I have been lucky enough to spend most of my cybersecurity career doing startup operations for large companies: standing up new security functions inside established enterprises. I thrive on the energy and passion that teams bring when they are given the opportunity and support to design and implement security protections for their company.
One of the questions I am asked most often is why I focus some of my first efforts on locking down end user systems before locking down the servers and databases. It is a great question and one that can spark many hours of debate. Please don’t send me a lot of comments telling me that databases and servers are where the information is; of course I know that.
For me (and remember that my work has been mostly in very large global enterprises with a mix of blue collar and professional staff) it is a matter of evaluating risk. In large companies it is often hard to know where all the servers are and who owns them, but it is a pretty safe bet that the person running a server is a techie who has been running and protecting these types of systems for a number of years, and therefore knows far more about how to protect a system, and how not to fall for a bad actor’s attack, than most end users.

So I need to weigh whether 50,000 or 100,000 attack vectors (i.e. end user systems), all with email accounts, usually with admin access to their own machines, and with users eager to open attachments and PDFs, pose more of a risk than 4,000 to 5,000 attack vectors (i.e. servers) that typically don’t browse the web or receive email. My choice in the first 12 to 18 months is to say that the end user systems pose more overall risk than the servers, which leads to aggressively putting in controls and protections for those systems first.

Please don’t take this out of context: of course in parallel I drive initiatives to patch server vulnerabilities, get servers logging into a security alerting system, set up a SOC, and so on. But given choices with limited resources and time, I choose to deploy endpoint encryption, good AV and HIPS, removal of admin rights, software such as Tanium, two-factor authentication for email, etc. on the end user systems first.