Layered security refers to the practice of combining various security defenses to protect the entire system against threats. The idea is that if one layer fails, there are other functioning security components that are still in place to thwart threats.
In this episode of the Inside Out Security Show, we discuss the various security layers.
Cindy: Hi and welcome to another edition of The Inside Out Security Show. I’m Cindy Ng, a writer for Varonis’ Inside Out Security Blog, and as always, I’m joined by security experts, Mike Buckbee and Kilian Englert. Hi, Kilian.
Kilian: Hi, Cindy.
Cindy: Hey, Mike.
Mike: Hey, Cindy. You call us security experts. I’m actually, where I don’t know if you can see it, “I have a fake internet job”…because I still haven’t been able to explain my job to my mom and dad. “He does something.”
Cindy: We’ll see who’s most fake at the end, okay?
So recently, Rob wrote a layered security guide and I thought it would be interesting for us to go through each of the layers and share stories that we’ve read or heard as it relates to each of the layers.
The idea with layered security is that you want to make sure that you have many different layers of defense that will protect you. If there are any holes, just in case something gets in, you might have a security layer that serves as a backup that will catch it.
So the first layer to start is the human layer. So that layer is all about educating people to spot scams and be cautious about the passwords that they give out, their social security numbers that they give out, their credit card information.
This layer, Kilian, you talk about this a lot. I feel like, increasingly, criminals are using and exploiting services that we rely on and turning it into like an attack vector, like there is an article recently about people texting you pretending to be Google and saying, “Hey, there was this suspicious attempt to get it in.” And we talked about passwords and alternatives and using two factor and it’s kind of like, “Oh man, I have to check my text messages and make sure I’m not scammed again,” like another thing to worry about.
Kilian: Oh, yeah. People, by nature, want to be trusting of other people. We kind of have been trained since day one to feel kind of bad about being suspicious … The bad guys out there know this and they exploit it. It’s so much easier to go after a person and just kind of play off of emotions because they’re far more malleable than a system, and people often are not trained or educated around security practices. And even if they are, they’re kind of trained into a certain mindset.
So if they see something that looks semi-legitimate like, “Hey, a text from Google. Oh, they’re protecting me. They have my login name or my IP address or something, NIC address,” because most people are not going to investigate that closely, it’s going to look fairly legitimate like, “Oh, hey, Google’s looking out for me. This is great.” It’s very easy to, just with a little bit of a legitimacy, to get people to kind of go along with it and it’s…the con of that sort is as old as time basically and it’s only getting easier any more, too.
Mike: I’ll go with something that you said Kilian, which is that it’s really about our mindset. And I think from a security practitioners’ standpoint, we’re typically very focused on exploited time and this and do these things and so we forget a lot about on the human layer which is education and like how to educate your users and to help make them part of your line of defense.
I think a fun activity for that is actually to do phishing, and there are a couple of companies that do this, that do like fake phishing attacks, and then basically, so I go, “You clicked on this so we are reporting you to IT.” And it’s kind of almost like in hospitals where they like shame the doctors into making sure they wash their hands all the time. You’re kind of like trying to enforce these IT hygiene aspects on all of your users, and either hire a company or you have some free time, you can just try to phish your users individually to mess with them.
Cindy: Our next layer is the physical layer, and you know, I would be like the worst security person to hire because I wanted to skip talking about this layer. There are so many layers and Mike’s like, “Why aren’t we talking about it? It’s the most important one.” And Kilian is like, “It’s often overlooked.” And I said, “It’s just the physical layer, like everybody gets that.” Tell us a little bit more about the physical layer.
Kilian: I guess I’ll jump in. It is so often overlooked. We worry about firewalling the data off to protect from external attacks and stuff that comes in over the wire. But how many times in businesses do people check badges? You can walk into a corporation. If the guy sitting at the desk is distracted for a minute, and then you’re inside and nobody looks twice at you. If the doors aren’t locked in the server room, you walk in, plug in a USB device.
Basically, once you have physical access to something, it’s game over. There’s no other layer of security that they probably can’t get around at that point. And we rely so much on just kind of observing people and we put a lot of faith in locks, too, like physical key locks. They’re such a terrible false layer of security. Most front door locks or bike locks or anything else are easily defeated within seconds. The physical layer is often overlooked but it’s such a false layer of security, too, that we know we have somebody watching the door. Because again, we are relying on people and people want to be trusting.
Mike: What I was going to mention with respect to the physical layer was I think a lot of things are changing. So businesses are much more just personnel, lots more different, just physical branches, places, people working from all sorts of different remote situations, as well as it used to be everything was hard wired, and now, most every place has WiFi. And so you have this very different situation of like everyone in the office walking in with the WiFi radio that’s connected to the internet. But we don’t think about that. We just like, oh, we are on our cellphones, but if there’s malware on there that potentially performs an attack or some form of disruption.
There are some real interesting exploit tools that basically do things like DHCP exhaustion on a network and so you have to do things like MAC filtering. I worked in a high security environment in the military. They have things like if you unplug a computer from the wall from the CAT5 and plug it back in, it won’t let it back on the network as it lost the MAC connection. You can’t just bring a laptop in and plug it into the Ethernet port in the waiting room. Things like that, like very good sensible suggestions.
Cindy: I just had a paranoid thought that when I go home, I want to like install 10 locks, put on a password, and I need somehow to after-authenticate myself to get in. So in terms of a business security, like can you go overboard in terms of putting like a trillion locks on something? And then what’s kind of a good balance for an extreme paranoia or paranoid person like me?
Kilian: I’ll get dogs with bees in their mouth so when they bark, they shoot bees at you.
Mike: From a business standpoint, I think the biggest thing is actually more procedures, procedures around access to servers, access to changes, that kind of thing. And then from there, the procedures are implemented that helps with the recognition of what’s a threat and what isn’t.
On a personal level, something that I’ve been seeing a lot more in terms of physical stuff is skimmers on ATMs. That’s probably like we were talking like a personal sort of physical attack. That’s probably the big one, that every ATM you go to, you sort of want to tap at the card holder to see if it falls off because it’s so easy to put a skimmer on.
Kilian: That kind of distilled… it’s situational awareness, kind of being observant of the people and things around you, what you’re interacting with.
Cindy: Another thing we need to be alert and aware of are endpoints – protecting devices, PCs, laptops, mobile devices, from malicious software. People really like using endpoint protections to guard against ransomware, and people found out it’s not really effective. But if it’s not ransomware, malware can really sit on your system for like six months before it’s even identified. But people also really want to protect their endpoints. What are your response and thoughts on this?
Mike: I’ll go. I guess my first thought is we’re talking about layered security, and so no solution is going to be a homerun 100% of the time. And so what we are really trying to work on is percentages, reducing the surface area we can be attacked on, reducing the opportunities for an exploit.
An endpoint security can certainly be part of that but it’s not a complete solution. But by limiting the types of apps that can be run, the type of traffic that can come in, it’s a way of helping to manage that risk.
And that’s what we’re talking about with all layers, is how can we manage risk at all these different layers? And hopefully by doing that simultaneously at all the layers, we really improve our security much more than if we thought, “Okay, it’s just endpoint security or it’s just doing training of the users.”
Kilian: The way I would think about it, too, is if you ever see the machines for like looking for gold or sifting rocks, like you have the different sizes of screens.
Endpoint protection antivirus, I would think, is like the biggest size of screen. It’s gonna get like the bigger rocks out, so the kind of most obvious, most basic vulnerabilities. And kind of, as you go through and sift out the different pieces, that’s exactly what it is. You can just, multiple layers, sift out different things that one might not catch until you get it.
And then just good patch management, too, on endpoints and servers, things like that. If you leave vulnerabilities that have been patched for 10 years on your system, that’s kind of inviting trouble in a lot of ways. But then people often overlook it.
Mike: Those are the big holes in your screens as you’re trying to get through all the data and everything is falling through these unpatched systems.
Cindy: But there are a whole bunch of alerts. People get thousands of them, like daily and weekly. That’s another annoyance. You can’t actually check thousands of alerts every day.
Mike: And for all these sorts of systems that monitor the things, all the vendors, us included, are trying to…people talk about alert fatigue. If you get an alert every 10 minutes, like, “Oh, something’s happening, something’s happening,” like you just cease to care about it. It’s not something that actually needs to be responded to or thought about. So there’s a lot of work with like machine learning, better filtering, and better tracking on how to handle that to reduce that amount of alert fatigue. But you’re absolutely right, Cindy.
Cindy: And also make alerts that are really worth alerting on so that you’re not like, “Oh my God, my blood pressure is increasing,” and then you end up in the hospital or something.
Mike: What kinds of alerts are you getting?
Cindy: No, listen, it’s not me. I’m just hearing all these stories when I go to conferences and I go, “If I had that many alerts, I will just be like…ahhhhh! Watch out for the crazy woman.”
So another layer we should talk about is network security. I’m thinking firewalls, intrusion prevention, detection system, VPNs. And I was kind of tricked to read an article that says “Utility board hears about network security.” And I was like, “Oh, they’re really serious about network security.” Like, “What about the other stuff?”
So I went through and I read it. I clicked on it and I read it and they take security seriously. Like in the article, the IT director talked about network security. He made references to all those different layers that we’re talking about so far. And he made the analogy of a Swiss cheese as security and you put layers upon layers of them and said, “That even then with all the layers of cheese, a small hole, so a small hole in your security can be catastrophic.”
And I thought it was just really great that they’re talking about it. And further on in that article, it mentioned that a board member requested that presentation because he had heard about a utility at a utilities conference that there was a hacking of an electrical system in Colorado.
So we hear a lot about things that go wrong in companies and they’re not doing anything about it. But I really liked that they’re saying, “Hey, I’m protecting our utilities network.” And it’s a great way to get more of like security funding, too, because security systems are expensive, like whether it’s network. Even if it’s like a $200 thing, you still have to be like, why do you need this, and explain. So back to network security, the talk that they had, presentation they had, it’s a great way to just get money like, say, there is an article in Rob’s layered security guide about “What’s the difference between a $1000 one and a $200 one?”
Mike: For a firewall, you’re talking about?
Cindy: For a fire…yeah. I went on a tangent. I think someone…
Kilian: I mean, you brought up an interesting point. That article, I thought, was really kind of fascinating because the one thing that kind of really, if I can pick one thing, a security thing that scares me on a daily basis, it’s a lot of this, like command and control type, or not command and control but the SCADA systems or the industrial control systems that run a lot of our infrastructure.
And back to the unpatched systems, these things are from the whatever, ’80s, ’90s, that they said, “Oh, well, hey, we can monitor whatever, our damn controls online, stick it on a network with an IP address,” and then it controls kind of a vital piece of infrastructure, like something in the physical world that can cause a lot of damage. Or the controls at the electrical system, you can wipe out power and that will cause a lot of problems in the physical world.
Network security is, again, one of the critical layers. Again, if you have to connect it to a network, at least run it through something. You still need the defense in depth across the whole board, but that’s kind of the first line of defense for kind of network-connected systems.
Mike: The only other thing I was going to mention is that I think a lot of times, people think of network, especially with from a lot of employees, it’s like, “We need VPNs for everyone. We have VPNs for everyone. We’ll be protected.” But you have to remember that also, it’s sort of like punching a hole in your firewall because VPN, it’s like making a home computer as if it was on your network, and all the ensuing issues that that can cause.
Kilian: And then we can tie it right back to physical security then. On your VPN at Starbucks, you walk away for a few minutes, someone walks up, plugs something in, or you don’t lock your laptop, then the internal network’s compromised.
Mike: I know for sure there have been multiple reports on people getting ransomware on their networks from, like someone at home and they get like an infection, they bring it to the IT group.
Like, “Oh, Bill in IT, he’ll help me out. He’s always such a nice guy.”
They bring it in.
Like, “You look at this real quick? It’s real weird.”
“All right, let’s plug it in the network.”
And, boom, the network is now infected with ransomware. Good intentions gone awry.
Cindy: Oh my God, I’m so scared that whenever you guys just share stories and I get like extra, extra scared.
Okay, the next two on application security, that, there’s a lot to talk about in that one. I wrote a blog post about it, that our IT people won’t let me install anything on my computer. When we talk about application security, it refers to the testing and doing the work to make sure apps work as they should. But there are some drawbacks to that, which is why IT won’t let me install anything, and I have to get permission. I have to tell them why. That, I understand it’s a dangerous world out there.
What are some things about application security that we need to be worried about or concerned about?
Mike: Most companies, they have a mix of things. They have a mix of applications they built in-house, third party systems that they bought commercial off-the-shelf, or COTS software, and then now, sort of cloud systems. We joke about cloud doesn’t exist, it’s just other people’s computers. It’s just other people…our software is running on other people’s computers or software as a service type application. There’s different considerations for each of those.
I think, across the board, one of the things to really think about for all of this is single sign-on, that the procedures for provisioning access to this and then removing it as people’s role change or as they come into or leave the company is incredibly important.
And if it is one place where that’s most often missed, it’s in those kind of things where…I used to work at a company. I won’t say the name of it.
But their phone system was separate from everything else and so that a salesperson that left, removed all their computer access, left them with their phone access, and they changed their outgoing voicemail, which for months, was just a harangue against the company, and like what blood-sucking horrible people they were and how unprofessional and incompetent. And it stayed that way for months as people called in to talk to this salesperson he was known over there.
But that can happen anywhere, with timesheets software, that can happen with reporting software, the project management software.
All of these things can exist somewhere on the spectrum. And without that single sign-on and really strict procedures, it’s very difficult to control.
Kilian: Just kind of a little bit of side, too, as we’re developing more software and it gets more complex and we expect more out of it, that just increases the chance that there’s going to be a bug and it’s a guarantee that every piece of software you run is going to have some type of issue or bug in it.
Again, especially as the systems get more complex and more interconnected. So it’s being cognizant of that and, again, we’ll go back to a couple of topics ago, is good patch management, making sure that the bugs are reported and then the software vendors you deal with take it seriously and patch it eventually, or soon rather than eventually.
Cindy: And the next layer on the data layer, we talk about that a lot. I think it’s the crown jewels. We want to make sure that our health data isn’t stolen, our PCI data isn’t stolen. People are really…you hear it often in every kind of podcast or show that you hear. You kind of expect data breaches to happen. People are really hurt that that’s happening. “Oh, they’re not doing enough.” But the reality is data security is tough. What are your thoughts about this layer?
Mike: We, at Varonis, we deal with structured data. Structured data, for the most part, falls under application security, so that structured data is anything that’s in the database, typically in the accesses, typically mitigated and arranged and managed through an application. I just want to make sure there isn’t direct database access somehow through the network with exploit tools. But for the most part, that’s fairly sane.
Our niche is the unstructured world which is the files and where typically, what we see is the end results of all the structured data. So the structured data is the giant Oracle database that says like, “Yes, we should actually acquire this company,” and then the unstructured is the PowerPoint that says, “We’ll do this next Monday.” And that got out, has huge implications for stock price, and Sarbanes-Oxley, and reporting, and governance, and all these things. So there’s different risks involved with those.
Kilian: The thing about the unstructured data is that, there’s so much of it and it just grows so constantly. Every second of every day, at every business, somebody is putting some type of information out, sending an email, writing a document, editing a PowerPoint, any of this stuff. It’s just constant and that’s how businesses evolve and get better because they share information. They just keep producing and producing and producing it and it never seems to go anywhere. It’s like the internet never forgets. Well, your data center never forgets either. The project might be forgotten but it’s still out there somewhere, the SharePoint site. All this team collaboration is over but it’s still up there and contains a lot of information. There’s some life cycle information on that.
But things like social security numbers, those never change. There might be or there is an age on credit card information, but it’s still fairly long, several years, depending on how long it’s out there. The life cycle of this data is often overlooked and you expose yourself to a lot of risk because it ends up…again, it’s created for some legitimate reason and it’s out there for some legitimate reason, but it’s forgotten about or it’s not dealt with or disposed or even secured properly.
Cindy: So to kind of wrap up, you both shared stories that I’m just like, “Oh, it’s nerve-racking,” but the overall goal is security. So we make sure we educate the people. We make sure that they don’t have access to stuff that they don’t need. We make sure they don’t get in. We make sure we protect ourselves from malware, make sure we protect our data, make sure that apps are working properly. What are some kind of wrap-up conclusions or things that I’ve missed that you want to share your thoughts on?
Mike: I think we should go back to your Swiss cheese sandwich metaphor because honestly, I think it’s actually viable because the big challenge of all this is communicating this to people who are not in our business, it’s communicating it to the executives and to the users that we need to deal with. And so we say exactly that, but it’s like stacking a lot of pieces of Swiss cheese, and the more layers we have, the fewer holes there are, the less vulnerable we are. It’s a very easy to understand metaphor. Hopefully, they are lactose intolerant. But I think that is really the case. The more layers we have and the more all these things work together, the safer we are. That’s like an old powerful thing.
Cindy: Kilian, do you have any last thoughts?
Kilian: No, I like the metaphor. I think it’s great. I have other metaphors I use for thinking about security, but the Swiss cheese one, I think, is very visually pleasing. I guess it’s something people can recognize.
Cindy: That is from the IT director in Nebraska. Like maybe he’ll listen to our podcast or join our show.
Mike: I thought we decided we’re just going to start sending packets of sliced Swiss cheese to all our customers… “Stack this together until you’re secured.”
Cindy: Make sure your bad guys don’t go in.
Our Parting Gift
Cindy: So to wrap up, our parting gift, what are some things people should check out? For me, I’m pivoting to something else. Back to our show last week, we talked about the EU’s general data protection regulation. We just published on our blog an infographic. So if you do not want to read long texts, Andy and I, we created a really informative infographic describing consumer rights, as well as obligations companies have to the consumers. So head over to our blog and check it out.
Mike, do you have any parting gifts for our listeners and viewers?
Mike: I was going to recommend; I was going to say I just looked at the infographics you’re talking about. It’s at www.varonis.com/blog, and I think it really is great. And we’re talking about educating other people, it is the perfect thing, that if you are an IT, to send to an executive or to send to some stakeholder on your company to try to get help get their minds in the right place for dealing with the new regulations.
My suggestion for a parting gift was going to be a game, actually.
It’s called Hacknet. It’s probably one of the few games you could get expensed by your company. It looks so much like one of those, like in the movies when they’re like hacking into a system and it has everything scrolling and doing stuff. So it’s the simulation of that but it covers actual exploits, the concepts of how they are exploited, what is done. So it’s very educational but super fun to run through and has a little scenario and you actually hack into all these different systems.
It’s called Hacknet. And right now, it’s $10. But I mentioned it last week, during this…summer sale, I think we’re going $5. But it’s very cool and interesting. And if you’re interested in this as a general topic, I know we have a lot of people on the IT side and not necessarily like security pentesting side, it’s a great way to really like deeply understand all those concepts. So, cool, check it out.
Cindy: Cool, thanks. Kilian, do you have a parting gift?
Kilian: Actually, what Mike was saying just reminded me of something. The other week, I was in an Uber. I was taking a ride to the airport or train station or somewhere, and on the screen, they popped up a little thing like, “Hey, code while you go,” or something like that. And they gave you like little snippets of code and they wanted you to find the error in the code. And I thought it was a really, you know, crowdsourcing something, information, maybe for a potential job offer. But I just thought it was really interesting they were kind of doing this little application security type of initiative within the app itself like while you’re on the trip. I don’t know if the pop-ups are for everybody but I saw it. I thought it was interesting to look at while I was on my ride.
Mike: Are you saying you got a job offer from Uber? You’re leaving Varonis? You figured it out?
Kilian: The next time you’ll see me with my dash cam and my car driving around.
Mike: Oh, man…
Cindy: Kilian might be doing both. He might be driving and working at Varonis. You never know because you know he’s fake.
Thanks so much, Mike and Kilian, and all our listeners and viewers for joining us today.
If you want to follow us on Twitter and see what we’re doing or tell us who’s most fake on the show, you can find us @varonis, V-A-R-O-N-I-S.
And if you want to subscribe to this podcast, you can go to iTunes and search for The Inside Out Security Show.
There is a video version of this on YouTube that you can subscribe to on the Varonis channel. So thanks, and we’ll see you again next week.
Mike: Thanks, Cindy.
Kilian: Thanks, Cindy.
Cindy: Thanks, Mike. Thanks, Kilian.