IT Security Is Like an Onion: It Has Layers

The Skin

Your Firewall

The term “Firewall” is a reference to the large insulated fire-breaks in buildings/cars to prevent fires from spreading. A firewall device can be better viewed as the security gate on the front of a store. Without the gate, mere glass exists between the products and potential thieves. It is easy to break the glass and once broken the thief can enter. Keeping this analogy, the gate is not perfect. There may be other external doorways that need to exist but are easier to break into.

For a firewall, this would be open ports to insecure or vulnerable servers. Even if your firewall dictates what can enter through the main entrance, it still makes side-doors available to allow certain programs or services to function.

Notes: The purpose of a firewall is to reduce attack surface: the hacker’s available options for breaking in to your network. Because new exploits are being generated constantly, a firewall alone is not enough.

Email Security

Email security has many aspects designed to verify, filter, and analyze email. Email interacts directly with your employees, and people can be deceived. Methods used for securing email include:

DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) - These together allow other email servers to validate that an email from your domain actually originated from your server. The SPF also defines how those servers should respond (accept, reject, etc.).

Spam block-listing - A maintained list of known-spam-sending servers is used to reject all communications from those servers.

Email Antivirus - Scans emails for embedded or attached threats before it arrives on the user’s system.

Email Encryption - Using pre-shared keys, emails are encrypted and thus unreadable in transit. Once received by the user, it can be decrypted.

Graylisting - This method protects against IP spoofing. When your email server receives an email from a server it has not communicated with recently, it will send a generic ‘email rejected, please retry’ message to that server.

If the server is legitimate, that reply will arrive to notify the sending server. The server will then resend the email and be removed from the graylist.

If the server is not legitimate, it will never receive the request to retry and thus will not retry.

Intrusion Detection: The Outer Layers

Intrusion detection can be viewed as an analog to alarm systems with motion detection, glass break sensors, and door open sensors. Retail stores do not rely solely on their security gates. Most will also have internal security measures that will alert authorities when activity is detected behind the gate. If an employee triggers this system, they have to input a code to disarm it.

Intrusion Detection can have features that detect abnormal network activity, communications with known-malicious or suspicious servers, and authentication failure events (similar to failing to enter the code on the alarm panel).

Notes: The purpose of intrusion detection it to block or send alerts if an attacker gets passed the firewall, even if the attack originates from inside.

The Inner Layers

Anti-malware

Anti-malware, including antivirus, can be viewed similarly to the building access controls. When hiring an employee at a secure facility, that employee will likely be subjected to a background check before receiving an access badge. This badge is both a key and an ID card that allows the employee to freely enter through doors and gates. If the employee fails the background check, they are not permitted access.

For this anti-malware analogy, the employee is an application on your computer. The anti-malware software will check the application to see if it matches any known malicious software. If it does match, it is forcibly removed. Anti-malware can only match against things it has seen before.

Anti-malware/Antivirus are extremely useful because a lot of the methods used by malicious code are reused and repackaged by those not skilled enough to create their own malware. This accounts only for methods previously employed by attacks and studied. It can not prevent new attacks.

Data Execution Prevention

Data Execution Prevention systems are similar to hiring an employee who is under increased scrutiny and has limited access for several months. Some roles require a lot of trust, so employers may choose to ‘see how it goes’ at first before giving them ‘the keys to the castle’.

Data Execution Prevention systems do a similar thing for applications. When an application that has never been seen by the software is run by a user, the system may prevent it from starting. It will then upload a copy of the application to a ‘sandbox’ where the system will execute it and see what it does. If it doesn’t do anything seemingly malicious or unusual, the application is added to the ‘known’ list and the user is able to run it without interruption.

As IT security is a constant ‘cat and mouse game’, the attackers have begun to make their malware detect when it is being run in the presence of security software or on a virtual machine in order to lay-low for this process.

Although a robust and extremely useful tool, it has become an arms race between security companies and hacker groups. As such, this layer does have it’s own flaws, but still increases overall difficulty and cost of attacks.

The Core

Disk Encryption

Disk Encryption serves two main purposes. First, it prevents someone from reading the data from a device without permission. If someone steals a company laptop, they are unlikely to get data from its drive if encrypted. Secondly, it makes disposal/data destruction easier. Instead of spending days writing zero’s and one’s to the drive before physical destruction, just destroy the encryption key and it should be unrecoverable.

Patches & Upgrades

These are all analogous to building maintenance, repair, and upgrades to security systems. Just as building security needs upkeep, so does your network. If you have loose door latches, faulty cameras, bad alarm sensors, etcetera; your security is flawed.

Patches - These fix issues in performance and security.

Upgrades - Unfortunately, software and hardware both may stop receiving updates. Vendors usually refer to this as End of Life (EOL). If you do not replace EOL hardware and software, new vulnerabilities may accumulate on your network.

If you do not maintain your systems and replace out of date hardware/software, you are putting your network at great risk.

The Roots

User Training

This seems obvious, but it often isn’t. As with most security, the weakest link is the human component. Humans are social and trusting creatures. We hold doors for each other, allow access to people who appear legitimate, etc. One of the major attack vectors is called Social Engineering. This particular example overlaps virtual and physical security. Rather than analogies, I will provide examples for this.

Pretexting - Some attackers will walk in your front door. They may wear a uniform that at cursory glance appears to be your usual maintenance company. By these methods, they provide the ‘pretext’ to why they belong there.

They may ask various employees to ‘help them out’ and let them get through secure doors, thus bypassing your security. These people can then sit down at a computer inside your network and infect it directly, or simply steal files or other valuable items physically.

This one can also be done via chat, email, or phone. An attacker only needs to be partially convincing and moderately informed for this. They may call your employee and say they are the IT support. They need the end user to download an update and will read them a url to enter. The user, trying to be helpful to who they think is their IT support, will promptly download and install their malware.

Spear Phishing and Phishing - Phishing has been around a while, but sadly is highly effective. Phishing usually employs the ‘spray and pray’ method. They send out thousands of fraudulent emails, build hundreds of fraudulent sites, all with the goal of stealing personal information or getting users to run malware.

Spear Phishing is a newer beast. With spear phishing, the attacker may invest months into researching their target. They may even gain access to a couple of low-level email accounts. Using the information they gather, they create a phishing email so well crafted it would be very difficult to tell it was not real. Sometimes they gain control of email servers to edit legitimate emails instead. This is how the famous CEO Fraud attack works.

Train your employees on Social Engineering Prevention as soon as possible. Refresh this training every 6-12 months, because people naturally become lax on security to increase efficiency. There is an old saying for this: “Security and convenience are often at odds“.

Bringing It All Together

IT security is a constant battle between hackers and security experts. Every layer of security you add will make it much more difficult for an attack to succeed, so long as you regularly maintain and update your systems and security. Forgoing these security measures will increase your risk appetite significantly. Lastly, when viewing your security posture, be sure to consider all of the humans in the system. They, too, will need updates (to training and procedures) to maintain your security.