From the White House to the nerdy high school student, everyone is talking about cybersecurity. Domestic and foreign bad actors (and I don’t mean Kristen Stewart in Twilight) continue to poke, prod, and break into infrastructure both at home and at work. With cybercrime up 600% since the start of the COVID pandemic and costing an estimated six trillion in damages in 2021, cybersecurity is a pressing issue for 2022 (Cloudwards.net). The difficulty of securing networks has many wondering where to start. Flowstate has some guidance on finding best practices, recommendations on implementation, and what to do when—not if—you get breached.
A new era of network threats
The internet is not what it was 20 years ago. As its complexity has grown, its dark side has grown more complex and troublesome with it. We used to worry only about viruses and the occasional worm; now there are ransomware, botnets, Shodan, onion networks and more. Before we can discuss the best practices and strategies available to us, we need some background on these threat vectors.
The most well-known threat is ransomware. There were over 2,000 complaints of ransomware to the FBI’s Internet Crime Complaint Center in 2021, a 62% increase over the previous year. In 2021, damages from ransomware exceeded 20 billion USD and affected 63% of businesses globally (Ransomware Trends). Typically, ransomware uses a social engineering component (for example, phishing emails), followed by some sort of payload (such as a program that is downloaded to your system) to penetrate a secure area. These payloads may seem benign, but their nefarious actions range from granting an attacker remote access to encrypting your files and removing your access to them.
Botnets are another major cybersecurity issue. A botnet typically consists of a network of machines infected with malware and controlled by hackers. At any given moment there are more than 10 billion botnets scanning the entirety of the internet, using tools like nmap, zgrab and zmap (Journal of Cybersecurity). Think “the all-seeing eye of Sauron”, but instead of one, there are millions. As soon as your computer touches the internet, one of these botnets has already scanned and documented its presence and any potential weaknesses it may contain. Furthermore, these botnets can be weaponized to launch denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, in which a machine, network, or service is made inaccessible to its users. This can bring you to a standstill in minutes.
New security tools for a new era of threats
What can we do to protect ourselves from these sophisticated, modern-day threats? Our arsenal of weapons includes frameworks like Zero-Trust, Defense in Depth, and ‘Assume Breach’ models.
According to Palo Alto Networks, Zero-Trust is “a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction”. It is best summarized by this ideology: never trust, always verify. In every transaction, verify via authentication and authorization, regardless of the point in the process. Authentication establishes who you are by checking the credentials you present (your login username and password); authorization establishes what those credentials have permission to do, and grants access only to the appropriate services and processes. In other words, verify that anyone trying to access the system is an approved user, approved for specific things. This architecture should be applied to services and network traffic as well, not only to people.
For example, consider calling a provider about an account you own. In this example, your phone number stands in for login credentials (username and password). The provider could assume that because the call originates from a phone number you own, it must be you, and trust the call. But because someone else could use that phone number, they ask you additional security questions to verify that you are who you say you are. Likewise, an application should not simply assume that someone logging in with your credentials is indeed you; it should verify by requiring additional measures. Hence never trusting, always verifying. By always verifying and never assuming or ‘trusting’, we ensure a very robust approach to handling security.
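As an added illustration of the never trust, always verify rule (example code written for this post, not a Flowstate or vendor implementation; the user directory, permissions and one-time code are constructed), here is a request handler that re-authenticates every call, checks authorization per action with default deny, and demands a second factor for sensitive actions. Note that the request's source address is present but never consulted: network location earns no trust.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed user directory with a PBKDF2 password hash. In a real system the
# salt and hash come from an identity store, never from source code.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

_SALT = b"constructed-salt-for-demo"
USERS = {
    "alice": {"salt": _SALT, "hash": _pbkdf2("correct horse", _SALT), "otp": "246810"},
}
# Authorization: what each identity may do. No entry means denied (default deny).
PERMISSIONS = {"alice": {"invoice:read", "invoice:export"}}
# Actions that require step-up verification even after a valid login.
STEP_UP = {"invoice:export"}

@dataclass
class Request:
    user: str
    password: str
    action: str
    otp: Optional[str] = None    # second factor; "otp" above is a constructed stand-in for a real TOTP check
    source_ip: str = "10.0.0.5"  # deliberately never consulted: location is not trust

def authenticate(req: Request) -> bool:
    rec = USERS.get(req.user)
    if rec is None:
        # run the hash anyway so unknown users cost the same time as known ones
        _pbkdf2(req.password, _SALT)
        return False
    return hmac.compare_digest(rec["hash"], _pbkdf2(req.password, rec["salt"]))

def authorize(user: str, action: str) -> bool:
    return action in PERMISSIONS.get(user, set())

def handle(req: Request) -> str:
    # Every request re-verifies identity: no trust carried over from earlier calls.
    if not authenticate(req):
        return "deny: authentication failed"
    if not authorize(req.user, req.action):
        return "deny: not permitted"
    if req.action in STEP_UP:
        if req.otp is None or not hmac.compare_digest(USERS[req.user]["otp"], req.otp):
            return "deny: step-up verification required"
    return f"allow: {req.user} -> {req.action}"
```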
Defense in Depth
Defense in Depth (DiD) is a strategy to establish several layers of defense across people, technologies, and capabilities to create a multi-barrier approach to different dimensions of the organization. Similar to a castle’s protection, multiple walls with a variety of defenses ensure that any malicious activity destined for your organization will meet several challenges. This helps ensure that there is no one-size-fits-all attack that can be used against you.
Strategies include several layers of physical security (fences, door badges, secured areas), multiple layers of auditing that alert different departments, restricted network traffic, data diodes, and so on. The primary purpose is that when one defense fails, another is ready to take its place, much as a castle has a moat, ramparts, a drawbridge, hot oil, towers, battlements and so forth.
Cybersecurity best practices recommend planning for an eventual system breach, even with the highest security in place. Assuming a breach requires a different action plan from simply defending against breaches. Planning your response to data exfiltration or a firewall breach in advance lets you design your system architecture accordingly and respond faster to a security incident.
One way to prepare for a breach is to ensure you have reliable, frequent backups. First, determine your mean time to recovery (MTTR): the entire time it takes for a system-down situation to return to production. Consider the timeframe: is it too long, or too short? Once you have set your desired MTTR, ensure that your infrastructure (backup capability) supports that recovery time. Having good backups is essential in your defense against the woes of the internet.
Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems can make it possible to find a breach within hours instead of 300 days later. At Flowstate, we use Microsoft’s Sentinel to help us quickly detect breaches. Sentinel provides telemetry on all aspects of our Azure installation. It detects anomalies in our networks and uses artificial intelligence to take automated actions and report the incident.
Planning for a breach, adhering to zero trust, and applying defense in depth are the pillars of being cybersafe. While no installation is impregnable, employing these methods has a proven track record for reducing and mitigating cyber-related incidents. A great resource to get started on implementing them is the Cybersecurity and Infrastructure Security Agency (CISA). They have a page dedicated to getting your ‘Shields Up,’ along with other great resources.
If you have questions about cybersecurity, we'd love to hear from you!