Defensible Space For Your Network
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
My sister lives in California and has some issues with asthma. Consequently, even though she is not that close to where most wildfires break out, she is still affected by the ash in the air. She is in a more urban area and so far, the current set of fires haven’t been a direct threat. For the people in the fire zones, however, it is a much different story. The fires result in substantial damage to property and in some cases deaths of residents as well as firefighters. Entire towns have been destroyed.
To help reduce the effects of these wildfires, California passed a law in 2005 requiring a 100-foot ‘defensible space’ around dwellings. The picture shows the result of someone who took that requirement to heart. Note the ashes surrounding an intact home. If the fire had jumped the gap, there was good space available for firefighters to work.
What about your business and home networks? Do you have a ‘defensible space’? In California the law broke the defensible space into two zones: 30 feet from all structures, and the next 70 feet (or to the property line if that was closer). The configurations of those two spaces are different.
When it comes to security on a network you have at least two zones, public and private. If you do any kind of development, you would have a third zone for test and development. When it comes to fires, the goal is to prevent the fire from destroying the home, and making it hard for the fire to reach the structures is what drives the design. In your network, preventing the exposure of your company data is the goal. You don’t want the bad guys to get into your network, exfiltrate and encrypt your data, and then hit you with a double ransom: one to get your data decrypted and another later to prevent the public release of the same data. On the other hand, we live on the internet now. Most businesses conduct all sorts of transactions via the net. Employees do research using the net. Email is the lifeblood of businesses. As important as all that is, it needs to be kept separate from the core of the network that runs the business. How do you do that?
Zero Trust
The first step is to recognize that you need to keep these two zones separate. “Zero trust” is getting more press these days, especially in light of the increase in successful supply chain attacks. Zero trust essentially means treating everyone and every process as untrusted unless they can prove otherwise. The technology is not fully there yet, but unless someone comes up with a better plan, it should be possible to get there eventually. In the meantime, do you know what is private and what is public on your network? That may sound like a simple question to answer, but it needs to be asked. Then you need to work out how to keep the two separate without preventing normal day-to-day operations.
Employees Need to Be Educated
There are the usual suspects: firewalls, anti-virus, spam filters, endpoint protection, and other things. Don’t forget the people. You have more exposure via employees than via any other vector. There are articles arguing that we shouldn’t expect employees to be secure; we should employ software to keep them secure. That is a nice sentiment, but there are a couple of problems with it. First, bad guys are always one step ahead of defenders, so protection by software will always be a catch-up game. Second, security never comes without some loss of convenience (or perceived loss). While a spam filter may not inhibit an employee’s ability to send and receive business-related emails, it may filter out non-business emails the employee wants to get or send. One thing is clear from the studies that have been done: if employees perceive that something is inconvenient, they will find a way to bypass it.
Employee training on security awareness needs to include more than how to spot a phishing email. Do your employees know what your policies are on internet use? (You do have policies, don’t you?) Do they understand that what they do may affect whether they have a job next week? Not because they will get fired if they make a mistake (BAD POLICY), but because if they aren’t careful, they could put the company out of business. Statistically speaking, about 50-60% of businesses that suffer a successful cyber attack go out of business in the next year. Does training encourage people to speak up when they get questionable phishing emails? Do you have procedures in place that will prevent an email from the ‘CEO’ from triggering a purchase of $2,000 worth of gift cards? Can an email from the ‘CFO’ initiate a wire transfer without further crosschecks?
Always Be Ready to ‘Go’
In California, even with defensible space guidelines followed, a fire could still jump the fire break and ignite the structures. Californians are urged to have a ‘go bag’. This has things like food, water, clothes, even a tent, and sleeping bags ready to take along if there is a need to evacuate in case of fire or earthquake. What would be the equivalent for a network? Backups come to mind. Backups are great when they work. Bad guys know this, so when they get in, the first thing they go after is your ability to restore from backup. Sadly, some have found that even when backups are not compromised, they don’t work. The food in your go bag should be rotated out periodically so it is not spoiled; likewise, backups should be tested regularly to make sure they work. They should be stored off-site. You should have a DR plan that includes which computers need to be restored and in what order. The plan should include who is responsible for declaring a disaster, who does what, and when. The plan should also be tested to the extent possible to find out if it is workable.
Having a defensible zone is a necessity. When it works it can prevent disaster. Unfortunately, defenders can be overrun. Make sure your go bag is packed and ready. Give Ashton a call if you need help getting that bag together. 216 397-4080