Building Defense in Depth
A strong cybersecurity strategy includes multiple layers across the physical and digital worlds
In the first blog of this series, we talked about the fact that a layered approach to security is required to minimize the attack surface. With all the different ways hackers can access sensitive systems, multiple types of solutions need to be included at the user and administrative levels.
There are many different approaches and standards to layered security and nearly all of these are aimed at the IT profession and/or organization. Our next few blog entries will look at the layers from a user’s perspective.
- We shall start with looking at the physical security: what do we need to do to secure the hardware as the first line of defense?
- Secondly, we shall look at authentication and authorization: what can we do to help keep access to our software as secure as possible?
- Then we will discuss the applications themselves and how we can ensure they are well behaved and add to the overall security posture of the environment they run in. Our next installment will look at applications being run on the Edge and the following one will look at applications run in the Cloud.
- Then we will pivot our focus to IoT-specific concerns, looking at devices and best practices on connectivity and management.
- We will wrap up this series by bringing everything together to show how the constant flow of data, connections, and changing environment require our constant vigilance.
Let’s start with physical security. This is the most ignored and least talked about aspect of cybersecurity; however, if the device is compromised, all the other layers of security become meaningless. A recent article in The Telegraph reports that lost laptops pose a bigger financial threat than ransomware hackers.
Devices come in many forms. At a corporate level, any on-prem servers need to be kept in locked rooms with limited and appropriate access. At the individual level, we are responsible for our smartphones, tablets, laptops, and computers, all of which can provide a gateway to corporate assets and data, and many of which are carried with us nearly all the time. What can we do to help ensure these devices are not compromised? Part of the answer must include the passwords we store in common web browsers or applications, and that are synchronized across devices so we can sign in quickly. If somebody gets hold of just one of our devices, they will have access to all our accounts. So here are some simple steps we can all take to protect our devices.
Separate your work and personal devices.
Sounds obvious, but with dual SIM phones and BYOD at work, it is easy to blur the lines between work and personal lives. However, if somebody suggested you take your work computer to a music festival or a nightclub, you would think they had lost their marbles. But that is precisely what you are doing if you use the same phone for work and personal purposes. The safest route is to leave your work phone at home when you are on personal time; if that is not possible, use a separate phone.
This does of course come at the cost of flexibility – you must carry two phones when you are working.
Consider a phone lanyard case.
Most of us now have Apple or Google wallet, so all you need for a night out with your friends is the phone and your house keys. It is easy, when you are out and enjoying yourself, to take out your phone, set it down, and forget about it for a few minutes. A phone lanyard case is a very simple way of ensuring you do not lose your phone.
Use a privacy guard in public settings.
When you are using a work laptop in a public place, consider using a privacy guard. They make your laptop look cool as they display a gold screen to anybody not directly in front of the screen. The security benefit is precisely that nobody can see what you are working on from a distance or an angle.
Phase out old devices safely and securely.
Think about how you dispose of your old devices. Most work devices are returned to the IT department where they are reconfigured and either disposed of or re-purposed. Your home device might just languish in a drawer gathering dust until you throw it out. In all cases, you should always sanitize the device so that no data remains on it or can be recovered.
To summarize, taking some simple but effective steps for physical device security is the first line of defense for both your personal and work data.
If, after taking these precautions, you lose your device, make sure you know how to wipe it. The major manufacturers have a “lost mode” which allows you to log on to your account and block or, in extremis, wipe the data from your device. You should then reset all your passwords. We will talk more about that in our next blog. If you have your corporate device stolen, contact your Security Department as soon as possible; they will tell you precisely what you need to do.