Defense In Depth

I was watching an automotive program earlier today – Autoweek out of Detroit – and there was a panel discussion about how to protect automobiles from hacking attacks.  And during the discussion there were terms being thrown out that resonate in the IT world, just as they always have, with the most resonant being “Defense in Depth”.  This is a term that I have heard again and again over close to 35 years in this wacky business.

To over-simplify a complex concept, Defense in Depth means you have layers of security in place within your IT infrastructure.  You don’t simply install a firewall and announce that you’re done; rather, you have firewalls and anti-virus and anti-malware and secured wi-fi and segmented networks and security policies and local machine firewalls and so on and so forth ad infinitum.  You build your castle and moat to keep the bad guys out.  And while most larger enterprises “get it” and do this, many smaller organizations do not.  And, to add fuel to the fire, everything “Cloud” adds another layer of complexity to the situation.

To be very clear, there is only so much any organization can do to protect their systems.  There is no such thing as “perfect security” regardless of what many might tell you.  The bad guys are always working to find new ways to defeat the security systems and the good guys, meaning most of us human beings, are generally sloppy.  So it is the job of the IT pro’s to do as much as they can, with management’s backing, to build as secure a system as organization size and budget will allow.

So, how does a small organization do this?  How do you build defense in depth?  I think the answer is actually pretty simple; you do what you can from a technology point of view and then you educate the hell out of your people!  It may sound odd but a big part of the problem is actually simple ignorance on the part of your users.  Most users simply don’t have any idea about the relative dangers of borrowing their kid’s USB stick to transport a file from home to work or, worse, why you shouldn’t let your 10 year old use your work laptop!  This isn’t a slam against the kids, it’s just a simple statement of fact.  Uncontrolled access to organizational assets is a very big problem.  As an organization you can put all sorts of defenses in place such as anti-virus and anti-malware scans but this just isn’t enough if your users ignore all the rules.

Definitely add the technology that you can afford — install the UTM firewall, install commercial-grade anti-virus and and-malware systems (no, the free stuff just isn’t good enough), control access to USB ports on client machines, secure and segment your wi-fi, ensure you have domain security controls in place regardless of where the domain lives on-prem or in the Cloud, control and secure remote access to your resources.  But, most of all, educate your users!  If your users understand the why behind a security policy then they usually will do their best to comply with it.  Security policies fail when users have no clue why you have made their lives “difficult”.

Small organizations generally don’t have the high profile that invites external parties to “attack” their systems.  The threats that small organizations face come more from ignorance, the suspicious email that carries a cryptolocker-style payload when opened or the infected USB stick that gets plugged into the network.  Education is your biggest defense against these kinds of attacks.  it is one more layer in your defense in depth.