Security Is Like An Onion

Security Program
by John Svazic on 08 Sep 2020


One of the things that drives me absolutely crazy is when a security vendor advertises its product as an “all in one” solution that will meet all your needs. I’m sorry, but there is no such thing. There are some excellent solutions out there, and they solve some very specific problems, but none of them is “all” that you need.

Security Is Like An Onion (Or A Cabbage)

It’s common for security folks to describe security as an onion, or as a medieval castle with moats, gates, drawbridges, etc. When it comes to the onion (or cabbage) analogy, we talk about layers of security. That is, in order to protect our most sensitive information, we put layers of security around it.

Each layer has a certain level of protection that it offers. Right now you have multiple layers within your own organization. You have usernames and passwords, roles, and staff who have access. Maybe you include MFA in the mix. You have firewalls, routers, and switches for your networks. At home, your staff have modems, WiFi access points, and routers. VPNs and anti-virus software abound! Maybe you’re a progressive organization and you include some EDR software on your endpoints as well! Log centralization, use of IDS/IPS, hiring an MSSP to monitor your logs/network, and so much more!

Each level of security has its own purpose and driver, but they build on each other. There is no single solution that will solve everything, but there is a solution for each level. The trick is to identify what is necessary versus what is nice-to-have.

The “Cream Egg” Principle

I have a saying that I’ve been known to share with clients. I call it the “Cadbury Cream Egg Security Model”. A Cadbury cream egg is a hollow chocolate egg filled with white and yellow fondant, sold as an Easter-time treat. The confection is a nice, sweet treat which tempts me every season, but it also serves as a great analogy. You see, the hardness is on the outside - once you break past that hard chocolate shell, you reach that wonderful gooey middle. Most corporate networks are set up in the same way - a hard outer shell (the firewall) and a nice gooey center (a flat network where everyone has administrative access to their machines).

Many organizations focus on securing the perimeter. They take great care to ensure that their users are on a secure network and that nothing from the outside can make its way in. Inbound data flow (known as ingress in network speak) is limited, normally to things like HTTP, HTTPS, and DNS so that people can access and use the internet. Some websites may be blocked as well. However, when it comes to outbound connections, everything is fair game. Likewise, within the network itself, once you get inside there is generally nothing stopping you from reaching another computer, since everyone is on a “trusted” network. Power users demand full access to their machines, so IT groups grant them local administrator access so they can install apps and the like.

This creates the hard outer shell (firewall, IDS/IPS, etc.) and the gooey center (local admins, flat network, etc.). This is not ideal, and attackers have been taking advantage of it for years. Think of the harm ransomware has caused in the last few years. The entry point is often a user who opens an email attachment. We can’t ban email, people need it to do their work, but it’s a vector that bypasses those hardening controls on the perimeter.

Must-Have Layers Of Security

There are a number of controls that I consider to be “must have” for any organization, especially in these times when users are working from home and corporate networks are more-or-less empty. Thankfully this isn’t a huge list, but hopefully it will help get your own organization in order:

Anti-virus software

Any corporate asset, or really any type of computer that is going to connect to your organization, needs to have a modern, up-to-date anti-virus solution. Yes, there are plenty of viruses and other malware that are not always caught right away, but there are plenty more variants that are caught. There is no reason not to run some form of anti-virus software on your endpoints. It’s a type of insurance policy that pays for itself the first time it catches some malware before it hits your system.

Patch Management for Endpoints

Patch, patch, and patch some more! Yes, I can hear the groans of system administrators everywhere speaking of the pains of patch management, the broken Windows patches that cause outages for weeks on end, etc. It’s also 2020, and while Microsoft has been known to still have the odd bad patch, it is still a far cry from what we saw in the late 90s and early 2000s. It is my opinion that the risk of an attack far outweighs the risk of a bad patch. Don’t believe me? Consider the WannaCry ransomware outbreak of 2017, which was based on the vulnerability disclosed in CVE-2017-0144. Microsoft released a patch for this vulnerability in March of 2017, and by May 2017, we had a destructive piece of malware that caused $4 billion in losses around the world.

If you’re still not convinced, then I’d recommend setting up a patch process where patches are first evaluated before being pushed out. The risks are quite real, and attackers definitely keep an eye out for patches when they are released so they can reverse engineer them in order to take advantage of unpatched systems.

Host-Based Firewalls

This is something that I personally advocate for whenever possible, but perhaps even more so now that we have corporate assets in home networks. Setting up a host-based firewall, that is, a firewall that runs on the endpoint device itself, is strongly recommended. There is little-to-no reason for computers to communicate directly with each other on a network, since most sharing is now done through an online service like Dropbox, Google Drive, or Microsoft OneDrive. Blocking communications between computers helps reduce the risk of one compromised machine on the network (corporate or home) affecting another machine on the same network.
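The following is an added example, not from the original post, of what the host-based firewall recommendation above looks like on a Windows endpoint using the built-in Windows Defender Firewall cmdlets. It assumes an elevated PowerShell session; the rule display name is my own label, and the cmdlet parameters shown are standard ones.

```powershell
# Added example (not from the original post): lock down a Windows endpoint so
# other machines on the same LAN (corporate or home) cannot reach it, while
# normal outbound traffic to the internet and SaaS file-sharing still works.
# Requires an elevated (Administrator) PowerShell session.

# The "gooey center" usually comes from rules like this one, which opens SMB
# file sharing to every other host on the local subnet (shown for contrast,
# do NOT run it):
# New-NetFirewallRule -DisplayName "Allow SMB from LAN" -Direction Inbound `
#     -Protocol TCP -LocalPort 445 -RemoteAddress LocalSubnet -Action Allow

# 1. Default-deny inbound on every profile; keep outbound allowed so users
#    can still reach services such as Dropbox, Google Drive or OneDrive.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Disable any existing inbound allow rules for the built-in peer-to-peer
#    services (file/printer sharing, Remote Desktop) that let one machine
#    reach another on a flat network.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -match 'File and Printer Sharing|Remote Desktop' } |
    Disable-NetFirewallRule

# 3. Add an explicit block for anything arriving from the local subnet.
#    Block rules take precedence over allow rules in Windows Firewall, so a
#    later "helpful" allow rule cannot silently reopen the host to its
#    neighbours. If management servers on the Domain profile share the
#    subnet, narrow -RemoteAddress to the address ranges you want blocked
#    instead of using the LocalSubnet keyword.
New-NetFirewallRule -DisplayName "Block inbound from local subnet" `
    -Direction Inbound -RemoteAddress LocalSubnet -Action Block `
    -Profile Domain,Private,Public

# 4. Verify: every profile should report Enabled=True and
#    DefaultInboundAction=Block; DefaultOutboundAction stays Allow.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Push the same settings through Group Policy or your endpoint management tool rather than by hand, so a local administrator cannot quietly undo them on their own machine.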

Multi-Factor Authentication

Passwords are good, but adding an extra authentication factor is even better. This is especially true for critical systems like email. Business Email Compromise (BEC) is a big problem, so adding an extra layer of security certainly helps. I would follow up on this and try to mandate MFA on any system that supports it. There may be a small cost in terms of training, but the protection you get from it is very much worth it.

Use A Password Manager

Passwords are hard, and the temptation to re-use passwords is even greater. While I do recommend using multi-factor authentication whenever possible, the truth of the matter is that not every system supports it. As such, the next best thing is to ensure users do not re-use passwords. Using a password manager such as LastPass, 1Password, or Bitwarden is definitely something I would consider a must-have for any organization, regardless of size.

Wrap It Up

Ensuring your organization is protected isn’t difficult, but it does take some work and planning to get done right. As much as we all wish there was a single solution to solve all our problems, the sad reality is that there is no single solution. Working with a trained security professional can help you find the necessary controls for your own business that will meet your unique needs without wasting time, effort, or money.

– John


At EliteSec, we would be more than happy to discuss this topic further and help you build out your own security controls for your organization. Contact us today and we’ll be happy to chat with you!
