You are the Internet.
It’s easy to get lost in the jargon, or the acronyms, or the fast-paced upgrades, but it doesn’t make it any less true. The Internet isn’t just a bunch of servers sitting in a dusty warehouse somewhere, or the flickering bars on the corner of your phone (which hopefully don’t flicker too much), or the persistent bill that your provider asks if you want to make paperless every month. Life has migrated online. It’s where we get our news. It’s where we go to be entertained. It’s where we meet each other and fall in love. Maybe the Internet used to be a luxury, but now it is a fully-ingrained way of life. It’s an ever-growing, ever-changing, vast frontier of human potential.
And frontiers always have outlaws.
Just like in real life, you have to protect yourself online. Take your cyber vitamins. Do your cyber exercising. Make sure to wear your cyber seat-belt on slippery Internet superhighways. There are bad entities out there that want your information. Maybe they want to steal, maybe they want surveillance, or maybe they want to burn your whole website to the ground. Whether it be intellectual property, bank accounts, or sensitive conversations, there are always things that adversaries can benefit from: for personal gain on their end, or personal loss on yours. You need to take the proper precautions to protect yourself from an attack.
Thankfully there are several ways to do that.
Here are five that we at CyberDefenses highly recommend.
1. ESTABLISH A SECURITY MINDSET
You might have the best immune system in the world, but it’s still not smart to go around licking the subway steps. It’s a mindset thing, more than a software thing. Know where you’re making yourself vulnerable. Having all the latest tools in place is great, but you need to be constantly vigilant towards your points of attack. If you’re a company with fifty or more employees, get yourself a CISO (Chief Information Security Officer) or outsource one via an hourly service arrangement called a Fractional CISO. A good CISO will be able to speak clearly to both tech-savvy early adopters and laymen. If you’re a small organization, make sure you have a dedicated employee that will take up the cybersecurity mantle and guide dialogues. The most important thing is to make sure security is at the forefront of the company’s mind.
2. CRAFT A DETAILED INCIDENT RESPONSE PLAN
In the unlucky occurrence that you break a bone, you probably want to have a detailed plan in place. Know where your health insurance card is. See a doctor. Get the bone set. Rest. Multiple check-ups. This is a much healthier approach than shrugging it off and trying to walk around with excruciating pain, while things only get worse. It’s the same with your cyber health. If you have to be reactive rather than proactive, then you need to have an Incident Response plan. Being reactive can be quite costly in general. It can be even more costly if you don’t have a strategy in place for both recovery and further defense. This needs to be a living document that’s constantly tweaked (preferably by a CISO). You need to find out how and where you were left vulnerable. You need to know how you will protect yourself in the future, and what specific actions to take.
3. DEFENSE IN DEPTH
Visualize a house. Will a single picket fence around the exterior protect it against an invasion? Perhaps, if it’s being intruded upon by the burglars from Home Alone, but odds are, the adversaries won’t be incompetent oafs mostly experienced at pratfalls and comedic timing. Now picture a fortress. What sort of precautionary measures might they have in place? Multiple walls. Checkpoints. Sentries. Sensors at every door. This is serious business in the world of fortresses. The National Security Agency initially developed the ‘Defense In-Depth’ approach to defend against attacks by using multiple independent methodologies. Fortunately, this approach works for cybersecurity as well. Here are a few specific, independent measures you might put in place to protect yourself. They might not prevent an attack, but they can buy you serious time to get your ducks in a row.
- Antivirus software
- SSID/Infrastructure Diversification
- Multi-factor authentication and password security
- Intrusion detection systems (IDS)
4. FOCUSED GATEWAYS
Ancient generals and legendary warriors of all ages knew that funneling techniques could in themselves be an enemy. It’s the same reason high ground was always in demand: strategic location that offered skewed odds. In desperate situations, even wagons were thrown in the way of invaders to help control flow. Control the landscape and control the battle. When it comes to defending, funneling the enemy into narrow, practically inescapable corridors can even the odds between giant armies and tiny little ragtag squads (ever see that movie, ‘300’?). The same can be said for your cyber landscapes. Whether you’re a small home network, a giant campus network, or even a regional ISP network provider, things can be done to strengthen your defenses. Micro-segmentation is the first and foremost tactic that one can put in place for funneling. Instead of having a completely flat network where every segment can see (and possibly access) every other segment, you can have routers and firewalls put in place on certain fragments of your network to make unlimited funnels. You can monitor what devices actually have Internet capabilities. You’d be surprised what sort of things can serve as secret gateways in and out (who knew that toasters could be nefarious?). You can also use multi-factor identification for access through the funnel, like passwords, random number generator encryptions, and fingerprinting.
5. THE YIN/YANG SECURITY BALANCE
Think about going on a road trip. If you put too many bags in the car, not only will you not be able to see the road behind you, but there won’t be any way for your passengers to get in. With security, you don’t want to forget your bags, but you also don’t want to take only luggage and forget your people. You have to make sure you find your security balance. Too much and you won’t be able to get any work done. Too little and someone else might steal your identity and stay those three nights in the cabin for you. Consult your CISO to find the right level for your organization.
When it comes to health, both in life and in cyber life, there’s no miracle pill. All you can do is stay vigilant and make good decisions. Be bold and get your company out there, but try to be proactive in regards to potential problems instead of having to be reactive. The most important thing to remember is that nothing is one-and-done. There’s no single Vitamin C pill that lasts a lifetime. There’s no firewall or proxy server that never needs reevaluating.
Contact CyberDefenses to speak with us about defending your organization against cyber threats.