A Dystopian Future
Recently, I was thinking about what the world might look like in the face of a nuclear disaster.
In this dystopian future, we would live in radiation-shielded housing. If we were able to leave, we would don our radiation protective gear to do so. Whenever anyone or anything came back home, there would be some kind of decontamination process. And when someone wanted to visit, they would be put through a verification process to ensure that they wouldn't contaminate the house.
The Age of the Internet
There are real parallels between living in that dystopian future and living in the age of the internet. The precautions against radiation exposure map closely onto the precautions we need against the risks that come with internet access.
When using internet connections, we operate behind firewalls that are designed to keep malicious activity out. Whenever we venture out onto the internet, we are trusting that the application we use (a browser, a mail client) will protect us. When we return with something, we are trusting that our antivirus and other endpoint controls will ensure that nothing malicious came back with us. When people visit the office, physically or virtually, we need to verify their identity and their reason for visiting.
How different would your organization be if the internet were treated as a valuable environment, but also one that is assumed to be contaminated? What does it look like to effectively limit your exposure to something that may be harmful?
Internet Areas Not Necessary for Business
Firewall
Your firewall is key here. Allowing access to anything the business does not need can only increase risk. Document which internet resources are actually needed, then configure the firewall to deny everything else by default, so that only the documented destinations are reachable.
Roles and Responsibilities
To reduce the risk of exposure, you may need to consider different needs for different roles in the organization.
Marketing may need access to social networking sites to do their job, but probably no one else on the office network needs it. Finance is likely the only group that needs access to banking sites and accounts.
Your developers might need to search the internet to find a solution to a programming problem that they are facing, but do not need access to the internal production resources—only to the development systems.
This segmentation lets each team reach the potentially contaminated areas of the internet it needs in order to do its job, while keeping sensitive data protected if that team is compromised.
The Point
Document what is needed for whom, and ensure that nothing else is accessible.
This applies to both inbound and outbound connections, and the firewall rules should be audited periodically against that documentation to confirm they still match what was approved.
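The audit the paragraph above calls for, "document what is needed for whom, then check that nothing else is allowed," is the kind of check that can be automated. The following is an added example and not code from the original post or from FRSecure: it compares a documented per-role allowlist against an exported ruleset and reports drift. The policy format, the one-rule-per-line export format, the networks and the hostnames are all constructed assumptions; a real firewall exports rules in its own format, so the parser would need adapting.

```python
"""Audit an egress firewall ruleset against a documented access policy.

Added example. The policy structure, the rule export format and every
address or hostname below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Documented policy: which role (identified by its source network) needs
# which destinations. Anything not listed here should be denied.
POLICY = {
    "marketing":  {"source": "10.10.1.0/24", "dest": ["social-network.example:443"]},
    "finance":    {"source": "10.10.2.0/24", "dest": ["bank.example:443"]},
    "developers": {"source": "10.10.3.0/24", "dest": ["pkgs.example:443",
                                                       "search.example:443"]},
}

# Constructed firewall export, one rule per line: action source destination
RULESET = """\
allow 10.10.1.0/24 social-network.example:443
allow 10.10.2.0/24 bank.example:443
allow 10.10.3.0/24 pkgs.example:443
allow 10.10.3.0/24 file-share.example:443
allow 0.0.0.0/0 any:any
deny any any
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str


def parse_ruleset(text: str) -> list[Rule]:
    """Parse the constructed export format, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst = line.split()
        rules.append(Rule(action, src, dst))
    return rules


def expected_allows(policy: dict) -> set[tuple[str, str]]:
    """Flatten the documented policy into (source, destination) pairs."""
    return {(r["source"], d) for r in policy.values() for d in r["dest"]}


def is_broad(rule: Rule) -> bool:
    """A rule is 'broad' if its source or destination is a wildcard."""
    if rule.dst.startswith("any"):
        return True
    try:
        return ip_network(rule.src).prefixlen == 0   # 0.0.0.0/0
    except ValueError:
        return rule.src == "any"


def audit(policy: dict, ruleset_text: str) -> dict:
    """Return allow rules not in the policy (drift), policy entries with no
    rule (missing), wildcard allows (broad) and whether the last rule is a
    catch-all deny (default_deny)."""
    rules = parse_ruleset(ruleset_text)
    allows = {(r.src, r.dst) for r in rules if r.action == "allow"}
    wanted = expected_allows(policy)
    last = rules[-1] if rules else None
    return {
        "drift": sorted(allows - wanted),
        "missing": sorted(wanted - allows),
        "broad": sorted((r.src, r.dst) for r in rules
                        if r.action == "allow" and is_broad(r)),
        "default_deny": last is not None and last.action == "deny"
                        and last.src == "any" and last.dst == "any",
    }


if __name__ == "__main__":
    for finding, value in audit(POLICY, RULESET).items():
        print(f"{finding}: {value}")
```

Run against the constructed data it flags the file-share rule that nobody documented, the "allow anything" rule that silently undoes the whole allowlist, and the developers' search destination that is documented but has no rule. Scheduling this against a nightly export of the real ruleset is one way to make the periodic audit the section asks for actually happen.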
When Internet Access is Required
The Applications
The application you use to access the internet comes into play here. Whether this is your web browser, email client, or some other software that accesses the internet, vulnerabilities in the software can provide a route back into your organization.
Like a tear in a radiation suit, a vulnerability in one of these applications needs to be detected and patched before it causes a problem. If that fails, you need to detect the resulting compromise soon after it occurs so that you can recover from the exposure.
Decontamination Upon Return
Because most traffic today is encrypted end to end, inspecting what comes back is most effective on the endpoint itself. Firewalls can be configured to intercept, decrypt, and inspect TLS traffic, but some applications (for example, those that pin their server certificates) do not allow such interception, so the firewall cannot be the only place you look.
- Antivirus and other endpoint security controls should be your focus.
- Sandboxing can limit what a downloaded payload is able to reach until it has been inspected.
- Antivirus can help to identify and remove a malicious payload.
- Application allowlisting can prevent an unknown or malicious payload from executing at all.
The Point
In most cases, employees require the internet to do some or all of their job. When it’s not possible to limit their access, measures need to be taken to ensure that the applications they are using are safe both during use and whenever something comes back with them.
Identity Verification and Access Requests
Physical Location
Much like your home in the example of the nuclear dystopia, access to physical locations must be carefully monitored. For those coming into your office building, confirming their identity against a state-issued ID and informing their point of contact can help to ensure that all physical access is appropriate.
Virtual Access Controls
Just as an office building has sign-in sheets, receptionists or security escorts, and restricted visitor access, the traffic going in and out of your network needs to be managed too. As with the building, you need to verify that those requesting access are allowed to have it, and that they only reach what they should.
- Multifactor authentication (MFA) is how we verify identity virtually. By requiring an extra step tied to a personal device or account after the credentials are entered, you block anyone who does not control that device or account, even if they have the correct password. This helps ensure that only those with permitted access are able to log in to your accounts and systems. One caveat: one-time codes can still be phished and relayed in real time, so where the risk warrants it, use a phishing-resistant factor such as a FIDO2 security key.
- While authentication is a necessary step in preventing unauthorized access, it is not sufficient by itself. Authorization determines who may access which resources, how they may access them (read, write, administer), and under which conditions (for example, only from the office network or a managed device).
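The two bullets above describe a chain: prove who you are (password plus a second factor), then check separately whether that identity is allowed to do this thing from here. The block below is an added example, not code from the original post or from FRSecure, showing that chain end to end in Python's standard library. The user record, the role policy, the salt and the source networks are constructed for illustration; the TOTP secret is the reference secret from RFC 6238 so that the codes used in the usage match the RFC's published test vectors.

```python
"""Authentication (password + TOTP) followed by authorization.

Added example. The directory, the policy and the networks are constructed.
The TOTP secret is the RFC 6238 reference secret ("12345678901234567890").
"""
import hashlib
import hmac
from ipaddress import ip_address, ip_network

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time-step counter."""
    return hotp(secret, now // STEP, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory. In practice the salt is per user and the TOTP
# secret lives in a secrets store, not in source.
SALT = b"constructed-demo-salt"
USERS = {
    "fran": {
        "role": "finance",
        "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 reference secret
    },
}

# Authorization policy: role -> resource -> condition under which it is granted.
POLICY = {
    "finance":   {"banking-portal": {"from": "10.10.2.0/24"}},
    "marketing": {"social-network": {"from": "10.10.1.0/24"}},
}


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass. Failures are not distinguished to the caller."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, SALT)  # same cost for unknown names as for wrong passwords
        return False
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, now)


def authorize(username: str, resource: str, source_ip: str) -> str:
    """Decide what an already-authenticated identity may do, and from where."""
    role = USERS[username]["role"]
    rule = POLICY.get(role, {}).get(resource)
    if rule is None:
        return "denied: role not authorized for resource"
    if ip_address(source_ip) not in ip_network(rule["from"]):
        return "denied: access condition not met"
    return "allowed"


def request_access(username: str, password: str, code: str, now: int,
                   source_ip: str, resource: str) -> str:
    if not authenticate(username, password, code, now):
        return "denied: authentication failed"
    return authorize(username, resource, source_ip)


if __name__ == "__main__":
    # At time 59 the RFC 6238 SHA-1 vector is 94287082; the 6-digit code is 287082.
    print(request_access("fran", "correct horse", "287082", 59, "10.10.2.15", "banking-portal"))
    print(request_access("fran", "correct horse", "287082", 59, "10.10.2.15", "source-repo"))
    print(request_access("fran", "correct horse", "287082", 59, "203.0.113.9", "banking-portal"))
```

The point of the three usage calls is that the same valid login gets three different answers: allowed for the resource finance is documented to need from the finance network, denied for a resource outside that role, and denied for the right resource from the wrong place. Authentication answered "who is this"; only authorization answered "should they be doing this".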
The Point
To limit your organization's exposure to internet contamination, you must control access in and out of both your physical locations and your network. To do this, verify identity and intent, and be selective about which access points you allow.
Building These Concepts Into Your Culture
Extend this analogy to encompass all methods of getting in and out of the organization.
Start with your employees. After all of this is configured, you must train your staff on staying safe while accessing this toxic environment. Without training, you risk people in your environment running outside without a radiation suit.
Then, consider other parts of the business that may pose threats. Consider malicious or careless insiders, deliveries and shipments, vendors, cleaning staff, acquisitions, and any other way in which someone gains physical or virtual access to your business and its sensitive data.
Conclusion
There are actually parallels between living in this example dystopian future and living in the age of the internet.
Of course, there is no way to eliminate all risks, so it’s important not to be afraid of internet usage as a business. Your business still needs to be able to function. However, as a business or security leader, it’s your responsibility to limit the chances of contamination wherever possible.
By ensuring firewalls are configured properly, granting access based on roles and responsibilities, decontaminating at the endpoints, setting proper access controls and data security technologies, and training your staff, you create an environment that is protected from the toxicity of the internet, and one that is equipped to recover from any exposure.
For more help with training, controls, and technology as it relates to internet safety and data security, contact us at frsecure.com.