In Passwords 101, we looked at what is likely your first line of defense against cyberattack: the humble password. There are a lot of fairly simple things you can do to make sure you have the best password possible. However we also noted that passwords are just the beginning of your cybersecurity program.
The obvious next question is: what else is there? In this conversation, we’re going to introduce you to the hardworking cybersecurity soldiers known as controls.
Preventative controls are the road barriers of the information highway. They are designed to stop an attacker from getting to an asset. If the asset involves physical protection, then a good example of a preventative control would be security guards. Digital equivalents of the security guard include:
Antivirus and antimalware applications. These applications scan site traffic and compare it against a known database of threats, and decide accordingly. These applications are as good as their databases and their frequency of update, although the best-of-breed versions employ heuristic analysis to predict possible malware as well as sophisticated interfaces across applications (such as email, web browsers, and mobile apps). Don’t turn on a computer without one installed and up to date.
Cybersecurity awareness training. Employee awareness is one of the most effective preventative controls. Training should consist of both on-site and on-demand training for all employees. The most effective versions employ a blend of delivery methods, repeat at least twice a year, and include follow-ups such as short quizzes to keep everyone on their toes.
Data loss prevention systems (DLPs). Designed to ensure that sensitive data stays where it belongs, these systems operate across several layers in an organization. Depending on its configuration, a DLP will look for specific types of data (credit card numbers, Social Security numbers, account numbers, etc.) and make sure they are being accessed by authorized users only. A DLP can also inspect traffic to make sure that sensitive information is not on the move—be it on a network, an external storage device (e.g., a USB drive), or even a printer. DLPs are only as good as their configuration and upkeep, so you need to be particularly sensitive in making sure that they constantly know your data environment and your security policies. When correctly deployed, they can be a powerful preventative control, which plays well with others and is one of the few that can alert you to a possible insider threat.
Firewalls. These are appliances meant to segregate the inside (company) network from the Internet. They come in several flavors that range in capabilities, configuration options, and complexity. There are firewalls that encrypt data as well as monitor traffic. Still other firewalls do all of the preceding and more. Keep in mind that, as with DLPs, a firewall is only as good as its configuration. An erroneously configured firewall, or one that is poorly maintained, is useless. Your specific control requirements will dictate which kind and how many firewalls to deploy, as well as how they are configured.
Gateways. Gateways monitor and control Internet traffic coming and going from your company servers. Let’s say you call up a web page on a company computer. You can have a gateway that senses your request for a web page, segregates it from other traffic, disguises it, even encrypts it, and then sends it out. Why do this? Because if the request is intercepted, the intercepting person doesn’t get your address; he or she only sees the gateway instead. In this example, this gateway would be called a (web) proxy server: a device designed to hide the other internal devices from the Internet by managing each session and exposing only itself to the outside world.
Intrusion prevention systems (IPSs). These systems complement the panoply of firewalls, antivirus, and antimalware systems by introducing a systems-monitoring layer. An IPS will be tuned to what constitutes normal behavior on your networks; the moment something happens outside that frame, an IPS raises the alarm. An “alarm” in this context includes not only logging the event but also the ability to terminate connections. An example of a well-tuned IPS response would be the immediate termination of file-encryption activity taking place unexpectedly, usually the result of a ransomware attack. Of course, if your normal is all over the map and no baseline can be established, then the IPS may become difficult to tune and could produce many false positives as a result.
If the preventive controls are akin to locks on your doors, the detective controls are the motion sensors that let you know that someone has gotten into the room. The idea behind them is to detect abnormalities and raise the alarm. Some controls listed as examples under preventive controls work here as well—for example, antivirus and antimalware systems and intrusion prevention systems can be considered both preventive and detective. Other examples of detective controls include:
Intrusion detection systems (IDSs). These are essentially antivirus and antimalware systems on steroids, using a combination of signature-based analysis (comparing traffic to not only known signatures of viruses and malware but to specific attack patterns), and anomaly analysis (comparing expected normal system behavior to current state). IDS can vary in intelligence and efficacy, depending on which system you deploy. Some use artificial intelligence applications to learn from their environment and therefore become better at detecting an attack.
Security information and event management systems (SIEMs). These are applications that combine both detection and response management. They combine analysis of event logs across multiple systems, event correlation, abnormal event detection, notification, automated actions, and response event tracking. As you can imagine, the volume of logs and events has risen exponentially and can be properly managed only by a good SIEM.
Like the name implies, these are controls that focus on repairing damage during or after an attack. Many targeted controls fall in this category: for example, vulnerability patching is a corrective control. Keeping your systems current—meaning, most recent operating system release as well as application releases—also represents corrective control, because it patches (corrects) known vulnerabilities.
But the ultimate corrective control is backup, and that’s worth spending some time on. There is no substitute to the feeling of relief that you will have when you know that you have a good, solid, backup set from which you can restore your data. To get there, you need to understand the kinds of backup that are available to you, and when to use which kind.
There are three main kinds of backup: full backup, which as the name implies is a complete and total copy of all of your data; a differential backup, which copies only the data that has changed since your last full backup; and finally incremental backup, which involves only the data that has changed since the last backup of any kind. Which backup you use and when depends on the size of your organization, the amount and type of data, and the values that you established for your recovery time objective (RTO) and recovery point objective (RPO). Generally speaking, small organizations do a daily full backup, while larger organizations tend to employ periodic (e.g., weekly) full backups as well as a combination of differential or incremental backups.
A full backup has the benefit of the fastest restore time, since all the data is in one place and you don’t have to go hunting among differential or incremental backups for that one file that’s missing. On the other hand, if you’re backing up several terabytes’ worth of data, then, irrespective of method, you’re using multiple and complex strategies to ensure timely restores.
The one thing you need to be concerned about, no matter your size or strategy is: Make sure that your backups are absolutely solid and 100 percent verifiable. Check often! Trust us on this! You will thank us later.
These are the types of controls you put in place when you know that all your other controls cannot mitigate one or more risks all the way down to a desired level—be that a level required by regulators or simply your own peace of mind.
In a perfect world, every company would address every vulnerability in a perfect way with perfect timing. But that’s not our world. You may find, for example, that you cannot apply a necessary security patch or upgrade because doing so will cause havoc with your systems downstream. Or you may have a recovery-time objective that’s so short, no backup strategy can meet it. Maybe you are dealing with such highly classified data that your system must be completely “air-gapped” (i.e., no Internet access ever).
Typical examples of compensating controls include hot failover sites (mirror sites where duplicate systems and facilities exist and can go live instantly), access controls (e.g., access depending on your clearance and the data’s classification, function, geography, etc.), and the extremely important one, especially for insider threats: segregation of duties. Segregation of duties is a very powerful compensating control and one that you can easily implement.
Defense in Depth
Now you’ve got a basic sense of the huge variety of approaches to keeping your business protected. At TMG, it’s our view that the right way to use all of these controls is by deploying them across systems in a way that achieves defense in depth. This has the effect of putting multiple and diverse barriers (controls) between the attacker and the asset. This strategy looks different from case to case (e.g., cloud-based versus office versus mobile), but we believe it is the best way to protect yourself and your assets. If you want to find out how cyberCTRL can help you employ defense-in-depth controls to protect your business, get in touch with us!
That said, it’s only fair for us to note that not all cybersecurity experts view the world in the same way we do. In Defense in Depth: Is it Right For You?, we talk about the ins and outs of defense in depth, to help you figure out what makes the most sense for your specific business.