Intended Audience

This document is designed for the non-technical, and it should provide sufficient information to allow the reader to understand the scope of what’s required and be able to decide whether what a supplier is proposing is a secure infrastructure.

The document is not intended to cover building an infrastructure hardened to TEMPEST, which is a military standard.

At the time of writing there is no Europe-wide security standard, although the European Commission is working on a common security certificate to be recognised across all EU states.

The UK Cyber standard has two levels: Cyber Essentials, an independently verified self-assessment, and Cyber Essentials Plus, which consists of a technical audit.

The US government uses NIST-800, and it’s the standard my client adopted in this instance.

Introduction & Background

I was recently working for a specialised consultancy that dealt with very sensitive information. They required a secure infrastructure. A request for proposal was issued to a number of IT companies for the supply of same.

We were underwhelmed by the responses received (or didn’t receive). So we changed tack, designed a secure infrastructure, and selected the supplier with the best proposal to install and configure the design.

The core security framework can be split into 5 concurrent streams:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Business cannot stop whilst adopting a secure posture, so the project started with the “protect” stream and focused on the weakest link: people.

Cyber-awareness Education

The decision to start with education was taken for four reasons. Firstly, people are genuinely the weakest link, and those uneducated in cyber-awareness are a liability.

Secondly, your people need to know how to protect your assets.

Thirdly, they can spot an oddity, something out of the norm; and lastly, educated people ask questions (“I need to share this file securely, how do I do that?”) rather than just emailing the file.

Cyber education can be carried out online or using traditional methods. It’s not a one-off event; it should form part of every employee’s continuous professional development plan.

What follows is a link to the documentation for a hacker’s toolkit, available online for free; it should give you some idea of how easy it is for even a novice to generate a sophisticated attack.

Implement Multi-Factor Authentication

A username and password is simply not enough to secure a system; passwords are stolen or broken far too easily.

Multi-factor authentication adds a second factor, something you have or something you are: face recognition, a fingerprint, a mobile phone, a hardware key, or a one-time password.

In combination these make an aggressor’s task much more difficult. MFA is not unbreakable, however. Say, for example, a banking transaction requires a one-time password sent via SMS or generated by a security app on a phone. That can be defeated by a technique called simjacking, by a phone call from the aggressor asking the victim for the one-time password, or by a hacked phone that automatically sends a picture of the one-time password to the aggressor.

People tend to forget about security when it comes to mobile phones. Remember that Jeff Bezos had his phone hacked via a WhatsApp message.

Inventory

A register needs to be kept of all equipment, recording make, model, serial number, location, user (if appropriate), and the firmware and software versions of everything installed on the device. The devices should be updated to the latest software/firmware available, and any devices which are no longer supported by the manufacturer retired.

There are plenty of software tools to discover and manage inventory (SolarWinds, Spiceworks, Microsoft Defender), so it’s not as big a task as it might first seem.

At the end of its useful life, equipment needs to be disposed of professionally, and a certificate of secure destruction obtained and kept.

Classify your assets

Identify a small number of classifications for your data assets. The US Government uses 7 classifications; I’d suggest 3 or 4 is appropriate for most companies. The Center for Internet Security suggests three (public information, sensitive, highly sensitive).

3 is typical, but 4 in instances where an organisation’s proprietary information is its lifeblood, e.g. a games manufacturer’s software.

| Risk Level | Classification | Example | Disclosure Impact |
|---|---|---|---|
| Low Risk | Public Information | blogs, marketing material | Disclosure would not have significant impact |
| Medium Risk | Internal Use Only | policies and procedures, non-identifiable personal information | Disclosure would be embarrassing but not catastrophic |
| High Risk | Highly Protected | personal information (Tax IDs, social security numbers), bank account details, health information, personal performance data. This data is likely to be protected by law (GDPR, CCPA, HIPAA) as disclosure could cause significant harm to an individual | Disclosure would have a significant impact on the business, and may have legal implications and reputational damage |
| Extremely High Risk | Extremely Highly Protected | business plans, research material, patent applications, proprietary designs/software | Disclosure may have an existential implication for the business |

The higher the risk, the more layers of protection need to be implemented. Classifying data sounds like a long, tedious exercise, but there are automated tools that can classify data for you, both in real time and in batch. There are also tools which examine data sent through the email or file-sharing system, identify classified data, and prevent either a single instance, or more than a set number of instances, from being sent without additional authority.
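As an added illustration of the “single instance or over a set number of instances” rule such tools apply (this is example code, not part of the original post or of any product it mentions), here is a small Python check run over constructed sample messages. The detectors for Highly Protected data, the `[INTERNAL]` tag convention and the threshold are all assumptions made for the example.

```python
import re

# Constructed detectors standing in for the "Highly Protected" row of the
# classification table (Tax IDs / social security numbers, bank details).
# A real tool uses far richer detectors; these are illustrative assumptions.
HIGHLY_PROTECTED = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "bank_account": re.compile(r"\b\d{2}-\d{2}-\d{2}\s+\d{8}\b"),  # sort code + account
}
# "Internal Use Only" material is assumed to be tagged when created/modified.
INTERNAL_TAG = re.compile(r"\[INTERNAL\]")

# Policy (assumption): a single Highly Protected instance is held for approval;
# Internal Use Only items may be sent freely up to a set number per message.
INTERNAL_THRESHOLD = 3


def count_classified(body: str) -> dict:
    """Count instances of each classified-data type in an outbound message."""
    counts = {name: len(rx.findall(body)) for name, rx in HIGHLY_PROTECTED.items()}
    counts["internal"] = len(INTERNAL_TAG.findall(body))
    return counts


def outbound_decision(body: str, threshold: int = INTERNAL_THRESHOLD) -> tuple:
    """Decide whether a message may leave without additional authority.

    Returns ("allow", {}) or ("hold", reasons), where reasons maps each
    triggering data type to the number of instances found.
    """
    counts = count_classified(body)
    reasons = {k: n for k, n in counts.items() if k != "internal" and n > 0}
    if counts["internal"] > threshold:
        reasons["internal"] = counts["internal"]
    return ("hold", reasons) if reasons else ("allow", {})


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Draft blog post attached, please review.",
        "Payroll query for employee SSN 123-45-6789.",
        "[INTERNAL] travel policy\n[INTERNAL] expenses policy",
        "[INTERNAL] a\n[INTERNAL] b\n[INTERNAL] c\n[INTERNAL] d",
    ]
    for body in samples:
        print(outbound_decision(body))
```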

Now identify policies, procedures and risk mitigation techniques to protect each classification. At this stage stakeholders need education in the risk classifications and in tagging data with its classification as it is created or modified.

At some time the organisation will be breached

You must assume that your organisation is going to be successfully attacked at some stage, so it’s imperative to have a plan covering who is going to do what and when, and how you are going to recover from the attack. So identify a team: an IT project manager from your organisation, plus forensic security consultants, legal advisors, and a PR consultancy if you don’t have them in house.

An incident response plan is an imperative. There are six phases: preparation, detection, containment, investigation, remediation and recovery. The phases are defined in NIST SP 800-61 (Computer Security Incident Handling Guide). Wright University’s incident response plan is amongst the best I have come across and worth learning from.

Cybersecurity is War

Cybersecurity is like warfare: you put in a defence and the attacker tries to circumvent it. It’s important to remember that it’s a constantly changing threatscape; you don’t design a secure infrastructure, deploy it and forget it. It needs to be maintained and to evolve, and that takes continuing investment, both in time and in money.

Aggressors want to cause as much disruption and chaos as possible; for some it’s the kudos, for others it’s financial reward.

Types of Cyber Attack

There are essentially two types of attack: active and passive. Passive attacks are extremely difficult to detect, since they usually use some form of trojan horse to monitor network or system traffic, so you need to assume all traffic is being monitored. Active attacks are attempts to break into your network and systems; there are essentially five types of active attack: system access attempts, denial of service, spoofing, cryptographic attacks, and social engineering.

There is also accidental or intentional disclosure of information.

The Infrastructure Security Eco-System

The security eco-system consists of everyone who works in your organisation, all of your IT system and software suppliers, the people who work for those suppliers, and the software and hardware both you and they use. So you need to examine the entire eco-system for potential threats.

If your IT partner does not have better and more secure tools, policies and procedures than you have or plan to have, then you have to question whether you should be using them.

A successful compromise of your IT provider, or of the software they use to manage clients’ infrastructure, has the potential to spread to all their clients.

For an aggressor that’s a potentially very rewarding target (this is known as a supply chain attack), and it has been successfully executed several times, notably Kaseya in 2021 and SolarWinds in 2020.

Layered Defences

If an attacker gets through one layer, there’s another layer and another. The more difficult you make it the less financially attractive it is to a perpetrator.

The traditional defence layers are system level, network level, application level and transmission level. I’m going to add one to that and call it physical level defence: say a person (a visitor, or a social engineer who has gained access to the premises) puts a USB stick into a phone, or plugs a device into a network port. In a way it overlaps with network and system security, but I do believe it deserves its own layer.

The Teensy USB HID attack uses a USB stick which the aggressor inserts into a port, or persuades someone in the organisation to insert. The computer believes a keyboard has been attached, so disabling USB storage will not prevent the attack, nor will disabling autorun. Once inserted, the device delivers its payload and takes control of the machine; the USB stick can then be removed. Some endpoint security suites provide device control to prevent this type of attack on computers; I’m not aware of anything similar for other devices, like VoIP phones and printers.

There may need to be multiple defences at each layer, involving defences from more than one supplier: multiple firewalls from differing manufacturers; multiple anti-virus defences on computers, firewalls and devices; multiple threat detection systems, with all inbound, outbound and internal traffic being monitored by an AI-based threat monitoring system; and a segmented network, with CCTV on one segment, phones on another, PCs with access to highly sensitive data on another, printers on another, and so on. With this approach, if a device is compromised it does not have access to your entire network.

If you think of the number of devices in an organisation, each one being a potential threat, you will understand the nature and scale of the challenge at hand. In a building there may be thousands of access control points, sensors, cameras, phones and meters, as well as the devices you’d traditionally associate with cyber threats.

It’s for this reason that automated internal threat monitoring using AI is a must. Consider a device that suddenly starts sending messages on an open port (typically HTTP) to a server with a Chinese IP address, something it has never done before: a passive attack. That’s the kind of anomaly that would normally be missed and which AI-based systems typically detect.
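To show what “never done that before” means in practice, here is an added example (not from the original post, and far simpler than an AI-based product) that learns each device’s usual destinations from constructed flow records and reports any flow to a destination and port the device has not used before. Device names and addresses are made up; the external address is from a documentation range.

```python
from collections import defaultdict

# Constructed flow records (source device, destination IP, destination port),
# as a network sensor or firewall log might supply them. All addresses are
# private or documentation ranges; 203.0.113.44 stands in for an external
# server the camera has never contacted before.
BASELINE_FLOWS = [
    ("cctv-cam-07", "10.0.20.5", 554),      # video to the recorder on the CCTV segment
    ("cctv-cam-07", "10.0.20.5", 554),
    ("cctv-cam-07", "10.0.0.2", 123),       # NTP time sync
    ("voip-phone-12", "10.0.30.10", 5060),  # SIP to the phone system
    ("voip-phone-12", "10.0.30.10", 5060),
    ("voip-phone-12", "10.0.0.2", 123),
]
NEW_FLOWS = [
    ("cctv-cam-07", "10.0.20.5", 554),
    ("cctv-cam-07", "203.0.113.44", 80),    # never seen before: outbound HTTP
    ("voip-phone-12", "10.0.30.10", 5060),
]


def learn_baseline(flows):
    """Per device, the set of (destination, port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for device, dst, port in flows:
        baseline[device].add((dst, port))
    return baseline


def find_anomalies(baseline, flows):
    """Return flows whose (destination, port) the device has never used before.

    A device absent from the baseline is reported too: an unknown device
    talking on the network is itself worth a look.
    """
    anomalies = []
    for device, dst, port in flows:
        if (dst, port) not in baseline.get(device, set()):
            anomalies.append((device, dst, port))
    return anomalies


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for flow in find_anomalies(base, NEW_FLOWS):
        print("ANOMALY:", flow)
```

A real deployment would build the baseline over days or weeks and add conditions such as time of day and data volume; the idea of comparing against what each device normally does is the same.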

One of the most effective defences is checklists and written procedures.

Adopt a Security Framework

The first step is to adopt and implement a security framework. The framework and policies may be dictated by the standards and legislation your business needs to comply with (e.g. Federal US standards, ISO standards, GDPR, PCI DSS, IEC, HIPAA). In this particular case the majority of the infrastructure was to be outsourced, so it was necessary to ensure suppliers conformed to the required standards for the geographies in which this organisation conducts business and stores data.

All of the frameworks adopt pretty much the same streams.