Ad-hoc and Random

Cybersecurity Executive Briefing – Why Defense in Depth

This started as an email to a few people but as the word count climbed, I started thinking that there may be other SMB IT folks out there trying to explain cybersecurity to Executive teams. I am NOT a security ‘expert’, but I do keep as up to date as possible. I hope this helps.

There are two key concepts in cybersecurity today – Defense in Depth and Assumed Breach. Understanding them fully takes an entire career of knowledge and research, but we can boil them down to a few base principles.

Back in the Olden Days, there were no smartphones and only a few laptops, and the main concern was Keep the Bad Guys Out. We installed firewalls to block access into our networks, added some filters for email viruses, and called it done.

Alas, the villainous hordes were not so easily defeated! The increasingly mobile user became a Typhoid Mary, carrying in bad things from the outside. Because it arrives on a ‘trusted’ device, it is welcomed into the ‘safe’ network.

Like a sick child bringing home colds and flu, these mobile devices coming back from the outside world brought back various malicious software (MALWARE). Some were viruses that spread from machine to machine by infecting documents or programs. Some were worms that moved through the network on their own, using the files and folders accessible to a “trusted machine”. Some simply downloaded remote-control software and awaited instructions as part of a robot network of attackers (BOTNET). All of this happens inside the ‘safe’ perimeter.

The way to defend against this is a posture of “Assumed Breach”. Stated simply, this means acknowledging that at some point an infected machine or file will be on your network. Now what? Detection and containment are usually the first steps, implemented through machine-level firewalls, restricted network shares, routine backups, and regular scans.

The best practices of today all recommend a ‘Defense in Depth’ strategy. Conceptually this is pretty straightforward, but a little trickier to implement. The base idea is like a soldier in a hostile country.

  • At the most personal level, our trooper has a helmet and body armor. On your laptop, this is limiting administrative privileges, disk encryption, and anti-malware software.
  • Next out are the protections for the group. For our troopers, it’s walls and gates with guards. Your network has a firewall with intrusion detection and filters to keep the bad stuff out.
  • Finally, there is air support. For our trooper, this may be a group of fighter jets flying around to detect and intercept incoming ‘bogeys’. For our network, this is a cloud-based filter that stops problems before they even get to the perimeter.

The issue with many corporate solutions goes back to the whole “mobile” concept. When our troopers are out in the jungles of the cyber world (aka the Airport Lounge), they don’t have the group protection of the firewall layer. Without a cloud-based layer, it’s down to just the body armor: whatever security is installed locally on the laptop.

Just as our troops have more advanced body armor than their great-grandfathers had in World War II, advances in weapons require advances in protection. It’s an arms race between the security experts and the bad actors, and a fast-moving one.

Keeping up is difficult even for large companies with dedicated security staff, and it’s exponentially more difficult for smaller companies where the technical staff are forced to wear more hats. That’s why SaaS (Software as a Service) offerings are so attractive. Most well-reviewed SaaS products are very good at early detection and protection from outside attacks. The best will also prevent a botnet-compromised machine from ‘reporting back’ for instructions. A few thousand per year is still cheaper than a very public breach or hiring a dedicated security person!

Some executives will doubt whether all this security is worth it. Sure, responsible leadership has a cybersecurity clause on their business insurance. Even with multiple layers and backups, you may still get hit. To switch analogies a bit, we all have a theft clause on our homeowner/renter insurance, right? We also still lock our doors when we leave.

So what’s the answer? What is the solution that fixes all of this so we can move on with business? Sadly, there is no one-size-fits-all solution. The answer is ‘It Depends’. What is your budget? What is your tolerance for risk? A very small business with few digital files would likely be OK with a daily or weekly backup to a drive stored offline. You could call that 1.5 layers. Larger businesses with a larger digital presence and less tolerance for loss of files and capability will need more protection.

2018 – Ready, Set, GO!

We all know the usual platitudes around the new year. We’ve heard them, we’ve said them, and it’s the same every year. “New Year, New Me”, “This is my year!” or the ever-increasing spate of diet and fitness articles, books, and well-meaning resolutions. It’s our traditional, or perhaps even natural, tendency to look forward optimistically, to prepare to succeed in the New Year. Sometimes, that’s where we stop.

Our seemingly bottomless pit of procrastination seems to be dug with a shovel labelled “Preparation”. We have phrases like “Proper Preparation Prevents Piss Poor Performance”, and “He who fails to prepare, prepares to fail”. These truisms exist because they are true. But coupled with an overactive ‘inner critic,’ preparation quickly spirals into the abyss of procrastination.

Most people have experienced this. We plan to do things. We make lists, we study, we prepare. But then things slip to the side a bit. We feel uncertain or hesitate for whatever reason. So, we review the lists and plans. This of course leads to revising the lists and plans and the cycle starts again. Notice what is missing? The ‘doing of the thing’.

Stop preparing to prepare! – Matthew Parks, Sr (paraphrased)

We’ve all been guilty of it to some degree, but it seems to be far worse when venturing into unfamiliar territory. We want to be certain that we’re not making a mistake, or that we won’t look foolish. In short, we fear failure.

How do we break the cycle? Honestly, I’m not sure of the ‘best way’. Trying to find the best method/cure/path to righteousness/whatever is how we get stuck in that cycle to start with! So I propose to simply pick a path, perhaps not the “best path”, just “a path”. Take a few steps and see if it hurts. See if there are any obvious pitfalls ahead. You can usually change course if it looks too bad. Meanwhile, each step takes you further from the Pit of Procrastination.

I’m not saying to go against all the truisms and advice and just jump into things without preparation or caution. That would be foolish. I’m saying let’s try not to get stuck in the prep and never do the thing. How will it turn out? We’ll just have to see, won’t we?

Meanwhile I’ve written an entire blog post on procrastination, based on my thoughts about how to stop procrastinating on writing a blog post. <shakes head>

“Dilly Dilly!”

Have a great year!