In a post from 2015, I wrote about some of the “Security 101” issues I considered to be fundamental.
Since 2015, I've been exposed to several environments where I have seen the same basic security fails. In addition to my previous Security 101 items (2FA, avoiding password reuse, using a password manager, being mindful of what gets posted on social media, and inspecting email links), I would like to add the following new items to my “Security 101”:
Create and maintain an asset inventory of your network
This is the number one basic security fail I've encountered in nearly every environment I've worked in. Often, sys admins will say, “We do have an inventory: Microsoft AD!” To which I reply, “How do you track your infrastructure devices, IoT devices, BYOD devices, and any assets running an OS without AD integration?”
I don't care what tool is used to obtain an asset inventory, but one should be created and maintained so the security team knows what devices need securing!
If you're reading this and you don't have the authority to set direction, I would encourage you to do whatever is in your power to build some form of asset list.
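A concrete way to surface the gap described above is to reconcile what the directory knows about against what the network actually sees. The following is an added example, not code from the original post: it assumes two CSV inputs, an export of AD computer objects (a `name` column) and a DHCP lease table (`ip`, `mac`, `hostname`), both constructed inline here, and reports every lease that no AD computer object accounts for. Names are normalized (lowercased, DNS suffix stripped) so a directory entry of `SRV-FILE-01` matches a lease for `srv-file-01.corp.example`.

```python
"""Reconcile an AD computer export against DHCP leases to find unmanaged hosts.

Added example, not part of the original post. Input formats (CSV with a
header row) and the sample data below are assumptions/constructed data.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Constructed sample: an export of AD computer objects (one column, "name").
AD_COMPUTERS_CSV = """name
WS-FINANCE-01
ws-finance-02.corp.example
SRV-FILE-01
"""

# Constructed sample: a DHCP lease table; the hostname column may be empty.
DHCP_LEASES_CSV = """ip,mac,hostname
10.0.1.10,00:11:22:33:44:01,ws-finance-01
10.0.1.11,00:11:22:33:44:02,WS-FINANCE-02
10.0.1.50,00:11:22:33:44:50,SRV-FILE-01.corp.example
10.0.1.200,00:11:22:33:44:c8,android-3f9a2
10.0.1.77,a4:c3:f0:00:00:77,
10.0.1.120,b8:27:eb:00:00:20,raspberrypi
"""


def normalize_hostname(name: str) -> str:
    """Lowercase and strip any DNS suffix so 'HOST.corp.example' and 'host' match."""
    return name.strip().lower().split(".")[0]


def parse_ad_hostnames(text: str) -> Set[str]:
    """Return the set of normalized computer names from an AD export."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalize_hostname(row["name"]) for row in reader if row["name"].strip()}


def parse_dhcp_leases(text: str) -> List[Dict[str, str]]:
    """Return DHCP leases as a list of {ip, mac, hostname} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unmanaged(ad_names: Set[str], leases: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return leases not backed by an AD computer object, sorted by IP.

    A lease with no hostname at all is also reported: something is on the
    network, and nothing in the directory accounts for it.
    """
    unmanaged = []
    for lease in leases:
        host = normalize_hostname(lease.get("hostname") or "")
        if host == "":
            unmanaged.append({**lease, "reason": "no hostname"})
        elif host not in ad_names:
            unmanaged.append({**lease, "reason": "not in AD"})
    return sorted(unmanaged, key=lambda l: ipaddress.ip_address(l["ip"]))


if __name__ == "__main__":
    ad = parse_ad_hostnames(AD_COMPUTERS_CSV)
    for entry in find_unmanaged(ad, parse_dhcp_leases(DHCP_LEASES_CSV)):
        print(f"{entry['ip']:<12} {entry['mac']}  {entry['hostname'] or '-':<16} {entry['reason']}")
```

In practice the DHCP side would be replaced or supplemented by whatever the network can tell you (switch MAC tables, ARP caches, a scan), and the list of unexplained leases becomes the starting point for the asset inventory rather than the inventory itself; the point is that every row AD cannot explain is a device the security team currently does not know it needs to secure.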
Security Education Awareness
Training your users has never been easier. With the proliferation of high-profile security breaches in the news since my original post in 2015, users are more aware of security hygiene than ever before. Some users may be confused about which security best practices they should follow, and most users are probably unaware of what is technically protecting them versus what puts them at risk, but I have found that users are more receptive to being trained than ever before.
Making the security training relevant to users by including best practices they can apply in their personal lives, as well as their professional lives, will help drive the message home.