I was eating dinner in Washington, D.C. with former national cybersecurity czar Richard Clarke, now chairman and CEO of Good Harbor Security Risk Management, when he explained that good perimeter security isn't enough to protect your network. "The bad guys," Clarke explained, "are already inside your network."
Continue Reading Below
Clarke's point was that cyberattackers, especially state-sponsored actors, have the ability to penetrate most perimeter security protection, at least to some degree. This is not to suggest that perimeter security is unnecessary. That's an important aspect to shore up, as I pointed out in last week's column. Although it's critical, it's not sufficient. You need layers of security so that, when the bad guys break through the perimeter, they still can't do anything to hurt you.
Layered security is something that you've probably heard about before, but for many in IT, it's still a mystery. How do you create layers of security? How do you decide how many layers you need? What should the layers protect? Can there be too many layers?
The answer will depend on your network, the nature of your business, and your level of risk. But it's important to remember that your level of risk may be affected by your business partners. So, if you're a supplier or contractor, for example, then your level of risk will be the same as theirs because those bad guys will try to use you as a pathway to your business partners.
Layers are based on the data you need to protect. This means that you need to make sure your data is preserved, and you also need to make sure it can't be taken from you. And, of course, you need to make sure your network is protected from harm so that your business isn't affected.
Preserving Your Data
Data preservation is the first critical layer. This requires you make sure that a copy of your important data is in secure storage where it's inaccessible to hackers or others, including disgruntled employees. For most companies, such backups should exist in the data center where you can get to them easily when needed, and also in the cloud where tampering is much more difficult. There are a number of public cloud services that will handle backups, including Amazon Web Services (AWS), Google Cloud, and IBM Cloud, as well as dedicated backup services such as Carbonite, which recently acquired its competitor Mozy.
Those backups can then be backed up to geographically diverse locations, which helps ensure they won't be compromised in a single disaster. Usually the entire backup process can be automated so, once it's all set up, the only thing you need to do is confirm the integrity of your backups as needed.
Then there's data protection, which means it has to be inaccessible and unusable if someone finds it. To make your data inaccessible, you need to segment your network so that gaining access to one part of the network doesn't mean you can reach everything. For example, had Target segmented its network when it was breached through its HVAC system in 2013, then the hackers couldn't have accessed other data.
Network segmentation requires routers that deny access by default and only allow network connections from specific network nodes, which the routers filter by using their Media Access Control (MAC) or IP addresses. Internal firewalls can also perform this function and may be more flexible in complex applications.
Overlooking Encryption Is a Big Mistake
In addition to segmentation, your data must also be encrypted, both while it's being transferred across the network and while it's being stored. Encryption is easy to accomplish because it's performed by default in wireless and cloud access software, and all modern operating systems (OSes) provide encryption as a standard service. Yet, failure to encrypt critical data is perhaps the single greatest cause of data loss in recent breaches.
The reasons such data is not encrypted, despite legal requirements in many cases to do so, can be summarized in four words: laziness, incompetence, ignorance, and stupidity. There simply is no excuse for failing to encrypt your data.
Finally, there's network protection. Along with protecting your data, you also need to ensure your network isn't used as a platform to launch attacks, and you need to ensure your network devices aren't used against you. This is especially an issue with networks that include machine controllers in your warehouse or factory, and it's an issue with your Internet of Things (IoT) devices.
This is a major issue because so many network devices have little or no security of their own. Therefore, it's fairly easy to use them as a platform to launch a denial-of-service attack (DoS attack) or to siphon off their data as a way to perform surveillance on your company's operations. They can also be used as a base of operations against your network. Since you can't eliminate these devices, the best you can do is put them on their own network, protect them as much as possible, and then don't let them connect directly to your internal network.
Here we've discussed several layers and, in some cases, your network may require more. But it's important to remember that each layer requires management, and that the protection needed for each layer has to exist on a network with other security layers. This means it's critical that you have the staff to manage each layer, and that the security in each layer doesn't adversely affect the security in another.
It's also important to avoid the solution of the day, meaning one-off security to fight a specific threat. It's easy to get sucked into a sort of security whack-a-mole and end up with an unmanageable mess. Instead, pick a broad-based approach in which the threat of the day won't require yet another layer.