The theory behind protecting company sensitive information from attackers has not changed much in close to two decades, yet a shocking number of organizations still deploy inadequate defences.
They simply don’t cover the basics of information security, the everyday IT hygiene measures such as two-factor authentication, encryption, network segmentation, firewalls, user access control, and information governance.
Truth be told, protecting anything of value is the same as it was 2,000 years ago. What we see today with data is simply the extension of the same common-sense principles into the digital world, and it’s nowhere near as complex as you may think.
It’s a Battle
In my former career in the US Army, one of the positions I held while I was a Sergeant in the Field Artillery was called Reconnaissance. Part of my job was to establish an Area of Operations (AO) for my platoon which consisted of three MLRS (Multiple Launch Rocket Systems, aka ‘Steel Rain’), LLMs (Launcher Loader Modules), three ammo trucks, and a POC (Platoon Operations Center). To do this, I would identify the area that I wanted to protect and place defensive countermeasures around it, such as concertina wire, land mines, an OP/LP (Observation Point / Listening Point), and a roaming guard.
As the platoon was conducting fire missions, it was my job to operate under the assumption that the enemy was poised to attack at any moment, and to prepare my team to defend our AO. If we apply those same concepts to the digital world and replace the MLRS platoon with critical value data, the steps taken to protect that data are no different.
- Establish a segment of the network that contains the data you want to defend.
- Build a defensive perimeter around that data with defensive countermeasures such as firewalls, IDS/IPS, user access control, and endpoint security solutions.
- Operate under the assumption that you will be hacked today, and plan accordingly. Always be on the lookout for would-be attackers.
It’s an Ongoing Journey
I have often heard and reiterated that security is not a destination; it’s a journey. Yes, this is a bit cheesy, but applicable nonetheless. Knowing you have a long way to go, and a lot of things to do, means you have to prioritize which countermeasures are going to have the greatest impact.
Based on my experience, the things that are most often lacking are information governance, network segmentation, user access controls, and properly configured firewalls. Harkening back to our military example, it’s the equivalent of knowing what assets you have to protect, establishing your AO, determining who is allowed into the AO (everybody else is NOT allowed), and deploying concertina wire, land mines, and the roving guard.
After you take these first few steps, if you really want to make certain your data is protected (as opposed to just telling people you want to protect your data), then the best thing you can do is hire an external penetration testing team to conduct actual, no kidding, "come at me bro" penetration testing.
In the Army we called this OPFOR (Opposing Forces). I’m not talking about vulnerability scanning or Dolly Parton ‘9-to-5’ testing against a pre-defined set of systems (none of which are critical assets), but about getting as close as you can to a real-life threat simulation. This will help you understand your attack surface: you will know which controls work, which ones don't, and which ones are completely missing.
This is the only way to give yourself a realistic picture of your defensive posture. Once you know what your organization looks like from the eyes of an attacker, you can begin to make yourself a harder target.
Once you have reached this Threat Ready state, you have to maintain it. In the Army, we did not train for battle once, take one PT (Physical Training) test, or go to the firing range once. We trained over, and over, and over again so that we would remain mission ready. For us, this meant that we stood ready to deploy anywhere in the world, any time of day or night, to engage and destroy any enemy on any field of combat.
For you (somewhat less dramatically), this means that your cybersecurity posture is ready to deflect, detect, react to, respond to, and recover from any attack, launched against any system, from anywhere in the world, at any time of day or night.
There is no question that cyber-criminals are waging an all-out cyber-war against organizations that store, process, or transmit critical value data. To date, they have been successful due in large part to a collective inability to adequately protect ourselves.
If we expect to stem the tide of these breaches and make ourselves harder targets, then we have to get serious about security, take a page from the military’s -10 (that’s a field manual), protect our AO, and allow (insist on) OPFOR-style pentesting.
It is only through this combination of countermeasures and real world threat simulations that we have a chance of protecting our organizations from cyber-criminals.