Security – A Layered Approach

From a number of recent surveys, it’s clear that more and more organisations are happy to accept that they will suffer a network security breach at some point and it is simply a matter of time.  Clearing up the mess post-issue and how to do it seems to be the focus now – which is a bit of a shame since there are a number of ways to endeavour to avoid the mess in the first place.

Unfortunately, most companies rely on increasing the size and scope of perimeter defences for their security – a bit like widening the moat around the castle or building higher/thicker walls.  Great idea . . . unless the drawbridge is down and the guards asleep.  Or someone tunnels under the moat and walls.  Or they have a friend on the inside who knows where the back door is. Or someone leaves the spare key under the plant pot . . . you know, in case they forget theirs and lock themselves out.

History has taught and continues to teach us many lessons, but if we do not learn from them we are doomed to repeat the failures of the past – what were those Trojans thinking anyway?  Someone dumps a big wooden horse outside the gates and they cheerfully wheel it in without a second thought or at least a cursory inspection?  No wonder Troy was lost.

Now, if they’d parked it somewhere that was isolated from or, at least, had very limited and controlled access to the city, it could have been inspected at leisure to ensure it held no nasty surprises.  Troy would probably not have fallen and Brad Pitt would have missed out on an “epic” movie role.

I know this all sounds a bit left field but . . . the bad guys out there are not attacking organisations for fun, they’re doing it for commercial gain.  Stealing bank account or identity information that they can sell on or encrypting data and demanding a ransom for its release.

However, the more difficult a thing is to do, the less likely they are to do it.  After all it’s a numbers game – the softer the target, the more they extract and the more money they make.  Harden the target and they’ll move on – it’s just too much effort to break down all the defences and it takes too long to make it viable.

To continue the castle analogy – keep the moat and the walls but build additional defences inside.  Ramparts, pits full of spiky things, bear traps etc. and . . .  section it off.  Limit the access to each section to a (very) small number of well controlled points.  Create “one way” systems so that no one section can act as a universal jump-off point to anywhere in the castle.

To put this into IT terms . . . think Security Zones, micro-segmentation, Network Access Control, authentication-based firewall policies, SSL visibility etc.  – the options are manifold and various.

The “serious” bad guys are only interested in one thing – breaching your defences for their gain. They can devote time and effort to this single purpose . . . but only to a point.

Harden the target with multiple layers of defence, create one way systems and implement access restrictions and the bad guys will soon realise they’re wasting their time and move on to something softer, easier, and likely to be easier to penetrate.

Or, you could hire more guards – preferably ones who don’t fall asleep on the job!