Replacing the Front Lines of Cyber Defense with Concentric Circles
On the premise that the best defense is understanding the real nature of the offense – or, in this case, offenses, since cybersecurity addresses a multi-front battleground – it’s useful to think in terms of concentric circles, broad steps any small or midsize business can take to maximize safety. It may also help organizations match the level of protection to the class of threat they face.
Companies need to be familiar with online threats and at least somewhat conversant with the tools that stop them; no defensive product can compensate for vulnerabilities that haven’t been patched. Still, there are things that businesses can and should do to maximize their safety:
- First line of defense: The first line consists of perimeter technologies: a firewall supported by intrusion detection and prevention software; network-level anti-virus and anti-malware scanning, which can only inspect content it is able to read, so it is limited to downloads over unencrypted protocols unless a TLS-inspecting proxy is in place; and an anti-DDoS service.
- Second line of defense: The second line comprises patch management and locally installed anti-virus and anti-malware software, working together to block what the perimeter lets through: the host-based scanner sees files after they have been decrypted, and patching removes the known vulnerabilities that exploits target. Done properly, the second line also means fewer bugs and better performance, since current software is generally both more secure and more stable.
- Third line of defense: The third line centers on the trained, educated user: someone sufficiently aware of threats to think before clicking a link or opening an attachment; a user, in other words, attuned to the real and present danger of viruses and malware, who acts accordingly.
- Fourth line of defense: Obvious as it may seem, the fourth line is a good backup strategy. As part of that strategy, it’s worth using application-consistent snapshot technology, which makes rollback a matter of minutes and restores the server to its exact state before the attack. Two caveats a practitioner will insist on: snapshots must be stored where an attacker who has compromised the server cannot delete or encrypt them, and the restore procedure must be tested regularly, because a backup that has never been restored is an assumption, not a backup.
The human element remains the most important piece of this construct, because social engineering targets people rather than technology. It’s always best to stop a problem early, before it festers and productivity suffers; think smoke detectors versus sprinkler systems.
Enter the Capital One/AWS data hemorrhage, just the latest (and potentially the most egregious) example of data security gone bad. That the culprit in this case was a misconfigured web application firewall only proves the point that when technology and the human element don’t mesh, trouble often ensues. Any number of other missed connections could have been responsible. While some might look to AI as a preventative, that’s a false hope. Tech alone won’t rescue any organization, and everyone is susceptible. Human error is invariably the gateway into any “secure” system.
Rank-and-file users tend to think of security as binary: either you have it or you don’t. If you don’t recognize that you have an opening in your security, you’re vulnerable indefinitely. Acknowledging vulnerability is the first step toward containing it. Even if you can’t eradicate breaches for all time, periodic (preferably frequent) security reviews and a deployed network intrusion detection and prevention system need to be mandatory. As conceived by security engineers and network engineers, this is a multi-disciplinary approach, harking back to those concentric circles around the user’s data.
The process must be ongoing, an imperative that many organizations miss. Because attackers never sleep, there really is no end point. Of course, there are different strokes for different folks; no one size fits all, whether your data is on premises or housed in a data center. Not to frighten anyone, but if you ever think you’re secure, you’re erring on the side of delusion, and at that point it’s already game over. Complacency is the key that unlocks your network. Human error is always the number one issue wherever you’re housed. The mission is to find and close the security gaps.
Now for the reassuring part: you and your organization have agency. If you begin with the conceptual model of constant and continuous improvement (security audits, risk assessments, processes that are proactive and focused) and undertake these with a level of seriousness, you can eliminate any number of threats. But throwing your hands up in response to Capital One won’t deter the next cyber perp with a plan.
Instead, be attuned to emerging threats and new ways to blunt them. If you’re not taking all the necessary precautionary steps, you’re not safe, wherever you may be hosted. India is no less at risk than Indiana, since bad actors routinely sweep every IP address on the planet, on-premises or off.
If you enlist a security partner (a host that is vigilant and a proven good steward of company data), off-premises can be more secure. The host has choices to make, and those choices make a difference; by dint of those choices, you could be much more secure, or much less. Most cloud providers know how to draw the concentric circles, and for their customers that diligence typically is baked in, often at no extra charge. The caveat is that the provider’s circles end at the infrastructure it runs; the configuration of the customer’s own firewalls, servers, and access rules, which is where Capital One went wrong, remains the customer’s job.
In sum, then, each organization is capable of making itself as safe as it possibly can be. To get there, users on the “front lines” (understanding that “users” here applies equally to the rank-and-file and the C-suite) need to internalize these four “circles” of defense. That’s how companies determine precisely what “safe” means in their environment. These measures and counter-measures affirm that users still have a high degree of control, if they have the wherewithal to claim it.