17 Feb

Cybersecurity Is Like An Onion

After so many years working in Internet infrastructure, advising and counseling clients on service options and best practices, I’ve come to the not-very-startling conclusion that everyone hates dealing with cybersecurity. People’s feelings about cybersecurity fall somewhere between tax planning and root canal. Most grudgingly understand that they need it, no one wants to deal with it, everyone loathes spending money on it, and very few ever take the time and effort to address it adequately.

Because of the above, when business owners and IT managers do get around to tackling security concerns, they look for a quick solution, and there’s no shortage of vendors who are more than happy to ply their wares with dubious promises. Install our software and you are 100% protected. Stick this device at the head of your network and you’re good. Hire our team and your problems are over. A famous American circus promoter once had something to say about this level of gullibility. I can’t blame anyone for wanting a fast and relatively painless salve for cybersecurity. Crushing it at security doesn’t grow your business or make you money, but the ever-present fear of being destroyed by a catastrophic breach can keep any business owner up at night.

The painful reality is that there’s no single quick fix that will serve as a comprehensive security solution. Cybersecurity is not a patch or bandaid that can be applied to an existing infrastructure to cure all of its ills magically. Cybersecurity is like an onion: it consists of many layers that work in tandem to protect your systems and data across your network. Each layer addresses one or more security aspects as information makes its journey through your infrastructure, evaluating each potential risk at the appropriate step. Somewhat less seriously (but not really), cybersecurity is like an onion because if it fails, the outcome can genuinely make you cry.

A simple and familiar example can illustrate this layered approach: sending an email with an attachment. Security starts with the sender, who addresses an email message to the recipient with a file attached. Even before clicking “Send,” the sender’s system should scan the attachment for any potential risks and intercede accordingly. Once the message is sent, the receiver’s email system will run a myriad of checks to assess the message’s validity. Does the recipient exist on the receiving system? Are there any unusual character strings or suspicious links in the email body? Do reverse DNS, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), DMARC, and so on check out for the sending domain? Is the sending IP on any known blacklists? Does the attachment test positive for any known threats or malicious payloads?

If the message passes all of those checks and is delivered to the recipient’s mailbox, more checks are waiting. Does the message look like spam? Is the sender blocked or filtered by the recipient’s filter settings? Does the attachment appear to pose a threat? Yes, this is the third scan of the attachment, and why not? Attachments are a ubiquitous way to compromise systems, so there’s no such thing as too careful. After all of that, when the recipient downloads or opens the attachment, their computer’s antivirus software, along with any security checks built into the software used to open the attachment, will kick in to further vet the file for any damaging payloads. The recipient is also a final, essential defense layer: having been (we hope) trained in good cybersecurity practices, they visually scan the message headers and content for any signs that it is spammy or suspicious. If any doubt exists, they reach out to IT rather than clicking a link in the email or opening the attachment.
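The receiving-system checks described above can be modelled as a pipeline of independent layers, each of which inspects the message and records its own verdict, with delivery allowed only when no layer objects. The following Python is an added example written for this article, not code from the author; all of its data (the local user list, the IP blocklist, the "signature" hash set, the sample message) is constructed, and it assumes the edge mail server has already performed the SPF/DKIM/DMARC checks and recorded the outcome in an Authentication-Results header (RFC 8601), which the authentication layer reads rather than re-running the lookups.

```python
"""Layered ("onion") evaluation of an inbound email message.

Added example: every layer independently inspects the message, and the
message is delivered only if no layer rejects it. All reference data and
the sample message below are constructed for the demonstration.
"""
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# --- constructed reference data standing in for real feeds ----------------
LOCAL_USERS = {"alice"}                       # mailboxes that exist here
BLOCKLISTED_IPS = {"203.0.113.7"}             # stand-in for an IP reputation list
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}
TEST_PAYLOAD = b"constructed-test-payload-not-real-malware\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(TEST_PAYLOAD).hexdigest()}  # fake AV signature set

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_HOST = re.compile(r"https?://([^/\s>\"']+)", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def layer_recipient_exists(msg):
    _, addr = parseaddr(msg.get("To", ""))
    local = addr.partition("@")[0].lower()
    ok = local in LOCAL_USERS
    return ok, f"recipient {addr!r} {'exists' if ok else 'unknown'}"


def layer_sender_authentication(msg):
    # Assumption: the edge MTA already ran SPF/DKIM/DMARC and stamped the result.
    results = dict(AUTH_RESULT.findall(msg.get("Authentication-Results", "")))
    missing = [m for m in ("spf", "dkim", "dmarc") if m not in results]
    failed = [m for m, v in results.items() if v != "pass"]
    return not missing and not failed, f"auth {results}, missing={missing}"


def layer_sending_ip_reputation(msg):
    # The topmost Received header is the one our own MX added; its bracketed
    # address is the peer that connected to us.
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    ip = match.group(1) if match else None
    return ip is not None and ip not in BLOCKLISTED_IPS, f"connecting IP {ip}"


def layer_body_links(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Heuristic: a link whose host is a bare IP address is treated as suspicious.
    bare_ip = [h for h in URL_HOST.findall(text) if IPV4_HOST.match(h)]
    return not bare_ip, f"bare-IP links: {bare_ip}"


def layer_attachments(msg):
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        data = data.encode() if isinstance(data, str) else data
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
            findings.append(f"{name}: matches known-bad signature")
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: risky file type {ext}")
    return not findings, "; ".join(findings) or "attachments clean"


LAYERS = [
    ("recipient exists", layer_recipient_exists),
    ("sender authentication (SPF/DKIM/DMARC)", layer_sender_authentication),
    ("sending IP reputation", layer_sending_ip_reputation),
    ("suspicious links in body", layer_body_links),
    ("attachment scan", layer_attachments),
]


def evaluate(msg):
    """Run every layer (never short-circuit, so the report shows each verdict);
    one rejecting layer is enough to quarantine."""
    report = [(name, *check(msg)) for name, check in LAYERS]
    verdict = "deliver" if all(ok for _, ok, _ in report) else "quarantine"
    return verdict, report


def build_sample_message(payload=TEST_PAYLOAD):
    """Constructed message that passes every layer except the attachment scan."""
    msg = EmailMessage(policy=policy.default)
    msg["Received"] = ("from mail.example.org (mail.example.org [198.51.100.5]) "
                       "by mx.example.net with ESMTPS; Mon, 17 Feb 2020 09:00:00 +0000")
    msg["Authentication-Results"] = ("mx.example.net; spf=pass smtp.mailfrom=example.org; "
                                     "dkim=pass header.d=example.org; dmarc=pass header.from=example.org")
    msg["From"] = "Bob <bob@example.org>"
    msg["To"] = "Alice <alice@example.net>"
    msg["Subject"] = "Q1 invoice"
    msg.set_content("Hi Alice, the invoice is attached. Portal: https://portal.example.org/\n")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    return msg


if __name__ == "__main__":
    verdict, report = evaluate(build_sample_message())
    for name, ok, detail in report:
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
    print("verdict:", verdict)
```

Running it shows four layers passing and the attachment scan failing, so the message is quarantined even though the sender authenticated cleanly; swapping in a benign payload yields "deliver". The design point matches the article: each layer is evaluated on its own, so removing any one of them (or assuming an earlier "pass" makes later checks redundant) simply deletes a chance to catch what the other layers missed.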

If any of these security layers fail, the potential outcome is a breach – and if you follow current events at all, you have some idea of how damaging that can be. Crypto-locking malware (ransomware) can encrypt all your valuable company data and hold it for ransom. Whether you pay it or try to recover from backups (if you have them and they are not also compromised), the costs will be painful, assuming your business does not become the one in three that never recovers from a breach. Valuable stolen data can end up in black market databases. Operations can be completely disrupted for extended periods. Customers will probably flee to perceived safety elsewhere.

Why will a security layer fail? Improper implementation or out-of-date technology can be the culprits, but the most likely reason is that it was not there to begin with. Security breaches are most commonly caused by security not being implemented in all the places it is needed. This mistake is usually made because of the perception that cybersecurity is a bandage, a single layer.

The takeaway: when implementing security, embrace the layer paradigm. Look at all the layers of your technology onion, and enforce all the protection you can at each layer. Do this, and you significantly reduce the chances that your security onion will one day bring you to tears.