“What a cliché!”, you say. Well, it became a cliché for a reason. People keep saying that because it does describe many situations. It’s a useful way of thinking about the world.
In cyber security, we have a crucial security chain with links forged from technical systems — firewalls, intrusion detection systems, complex access control rules on file servers, Kerberos, and many more. But all of the people in your organization form another crucial security chain.
Every employee, from CEO to entry-level, plays an essential role in protecting your organization’s data and systems.
Information security can get pretty abstract. Cryptography — cipher algorithms for encryption, hash functions for integrity and authentication — all of that is an advanced area of mathematics. Risk analysis gets into game theory, something that may sound fun but gets into very serious logical and statistical analysis. Whew, this is getting academic…
It is easier to get our heads around a physical analogy!
Imagine that your sensitive data is all printed on paper and stored at the center of a large building. We use traditional brass keys to lock and unlock doors. The executives park in reserved spaces and enter through the formal lobby. Most of the engineers come in through the side doors so they can stop by the break room and get coffee. The workers who unload and load supplies and products come in through the shipping doors in the back of the building.
Yes, the executives control the company and we think of the valuable data as their responsibility. But you don’t have to march in through the fancy lobby to get into the building and access the data. Any door will get the intruder into the building. Slip in through the loading dock, walk through the building, and now you can read (or modify, or remove) the sensitive papers.
In cyber security we talk about horizontal movement (more commonly called lateral movement): breaking into a weak platform as a first step and then moving from there to access sensitive data on nearby systems.
Internal systems will generally be more trusting of each other. In the physical world you might say “Oh, that person just walked out of the storage room, they must work in this building.”
In cyberspace, it’s “Oh, that connection is from another host on our internal trusted network, it must be legitimate.”
Any form of access can be a risk, so every one of them must be protected. You will often hear people say something about “reducing the attack surface.” That is what they are referring to: fewer avenues of access, and each remaining one protected.
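The “it’s from our internal network, it must be legitimate” rule can be written down and compared with a segmented rule that only trusts named sources for each service. The following is an added example, not code from the original post or from Learning Tree: the addresses, service names and the “loading-dock printer” scenario are all constructed for illustration. It scores each source host by how many internal services it can reach, which is one concrete way to measure the attack surface the paragraph above talks about.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample network (hypothetical addresses, not from the original post).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Connection:
    src: str      # source host address
    dst: str      # destination host address
    service: str  # requested service name


def flat_trust_policy(conn: Connection) -> bool:
    """The 'it came from our internal network, so it must be fine' rule:
    any source inside the internal range may reach any internal service."""
    return ipaddress.ip_address(conn.src) in INTERNAL_NET


# Segmented policy: each (destination, service) pair lists the only sources
# allowed to reach it. Anything not listed is denied, internal or not.
SEGMENTED_ALLOW = {
    ("10.0.1.10", "smb"): {"10.0.2.0/24"},  # file server: workstation subnet only
    ("10.0.1.20", "ssh"): {"10.0.3.5"},      # jump host: the admin bastion only
    # ("10.0.1.30", "http") is deliberately absent: nothing may reach it yet.
}


def segmented_policy(conn: Connection) -> bool:
    """Allow only if the source falls inside one of the ranges listed for
    this exact destination and service (a single address counts as a /32)."""
    allowed = SEGMENTED_ALLOW.get((conn.dst, conn.service), set())
    src = ipaddress.ip_address(conn.src)
    return any(src in ipaddress.ip_network(net, strict=False) for net in allowed)


POLICIES = {"flat": flat_trust_policy, "segmented": segmented_policy}

# Constructed inventory of internal services (destination address, service).
INVENTORY = [("10.0.1.10", "smb"), ("10.0.1.20", "ssh"), ("10.0.1.30", "http")]


def evaluate(conn: Connection, policies=POLICIES) -> dict:
    """Decision of every policy for one connection attempt."""
    return {name: policy(conn) for name, policy in policies.items()}


def reachable_services(src: str, policy, inventory=INVENTORY) -> set:
    """The (destination, service) pairs a given source host may reach under
    a policy: the attack surface that host exposes if it is compromised."""
    return {
        (dst, svc) for dst, svc in inventory
        if policy(Connection(src, dst, svc))
    }


# Scenario: a compromised printer on the loading-dock VLAN, an ordinary
# workstation, and an outside address all try to reach the file server.
LOADING_DOCK_PRINTER = Connection("10.0.9.44", "10.0.1.10", "smb")
WORKSTATION = Connection("10.0.2.17", "10.0.1.10", "smb")
OUTSIDER = Connection("203.0.113.7", "10.0.1.10", "smb")

if __name__ == "__main__":
    for conn in (LOADING_DOCK_PRINTER, WORKSTATION, OUTSIDER):
        print(conn.src, "->", conn.dst, conn.service, evaluate(conn))
    for name, policy in POLICIES.items():
        print(name, "surface of printer:",
              len(reachable_services(LOADING_DOCK_PRINTER.src, policy)))
```

Under the flat rule the printer, once compromised, reaches every service in the inventory exactly as the intruder who slipped in through the loading dock reaches every room; under the segmented rule it reaches none, and even the trusted workstation reaches only the one service it needs. Counting what each source can reach is a cheap way to spot the rule that quietly trusts the whole building.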
Networked information systems are complex, and what you think is a minor risk in an unimportant system might lead through some horizontal steps to valuable information. Every staff member must do what’s needed to protect their personal accounts and data.
Learning Tree’s System and Network Security Introduction course introduces these concepts of securing various cyber avenues of access. But another benefit is that it gives you some ideas on how to pass this along to co-workers, suggesting ways they can also do their part.