Take a layered approach to security
Call it layered security or defense in depth, but make sure you use it. The concept is as old as IT security thinking itself, but that doesn't make applying layers of security any less relevant today. Choosing the right layers, of course, is paramount. Think of defense in depth as a risk-mitigation construct that applies multiple, independent layers of control across the length and breadth of your IT environment, so that no single failure hands an attacker the keys, and you will be pretty much on the money.
Doing this will not guarantee that attacks are prevented, but it will slow the bad guys down and help protect your organization against attacks that are, in practice, inevitable. Done properly, a layered approach to security buys you time: the time you need to detect an attack, respond effectively and limit a potential breach. In other words, it makes you harder to hack. Read on for seven ways to make this happen.
Network visibility leads to proactive protection
Network visibility lets you "scan all the things, count all the things, spot the anomalies, and apply policy accordingly." Security event monitoring of this kind can be very cost effective, providing meaningful analysis that leads to proactive protection of your infrastructure and the data within it. The aim is visibility that lets you spot attackers early, ideally while they are still doing reconnaissance, rather than after the damage is done.
If you want a degree of network visibility for free, AlienVault's ThreatFinder, powered by the Open Threat Exchange (OTX), will check for compromised systems and malicious communication by correlating your log file data against the live OTX database of indicators.
Knowing what's connected to your network is also part of the visibility layer. Tripwire offers a free tool called SecureScan that will scan up to 100 IPs on your internal network and reveal lost or hidden devices. Remember, every device you don't know about is a device you are not patching or monitoring, and the more Internet-facing devices there are on your network, the greater the opportunity for compromise.
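The three checks the visibility layer is built on, scanning for what is on the network, correlating logs against an indicator feed, and spotting anomalies, are easy to prototype. The following is an added example written for this page, not code from ThreatFinder, SecureScan or OTX: the asset inventory, scan result, indicator set and proxy-style log lines are all constructed sample data, and the key=value log format is an assumption standing in for whatever your firewall or proxy actually emits.

```python
import re
from collections import Counter

# Constructed asset inventory: what we *expect* to find on the network.
KNOWN_ASSETS = {"10.0.0.5": "fileserver-01", "10.0.0.6": "mail-01", "10.0.0.20": "ws-alice"}

# Constructed result of an internal sweep: what a scanner actually found.
SCAN_RESULT = ["10.0.0.5", "10.0.0.6", "10.0.0.20", "10.0.0.77"]

# Constructed indicator set standing in for a threat-intelligence feed such as OTX.
INDICATORS = {"ip": {"203.0.113.45"}, "domain": {"bad-update.example"}}

# Constructed proxy/firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z src=10.0.0.20 dst=93.184.216.34 host=example.com bytes=512
ts=2024-05-01T10:00:02Z src=10.0.0.20 dst=203.0.113.45 host=- bytes=2048
ts=2024-05-01T10:00:03Z src=10.0.0.77 dst=198.51.100.9 host=bad-update.example bytes=40960
ts=2024-05-01T10:00:04Z src=10.0.0.5 dst=93.184.216.34 host=example.com bytes=128
garbage line that should be skipped
ts=2024-05-01T10:00:05Z src=10.0.0.20 dst=93.184.216.34 host=example.com bytes=512
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """key=value lines -> list of dicts; lines without src and dst are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "src" in fields and "dst" in fields:
            events.append(fields)
    return events


def unknown_devices(inventory, scan):
    """(devices the scan found that are not in the inventory,
        inventory entries the scan did not find)"""
    seen, known = set(scan), set(inventory)
    return sorted(seen - known), sorted(known - seen)


def match_indicators(events, indicators):
    """Correlate destination IPs and hostnames against the indicator set."""
    hits = []
    for ev in events:
        if ev["dst"] in indicators["ip"]:
            hits.append((ev["src"], "ip", ev["dst"]))
        host = ev.get("host", "-")
        if host != "-" and host in indicators["domain"]:
            hits.append((ev["src"], "domain", host))
    return hits


def egress_anomalies(events, factor=10):
    """Hosts sending more than `factor` x the median outbound bytes in the period:
    a crude but useful baseline for spotting exfiltration or a noisy implant."""
    totals = Counter()
    for ev in events:
        totals[ev["src"]] += int(ev.get("bytes", 0))
    if not totals:
        return []
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    return sorted((src, n) for src, n in totals.items() if n > factor * median)


def report():
    """Run all three checks over the constructed data and return the findings."""
    events = parse_log(SAMPLE_LOGS)
    new, missing = unknown_devices(KNOWN_ASSETS, SCAN_RESULT)
    return {
        "unknown_devices": new,
        "missing_devices": missing,
        "indicator_hits": match_indicators(events, INDICATORS),
        "egress_anomalies": egress_anomalies(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Note how the three findings reinforce each other: the device the sweep did not recognise (10.0.0.77) is also the one talking to an indicator domain and the one with the outsized outbound byte count. In a real deployment the indicator set comes from the feed, the inventory from your CMDB, and the median baseline from a much longer window than five lines.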
Web protection should be policy-driven
CONTROL, MONITOR & ENFORCE WEB POLICIES
Web protection is another essential layer of security, providing a single front end for controlling, monitoring and enforcing client web policies. In fact, web protection is best thought of as a policy-driven approach to security: multiple devices point to a central policy that can be edited and scaled to suit a whole range of devices, rather than maintaining device-level settings across the board.
Doing this enables you to filter websites by time of day or content category, monitor bandwidth use so that a few clients cannot throttle the network for everyone, and ultimately help protect the business against legal liability for what its users do online.
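What "policy-driven" means in practice is that the policy is data and the devices only evaluate it. The following is an added example for this page, not any web-protection product's configuration format: the central policy, the group override, the URL-category lookup and the device list are all constructed, and the rule order (blocklist, then bandwidth cap, then time windows) is a design choice of this example.

```python
from datetime import datetime, time

# Constructed central policy (illustrative format, not any vendor's).
CENTRAL_POLICY = {
    "default": {
        "blocked_categories": {"malware", "adult"},
        # categories absent from allow_windows are allowed at any time
        "allow_windows": {"social": [(time(12, 0), time(13, 0)), (time(17, 30), time(23, 59))]},
        "daily_bandwidth_mb": 500,
    },
    "groups": {
        # marketing staff get social media all day; everything else is inherited
        "marketing": {"allow_windows": {"social": [(time(0, 0), time(23, 59))]}},
    },
}

# Constructed category lookup standing in for a vendor URL-categorisation feed.
CATEGORIES = {
    "example.com": "business",
    "social.example": "social",
    "bad-update.example": "malware",
}

# Constructed devices: each points at the central policy, optionally via a group.
DEVICES = {
    "ws-alice": {"group": None},
    "ws-bob": {"group": "marketing"},
}


def effective_policy(device_name):
    """Default policy with the device's group overrides layered on top.
    Editing CENTRAL_POLICY changes behaviour on every device at once."""
    policy = dict(CENTRAL_POLICY["default"])
    group = DEVICES[device_name]["group"]
    if group:
        policy.update(CENTRAL_POLICY["groups"].get(group, {}))
    return policy


def in_window(now, windows):
    """True if the wall-clock time of `now` falls inside any (start, end) window."""
    t = now.time()
    return any(start <= t <= end for start, end in windows)


def decide(device_name, host, now, used_mb_today):
    """Allow/deny one request. The blocklist runs first, then the bandwidth cap,
    then time-of-day windows, so a malware domain is never let through by a window."""
    policy = effective_policy(device_name)
    category = CATEGORIES.get(host, "uncategorised")
    if category in policy["blocked_categories"]:
        return False, "category %s blocked" % category
    if used_mb_today >= policy["daily_bandwidth_mb"]:
        return False, "daily bandwidth cap reached"
    windows = policy["allow_windows"].get(category)
    if windows is not None and not in_window(now, windows):
        return False, "category %s outside allowed hours" % category
    return True, "allowed"


def clock(hhmm, day="2024-05-01"):
    """Build a datetime from 'HH:MM' on a constructed date, for demos and tests."""
    return datetime.strptime(day + " " + hhmm, "%Y-%m-%d %H:%M")


if __name__ == "__main__":
    for device, host, when, used in [
        ("ws-alice", "social.example", "10:00", 0),
        ("ws-bob", "social.example", "10:00", 0),
        ("ws-alice", "bad-update.example", "12:30", 0),
        ("ws-bob", "example.com", "10:00", 600),
    ]:
        print(device, host, when, decide(device, host, clock(when), used))
```

The group override replaces only the key it names (`allow_windows`), so marketing still inherits the malware block and the bandwidth cap; if you want per-category merging rather than whole-key replacement, do that merge in `effective_policy` rather than by copying settings onto individual devices.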
Patch management expands your safety net
KEEP UP WITH THE BAD GUYS
You can scan for attack patterns and apply all the policies you want, but with new vulnerabilities being disclosed on a daily basis you will be hard-pressed to keep up with them all. Patch management isn't a silver bullet: it will not prevent zero-day exploits, nor will it protect a system that is still unpatched when the exploit arrives. It will, however, close the known holes and help you keep up with the bad guys.
A good rule of thumb is to subscribe to vendor notifications, keep an eye on security news sites, and patch as soon as it's safe to do so. That's where patch management enters the equation: you need to know not only that a patch is available but also that it's stable, which means trying it on a small group of systems before rolling it out everywhere. Throwing an unstable patch at your live working environment without testing could do more damage to the business bottom line than the exploit it's trying to prevent.
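Two things go wrong most often in home-grown patch tracking: versions get compared as strings, and a patch gets pushed to production before the test systems have proven it stable. The following is an added example for this page, not any patch-management product's logic: the advisory feed, the fleet inventory and the test/canary/prod ring names are constructed, and the "soak" rule (a ring must be fully patched and marked as soaked before the next one is touched) is this example's own policy.

```python
def parse_version(text):
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically.
    As strings, '3.0.9' > '3.0.13', which would mark a vulnerable host as patched."""
    return tuple(int(part) for part in text.split("."))


def needs_patch(installed, fixed_in):
    return parse_version(installed) < parse_version(fixed_in)


# Constructed advisory feed standing in for vendor notifications (example data).
ADVISORIES = [
    {"package": "openssl", "fixed_in": "3.0.13", "severity": "high"},
    {"package": "nginx", "fixed_in": "1.24.0", "severity": "medium"},
]

# Constructed fleet inventory; each host belongs to a deployment ring.
FLEET = [
    {"host": "test-01", "ring": "test", "packages": {"openssl": "3.0.9", "nginx": "1.24.0"}},
    {"host": "web-01", "ring": "prod", "packages": {"openssl": "3.0.9", "nginx": "1.22.1"}},
    {"host": "web-02", "ring": "prod", "packages": {"openssl": "3.0.13", "nginx": "1.24.0"}},
]

RING_ORDER = ["test", "canary", "prod"]  # assumed rollout order


def exposure(fleet, advisories):
    """Every (host, package, installed, fixed_in, severity) still exposed."""
    out = []
    for host in fleet:
        for adv in advisories:
            installed = host["packages"].get(adv["package"])
            if installed and needs_patch(installed, adv["fixed_in"]):
                out.append((host["host"], adv["package"], installed, adv["fixed_in"], adv["severity"]))
    return out


def next_ring(fleet, package, fixed_in, soaked):
    """Which ring to patch next, and its pending hosts.
    A later ring is eligible only once every earlier ring that has the package is
    fully patched *and* listed in `soaked` (the patch ran there without regressions).
    Returns (None, []) when nothing is pending or the current ring is still soaking."""
    for ring in RING_ORDER:
        hosts = [h for h in fleet if h["ring"] == ring and package in h["packages"]]
        pending = [h["host"] for h in hosts if needs_patch(h["packages"][package], fixed_in)]
        if pending:
            return ring, pending
        if hosts and ring not in soaked:
            return None, []
    return None, []


def apply_patch(fleet, hostname, package, version):
    """Record that `package` was upgraded on `hostname` (the patch tool's job for real)."""
    for h in fleet:
        if h["host"] == hostname:
            h["packages"][package] = version


if __name__ == "__main__":
    for finding in exposure(FLEET, ADVISORIES):
        print("exposed:", finding)
    print("patch next:", next_ring(FLEET, "openssl", "3.0.13", soaked=set()))
```

The `soaked` set is the hook for the stability check the text asks for: nothing marks a ring as soaked except a human or a monitoring job confirming that the patched test systems are still healthy, so production never sees the patch on the strength of "it installed without error".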
Encrypt what needs encrypting
FOCUS ON THE DATA THAT IS MOST VALUABLE TO YOU
The problem with data encryption is that it is almost always seen as a step too far: far too complex, far too expensive, far too much. The truth is that if you identify the data that's most valuable to your organization and focus on encrypting that, it needn't be any of those things.
Data encrypted with a modern, properly implemented cipher will be beyond the abilities of most hackers, and most likely the Government Secret Squirrel types as well; in practice attackers go after the keys and passphrases instead, so the strength of your encryption is really the strength of your key handling. And it's not difficult; be sure to check out the following:
- Tablets and smartphones: device encryption built into the OS makes a stolen device useless to thieves, provided it is locked with a decent passcode. Use it.
- Websites: Hypertext Transfer Protocol Secure (HTTPS) encrypts the information transferred between your site and client browsers, and lets browsers verify they are talking to the genuine site.
- Web browsers: HTTPS Everywhere rewrites requests for unencrypted HTTP sites to their HTTPS versions. (The extension has since been retired; current browsers offer an equivalent HTTPS-only mode in their settings.)
- USB memory sticks: VeraCrypt has become the open-source encryption-container product of choice. It's easy to use, it works, and it's free.
Become a data Dalek: authenticate authenticate authenticate…
APPLY A MATURE AUTHENTICATION POLICY
Authentication is how a user proves who they are, and a mature authentication policy rests on two things: password managers and multifactor authentication. Strong passwords are a no-brainer. Unfortunately, any password that is long, complex and random enough to count as strong is hard to remember; throw multiple such passwords into the equation and even someone with an incredible memory would struggle, whereas a password manager does not.
LastPass Enterprise is a business-grade example; it's not free, but prices start from just (US) $18 a head. It lets you manage a password policy from the cloud and generate truly random passwords at the touch of a button. Even that, though, is not enough: you need to throw multifactor authentication into the mix. As it happens, you can add two-factor authentication (2FA) to LastPass in the form of a physical token or a code generated by a smartphone app. Whatever form the added layer takes, 2FA should be the baseline for any mature authentication policy.
Secure erasure is more than hitting delete
REMOVING FILES SECURELY ISN’T THE END OF THE STORY
Secure file deletion is the last item on our list of suggested layers, and it's often the last thing on the mind of otherwise security-savvy folk. After all, if you're removing something from the data equation it's no longer a security problem, right? Wrong! Hitting delete doesn't delete data securely, and nor does formatting a drive for that matter: both mostly rewrite the filesystem's bookkeeping and leave the file contents sitting on the disk until something else happens to overwrite them. Forensic tools can retrieve that data very easily, very quickly and, importantly, very cheaply.
Your mission is to make that as hard as possible. At the very least encrypt your data, then use a secure deletion tool such as Eraser on individual files and folders; its default Gutmann method overwrites the file's disk space 35 times with a mix of fixed and random patterns, though a handful of random passes is enough on modern drives. That's a free tool, and towards the bottom of the paranoia-delete scale, but coupled with encryption it's a good way to go. One caveat: on SSDs, wear levelling means an overwrite may never land on the cells that held the original data, so there you should rely on full-disk encryption and the drive's own secure-erase command rather than file-level overwriting. And at the top of the scale, you could do the job properly by employing the costly services of hard drive shredders to chop your legacy drives into little bits of metal.
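To see what "overwrite, then delete" actually involves, the following is an added example for this page, not Eraser's code: it overwrites a file in place with a zero pass, a ones pass and a random pass, flushing to disk after each, and only then unlinks it. The sample payroll marker is constructed, the three-pass sequence is this example's choice rather than the Gutmann pattern set, and the whole technique assumes a filesystem that writes in place on a magnetic disk.

```python
import os
import tempfile

# Overwrite passes: fixed 0x00, fixed 0xFF, then random bytes.
# None means "fill this pass from os.urandom".
PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=PASSES, chunk=64 * 1024):
    """Overwrite every byte of `path` once per pass, fsync after each pass.
    Returns the total number of bytes written.
    Assumption: the filesystem writes in place on a magnetic disk. Wear-levelled
    SSDs, copy-on-write filesystems and snapshots can all keep the old blocks."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
                written += n
            os.fsync(f.fileno())  # make sure the pass reached the disk, not just the cache
    return written


def secure_delete(path, passes=PASSES):
    """Overwrite, then unlink. A bare os.remove() only drops the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo():
    """Write a constructed secret to a temp file, show that a single zero pass really
    replaces it on disk, then finish with secure_delete(). Returns facts to check."""
    marker = b"SALARY:ALICE:123456\n" * 3000  # constructed sample data
    fd, path = tempfile.mkstemp()
    os.write(fd, marker)
    os.close(fd)
    size = os.path.getsize(path)
    overwrite_file(path, passes=(b"\x00",))
    with open(path, "rb") as f:
        after_one_pass = f.read()
    written = secure_delete(path)
    return {
        "size": size,
        "marker_gone": b"SALARY" not in after_one_pass and after_one_pass == b"\x00" * size,
        "written": written,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Reading the file back after the zero pass shows the original bytes are gone from the blocks the file occupies; what it cannot show is whether earlier copies survive elsewhere (editor temp files, journal entries, backups, SSD spare blocks), which is exactly why the text pairs secure deletion with encryption rather than relying on either alone.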