
Infosec fundamentals - iafrikan
https://www.iafrikan.com/2018/05/09/information-security-fundamentals/
======
badrabbit
> Being PCI-DSS compliant does not in itself mean that your company will be
> secure and not suffer any breaches, but it does go a long way in ensuring
> that you have good security and have measures in place to prevent, detect
> and respond to any breaches that may occur.

You should comply but too many orgs just check boxes and leave it at that.

Beyond regulations there are a few good guidelines (NIST's special
publications for example).

Being aware of your data, its users, their relationship and being able to
perform proper risk analysis is the first step. Then you can prioritize using
your risk assessment and allocate budget and staff where needed.

A good corporate security policy, well crafted security procedures and well
reviewed guidelines are a must as well.

I equate compliance to learning and doing things to avoid shooting yourself in
the foot, as opposed to learning how to protect yourself against attackers who
are targeting specific assets and data.

Case in point: A Windows server has been compromised, it hosts your credential
db, what do you do?

What is the risk posed by the compromise? What impact will it have on the
business? What is your incident response procedure? What guidelines are in
place to aid in responding against specific threats?

Would you respond the same way if it was an APT as you would if it was an
untargeted cryptominer infection?

Compliance helps and it should be done but your security shouldn't start
there, compliance should be one of your many goals as part of achieving a
healthy security posture.

One should not underestimate the importance of agility -- Compliance is coarse
and does not easily adapt to changing threats and vulnerabilities.

Something basic like how fast patches are applied can pass compliance but
leave you with an Equifax-like breach (they had a months-old vulnerability
that caused the breach).

------
cypherg
smh...this is terrible security 'advice'. tl;dr security via compliance is
better than nothing; do 'the basics'.

