The last article discussed the ways to recognize cyberattacks. This article will discuss the layers of security to consider in order to ensure the strongest possible defense against cyberattacks.
Picture a castle near the sea where enemies may invade from offshore. The castle is on the highest ground available, with sheer cliffs to slow the enemy. Should these cliffs be scaled, it behooves the castle to be protected by a body of water, or a moat, wide and deep, with the only access to the castle over a drawbridge, raised and lowered from inside the thick outer walls. Yet, if the enemy were strong enough to breach the moat and the high walls, archers and other artillery would greet them in a less than hospitable manner! Such is the approach of modern cybersecurity methodology: we must consider the ways that breaches can occur and provide mitigation at each layer.
Consider the people who use the systems daily. People are considered the weakest link when it comes to cybersecurity. Over 80% of reported cyber breaches resulted from employee actions. Employees should be educated periodically on the current tactics used by hackers, on how to use social media safely, and on how to work securely while away from the office.
The perimeter is the first point of entry to our systems. At this layer, defense means limiting who has physical access to the assets. To protect critical assets, typically servers, firewalls, and other network equipment, we place them in secure, conditioned environments: air-conditioned, clean, and behind locked doors, so that physical access to them can be controlled.
Endpoint Protection guards against malicious executables, which can steal, encrypt, or destroy data across a network. The protection comes in many forms, including: encrypting local data, automatically backing up local data, controlling which applications may be installed and executed, deploying patches to operating systems and applications, and scanning for malware. It is installed on servers, desktops, laptops, and other mobile devices. Employees with laptops and phones wander the globe. Not only do these devices often store sensitive files, but, if compromised, they could provide a foothold for infiltrating an entire network.
Networks are the next layer. The network layer secures connectivity between devices, closing backdoors, encrypting communications over the network, and monitoring for anomalies in the traffic. This protection is provided by VPNs (virtual private networks) and firewalls, but can also include IPS (intrusion prevention systems) and IDS (intrusion detection systems). Other protection could include Next-Generation Firewalls and Unified Threat Management (UTM); both combine firewall features with IPS/IDS.
Application layer protection is built into the application software itself, controlling which users can access which parts of the application. This should include testing of the application layer to ensure that holes have not been created that would allow a malicious hacker access to the system through the software. The remedy for such holes is patching to close the vulnerabilities.
The data security layer ensures that only the right people have access to the right data, at all times. Use is monitored, and any abuse is flagged in log files. This is accomplished by any, or all, of the following:
- Prevention – allows only authorized users to access the data they are entitled to
- Detection – flags abusers (intentional or otherwise) before a breach occurs
- Identity and Access Management (IAM) – determines who has access to what on the network
- SSO (Single sign-on) and Federated ID (FID) – allows users to access multiple applications with only one set of credentials; FID uses an identity provider to authenticate the user
- MFA (Multi-Factor Authentication) – prevents someone from using stolen credentials by requiring a second method of verifying the user
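The prevention and detection controls just listed, as an added example that is not part of the original article: an allow-list authorization check (prevention), an audit log of every attempt, and a detector that flags a user whose denied requests exceed a threshold within a time window (detection). The roles, users, data classes and events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the article's code. Roles, users and events are constructed.
# Prevention: an allow-list of which role may read which data class (least privilege).
ROLE_PERMISSIONS = {
    "clinician": {"emr"},
    "billing": {"invoices"},
    "admin": {"emr", "invoices", "audit"},
}

def authorize(role: str, data_class: str) -> bool:
    """Return True only if the role is explicitly allowed the data class."""
    return data_class in ROLE_PERMISSIONS.get(role, set())

def access(audit_log: list, user: str, role: str, data_class: str, when: datetime) -> bool:
    """Enforce the policy and record every attempt, allowed or denied, in the audit log."""
    allowed = authorize(role, data_class)
    audit_log.append({"time": when, "user": user, "data": data_class,
                      "result": "allow" if allowed else "deny"})
    return allowed

def flag_abusers(audit_log: list, max_denials: int = 3,
                 window: timedelta = timedelta(minutes=5)) -> set:
    """Detection: flag users with more than max_denials denials inside any window."""
    denials = defaultdict(list)
    for event in audit_log:
        if event["result"] == "deny":
            denials[event["user"]].append(event["time"])
    flagged = set()
    for user, times in denials.items():
        times.sort()
        for i, start in enumerate(times):
            # denials that fall inside the window opening at `start`
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window > max_denials:
                flagged.add(user)
                break
    return flagged

def demo() -> set:
    """Replay a constructed sequence of access attempts; return the flagged users."""
    log, t0 = [], datetime(2024, 1, 1, 9, 0)
    access(log, "alice", "clinician", "emr", t0)                  # allowed
    access(log, "bob", "billing", "invoices", t0)                 # allowed
    for minute in range(4):                                       # 4 denials in 3 minutes
        access(log, "bob", "billing", "emr", t0 + timedelta(minutes=minute))
    access(log, "carol", "billing", "emr", t0 + timedelta(hours=2))  # one denial only
    return flag_abusers(log)
```

A single denial (carol) is normal use and is only logged; a burst of denials (bob) is the pattern worth raising to the people who own the data.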
The last layer is Mission Critical Assets. These are the primary target of any cyber-attack. Every company should identify the essential organizational resources required for normal operations. A few examples follow:
- Healthcare – electronic medical records (EMR)
- Engineering – CAD Drawings; Project files; Database of standards, methods
- Manufacturing – OS for computer-aided manufacturing equipment
- Financial Services – customer financial records
- Cloud and IT Services (Managed Service Provider, MSP) – core network and database environment
Using the above information, one can begin to understand the allowable duration of downtime (RTO, recovery time objective) and how much data must be recoverable (RPO, recovery point objective). This aids in determining what is an inconvenient versus a critical disruption to the business, and how to plan each layer of security.