Confidentiality
One of the most common questions we get is “so, what even IS cybersecurity anyway?”. This is often paired with comments about how overwhelming it all is and an understanding that while cybersecurity is important, it’s so laden with jargon and industry-speak that a typical small business owner has no idea where to start or who to trust. This blog post is intended to take some of the opacity out of cybersecurity and give you a more solid footing to start from.
Before getting into the “cyber” aspects of cybersecurity, let’s focus for a minute on the “security” part of the word. In the most basic of senses, not much has changed in security over the last couple millennia. Yes, that’s right, millennia. If you have something that someone else wants, you must find a way to protect it. For the sake of this article – and in keeping with the theme from our name – we’ll use a medieval metaphor here.
For the sake of this blog post, let’s assume that most of the value that kingdoms held was in the form of gold. For the most part, it was protected by locking it away in vaults inside of castles. Layers of defense were added – for example: hiding the vault deep inside the castle, fortifying the walls, adding soldiers, using traps, and ringing the castle with a moat. Of course, no castles were completely impenetrable, so the gold also needed to be distributed across multiple locations to minimize risk. And the gold did the queen no good unless she could spend it, so it still needed to be accessible enough that it could be used.
Now, you may be asking what this has to do with cybersecurity – after all, it’s unlikely your datacenter has a moat! To get into that, we’ll first introduce a couple of cybersecurity topics. The first is the CIA triad. CIA stands for Confidentiality, Integrity, and Availability. The second topic is defense-in-depth, meaning taking a layered approach to security to protect your assets. We’ll get into each of these topics below as we discuss how to protect your company’s gold.
First, think about what you would consider to be your “gold”. Perhaps it’s quite literal and the thing you need to protect most is your financial capital. Or perhaps you are collecting a lot of data about your users or patients and your “gold” is your data. Maybe you’re a research organization and your most valuable asset is your intellectual property. Or you’re a services organization and need to protect your reputation above all else. Most likely, it’s some combination of these things. The important point here is that you need to understand what you are protecting to devise a strategy for how you will protect it. For the sake of this article, we’ll just call all of your protected assets “gold”.
Confidentiality describes the actions you need to take to make sure that only authorized users can access your gold.
Integrity ensures that your gold isn’t modified in any way.
Availability is the mechanism(s) by which you ensure that you can get to your gold when you need it.
Let’s look at some specific examples.
In the medieval example, gold would have been stored in a guarded vault, which would have limited access to only those people authorized to access it. A royal treasurer would have kept ledgers tracking the quantity of gold held, who owned it, etc. That likely would have been kept securely in a separate location so that it was more easily accessed but would still have required a level of security necessary to protect the information contained in it – think encoding the list of assets in a way that only select people would have understood.
Today, we use similar approaches to protect our data. We store the data in digital vaults and databases, encrypt it, and enforce passwords and multi-factor authentication (MFA) to access it. Access to data is typically limited to a select few individuals / teams at your organization using the “Principle of Least Privilege”, meaning only granting a user access to the data they absolutely require for their job and nothing else. The data itself should be encrypted “at rest and in transit”. Essentially, this boils down to making sure the data is encrypted where it is stored – in the data vault – and while it is traveling across the internet to the person accessing it. You have probably seen the “Not Secure” label in your browser bar if you visit a site like http://httpforever.com using an unencrypted connection. To further protect the confidentiality of your data, use a Virtual Private Network (VPN) connection to create a private tunnel for your data to travel through. This is especially important when using public Wi-Fi connections, such as at a coffee shop or the airport.
Integrity
Once upon a time, the integrity of gold coins was established by weight, purity, and imprint. This meant a clever thief could shave bits off coins to make them slightly smaller, thus devaluing the currency little by little while enriching themselves. Or they could melt the coins, siphon off some of the gold, and remake the coins with a less pure alloy that was the same size and shape, but lighter-weight due to the lower density. This might mean that the stamp (heads and tails) was no longer accurate. An even more clever thief with a great deal of access might be able to adjust the ledger entries and sneak off with gold from the vault in a way that might go unnoticed. These issues would have been addressed by maintaining duplicate ledgers, weighing coins, assessing purity, and evaluating the stamp on them to ensure only the most accurate coins were in circulation.
Today, we worry about similar issues in protecting the integrity of our data, and we use similar methods to ensure it. We use audit logs to track who changed data, when it was changed, and what it was changed to and from. This is essentially the modern ledger system. More sophisticated approaches include cryptographic hashing. In this approach, we use a standard function to convert a file or piece of data to a “hashed value” or “checksum”. This is a one-way process that always creates the same result from a given input, which means both the sender and the recipient can execute the same function on the same data and compare the hashes to make sure the original and received versions of the data are the same.
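The two integrity checks described above, as an added example that is not part of the original post: a SHA-256 checksum (same input, same digest) and an audit ledger that chains each entry to the previous hash, which goes a step beyond the text by making the ledger itself tamper-evident. The ledger entries, field names and the GENESIS value are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit-log entries (not real data): who changed what, and when.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "user": "treasurer", "field": "gold_bars", "old": 100, "new": 98},
    {"ts": "2024-03-01T09:05:00Z", "user": "clerk", "field": "gold_bars", "old": 98, "new": 97},
    {"ts": "2024-03-02T10:00:00Z", "user": "treasurer", "field": "gold_bars", "old": 97, "new": 120},
]
GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def checksum(data: bytes) -> str:
    """One-way SHA-256 digest: identical input always yields the identical hex string."""
    return hashlib.sha256(data).hexdigest()

def build_ledger(events):
    """Chain entries: each hash covers the previous hash plus the entry itself,
    so silently editing an old entry breaks every hash after it."""
    ledger, prev = [], GENESIS
    for ev in events:
        body = json.dumps(ev, sort_keys=True).encode()  # canonical bytes for hashing
        h = checksum(prev.encode() + body)
        ledger.append({"entry": ev, "prev_hash": prev, "hash": h})
        prev = h
    return ledger

def verify_ledger(ledger):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = json.dumps(rec["entry"], sort_keys=True).encode()
        expected = checksum(prev.encode() + body)
        # compare_digest compares in constant time, avoiding timing leaks
        if rec["prev_hash"] != prev or not hmac.compare_digest(expected, rec["hash"]):
            return i
        prev = rec["hash"]
    return -1

def tamper(ledger, index, new_value):
    """Simulate an insider editing a recorded value without redoing the hashes."""
    forged = copy.deepcopy(ledger)
    forged[index]["entry"]["new"] = new_value
    return forged

if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_EVENTS)
    print("intact ledger, first bad index:", verify_ledger(ledger))  # -1
    print("forged ledger, first bad index:", verify_ledger(tamper(ledger, 1, 98)))  # 1
```

In practice the chain head (the last hash) is what you copy to a second location, the modern equivalent of the duplicate ledger: anyone holding it can detect edits to the whole log.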
Availability
A castle didn’t necessarily need to be completely overrun to make the valuables it protected unavailable. Just by besieging a castle, an enemy could block access to the gold and resources contained within. And even if someone could gain access to the valuables, they couldn’t use them for anything if they had no way of getting them out of the castle. This highlights the problem of availability – it doesn’t matter how valuable your assets are if you can’t use them for anything.
Availability in the digital era is typically attacked through Denial of Service (DoS) and ransomware. In a DoS attack, an attacker tries to overwhelm your service with so many requests or so much activity that your servers just can’t keep up. This forces your system offline and means your data are no longer available. With a ransomware attack, the attacker gains access to your data and encrypts it using a key that only they have. This means your users get back gibberish when they try to access the data. We also face challenges unique to the modern era: power and connectivity outages. You have a couple of simple means of defense against these types of attacks. First, you’ll want to distribute your data or service across multiple datacenters, ensuring that even if one datacenter is attacked or taken offline, you have redundancy that allows access. Second, you’ll want to back up your data and distribute your backups across multiple locations. We had a customer hit with a data attack recently, but because their data backups were stored in their primary datacenter, they lost access to both their data and their backups at the same time.
Defense in Depth
As you’ve seen, there are many ways to protect your gold. By themselves, none of the approaches is infallible. However, by layering defenses on top of each other, you can gain a more secure environment. Historically, we built castles on hills, surrounded them with moats, distributed gold across multiple castles, made sure there was a secure vault that was guarded, that trusted representatives maintained a ledger of assets, etc. Today, we take a similar approach with our data by fortifying our defenses, encrypting our data, backing it up, distributing it across multiple data centers, training our staff, and more. This approach is also sometimes called the Swiss Cheese defense – if you look at a slice of Swiss cheese, you’ll see a lot of holes, but when you stack those slices on top of each other, there won’t be any holes to get through.
Your People are Your First (and Best) Line of Defense
One thing you’ll note in the examples above is how important people are. In medieval times, these people included the guards outside of your vault, the knights and soldiers manning the walls, and the treasurers maintaining records of what was stored. Bribery, extortion, and espionage were all effective means of breaching this line of defense. If you were able to get the right person to change their allegiance, you could wreak all sorts of havoc. But even a relatively low-ranking guard could have completely subverted your defensive efforts if they simply “forgot” to lock a side gate at a designated time or accidentally shared too much information at the local pub after work. Thus, it was imperative to pay and treat your people well to ensure their ongoing loyalty. It’s also no surprise that many royal kingdoms incorporated an element of divine right into their mandates – if you betrayed your queen, you weren’t just a traitor, you were a heathen and subject to both secular and religious peril.
Today’s threats are no less dire and can come from seemingly innocuous sources. Accidentally clicking on the wrong link in an email, oversharing at happy hour, or kindly holding the door open for that flustered person behind you at the office could land your company in a dangerous situation. And that’s before we get to insider threats from disgruntled or malicious employees. Again, fortunately, we have preventative techniques and remedies, even if we lack the divinity of the medieval era. Step one is to educate our users through regular training and simulated phishing emails. Step two is to put some guardrails in place. To protect your network and devices, you’ll want some sort of Endpoint Detection and Response (EDR) or Managed Detection and Response (MDR) tool, which combines the anti-virus approaches of the late 20th century with more modern technologies to provide comprehensive protection on your corporate devices. To protect against data theft, you’ll need some sort of Data Loss Prevention (DLP) tool, which will alert you if suspicious file transfers or data access occur. Adding email security tools that validate links, flag suspicious emails, and give staff a simple and effective way to report them is also critical.
The Importance of Planning for Cybersecurity
Without proper planning, a castle would have been completely indefensible. This involved a comprehensive, thoughtful approach that included landscaping, architectural blueprints, encoded ledgers, and counter-espionage techniques. And that planning wasn’t just a “one and done” approach – it involved regular reviews of the systems in place, evaluating the political landscape, testing the system, and learning from failures both in tests and in watching what happened to others. This rigorous approach meant that things were continually evolving and additional layers were added.
“If you fail to plan, you are planning to fail.”
Benjamin Franklin
If you take nothing else away from this article, we hope that you’ll recognize that while bolting on various pieces of the alphabet soup of cybersecurity acronyms will certainly improve your security posture, you’ll probably want to take a more comprehensive approach. This means sitting down and planning out your cybersecurity journey. It begins with establishing policies that represent your plan to protect your business. These policies can then provide you with a roadmap for becoming more secure. However, the policies are meaningless if they are not rigorously followed and regularly reviewed and updated.
This is where Blacksmith can help. Our all-in-one security platform will help you craft customized security policies. From these, we automatically generate a prioritized security roadmap for you to follow as you make your business more secure. We help you track risks and the systems you use for your business, ensuring you’re staying on top of those regular reviews. And we provide end user training to ensure your staff are kept abreast of the latest in defensive techniques they can use to protect both your business and their family. We stay on top of the threat landscape and regularly update our policy templates – and notify you of those changes – so you can continue to keep your security plans up to date with far less hassle and research.