Cybersecurity 201

There was great feedback and some questions about our Cybersecurity 101 blog, this 201 blog will answer those and help you to continue improving your cyber resiliency. The assumption here is that you have done all that is in the 101 (aka, the minimum) and you are curious (anxious?) about what else you should be doing. We are now starting to focus on efficacy, not just adding more checkmarks to a to do list.

One of the key principles in cybersecurity is what is called “defense in depth” or “layered defense”. Building on the zero trust concept, we assume that defenses will fail and that attackers will be able to progress further, so we add more layers of defense to slow them down and increase the likelihood they will be detected. Think of your classic medieval castle, there the moat surrounding the entire castle, followed by the ramparts, and should they pass all that: you then are in the courtyard, still exposed and not yet inside (and all along being watched and defended from towers and all).

From a cybersecurity perspective, your last line of defense is the local anti-malware. Should all else fail, you are counting on it to stop the attack (covered in 101), we are now adding more defenses in front of it. The most common attack vectors are email and web, so that is where we start:

• Email: All inbound emails should be scanned for known and unknown malware before they ever get to you email server (which should also be scanning, but having it before offers multiple safety and workload advantages). This includes all attachments and web links. This is also a good place to stop all evil file types (exe, com, ps1, scr, xlsm…) and we recommend also blocking all non-essentials too (encrypted zip, html, shtml …). We also recommend doing all of this for outbound emails, it will save your reputation and avoid potential legal issues.
• Web: This is business, web traffic should be filtered (DNS) to block known bad sites and ones with bad reputations, a block more and open as needed is usually the best option (rather then being permissive “just in case”). All downloads should be scanned for known and unknown malware, and yes that means scanning encrypted (https) traffic via DPI-SSL. If you firewall does not support it or is not powerful enough to scan it all, time to upgrade. This is also another good place to block evil and non-essential file types.

Now that we have improved the outside, let’s start looking inside. One of the key improvements you can do on your network, is called network segmentation: you divide you assets in multiple networks based on types and risks (and ideally use a firewall in between). Should (when) an attacker starts roaming around on your network, it will make it harder for them to perform lateral attacks and improve the likelihood that their actions would be detected promptly. You should at least have the following networks:

• Regular users: these are the corporate owned devices used by trusted users.
• Guest users: people using your internet, but that you don’t trust (no access to internal system, need to accept a usage policy before surfing, very limited internet access)
• Employee owned devices: this one is optional, but helps keeping employee happy (no access to internal system, limited internet access) (employee should already have signed an acceptable use policy, so you can drop the prompt for usage policy).
• Servers: local servers (limits ports to what is essential between client devices and the servers to reduce the attack surface and having a firewall in between them will help to detect attack patterns).
• Management: many device types should not be accessible by users (switches, vm hosts), having all those interfaces on a closely guarded network that can only be reached by specific devices (like a management jump station) makes it harder for an attacker to perform lateral movements.

Lastly, this one was originally planned to be part of our 301 blog, but based on the state of the world and the fact that there are now affordable options, we have elected to now make this a 201 recommendation: Managed Detection and Response (MDR). Speed of detection is key, you want to detect an attacker when they are trying to develop a foothold, not one month after when they unravel their nefarious plan.

As always, please reach out to us if you have any questions!

(If you represent a group of businesses (like a chamber or an association) and you would like us to present this content to your member at an event or via a lunch and learn, contact us, we might even pay for lunch!)