Security 101: Fundamentals Never Go Out of Style

October 18, 2018 by Mark Murphy, Practice Director for Security Services

The world of information security can be a scary place if you believe what you see in the news. Daily headlines brim with fear, uncertainty, and doubt: daily breach reports! Malware! Spyware! Trojans! The NSA and China!

How can you possibly be smart enough, fast enough or prepared enough to stand a chance against your digital adversaries?

Here’s our secret: you don’t have to be that smart or fast – but you do have to be prepared.

Security 101

The answer lies in a regimented and diligent security program: one built on the principles of Layering, Diversity, Limiting, Obscurity, and Simplicity that make up the fundamentals of security.

A security framework that follows these principles can protect you against a surprisingly wide variety of attacks: social engineering, backdoors, DDoS attacks, and phishing expeditions can all be turned back with a vigorous defense based on the fundamentals we explain in detail below.

  • Layering. “Defense in Depth” operates on the premise that a single layer of defense is just as effective as none at all. The most secure assets must be protected by multiple layers of security. Like bulletproof Kevlar body armor, more layers offer more protection – halting most attacks before they break through.

  • Diversity. Unlike Kevlar, each of your layers of security should be different. You should deploy a variety of security systems, protocols, and controls, all working in concert to protect an asset from multiple attack angles. Think of a medieval castle with a moat, giant stone walls, a drawbridge, scores of archers and an inner keep. “Have fun storming the castle!” you might call out, throwing in insults about their fathers smelling of elderberries for good measure.

  • Limiting. Users should not have more access than necessary. Operate on the “Principle of Least Privilege”: give users, groups, processes, and programs only the specific access they need to do their job and nothing more. Keeping access minimal will also allow for a better baseline view of access, which will help you spot privilege escalation.

  • Obscurity. This principle is often misunderstood; when used alone, it provides no real level of security. However, when it's part of a security program, it becomes extremely valuable: a system with hidden vulnerabilities can be very difficult to penetrate. The principle of obscurity is probably best realized in passwords, codenames, key generation, and cryptographic salts. Just remember that it’s only necessary – but never sufficient on its own.

  • Simplicity. If your layers of security are too complicated or intrusive, they will be either misunderstood or circumvented by your users. This means all of your hard work, effort, and funds have been wasted on a system nobody uses. User-friendly security systems and protocols are necessary to support business, not hinder it.
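
The Limiting principle says a minimal access baseline helps you spot privilege escalation. The sketch below is an added example, not part of the original article: it compares each principal's current grants with a per-role baseline and with the previous snapshot, so newly acquired excess access is separated from long-standing over-privilege. All role, user, and permission names are constructed for illustration.

```python
# Constructed sample data: role baselines and two access snapshots (hypothetical names).
ROLE_BASELINE = {
    "helpdesk": {"ticket:read", "ticket:write", "user:reset_password"},
    "dba": {"db:read", "db:write", "db:backup"},
}
ROLE_OF = {"alice": "helpdesk", "bob": "dba", "svc-report": "dba"}

SNAPSHOT_PREVIOUS = {
    "alice": {"ticket:read", "ticket:write", "user:reset_password"},
    "bob": {"db:read", "db:write", "db:backup", "ticket:read"},
    "svc-report": {"db:read"},
}
SNAPSHOT_CURRENT = {
    "alice": {"ticket:read", "ticket:write", "user:reset_password", "db:write"},
    "bob": {"db:read", "db:write", "db:backup", "ticket:read"},
    "svc-report": {"db:read", "db:backup"},  # new grant, but inside the dba baseline
    "mallory": {"db:read"},                  # has access, no role assignment
}

def review_access(baseline, role_of, previous, current):
    """Compare current grants with the role baseline and the previous snapshot.

    Returns a sorted list of (principal, finding, permissions) tuples:
      escalation - granted since the last snapshot and outside the role baseline
      standing   - outside the baseline, but already present last time
      unknown    - principal holds grants but has no role assignment
    """
    findings = []
    for principal, grants in current.items():
        role = role_of.get(principal)
        if role is None:
            findings.append((principal, "unknown", sorted(grants)))
            continue
        excess = grants - baseline.get(role, set())
        new_excess = excess - previous.get(principal, set())
        old_excess = excess - new_excess
        if new_excess:
            findings.append((principal, "escalation", sorted(new_excess)))
        if old_excess:
            findings.append((principal, "standing", sorted(old_excess)))
    return sorted(findings)

if __name__ == "__main__":
    for principal, finding, perms in review_access(
            ROLE_BASELINE, ROLE_OF, SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT):
        print(f"{finding:<10} {principal:<12} {', '.join(perms)}")
```

The tighter the role baseline, the shorter this report is, which is what makes a single new "escalation" line stand out.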

Security Fundamentals Never Die

These fundamental ideas may seem very simple – maybe too simple. After all, in my experience, only a few companies do them, and an even smaller number of companies do them well.

A great way to start understanding your security posture is to run your security systems, protocols and controls through the SANS 20 Critical Controls Checklist and see where you’re covered, where you’re lacking and where you can score some quick wins.

To get started, call 866-446-1133 or visit www.allcovered.com to learn more about the SANS 20 Critical Security Controls, along with other cybersecurity services that can further harden your systems against attack.