The security onion - A single entity with many layers.
Effective security requires protective measures that cover every part of the network, not just its perimeter. The technical components are separate items, and the organization itself spans several parts of the security process, but together they form a whole, like the layers of an onion. Both technical and human components can be at risk, and a weakness in one layer exposes the layers beneath it. Only policies and procedures that apply across the whole organization can safeguard the entire system.
The corporate layer
The ability to build and maintain effective security begins with the business setting. According to the Forrester study, industry experts cited as an ongoing problem the gap between what the business expects and what IT can deliver. The business wants speed, but steadily increasing technical complexity means that security activities take more time than they used to. All parties should agree on realistic goals and expectations, aware that effective security comes at a price.
Implementing good security practices costs time and money and can alienate employees who feel that their jobs are being made harder unnecessarily. In addition, auditing procedures use valuable server resources and employee time. Policymakers should unflinchingly balance these and other downsides against the potential costs of losing data and IT assets and dramatically disrupting business.
Policy and human error layers
A policy document tailored to the organization is imperative, and it will necessarily be long and detailed. It should be reviewed quarterly and updated to reflect changes within the network.
The document should define technical matters such as how operating systems and data are to be secured, how systems and files are to be configured, the firewall rules in force, how and when updates are applied, and which scheduled jobs run and when.
An essential purpose of establishing policies is to explain security procedures. One of the greatest security threats is human error, usually because employees do not fully understand the harm that apparently innocent actions can cause. They respond to tempting and seemingly harmless emails, disclose information unwisely and impulsively, and are careless with passwords.
Reducing human error begins with a well-planned training program that teaches everyone the details of the security policy, as well as the consequences of failing to follow it. Training should be ongoing, as should audits that check day-to-day activity against the policy. Moreover, access to critical data should be restricted to the users who actually need it, and those users should understand the reasons for the restrictions.
- Vulnerabilities are flaws in systems, software, configuration or procedure through which an attack can penetrate a network.
- Threats are people or automated agents that probe networks in search of vulnerabilities.
- Attacks are threats put into action against a vulnerability.
- Breaches are attacks that succeed in getting through network defenses to capture, damage or paralyze critical data. Breaches range from trivial social-media mischief to international sabotage.
The target layer
Essential infrastructure components are not immune to threats. Manufacturers of servers, hubs, routers, switches and similar equipment have often focused more on performance than on security, and IT can overlook the need to update firmware to close known vulnerabilities. Infrastructure should always be included in security planning and in periodic testing and simulation exercises.
Endpoint devices connected to the network present significant security risks. Smartphones, tablets, laptops and USB drives can introduce malware as soon as they are connected, so their network access must be controlled. Endpoint security products are widely available, but unless every device that touches the network is covered, the risk remains.
Software weaknesses invite intrusion. Attackers know which outdated packages and plugins have easily exploited flaws. Installing a newer version does not eliminate a vulnerability if the older version is left on the system, where it can still be run or reached. And if a company runs the same operating system on some or all of its computers, an attack that works on one machine can be repeated on the others.
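The point about leftover versions is easy to check mechanically: inventory every installed copy of each package and flag any copy that is not the newest. The script below is an added illustration for this post, not code from the article or from the Forrester study. The inventory format (one record per installed copy, with name, version and path) and the sample records are constructed assumptions; a real run would feed in output from a package manager or asset agent.

```python
"""Flag stale software versions left installed alongside newer ones.

Added illustration for this post, not code from the article or the Forrester
study. The inventory format is an assumption: one record per installed copy,
as a package manager or asset-inventory agent might report it.
"""
import re
from collections import defaultdict

# Constructed sample inventory: (package name, version string, install path).
SAMPLE_INVENTORY = [
    ("openssl", "1.0.2u", "/usr/local/ssl-old/bin/openssl"),
    ("openssl", "3.0.13", "/usr/bin/openssl"),
    ("java-runtime", "8u202", "/opt/jre8"),
    ("java-runtime", "17.0.10", "/opt/jdk17"),
    ("wordpress-plugin-gallery", "2.1.0", "/var/www/wp-content/plugins/gallery"),
    ("nginx", "1.24.0", "/usr/sbin/nginx"),
]


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that sorts correctly.

    Numeric runs compare as integers, so "1.10" sorts after "1.9"; letter runs
    (the "u" in "1.0.2u" or "8u202") are kept as lower-case strings.  Each
    element is tagged so integers never get compared with strings.  This is a
    simple approximation, not a full semantic-version parser.
    """
    key = []
    for part in re.findall(r"\d+|[a-zA-Z]+", version):
        if part.isdigit():
            key.append((1, int(part)))
        else:
            key.append((0, part.lower()))
    return tuple(key)


def find_stale_versions(inventory):
    """Return {package: [(older_version, path), ...]} for every package with
    more than one installed copy.  The newest copy of each package is omitted;
    everything listed is a candidate for removal."""
    by_name = defaultdict(list)
    for name, version, path in inventory:
        by_name[name].append((version, path))
    stale = {}
    for name, copies in by_name.items():
        if len(copies) < 2:
            continue
        copies.sort(key=lambda copy: version_key(copy[0]))
        stale[name] = copies[:-1]  # all but the newest
    return stale


def report(inventory):
    """Human-readable findings, one line per stale copy, sorted by package."""
    lines = []
    for name, old_copies in sorted(find_stale_versions(inventory).items()):
        for version, path in old_copies:
            lines.append(f"STALE {name} {version} at {path}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

Run against the constructed inventory it reports the old OpenSSL build and the Java 8 runtime and stays quiet about packages with a single copy. The version parser is deliberately small; for packages with vendor-specific version schemes, swap in the package manager's own comparison.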
The hacker layer
Insiders have, or have had, authorized access to the network. They may be current or former employees with a grudge, a desire to steal company assets, a political motive, or a wish to advance their own position. These people can inflict serious damage, so companies should revoke access promptly when employment ends, watch for irregularities, and keep logs and records that allow wrongdoing to be identified and assessed.
Outsiders have no authorized access and usually penetrate networks via the Internet. They may use inside accomplices and may combine several attack methods.
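The "recordkeeping" the insider paragraph calls for is only useful if someone actually runs checks over it. The script below is an added illustration for this post, not code from the article or from the Forrester study. It runs three simple insider checks over an access log: access by an account whose owner has left, access to critical data outside business hours, and bulk export of critical data. The log format ("timestamp user action resource"), the roster of accounts, the business-hours window and the list of critical paths are all constructed assumptions.

```python
"""Flag suspicious insider access from an access log.

Added illustration for this post, not code from the article or the Forrester
study.  The log format, roster, business hours and critical-path list are
assumptions chosen for the example.
"""
from datetime import datetime, time

# Constructed roster: account -> (status, date access should have ended or None).
ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", "2014-03-01"),
    "carol": ("active", None),
}

# Constructed sample access log: "ISO timestamp  user  action  resource".
SAMPLE_LOG = """\
2014-03-03T09:12:41 alice READ /finance/q1-forecast.xlsx
2014-03-03T23:47:05 carol EXPORT /hr/payroll.csv
2014-03-04T10:02:13 bob READ /finance/q1-forecast.xlsx
2014-03-04T11:15:30 alice READ /engineering/roadmap.md
2014-03-05T02:30:00 alice EXPORT /customers/contacts.csv
"""

BUSINESS_HOURS = (time(8, 0), time(19, 0))  # assumption: 08:00-19:00 local time
# Assumption: paths under these prefixes are the "critical data" the policy restricts.
CRITICAL_PREFIXES = ("/finance/", "/hr/", "/customers/")


def parse_line(line):
    """Split one log line into (datetime, user, action, resource)."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def check_event(ts, user, action, resource):
    """Return the list of finding codes for one event; empty means nothing flagged."""
    findings = []
    status, end_date = ROSTER.get(user, ("unknown", None))
    if status == "unknown":
        findings.append("UNKNOWN_ACCOUNT")
    elif status == "terminated" and end_date is not None:
        if ts.date() >= datetime.fromisoformat(end_date).date():
            findings.append("TERMINATED_USER_ACCESS")  # access should have been revoked
    critical = resource.startswith(CRITICAL_PREFIXES)
    start, end = BUSINESS_HOURS
    off_hours = not (start <= ts.time() <= end)
    if critical and off_hours:
        findings.append("OFF_HOURS_CRITICAL_ACCESS")
    if critical and action == "EXPORT":
        findings.append("BULK_EXPORT_CRITICAL")
    return findings


def analyze(log_text):
    """Return [(user, iso_timestamp, resource, [finding codes]), ...] for flagged events."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = parse_line(line)
        findings = check_event(ts, user, action, resource)
        if findings:
            flagged.append((user, ts.isoformat(), resource, findings))
    return flagged


if __name__ == "__main__":
    for user, when, resource, findings in analyze(SAMPLE_LOG):
        print(f"{when} {user} {resource}: {', '.join(findings)}")
```

On the constructed log this flags carol's late-night payroll export, bob reading finance data three days after his access should have ended, and alice's 02:30 export of customer contacts, while alice's daytime reads pass. Each check is a single rule; the value is in running them routinely, and in the roster being kept current by HR, without which the terminated-user check is blind.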
The threat layer
Structured threats are carried out by skilled attackers seeking to inflict severe damage. They understand network design, current security technology, network access conventions and attack methodology, and they can write custom scripts and tools. Structured attacks are not pranks carried out with readily available tools. Their motives may be political or commercial, rational or irrational, but they are always serious.
Targets include major corporations, military operations, financial institutions, governments, and individuals. Perpetrators may be business rivals, foreign governments, private espionage agents or terrorist organizations.
Perhaps the most dangerous are advanced persistent threats (APTs): sustained, coordinated campaigns that quietly compromise a network, maintain access, and cause damage over an extended period. News reports at the time of the study described attacks of this kind against Western governments by Chinese and Russian actors.
Unstructured threats are less ominous than structured ones, but they come in many varieties and can still cause severe damage. They may be launched with or without a specific target. Sometimes the aim is simple vandalism; more ambitious attackers specialize in ransomware. Unfortunately, the tools for building such attacks are readily available online.
The testing layer
According to the Forrester survey, experts consider ongoing tests and exercises the most important way to ensure preparedness. Fortunately, the trend is toward more frequent testing: 39% of respondents test once a year, and 31% twice a year or more, a significant improvement over previous surveys.
There is no magic formula for how often to test. Testing can cause interruptions, and testing too frequently produces diminishing returns. The fact remains, however, that against newly developed malware and attack techniques, which cannot be anticipated, the only reliable defense is regularly scheduled testing.
*In a major study published in 2014, Forrester Research and Disaster Recovery Journal surveyed IT executives and disaster recovery experts to assess industry-wide preparedness, identify best practices and make recommendations. This post draws on selected findings of the study.