“We can no longer count on keeping the hackers out,” WIRED Magazine’s Mike Gault wrote last year. “Let’s work on ensuring we can catch them once they break in.”
Yes, definitely. Networks must be monitored vigilantly, not only to catch attackers but also to learn their tactics.
But if we know hackers are going to get in eventually, shouldn’t we be doing more to keep them from doing maximum damage once they do?
The strategy is called “containment”, and our cyber security advisor Erka Koivunen thinks it’s the aspect of cyber defense that your business is most likely to be ignoring.
Prevention, detection and recovery are all key parts of a security strategy. But if you focus on those three exclusively, you miss the chance to limit the damage that your users will eventually enable through inevitable human error.
“Creating boundaries and limits to what a given user or a system can do and what data they can access enforces those same limits on any successful attackers,” Erka tells me.
What does this look like, practically?
“A laptop in the London office should not be able to access another laptop in the Tokyo office,” he says. “The network should not even give the computer a chance to attempt such access. And it should not be able to access another laptop in London, either, for that matter!”
In a world of advanced threats, it simply makes sense that a server should not be able to initiate connections on its own.
“It should just do its job, which is to sit there and wait for incoming connection attempts – and serve them,” Erka says.
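What that segmentation looks like once it is written down as policy, as an added example that is not from the original post or from Erka: the address ranges, zone names and connection attempts below are hypothetical. The policy is a default-deny allowlist of who may initiate a connection to whom on which port. Nothing in it has a workstation zone as a destination, so laptops can never reach each other in either office, and nothing has the server zone as a source, so a server can answer but never start a connection of its own. Running the same policy over exported flow records shows which flows a flat network is currently letting through.

```python
"""Default-deny network segmentation, expressed as an allowlist of who may
initiate connections to whom, then applied to a set of connection attempts.
Added example; address ranges, zone names and flows are hypothetical."""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: one zone per office's workstations, one server
# zone, one admin jump-host zone. Anything outside these ranges is "internet".
ZONES = {
    "ws-london": ipaddress.ip_network("10.1.0.0/16"),
    "ws-tokyo": ipaddress.ip_network("10.2.0.0/16"),
    "servers": ipaddress.ip_network("10.10.0.0/24"),
    "admin-jump": ipaddress.ip_network("10.99.0.0/24"),
}
INTERNET = "internet"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


@dataclass(frozen=True)
class Flow:
    """One connection attempt: the initiator, the target and the target port."""
    src: str
    dst: str
    dport: int


# The whole policy. Only initiated connections are listed; replies to an
# allowed connection are implied (a stateful firewall tracks them).
# No entry has a workstation zone as destination, so laptops can never reach
# each other, within an office or across offices. No entry has "servers" as
# source, so a server can answer but never start a connection of its own.
ALLOW = {
    ("ws-london", "servers", 443),
    ("ws-tokyo", "servers", 443),
    ("ws-london", INTERNET, 443),
    ("ws-tokyo", INTERNET, 443),
    ("admin-jump", "servers", 22),
}


def permitted(flow: Flow) -> bool:
    """Default deny: a flow passes only if its (src zone, dst zone, port) is listed."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in ALLOW


def audit_flows(flows):
    """Return the flows a segmented network would have refused, each with the
    zone pair that was attempted so a reviewer can see why."""
    return [
        (flow, f"{zone_of(flow.src)} -> {zone_of(flow.dst)}:{flow.dport} not in allowlist")
        for flow in flows
        if not permitted(flow)
    ]


# Constructed connection attempts, as they might appear in firewall or VPC
# flow logs after an intrusion: lateral movement between laptops over SMB and
# a compromised server calling out to a hypothetical attacker address.
SAMPLE_FLOWS = [
    Flow("10.1.4.20", "10.10.0.5", 443),     # London laptop -> server: allowed
    Flow("10.1.4.20", "10.2.7.9", 445),      # London laptop -> Tokyo laptop: refused
    Flow("10.1.4.20", "10.1.4.21", 445),     # London laptop -> London laptop: refused
    Flow("10.10.0.5", "203.0.113.7", 443),   # server initiating outbound: refused
    Flow("10.10.0.5", "10.1.4.20", 22),      # server -> laptop: refused
    Flow("10.99.0.3", "10.10.0.5", 22),      # admin jump host -> server SSH: allowed
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"REFUSED {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The allowlist is the artifact: the same tuples are what you would compile into VLAN ACLs, host firewall rules or cloud security groups. Running exported flow logs through `audit_flows` before enforcing the policy shows two things at once, which legitimate flows the policy still lacks and which existing flows should never have been possible.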
And this principle isn’t just about limiting the access machines have.
“An admin user should not have access to anyone’s e-mail box and vice versa,” he says. “Surfing while admin/root is equally bad.”
Remember this: When you design for convenience you’re also making life easier for intruders.
“Relaxed user privileges and ‘flat’ network topology — that is, everybody can access any asset in the network from anywhere in the network — is often a key factor contributing to successful initial injection, establishment of persistence and subsequent easy data acquisition and exfiltration.”
So how do you begin the process of containment?
Erka suggests that you start by going “old school”:
“I would recommend old tricks that are unfortunately less commonly used nowadays: ‘separation of duty’, ‘principle of least privilege’ and ‘limited user access’. That would mean that user and service accounts, applications and systems are given as small a set of permissions and access rights as possible, and that completely distinct tasks should always be performed using distinct sets of credentials and separated systems.”
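Erka’s three “old tricks” turned into a check you can run over an account inventory. This is an added example, not the post’s own code or F-Secure’s; the account names, permission strings and task labels are hypothetical stand-ins for what a directory or IAM export would provide. For each credential it reports permissions granted beyond what the role needs (least privilege), task groups that one credential is used for when they should have distinct credentials (separation of duty), and permission pairs that no single identity should hold, such as the admin-who-can-read-every-mailbox case from above.

```python
"""Least privilege and separation of duty as checks over an account inventory.
Added example; account names, permission strings and task labels are
hypothetical stand-ins for what an IAM or directory export would provide."""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    kind: str                                    # "user", "admin" or "service"
    granted: set = field(default_factory=set)    # permissions actually held
    needed: set = field(default_factory=set)     # permissions the role requires
    tasks: set = field(default_factory=set)      # what this credential is used for


# Separation of duty: task groups that must not share one set of credentials.
SEPARATE_TASKS = [
    ({"administration"}, {"email", "web-browsing"}),   # no mail or surfing as admin
    ({"create-payment"}, {"approve-payment"}),
]

# Permission pairs that no single identity may hold at the same time.
TOXIC_PAIRS = [
    ({"domain.admin"}, {"mailbox.read.any"}),   # admin reading anyone's mailbox
    ({"backup.read"}, {"backup.delete"}),       # one key can read and destroy backups
]


def excess_permissions(acct: Account) -> set:
    """Least privilege: everything granted beyond what the role needs."""
    return acct.granted - acct.needed


def duty_conflicts(acct: Account) -> list:
    """Task groups this one credential is used for when they should be split."""
    return [(sorted(a), sorted(b)) for a, b in SEPARATE_TASKS
            if a & acct.tasks and b & acct.tasks]


def toxic_combinations(acct: Account) -> list:
    """Permission pairs held together that the policy forbids on one identity."""
    return [(sorted(a), sorted(b)) for a, b in TOXIC_PAIRS
            if a <= acct.granted and b <= acct.granted]


def audit_accounts(accounts) -> dict:
    """Map each offending account name to its findings; clean accounts are absent."""
    report = {}
    for acct in accounts:
        findings = []
        extra = excess_permissions(acct)
        if extra:
            findings.append(f"granted beyond need: {sorted(extra)}")
        for a, b in duty_conflicts(acct):
            findings.append(f"one credential used for both {a} and {b}")
        for a, b in toxic_combinations(acct):
            findings.append(f"holds both {a} and {b}")
        # A service account exists to do one job; an interactive login right
        # is a foothold for whoever steals the credential.
        if acct.kind == "service" and "interactive-login" in acct.granted:
            findings.append("service account may log in interactively")
        if findings:
            report[acct.name] = findings
    return report


# Constructed inventory (hypothetical accounts).
INVENTORY = [
    Account("alice", "user",
            granted={"mailbox.read.own", "web.browse"},
            needed={"mailbox.read.own", "web.browse"},
            tasks={"email", "web-browsing"}),
    Account("alice-admin", "admin",
            granted={"domain.admin", "mailbox.read.any"},
            needed={"domain.admin"},
            tasks={"administration", "web-browsing"}),   # surfing while admin
    Account("svc-backup", "service",
            granted={"backup.read", "backup.delete", "interactive-login"},
            needed={"backup.read"},
            tasks={"backup"}),
    Account("bob-admin", "admin",
            granted={"domain.admin"}, needed={"domain.admin"},
            tasks={"administration"}),
]

if __name__ == "__main__":
    for name, findings in audit_accounts(INVENTORY).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The `needed` set is the part most organisations do not have written down, and filling it in per role is most of the work; once it exists, `excess_permissions` is a one-line diff and the same rule tables can gate new grants before they are made rather than only flag them afterwards.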
This mode of thinking isn’t just something to dabble in when you’re thinking about minimizing the damage from the next attack.
“Compartmentalization is a design principle that should be adhered to from day one in order for your endpoint protection to be able to perform at its best,” Erka says.
Limiting the potential for human error and intrusion also has a happy side effect: failures stay small, because core tasks keep working even when they are cut off from external systems and data sets.
Want to make “containment” a key part of your approach?
Check out this webinar from Erka to see how it fits into an overall approach to controls in cyber security.
[Image by Terry Johnston | Flickr]