Cybercrime is a top concern of many Houston businesses and with good reason. Attacks are becoming more sophisticated every year and the leading security systems of yesterday are now routinely breached. In some cases, all it takes is one employee to take their eye off the ball for a hacker to bring down a network or steal sensitive data.
What is needed is a defense in depth security strategy. Before we explore what that actually means, and how PennComp can help, here are five key security principles you should always keep top of mind:
5 Key Principles of Securing Sensitive Data
There is no perfect security solution
One of the most valuable cybersecurity lessons any business can take on board is that no security solution will ever be 100% effective. Any vendor trying to sell a turn-key security product or service will try to convince you otherwise but the moment you take your eye off the ball, you can be sure a breach will follow.
All information must conform to the CIA Triad
What does securing data actually mean? The infosec community has answered this question by using the CIA Triad model.
This has nothing to do with the US intelligence agency! It simply reminds us that data security must include:
- Confidentiality. Secured information must only be accessed by those who are authorised to use or view it and only for the specific purpose they need it for. This is known as the principle of least privilege.
- Integrity. Information should be protected from both accidental corruption and deliberate tampering. This includes having adequate backup and restore capability.
- Availability. Systems should be protected from attempts to bring them down. DDoS attacks are the most recognized form of an attack on system availability. System loss due to natural disasters like hurricanes also comes under this umbrella.
Businesses should prioritize defense in depth
It is a term borrowed from the military but has total relevance when it comes to the information security world. Defense in depth is based on the first principle that there is no one, invincible security solution.
In warfare, the first line of defense is designed mainly to consume the enemy’s resources so that they are either turned back or severely weakened by the time they come up against the next layer of defense.
A company’s security bench should contain a mixture of securely configured routers, next-gen firewalls, access control protocols, encrypted networks, intrusion detection and prevention (IDP) systems, traffic analyzers, experienced infosec professionals, robust backup solutions and more. We will delve further into cyber defense in depth in the next section.
Assurance testing is critical
When products and systems are tested, it is often on the functional level alone. In other words, we test to find out whether the application or service provides the benefits it is supposed to. To optimize protection, businesses should also include assurance testing in their cybersecurity policies.
One of the most effective methods of assurance testing is to try and hack yourself. This is termed ‘pen testing’ and there are tools you can purchase for this purpose. However, even creating a dummy phishing email campaign can help you to assess and improve your security procedures.
Security by obscurity should be avoided
Protecting your networks and systems by making them hard to find is not a smart strategy. The problem with using clever tricks is that the hackers have access to the same information. You may succeed in delaying an attack but if one does get through, it is likely to go under the radar of your security systems as well.
The best security systems are completely transparent. For example, cyber-currency transactions can be viewed (in encrypted form) by anybody with a computer and any attempt to alter genuine transactions is immediately spotted and rolled back.
Similarly, the open source movement relies on a community of talented coders to spot and patch vulnerabilities in software. Hackers love to sneak around in the shadows so you need to force them to work in the light.
Understanding defense in depth
Defense in depth is more than simply lining up security measures one behind the other. Security layers should overlap so that a weakness in one measure is directly countered by the strength of another.
For example, if one security measure relies on human input (e.g. an account log-in screen), the next might be completely automated. In a phishing attack, for example, an employee might be duped by an authentic looking email into disclosing their log-in credentials. In a layered security system, an automated IDP system could form the next layer to remove the risk of human error. This system might be programmed to automatically deny access to any devices outside of a specific IP range.
This concept of reinforcing security holes with a corresponding strength has been termed the ‘Swiss cheese’ approach (imagine layers of Swiss cheese lined up behind one another so that the holes are restricted to one layer).
Individual security measures can also follow this reinforcement tactic. For example, two-factor authentication protects users if their password or device is stolen because both are required to gain access to an account. However, even this does not violate the first principle. Some cybercriminals have obtained knowledge of a user’s password and cell phone number and used social engineering tactics to persuade a telecoms employee to port the user’s cell phone number to a device the hacker owns.
Preventing a cyberattack on its own is not enough. Any security measure should also incorporate the ability to detect and respond to an attack. Without detection or a suitable response, a cybercriminal is free to try and overcome a defensive system again and again as many times as they like.
A common basic implementation of the prevent, detect, respond strategy is the standard account log-in protocol which detects a mismatch between email and password and, after a specified number of attempts, locks down the account and sends an email and SMS text to the registered account owner.
By slowing down the attack, this consumes the hacker’s time and compute resources. At the same time, more sophisticated software should be looking to track down the source of the attack and take more robust countermeasures.
Two approaches to security integration
When designing your defense in depth security set up, there are two different routes you can explore.
Some businesses opt for vertical integration. This is where you purchase a licensed security solution from one trusted vendor (either a software suite or a managed service). This has the advantage of simplicity, interoperability and convenience. Pricing also tends to be lower overall although not always. These benefits have to be weighed against the risk of being locked into one vendor and potentially missing out on more effective solutions in niche areas.
Other businesses prefer a ‘best in breed’ approach, finding the most effective products in every cybersecurity niche. This provides flexibility and often better overall security provision. The disadvantages are research time, complexity, problems with interoperability and often higher costs.
How PennComp IT Consulting can help you make the right security decisions
No two businesses have the same security needs which is why there can be no one ‘boilerplate’ security design that fits all use cases. Before you enter into the heaving marketplace of security products, speak to PennComp. While vendors are committed to selling a product, our IT consulting service is focused on ensuring whatever security decisions you make, they are grounded in your needs as a business. Having worked with a great many Houston businesses across a range of industries, we have deep insight into what an effective layered security solution looks like. Please call us to find out more.