Cyber Security

We are often asked by customers, "What is the one solution that will work?" The answer is simply: none. The current buzzwords, Layered Security and Defense-in-Depth, all have their merits, but there is no magic bullet.

We prefer to take the Defense-in-Breadth approach: an approach that uses a combination of highly effective, complementary and overlapping products and services can have a "higher" success rate. This approach has also been called "Defense in Depth." But bear in mind that even this approach will never be 100% effective; it will, however, minimize successful attacks. Formally:

A planned, systematic set of multi-disciplinary activities that seek to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or sub-component lifecycle (system, network, or product design and development; manufacturing; packaging; assembly; system integration; distribution; operations; maintenance; and retirement). Source: NIST.GOV, CNSSI 4009-2015

The key point is that it is not a magic bullet or an "implement and forget" strategy. It is a sustained, ongoing, active approach that relies on a "siege" mentality and employs multi-vendor approaches to technology, services, security processes and human resources. It will take a large number of IT professionals collaborating and working together, not just within a single organization but across companies and industries. The status quo needs to change, and IT professionals need to drive that change and create market pressures to bring it about.

Layering security defenses in an application can reduce the chance of a successful attack. Incorporating redundant security mechanisms requires an attacker to circumvent each mechanism in turn to reach a digital asset. For example, a software system with its own authentication checks may stop an attacker who has already subverted the firewall. Defending an application with multiple layers avoids a single point of failure that would compromise the security of the whole application.

The principle of defense-in-depth is that layered security mechanisms increase the security of the system as a whole. If an attack causes one security mechanism to fail, other mechanisms may still provide the necessary security to protect the system. For example, it is not a good idea to rely totally on a firewall to provide security for an internal-use-only application, as firewalls can usually be circumvented by a determined attacker (even if it requires a physical attack or a social engineering attack of some sort). Other security mechanisms that address different attack vectors should be added to complement the protection a firewall affords (e.g., surveillance cameras and security awareness training).

Implementing a defense-in-depth strategy can add to the complexity of an application, which runs counter to the "simplicity" principle often practiced in security. That is, one could argue that adding new protection functionality adds complexity that might bring new risks with it, so the total risk to the system needs to be weighed. For example, an application with username/password-based authentication may not benefit from increasing the required password length from eight characters to 15 characters, as the added complexity may result in users writing their passwords down, thus decreasing the overall security of the system; however, adding a smart-card requirement to authenticate to the application would enhance its security by adding a complementary layer to the authentication process. Source:

Yet, as Prescott E. Small argues in his 2012 SANS Institute paper, "Defense in Depth, in its original concept, works for a kinetic world defense. The problem with Defense in Depth in the world of Cyber-Defense is that it is unsustainable... as a result of Defense in Depth implementations, individuals, corporations, and government entities are being made victims of an attack strategy that is really more akin to Defense in Depth in reverse. The attackers provoke the maintenance of a layered defensive stance that is massive, difficult to manage, requires extensive skill sets and is extremely costly. In essence, the attackers are forcing an unsustainable posture, exhausting resources and adapting advanced persistent and advanced evasive techniques to slip right past People, Process and Technology. No matter what actions are taken and what tools are used, even if an attacker is ejected, that attacker is simply sitting at the perimeter trying new strategies. Unless the attacker is somehow permanently removed from the threat landscape, then the threat posed by an attacker is only temporarily mitigated. Considering the supply of attackers in the world, the evidence shows how the attack model has really evolved into a Sustained Cyber-Siege."

The evidence seems to bear this out, given the high-profile attacks.

Why has it failed?

Well, the answer is complex. Defense in Depth, when applied to the kinetic world, relies on removing the enemy. In the cyber world, that would be impossible: there are millions of diversely located hackers, so elimination of the enemy is simply not possible. Could it be the usual suspects? Poor training, lack of procedures, no active monitoring, poor tools, etc.? While all of these can be true in varying degrees, they are only partially responsible in most cases. The root cause is the Internet itself. Security was ad hoc, added ex post facto to the Internet's design. Sound familiar? It is similar to what is seen in the networks of most IT organizations, i.e., security is an ad hoc "bolt-on" considered and implemented after the fact. Further complicating the landscape is the fact that the attackers have the same tools and strategies as the defenders, and also have state-sponsored attack tools. Defense in Depth and its sibling, Layered Defense, describe IT security as an onion.

This approach and that description, combined with business practices and standards like ISO, COBIT or ITIL, have resulted in silos that are no longer actually connected but are instead handled like the baton in a relay race. This creates an opportunity for attackers to fly under the radar and establish persistence in a network, because a narrowed scope also results in a limited view of activities. This failure to see the big picture and to understand many different yet related events can result in missed detections, giving the advantage to the attacker (op. cit.).

What is the Answer?

There is none. Nothing, no magic bullet, no one solution. Understand this, and you will be further along in understanding IT security than most. Of course, we are not saying adopt a "do nothing" approach. On the contrary: if you think there is one simple shrink-wrapped package, one vendor or one service that will solve modern cyber security issues, you have already lost.

Defense in Breadth

The carrot

More private and public sponsorship will be needed, like the Special Cyber Operations Research and Engineering (SCORE) Interagency Working Group, along with tax incentives for businesses that adopt recommended strategies and invest in overlapping "breadth" defenses, especially in industries critical to U.S. infrastructure such as the electrical utility, defense, healthcare, telecommunications, finance and energy sectors. Vertical market strategies must be developed that reflect the unique cyber footprint of each vertical. Intra-vertical cooperation and communication is essential so that all members of the vertical community are informed when an attack occurs and the attacker can be managed more effectively. Inter-vertical sharing is also essential and must be set up so that data is anonymized, yet pertinent enough that other verticals can be informed and take defensive action. Cooperation with federal agencies is critical. Sharing is essential because the hackers are extremely good at this themselves, sharing and selling data and hacking tools.

Stick

Pressure must be brought upon governmental bodies to implement regulations that support the needed changes across industries and mandate intelligent reporting so that breaches can be effectively measured. Fines for non-compliance and breaches need to be stepped so that repeated breaches are fined progressively higher, and companies stop treating the fines as a "cost of doing business."

Layered?

The traditional approach has spent on prevention. Not bad, but often ineffective over the long term. A layered approach includes prevention but also employs defenses for recovery in the event of a successful attack.

Layered defense is a close cousin of Defense in Depth. Small goes on to say: "To be fair it needs to be pointed out that the Defense in Depth concept has been co-opted by many different industries and no longer resembles the original strategy for the kinetic world of the military."

Defense in depth, by contrast, arises from a philosophy that there is no real possibility of achieving total, complete security against threats by implementing any collection of security solutions. Rather, technological components of a layered security strategy are regarded as stumbling blocks that hinder the progress of a threat, slowing and frustrating it until either it ceases to threaten or some additional resources — not strictly technological in nature — can be brought to bear.

Case: the Target Stores breach. Substandard network design, inadequate access controls and a lack of monitoring were all contributors to this breach.

Viruses, worms, trojans, ransomware, phishing, hackers: attacks on your network can happen at any time without warning and can come from anywhere, from the inside as well as the outside. Any one of them could compromise vital company data, cripple important business systems and applications, leave you open to lawsuits and, in the worst case, put you out of business.

Guarding your data against threats and monitoring network security is a complex task. Even large enterprises have difficulties and fail to properly engage IT security experts, train staff on best security practices, develop and enforce security policies, and deploy the right technology to help secure their assets. More often than not, this responsibility is either ignored or left to vendors who are not qualified to perform these tasks. With more businesses using cloud services, cloud security is a must, but it is often, unfortunately, "out of sight, out of mind" until it is too late.

Common Customer Quote: "Our Internet Service Provider gave us a firewall so we are protected, right?" Right or Wrong?

L4 Networks employs highly experienced security professionals, certified firewall and network engineers.

We have built and monitored secure systems for customers in some of the most demanding and secure environments (medical, education, financial and manufacturing, to name a few). We tailor our solutions to fit your organization, and deliver cost-effective yet highly secure solutions to protect your infrastructure. We can help you identify and secure your information assets by implementing responsive IT security solutions that include the three critical elements of people, policy and technology.