Welcome to October, it’s Cybersecurity Awareness Month! Of course, for a cybersecurity trainer and assessor, every month is cybersecurity awareness month. But this month gives us an opportunity to pull ourselves out of our day-to-day activities and get an idea of where we are in protecting our organizations and their assets.
One of the easiest ways to look at cybersecurity is from the perspective of a concept called Defense in Depth. Defense in Depth is so foundational to cybersecurity that we cover it, at varying levels of depth (pun intended) in nearly every cybersecurity course. From Security+, CySA+, through Microsoft’s SC-200, SC-900, and our NIST Cybersecurity Framework training courses, Defense in Depth is everywhere!
You know, it’s rather convenient that October is Cybersecurity Awareness Month and has the Halloween holiday on the 31st. This leads us to the question: how can we raise our awareness of the ways attackers might get into our organizations, and what controls can we put in place to prevent them from carrying out their evil intentions?
Let’s go back to our Defense in Depth (DiD) concept and apply it to protecting ourselves from nefarious actors! To begin, we need to look at a few of the ways these ghouls and goblins can wreak havoc.
- Swipe a laptop with customer data
- Mount a cyberattack directly from the Internet
- Get hired on as an employee and use internal access to steal critical databases
- Exploit a weakness in software we purchased to knock a critical service offline
- Implant ransomware through social engineering and encrypt our data, including all backups, and require us to pay millions of dollars in cryptocurrency to get it back
Of course, listing some of the threats won’t get us to a secure state, it just gives us a few ideas of what could happen. The core principle of DiD is recognizing the layers through which an attacker must pass and putting in place controls at those layers. Here is a list of layers and controls, taken directly from our NIST Cybersecurity Framework Practitioner/Bootcamp course, to raise YOUR awareness for Cybersecurity Awareness Month.
Policies and Procedures: HR background checks, security policies such as password polices, acceptable use policies, and social media policies.
Physical: guards, gates, barriers, cable locks on laptops, mantraps, bollards, locked doors, keypad entry systems, secure racks and cages.
Perimeter: firewall, DMZ, proxy, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Unified Threat Management (UTM) systems.
Network: VLANs, airgaps, centralized authentication, internal routers and firewalls, jump servers, privileged access workstations.
Host: host-based firewall, antimalware, patching, smart cards, mutual authentication, certificates, boot integrity protection, host specific authentication, operating system logs.
Application: application firewall, updates, authentication, authorization, input validation, secure coding practices, logging.
Data: encryption at rest, access control lists, data masking, tokenization, attack target minimization, backup, data resiliency (redundancy).
The point of the above list is not to tell you that you need to implement these specific controls. In fact, this list is a very tiny subset of the many thousands of controls available at each layer. Truth be told, even the list of layers is not exhaustive. The real purpose of the list is the same as the overall purpose of this blog post, to raise awareness.
Every year, during the month of October, people in organizations around the world are reminded of what those of us in cybersecurity think about nearly every day. We know our organizations could be more secure. We know our organizations must be more secure. And we all know a large part of having more secure organizations is making everyone, in every role, aware of cybersecurity in relation to what they do.
A minor side note as we wrap up. Some of the terms in the list above may not be familiar to you. If you’d like to learn more about them, or any other aspect of cybersecurity in this post, I invite you to visit our website at https://www.lrseducationservices.com/ and check out the Cybersecurity section. Alternatively, you could send us a note at GetSmart@LRS.com or call our helpful staff at (217) 793-3800 ext. 1493.
Have a wonderful Cybersecurity Awareness Month and a Happy Halloween!
-Troy Stoneking