Have you ever felt completely overwhelmed in a cybersecurity discussion? You’re not alone. Many executives understand how critically important proper cybersecurity defenses are for their organization, but they dread the planning conversations because it all seems so complicated and ever-changing. But what if we told you it’s actually simpler than most make it out to be? While the technical details of an effective cybersecurity strategy are unquestionably complicated, creating a high-level plan is quite logical. To understand the logic, though, we need to go back to medieval times.
The Medieval Castle
Beginning in the 11th century, rulers, lords, and noblemen of Europe constructed extraordinary castles to demonstrate their wealth, power, and strength. As these rulers sought to protect their property and conquer new land, castles quickly evolved into giant fortresses with thick stone walls and towering keeps. Castle defenses were far more strategic than you might think, though. Every aspect of their design was in anticipation of an attack from any angle by large armies, catapults, battering rams, and more.
These sophisticated castles were one of history’s first examples of a multi-layer defense strategy. Mid-century architects and military experts knew that an attack would inevitably break through one defense. And so, through a mental game of chess, castles were designed with moats, outer walls, inner walls, barbicans, fortified gatehouses, and keeps. If you tour one of these castles today, you can almost hear the thoughts of the architect as they designed the defenses. As they anticipated the specific events that would lead to one defense failing, they added another defense to slow down or stop the attack.
The genius of these medieval castles wasn’t the thick stone walls or moats, it was the designer’s foresight and ability to play these mental war games. It was their ability to think logically about an attack, predict outcomes, and understand consequences.
Modern Cybersecurity
Surely, today’s cybersecurity is completely different from medieval castles, right? From a technical implementation standpoint, yes, of course, it’s different. But the planning and design require the exact same approach. You must think about what you’re trying to protect, consider the various methods by which a bad actor might try to infiltrate the organization, construct a defense, anticipate the consequences of that defense being broken, and then construct another defense behind it. Does that still sound too complicated? Let’s break it down with some examples.
Email Threat Protection
It’s common knowledge that email is the #1 source of cyber-attacks today. Therefore, it seems obvious that implementing some sort of security on your email to stop phishing attacks, spoofing, malicious links, and malware is a good starting point for any defense strategy. Business executives don’t necessarily need to know how to implement such a solution. They just need to know that this layer of defense is mandatory.
Of course, no single solution or defense layer is going to be 100% effective. Something will inevitably slip through the cracks. So, in this mental game of cybersecurity chess, what if an email with a link to a phishing website makes it through to an end-user?
Cybersecurity Awareness Training
If an end-user receives an email with a malicious link to a phishing website, how do we stop them from clicking the link? Once again, it seems logical that we should train users how to identify suspicious emails. If users know how these types of attacks work, what motivates bad actors, and how to approach unsolicited emails with caution, then we can easily stop an attack from succeeding.
Users aren’t vigilant 100% of the time, though. So, what happens if the user clicks the link?
Internet Security (aka “DNS Security”)
The next step in this hypothetical game of cybersecurity chess is to stop users from being able to reach those known-malicious websites. If the email security platform fails to stop the email and the user fails to identify the email as suspicious, then a defense layer on the internet request itself will stop the user from reaching the bad website. While bad actors are always creating new websites to evade detection, you’d be surprised at how many modern cyber-attacks use known-malicious websites and other tactics that are well understood by the cybersecurity community. If the website has already been identified as malicious, then an internet security/DNS security solution will prevent the user from reaching the bad website.
What if the website isn’t already known to be malicious, though? What happens if a user clicks the link and lands on the bad website?
Multi-Factor Authentication (“MFA”)
Typically, when a user lands on a malicious website, the bad actor is trying to “phish” for the user’s email credentials. The user will be presented with a login prompt in order to proceed to the next step. Hopefully, if the user has been participating in cybersecurity awareness training, they will know not to enter their credentials on this website. But what if they do? We need to make sure that when the bad actor gets the user’s credentials that they’re not enough to gain access to the account.
To accomplish this, we must enforce MFA. This means that, in order to access the user’s email account, it requires a username, password, and a temporary code from the user’s phone. Even if the bad actor successfully collects the user’s password, they won’t have physical possession of the user’s phone and therefore won’t be able to get the temporary code.
MFA isn’t perfect, though. Some clever bad actors have a way of phishing that from the end-user as well. So, what happens if the attacker gets the user’s MFA?
Conditional Access
For our next move in this cybersecurity chess game, we need to stop a bad actor from logging in even if they have a user’s password and MFA method. On the surface, this seems like a challenging move to defend against. After all, how can we possibly know if it’s the actual user or a bad actor logging in since the credentials are the same? Well…what about their device? We know the end-user is going to be logging in from a company laptop or their smartphone.
So, we implement a security measure called “Conditional Access” that essentially prohibits login to accounts from anything other than a trusted device or location. Even if the bad actor successfully authenticates the user account with their password and MFA code, the bad actor’s device won’t be in the trusted list, and they will immediately be rejected.
What if the bad actor is also able to compromise the user’s computer and use that to log in? Well, you get the idea. We keep working down this path, adding defense layers each step of the way.
Summary
This little exercise is just one method of cyber-attack, but it demonstrates the logical thought process of designing an effective defense strategy. As you anticipate one layer of defense failing, you add another layer and repeat the process until you have mitigated the risk as much as is reasonably and financially possible. No organization can ever expect to completely eliminate its risk of cyber-attack. However, this method for evaluating risk, anticipating attack vectors, and designing a multi-layered defense strategy is a tried-and-true process followed by top security agencies and organizations all around the world.
Now that you understand what goes into designing an effective cybersecurity defense strategy, it might now be apparent that there isn’t a “turn-key” solution to this problem. Every organization must evaluate its risks based on what it is trying to protect, understand the modern threats it is vulnerable to, and create its own defense strategy accordingly. It may also be obvious now that simply implementing endpoint security (“EDR”) or a few other basic tools simply isn’t enough to defend against today’s attacks. This is where a mature managed security services provider (“MSSP”), such as Digital Boardwalk, can help. With your new understanding of this cybersecurity process and an MSSP’s knowledge of security technologies, the two organizations can work in partnership to create a comprehensive and effective security solution strategically designed to meet the organization’s defense objectives, compliance requirements, and budget.
