, in typical red teaming approach, so much more than what I expected, so I grabbed their answer, changed it a bit, leaving the core of the message, and created this guide.

It’s nothing new, but sometimes the basics are that: known truths that need to be relearned.

Of course it comes down to the culture.

The Basics

  1. Maintain good security hygiene and risk awareness (including senior management); make it a point to exercise and practice worst-case scenarios to support and update your guidelines.
  2. Hire and promote the best people, and provide them with the necessary resources. Security is a lot more than just checkboxes and tools. It’s about the guys on the ground.
  3. Nurture and practice good listening and communication up and down the hierarchy (both ways); establish trusted channels and practices. Good security begins by understanding what you need to protect. Build the relationship, force multiply security.
  4. Systematically uncover, track, and address upstream, conditional, and systemic risks. They might point to deeper unknowns. It’s what you don’t see that will get you. Make it a point to always check second-order risks as well.
  5. Build a superior and responsive intelligence capability, to include a red team perspective, threat and market intelligence, and good old networking with your peers. Remember, proper prior planning prevents piss poor performance.

I’m also leaving here the comments sent with the answer. It’s an additional truth:

“My sense is that you can waste a lot of energy if the first three aren't in place. A toxic culture with a lot of turnover is stony ground for even the best security seeds.”



Note: This is part of The Laws Of Security website.