In a world where everything is connected via the internet, companies continue the battle to keep their digital assets protected. Retail chains work relentlessly to keep customer credit cards from being stolen. The medical industry is tasked with keeping HIPAA and PII (Personal Identifiable Information) data locked down. Small businesses battle to keep their systems alive to maintain business continuity. Every business is tasked with protecting the CIA (Confidentiality, Integrity, and Availability) of their data. While each entity is responsible for keeping their data safe, a company’s budget for securing their network is often a bottleneck. This is true regardless of a company’s size. For example, at an enterprise level large retail chains can easily spend a quarter of a million dollars on just one firewall appliance when on a much smaller scale, small businesses can have tens of thousands wrapped up in appliances to protect their network. Sadly, the money spent on firewall appliances satisfies only one small piece in protecting their digital assets. Typically, Defense-in-Depth is a strategy that companies enable. Defense in Depth is the methodology of using multiple layers of defense to ensure that there are multiple layers of security to protect data. How can we put this into Perspective? To put it into perspective, think of how one can protect their own home. If a burglar were to try and break into a well protected home, he would first have to climb the fence. Once inside the gate, he would then have to get past the two German Shepherds that are awaiting. While wrestling with the dogs, the burglar is then blinded with motion sensor lights. Once on the front porch, a locked screen door must be broken followed then by a steel multi-locked door. While someone may break through all of those defenses, each one made the attempt longer and harder to accomplish. Even with all of those defenses mentioned above, there is one that has not been mentioned but remains the most important. That layer is called the human. In order to protect the house, the human had to determine how high of fence to purchase in order to be effective. The right breed of dog, a strong screen-door, and heavy locks needed to be purchased. A human thought process was used to build this protection. To protect a network, employees must be trained appropriately to think like an attacker would. It is scary to think that even a small mistake by an employee has the ability to allow an attacker to totally jump through a firewall. To describe an example, I recently did a presentation to the technology department of a large grocery chain to show them just how important security awareness training is, even for the IT department. My basis for this presentation was to explain that even though their firewalls were configured properly to prevent attackers from getting in from the outside, it is extremely easy for an attacker gain access from misleading an employee. To show the example, I spoofed an email the Director of IT to look as if it came from the President of the company. Yes, the President was in on the idea. The Guts of the Email I titled the subject of this email (Change in Dress Code Policy, Please Distribute). Within the email I had attached a coded PDF file that when opened, it would create an inside-out connection reaching out to my eagerly awaiting server on the outside of the network. Because this connection was initially established by an internal user’s computer reaching outside the network, the firewall had no chance of stopping it. To the firewall, it was just normal internet traffic. Connection Established Once the connection was established, the rest was history. The Director of IT happened to be using a laptop, so I was able to take over his camera and audio and record. A keylogger was then put in place to log any commands that were input into the keyboard such as passwords, website logins, or other information. Root access to the machine was also gained, allowing for total administration of a laptop that was being used by someone who most likely had administrative access much more confidential information. Train Employees for Clues In this effort to gain access, but still give the Director of IT a chance to detect something wrong, I made a misspelling on the President’s last name, and also made a few grammar errors. Many times, when an attacker is trying to send you something misleading, mistakes are made. They may use different grammar than they normally would. Upon close look, maybe the email address it is being sent from is slightly misspelled or incorrect. Employees should always watch for anomalies, aka, something that just isn’t normal. In an environment that you typically get to know your co-workers well, it can be rather easy to pick up on something that isn’t normal. In summary Prioritize security training over security appliances. Companies will find that if they have employees trained correctly, they will see less incidents and ultimately spend much less on disaster recovery. There is not one magic appliance or purchase that a company can make to protect their data. By training staff and using many layers of defense, a company can find confidence that that an attacker would have to jump through many obstacles to gain access. Written by: Michael Miller