h2g2 Episode 8: It’s a Zero Trust game

A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders

In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.

There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations.  Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.

This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.

Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation.  To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.


Episode 8: It’s a Zero Trust game

“Arthur: If I asked you where we were, would I regret it?
Ford: We’re safe.
Arthur: Oh good.
Ford: We’re in a small galley cabin in one of the spaceships of the Vogon Constructor Fleet.
Arthur: Ah, this is obviously some strange use of the word ‘safe’ that I wasn’t previously aware of.”

Douglas Adams, A Hitchhiker’s Guide to the Galaxy


In episode 4 (Who goes there, friend or foe?), I talked about how access controls are important in limiting the amount of damage that can be done in the event of a user account becoming compromised.

They are just one of a range of tools at your disposal for achieving this.

Thinking the unthinkable

Imagine your house.

Now imagine an intruder getting in via an open window.  How far could they get?  What rooms could they get into?  What might they find in cupboards and drawers?  What kind of mess would they leave behind?

Where do you keep your most valuable items?  Passports, jewellery, or treasured heirlooms?  Are they locked up, or hidden away?

Possibly both.  You know that an intruder would be interested in finding them, so you make it harder for them.

Anyone who has ever been in the unfortunate position of having suffered a home break-in knows the feelings of insecurity that result.  It takes a long time to rebuild a sense of trust and changes how you think about your home security.

You could make things much more difficult for an intruder by having everything behind lock and key.  A lock on every door, cupboard and drawer, requiring a separate key for each, would stop a lot of the damage.

Of course, we don’t do that at home because it’s cumbersome, it’s not the way we want to live, and results in too much friction to everyday life.  So we accept a level of risk by going without those additional protections.

Putting your house in order

Let’s translate from home to work.  The physical security risks are pretty well understood.  We have fences, barriers, reception desks, ID card operated doors, locked filing cabinets and CCTV.  Making it difficult for intruders to get in and get around, and having eyes which are watching.  So far, so secure.

The same physical security principles apply to your network and information security.  Except the risk response needs to be very different, because the potential damage from an intruder is very much greater.

Having a lock and key on every door, cupboard and drawer might not be the solution at home, but that idea forms the principle of good network security.  Access controls are your ID cards to say who can go where, and your fences and barriers are firewalls and VLANs (virtual networks).  Anti-malware and logging software is your network CCTV.

Taken to its fullest extent, it’s called “zero trust networking”.

Let’s unpack some of these concepts.

1. Firewalls

A well built house has external walls which are stronger than the internal walls.  These external walls protect the house from the elements and from intruders.  And internally, some walls are stronger, and can also prevent the spread of fire through the building.  The original “fire wall”.

(Of course, you also need locks on the doors and windows – more on that when I discuss penetration testing in episode 18 Inviting trouble).

All organisations should have a perimeter firewall which sits between your internal network and the internet.  When we talk about ‘the’ firewall, this is usually what we’re talking about.  At its simplest it enforces rules about which addresses and ports are allowed to communicate in and out of the network, and it examines the low-level “packet” communications between computers for unusual or irregular behaviour, like network port scanning, or denial of service by flooding with requests.  Most modern perimeter firewalls go further: they are typically configured to recognise and block known malicious web addresses hosting malware, and to scan email attachments and web downloads and block suspicious ones.

Perimeter firewalls have come a long way and are powerful defences.  So called “next generation” firewalls recognise communications traffic associated with applications, not just individual packets, and can isolate and test suspicious files, like web downloads and email attachments, in a safe “sandbox” environment.  Many are incorporating AI and machine learning techniques to better detect and protect against unusual or malicious activity.  Many of the more advanced features require additional licensing (and cost).  Most “enterprise grade” firewalls come with a 3 to 5-year licensing and support package, so you should expect to be budgeting for renewal in that timeframe.

2. Firewalls on the inside

Just as a building has internal physical firewalls, so can a network.  An internal network firewall provides additional protection to a segment of your network (or subnet).  It might do this by restricting which computers can access the subnet and what forms of communication or activity are permitted.  And it protects that subnet from “insider threats”, from the rest of the internal network.

In addition, Windows, macOS and most Linux distributions ship with a software firewall.  It is switched on by default on Windows, but on macOS it has to be turned on and configured.  If configured appropriately, these “host-based” firewalls provide additional protection against internal threats, because each machine controls what it will accept, even from its neighbours on the same network segment.

Some firewall and anti-virus vendors provide host-based firewalls, and some of these are available for Linux systems as well as Windows and Mac.

Unless you have very good reasons not to, you should have host-based firewalls enabled and configured on workstations and servers.

3. End-point Detection and Response (EDR)

In the old days, we called this anti-virus or anti-malware.  The threat has evolved beyond recognisable virus files to “fileless” attacks, abuse of legitimate administration tools and hands-on-keyboard intrusions that follow a successful phishing email, so the tools to recognise and respond to them have evolved too.

Virologists use indirect detection methods such as observing the effects of a virus; for example, the production of antibodies in an infected individual.  EDR tools similarly use behaviour analysis to detect unusual or anomalous behaviour by the programs running on a computer, such as an Office document launching a command shell or one process renaming hundreds of files in a few seconds, rather than relying only on recognising a known malicious file.  Malware variants are being produced using “Ransomware as a Service” kits and AI tools (including ChatGPT), and fresh variants routinely evade signature-based anti-virus, and sometimes EDR as well.  It’s always a game of cat and mouse, and it’s the job of senior leaders to ensure that your organisation has invested in appropriate tools to meet the threat.
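To make the “behaviour, not signatures” point concrete, here is an added example of the kind of rule an EDR sensor applies.  It is not code from this post or from any EDR vendor: the process and file events are constructed telemetry from an imaginary laptop, and the two rules (an Office application spawning a shell, and one process renaming many files in a short window) are illustrative, not a product’s real detection logic.

```python
"""Behaviour-based detection of the kind an EDR sensor performs.

Added example for this post: not code from the original article or from any
EDR vendor. The telemetry below is constructed, and the two rules are
illustrative rather than a product's real detection logic.
"""
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: float       # seconds since start of capture (constructed)
    host: str
    parent: str     # parent process image name
    process: str    # process image name
    action: str     # "spawn" or "rename"
    target: str     # command line for a spawn, file path for a rename


# Rule 1: an Office application launching a shell or script host is a classic
# sign of a malicious macro, whatever the document's file signature looks like.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Rule 2: one process renaming many files in a short window looks like
# ransomware encrypting a user's documents.
RENAME_THRESHOLD = 20   # renames by a single process ...
RENAME_WINDOW = 10.0    # ... within this many seconds


def detect(events):
    """Return a list of (rule, host, process, detail) alerts for the events."""
    alerts = []
    rename_times = defaultdict(list)   # (host, process) -> recent rename timestamps
    already_alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "spawn":
            if ev.parent.lower() in OFFICE_APPS and ev.process.lower() in SHELLS:
                alerts.append(("office-spawns-shell", ev.host, ev.process, ev.target))
        elif ev.action == "rename":
            key = (ev.host, ev.process.lower())
            times = rename_times[key]
            times.append(ev.ts)
            # Keep only the renames inside the sliding window.
            while ev.ts - times[0] > RENAME_WINDOW:
                times.pop(0)
            if len(times) >= RENAME_THRESHOLD and key not in already_alerted:
                already_alerted.add(key)
                alerts.append(("mass-file-rename", ev.host, ev.process,
                               f"{len(times)} renames in {RENAME_WINDOW:g}s"))
    return alerts


# Constructed sample telemetry from a laptop called LT-014: a user opens a
# macro-enabled document, the document launches PowerShell, and PowerShell then
# renames 25 files to a ".locked" extension within five seconds.
MALICIOUS_EVENTS = [
    Event(0.0, "LT-014", "explorer.exe", "WINWORD.EXE", "spawn", "WINWORD.EXE invoice.docm"),
    Event(2.1, "LT-014", "WINWORD.EXE", "powershell.exe", "spawn",
          "powershell.exe -nop -w hidden -enc <base64 blob>"),
] + [
    Event(3.0 + i * 0.2, "LT-014", "powershell.exe", "powershell.exe", "rename",
          f"C:\\Users\\alice\\Documents\\file{i:02d}.docx.locked")
    for i in range(25)
]

# Constructed benign telemetry: a document opened normally and a user renaming
# a couple of files by hand.
BENIGN_EVENTS = [
    Event(0.0, "LT-022", "explorer.exe", "WINWORD.EXE", "spawn", "WINWORD.EXE report.docx"),
    Event(5.0, "LT-022", "explorer.exe", "explorer.exe", "rename", "C:\\Users\\bob\\Desktop\\draft_v2.docx"),
    Event(9.0, "LT-022", "explorer.exe", "explorer.exe", "rename", "C:\\Users\\bob\\Desktop\\draft_final.docx"),
]


if __name__ == "__main__":
    for rule, host, process, detail in detect(MALICIOUS_EVENTS):
        print(f"ALERT {rule}: {host} {process} {detail}")
    print("benign alerts:", detect(BENIGN_EVENTS))
```

Neither rule looks at what the files contain, which is why a freshly repacked variant that beats signature scanning still trips them; the cat-and-mouse part is that attackers then tune their behaviour (slower renames, a less obvious parent process) to stay under thresholds like these.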

EDR vendors and solutions which are common in the education sector include Microsoft Defender, Sophos Intercept X, CrowdStrike, WatchGuard, ESET Inspect, Trend Micro and Fortinet EDR.

Alongside installed EDR software, you can subscribe to a Managed Detection and Response (MDR) service, which outsources the monitoring and response to a provider and gives you 24×7 coverage that is beyond the reach of most in-house IT and security teams.  Extended Detection and Response (XDR) goes wider rather than outsourcing: it correlates signals from email, identity, network and cloud services alongside the endpoints, so that an attack is seen as a whole rather than as a series of isolated alerts.

4. VLANs – virtual networks

Modern networking equipment (so-called “layer 2 switches”) support the concept of “virtual local area networks” or VLANs.  What these do is essentially split your organisation’s single physical network into multiple virtual networks, as if they were physically separate.  They also allow you to join devices in different locations to the same “logical” network, as if they were in the same room or building.

VLANs were designed originally to improve network performance, by limiting how far broadcast traffic travels in large networks.  They also have a security benefit by reducing the scope for “lateral movement”, that is, limiting the ability of an attacker who has gained access to one part of your network to launch attacks across the whole of it.

For example, a ransomware attack launched from one VLAN may not reach other VLANs, so the scope for compromise—what we call the “blast radius”—is reduced.

Read this carefully

What I didn’t say there is that having VLANs in place will stop a ransomware attack.

Now, if you’ve read all the preceding episodes in this series, you’ll have picked up that there are two sides to every story in the technology world, and it’s no different with VLANs.  Setting them up is pretty straightforward, but the reality is that in most cases, you need those logical networks to be able to “talk” to each other.  They are not actually completely separate, because they are all part of your organisation.

To enable that to happen, traffic between VLANs has to pass through a router (usually a “layer 3” switch) or an internal firewall, and that is where you put in place the rules that specify which VLANs can talk to each other and what sort of communication is allowed.  These are called “access control lists” (ACLs), and they are tricky to define; get it wrong, and things stop working.  And it has to be done for each and every VLAN, so it’s not a quick or easy job.  The goal is a “default deny”: only the flows you have explicitly listed are permitted, and everything else is dropped.

What we find in our Cyber Security Assessments is that many organisations have VLANs in place, but very few have any ACLs defined, other than one which allows all VLANs to talk to each other.  In other words, the VLANs might provide some operational efficiencies, but aren’t really doing much to help segment the network or provide protections.

What we recommend is that you work out what your “risky” networks are, and your “high value” assets, and focus on putting these in VLANs with defined access controls.

Risky networks include your Guest WiFi, printers and copiers, digital telephony, building control systems (CCTV, door access systems) and other so-called “smart” devices.  Each of these should be segmented into their own VLANs.

Your high value assets are those which store and process confidential or sensitive data.  Database systems, like Finance, HR or Student Records, executive leadership data files and email mailboxes, research activities and intellectual property.  Each of these should be segmented into their own VLANs.

Thereafter, it’s a judgment call.  Typically, you might want to segregate student devices from staff devices, and isolate your core IT systems.

For your high-value assets, you might want to put these behind an internal firewall too for extra protection.  That’s a risk-based judgment, based on the value of the assets you want to protect.
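The difference between “VLANs exist” and “VLANs segment the network” is the ACL between them.  The following added example (not configuration from this post or from any real organisation) models that difference for the segmentation recommended above: the single allow-everything rule that assessments commonly find, beside a default-deny policy that only permits the flows each VLAN actually needs.  VLAN names, subnets, ports and sample flows are all constructed, and the Cisco-style rendering at the end is illustrative syntax, TCP only.

```python
"""Inter-VLAN access control lists: the "everything talks to everything" rule
beside a segmented, default-deny policy.

Added example for this post: not configuration from the original article or
from any particular organisation. VLAN names, subnets, ports and flows are
constructed for illustration.
"""
import ipaddress
from typing import NamedTuple, Optional

ANY = "*"


class Rule(NamedTuple):
    src: str                      # VLAN name or ANY
    dst: str                      # VLAN name or ANY
    ports: Optional[frozenset]    # TCP destination ports; None means any port
    action: str                   # "permit" or "deny"


def evaluate(policy, src, dst, port):
    """First matching rule wins; anything unmatched is denied, which is the
    implicit deny at the end of a router ACL."""
    for rule in policy:
        if (rule.src in (ANY, src) and rule.dst in (ANY, dst)
                and (rule.ports is None or port in rule.ports)):
            return rule.action
    return "deny"


# What assessments commonly find: VLANs exist, but the only ACL lets every
# VLAN reach every other one.
FLAT_POLICY = [Rule(ANY, ANY, None, "permit")]

# A segmented policy: risky networks and high-value assets in their own VLANs,
# with only the flows that are needed. Order matters: the guest deny comes
# before the rule that lets every VLAN reach core IT for DNS/Kerberos/LDAP.
SEGMENTED_POLICY = [
    Rule("guest_wifi", ANY, None, "deny"),                               # guests get internet only
    Rule("core_it", ANY, None, "permit"),                                # management, patching, backups
    Rule(ANY, "core_it", frozenset({53, 88, 389, 636}), "permit"),       # DNS, Kerberos, LDAP(S)
    Rule("staff", "printers", frozenset({631, 9100}), "permit"),
    Rule("students", "printers", frozenset({631, 9100}), "permit"),
    Rule("staff", "finance_app", frozenset({443}), "permit"),            # users reach the application...
    Rule("finance_app", "finance_db", frozenset({1433}), "permit"),      # ...only the application reaches the DB
]

# Constructed addressing plan, one /24 per VLAN, used for the ACL rendering.
SUBNETS = {
    "core_it": "10.0.10.0/24", "staff": "10.0.20.0/24", "students": "10.0.30.0/24",
    "guest_wifi": "10.0.40.0/24", "printers": "10.0.50.0/24", "bms": "10.0.60.0/24",
    "finance_app": "10.0.70.0/24", "finance_db": "10.0.71.0/24",
    "student_records_db": "10.0.72.0/24",
}

# Constructed sample flows: (source VLAN, destination VLAN, TCP port).
SAMPLE_FLOWS = [
    ("guest_wifi", "student_records_db", 1433),  # visitor's laptop probing the records DB
    ("printers", "staff", 445),                   # compromised copier scanning staff file shares
    ("bms", "finance_db", 1433),                  # door controller reaching the finance DB
    ("students", "finance_app", 443),             # student trying the finance web app
    ("staff", "printers", 9100),                  # a normal print job
    ("staff", "finance_app", 443),                # finance staff using the app
    ("finance_app", "finance_db", 1433),          # application tier talking to its database
    ("staff", "finance_db", 1433),                # a staff PC going straight to the DB
]


def compare(policy_a, policy_b, flows):
    """Decide each flow under both policies: (src, dst, port, result_a, result_b)."""
    return [(s, d, p, evaluate(policy_a, s, d, p), evaluate(policy_b, s, d, p))
            for s, d, p in flows]


def to_cisco_style(policy):
    """Render the policy as extended-ACL style lines (illustrative, TCP only)."""
    def addr(name):
        if name == ANY:
            return "any"
        net = ipaddress.ip_network(SUBNETS[name])
        return f"{net.network_address} {net.hostmask}"   # address + wildcard mask
    lines = []
    for r in policy:
        for port in (sorted(r.ports) if r.ports else [None]):
            eq = f" eq {port}" if port is not None else ""
            lines.append(f"{r.action} tcp {addr(r.src)} {addr(r.dst)}{eq}")
    lines.append("deny ip any any")   # the implicit deny, shown explicitly
    return lines


if __name__ == "__main__":
    for src, dst, port, flat, seg in compare(FLAT_POLICY, SEGMENTED_POLICY, SAMPLE_FLOWS):
        print(f"{src:>12} -> {dst:<20} :{port:<5} flat={flat:<6} segmented={seg}")
    print("\n".join(to_cisco_style(SEGMENTED_POLICY)))
```

Two things the output makes visible that the prose can only assert: under the flat policy every one of the risky flows is permitted, so the VLANs buy nothing against lateral movement; and under the segmented policy a staff PC cannot reach the finance database directly even though it can use the finance application, which is exactly the “blast radius” reduction the post describes.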

5. Never trust, always verify

The Russians have a rhyming proverb which means “trust, but verify”.  This is the way that computer networks were designed in the early days.  The idea was that the firewall defined the network boundary edge of the organisation.  If a computer was “inside” the firewall, it was trusted.  If a computer was joined to the organisation’s network domain, it was trusted.  Once a user had logged in to a computer, to verify their identity, they were trusted.

No more.  Zero trust networking is the new watchword.  The principle is “never trust, always verify”.  It’s happened for two reasons.

First, the boundary of the network is no longer defined by the firewall.  We’re all using mobile and personal devices to access organisational data from various places, inside and outside the network, so we can no longer rely on the firewall to protect those devices and data.

Second, there’s always been the insider threat.  A bad apple with privileges is a dangerous combination.

Zero trust networking puts more checks and balances in place so that every access to every resource, from every device, by every user, is verified each time: who the user is, whether the device is known and healthy, and whether that user actually needs that resource.  The secret is to do all the verification seamlessly, so that you get the security benefit without friction for the user.  That doesn’t come without cost.
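An added example of what that per-request verification looks like as a decision rule, beside the old “inside the firewall means trusted” rule.  This is not code from this post or from any identity or zero trust product: the users, groups, devices, resources and sensitivity levels are constructed, and the requirements table is one reasonable policy, not the only one.

```python
"""Per-request access decisions: the perimeter model beside a zero trust policy.

Added example for this post: not code from the original article or from any
identity or zero trust product. Users, groups, devices, resources and the
sensitivity levels are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset           # group memberships from the directory
    mfa_verified: bool          # MFA completed for this session
    device_managed: bool        # enrolled in MDM / domain-joined
    device_compliant: bool      # EDR running, disk encrypted, patched (posture from MDM)
    on_corporate_network: bool
    resource: str


# Constructed resource catalogue: who may use each resource, and how sensitive it is.
RESOURCES = {
    "intranet_news": {"sensitivity": "low", "allowed_groups": {"staff", "students"}},
    "timetable":     {"sensitivity": "medium", "allowed_groups": {"staff", "students"}},
    "hr_database":   {"sensitivity": "high", "allowed_groups": {"hr"}},
    "finance_app":   {"sensitivity": "high", "allowed_groups": {"finance"}},
}

# What each sensitivity level demands of the user and the device.
REQUIREMENTS = {
    "low": set(),
    "medium": {"mfa"},
    "high": {"mfa", "managed", "compliant"},
}


def perimeter_decision(req):
    """The old model: inside the firewall, or domain-joined, is enough."""
    return "allow" if (req.on_corporate_network or req.device_managed) else "deny"


def zero_trust_decision(req):
    """Evaluated on every request; network location never counts on its own."""
    resource = RESOURCES[req.resource]
    if not (req.groups & resource["allowed_groups"]):
        return "deny"                 # least privilege: not entitled at all
    needed = REQUIREMENTS[resource["sensitivity"]]
    if "mfa" in needed and not req.mfa_verified:
        return "step-up"              # prompt for MFA, then re-evaluate
    if "managed" in needed and not req.device_managed:
        return "deny"
    if "compliant" in needed and not req.device_compliant:
        return "deny"                 # e.g. EDR stopped or device unpatched
    return "allow"


# Constructed scenarios. Field order: user, groups, mfa, managed, compliant, on_network, resource.
SCENARIOS = {
    "hr_on_lan_unhealthy":    AccessRequest("carol", frozenset({"staff", "hr"}), True, True, False, True, "hr_database"),
    "staff_phone_news":       AccessRequest("dave", frozenset({"staff"}), True, False, False, False, "intranet_news"),
    "student_finance":        AccessRequest("eve", frozenset({"students"}), True, True, True, True, "finance_app"),
    "staff_no_mfa_timetable": AccessRequest("frank", frozenset({"staff"}), False, True, True, True, "timetable"),
    "hr_healthy_remote":      AccessRequest("carol", frozenset({"staff", "hr"}), True, True, True, False, "hr_database"),
}


def decide_all(scenarios):
    """Map each scenario name to (perimeter decision, zero trust decision)."""
    return {name: (perimeter_decision(r), zero_trust_decision(r)) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (old, new) in decide_all(SCENARIOS).items():
        print(f"{name:<24} perimeter={old:<6} zero-trust={new}")
```

The first scenario is the one that matters for the insider and compromised-device cases: an HR user on a domain-joined PC on the office LAN, whose EDR has been stopped, is waved through by the perimeter model and refused by the zero trust rule, while a staff member reading low-sensitivity news on a personal phone is refused by the perimeter model and allowed by the zero trust rule.  The “seamless” part the text calls for is that the device posture and MFA state are already known before the request arrives, so the user only ever sees a prompt in the step-up case.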

Most organisational networks are built around Microsoft Windows and Active Directory.  Active Directory has been with us for 25 years in broadly its current form, and was built on the trust model described above: a domain-joined computer and a logged-in user are trusted.  There are lots of vulnerabilities that come with that, and we’re not going to be able to flick a switch and move to the world of zero trust overnight.  So you need to be planning for this as part of your security roadmap, and that includes resourcing it.

And that’s the heart of the issue.  For all the technical measures outlined above—firewalls, endpoint detection and response, virtual networks, zero trust—what good cyber security comes down to is an assessment of risk against the value of the assets you need to protect, and making the appropriate investment in the technologies, people and processes to deliver the protection levels you need.

Putting your house in order.  Making sure that your organisation can function the way it needs to, while ensuring that the unthinkable doesn’t become a reality.

A Final [Deep] Thought

In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at extra protections you need to have in place for your IT team and other key personnel.  “The keys to the kingdom”

For now, you should review your network architecture.  Do you have an external firewall in place?  Are software firewalls enabled on servers and endpoint devices?  Does your network have VLAN segmentation?  Are access control lists defined?  Do you have AV/EDR in place?  Are your risky networks (guests, students, building management systems, printers) in their own network segment?  Do you have plans to implement a zero trust network architecture?


James Bisset is a Cyber Security Specialist at Jisc.  He has over 25 years experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.
