Call it layered security or defence in depth, but just make sure that you use it. While the concept is as old as IT security thinking itself, that doesn’t make applying layers of security any the less relevant today. Choosing the correct layers, of course, is paramount. Think of defence in depth as being a risk mitigation construct applying multiple layers of control across the length and breadth of your IT environment and you will be pretty much on the money.
Doing this will not guarantee attack prevention, but it will slow down the bad guys and help protect your organisation against the inevitability of those attacks. Done properly, a layered approach to security will buy you time; the time you need to respond effectively to any attack and mitigate a potential breach. In other words, it makes you harder to hack.
Here are seven ways to do this and make your company hard to hack:
1. Network visibility
If you’re pro-actively monitoring and maintaining their clients’ servers and workstations, then you’ll know that an integral part of this is event log management, alerting and detective controls. Think of this as providing network visibility in a way that helps you fight off the bad guys by spotting them almost before they get started. Network visibility enables you to “scan all the things, count all the things, spot the anomalies, and apply policy accordingly.” Of these, perhaps the most important factor is implementing proper event log management in order to turn boring data into patterns that can alert you to a breach before it has a chance to succeed. Security event monitoring of this kind can actually be very cost effective in providing meaningful analysis that leads to pro-active protection of infrastructure and the data within it.
If you want a degree of network visibility for free, then tools such as Alien Vault’s ThreatFinder is powered by the Open Threat Exchange (OTX) and will check for compromised systems and malicious communication by correlating log file data against the live OTX database. Knowing what’s connected to your network is also part of the visibility layer, and TripWire offer a free tool called SecureScan that will scan up to 100 IPs on your internal network and reveal lost or hidden devices. Remember, the more Internet-facing devices there are on your network, the greater the opportunity for compromise.
2. Web protection
Web protection is another essential layer of security, providing a window into controlling, monitoring and enforcing client web policies through a single front end. In fact, web protection is best thought of as being a policy-driven approach to security. Multiple devices can then point to a central policy that can be edited and scaled to suit a range of such devices rather than having device-level settings across the board as it were. Doing this enables you to apply website filtering by time or content, bandwidth checking to prevent network throttling, and ultimately help protect the business against legal liability.
3. Patch management
You can scan for attack patterns and apply all the policies you want, but with new vulnerabilities being exposed seemingly on a daily basis you will be hard-pressed to keep up with them all. Although patch management isn’t a silver bullet and will not prevent zero day exploits or, indeed, unpatched vulnerabilities from hitting home, it will help you keep up with the bad guys. Rule of thumb is to subscribe to vendor notifications, keep an eye on security news sites, and patch as soon as it’s safe to do so. That’s where patch management enters the equation, as you need to not only know a patch is available but also that it’s stable. Throwing an unstable patch at your live working environment without testing could do more damage to the business bottom line than the exploit it’s trying to prevent.
4. Cover communication channels
Email protection is vital because just as email is baked into the DNA of your business, it’s also baked into the DNA of the bad guys (check out this blog for more insight). Just look at how email is used as a distribution channel for spreading malware and even a direct launchpad for some malicious applications, not to mention social engineering through phishing attacks. The same is increasingly applying to social media channels such as Facebook and Twitter which, you could argue, are as much business communication tools as they are social ones these days. Look for a system that can apply blacklisting of known malicious senders, and anti-spam/anti-malware applications that can greylist email based upon contextual analysis.
When it comes to social media, the mantra to repeat is not to link accounts. By which I mean truly social and truly business profiles should be kept truly separate to help prevent ease of cross-infection should an attacker be successful in compromising one. Quickly follow this mantra with a ‘educate your employees’ one, because security-aware staff should be thought of as another layer in the security onion. See my “blame the messenger” blog for further advice.
5. Encrypt that which needs encrypting
The problem with data encryption is that it is almost always seen as being a step too far in the security faff stakes; far too complex, far too expensive, far too much. The truth is that if you identify the data that’s most valuable to your organisation and then focus on encrypting that, it doesn’t have to be any of these things other than secure. That’s secure if the worst does happen and the hackers breach your hardened attack surface. Encrypted data, which is encrypted strongly enough, will be beyond the abilities of most hackers outside of the Government Secret Squirrel types, and most likely them as well. Tablets and smartphones have firmware encryption built into the OS these days, so use it and they become useless to thieves.
Make sure your website is Hyper Text Transfer Protocol Secure (HTTPS) protected so the information transferred between it and client browsers is encrypted. Make sure to use HTTPS Everywhere, a collaboration between the Tor Project and the Electronic Frontier Foundation, so your web browser rewrites requests from unencrypted HTTP sites to secure HTTPS ones. And finally, checkout VeraCrypt, which has become the open source encryption container product of choice these days, following the demise in support terms of TrueCrypt from which it forked. It’s easy to use, it works and it’s free; use this to secure your USB memory sticks.
6. Become a data Dalek: authenticate, authenticate, authenticate…
Authentication, has anyone mentioned the authentication layer yet? Well they have now, and by this I specifically mean the use of password managers and multifactor authentication. Strong passwords are a no-brainer, or at least they should be, The problem being that any password that is lengthy, complex and random enough to be defined as strong, is impossible to remember unless they call you Rain Man. Throw multiple secure passwords into the equation and even Rain Man would struggle; whereas password managers do not.
LastPass Enterprise is a business-grade example, it’s not free but with prices starting from (US) $18 a head it’s as close as. This can allow you to manage a password policy from the cloud and generate truly secure passwords at the touch of a button. Even that, though, is not enough. You need to throw multifactor authentication into the mix. As it happens, you can add two factor authentication (2FA) to LastPass in the form of a physical token or smartphone app generated code. Whatever, the added security layer that is 2FA should be a baseline for any mature authentication policy these days as it adds something you have to something you know for a double whammy of hacker protection.
7. Secure erasure
No, not a geeky nineties pop duo tribute band, but rather the not so small matter of secure file deletion. It’s the last item on our list of suggested layers, and it’s often the last thing on the mind of otherwise security-savvy folk. After all, if you’re removing something from the data equation it’s no longer a security problem, right? Wrong! If you have not securely erased the file in question then it remains a potential security threat should the device it is on get into the wrong hands. Hitting delete doesn’t delete data securely, and nor does formatting a drive for that matter. It is forensically possible to retrieve data really very easily and quickly, and importantly very cheaply now if someone wants to.
Your mission is to make that as hard as possible so that the investment in time becomes more than the likely profit in data restored would amount to. So at the very least encrypt your data then use secure deletion tools on individual files and folders, such as Eraser, which employs the Guttmann algorithm to overwrite drive space with a series of 35 random patterns. That’s a free tool and towards the bottom of the paranoia-delete scale, but coupled with encryption is a good way to go.
Employ the costly services of hard drive shredders to chop your legacy drives into little bits of metal to do the job properly.