The term “perimeter” in security traditionally referred to the boundary between the secure business infrastructure and the rest of the open world.
Information inside the perimeter would be protected, and anything outside that perimeter was treated as a potential threat. Employees would come into work inside the perimeter and, when they were finished for the day, their work was often “left at the door.”
For many organizations today, working from home is becoming the norm rather than the exception. Information no longer lives solely within the perimeter but has stretched into cloud repositories, remote access connectivity, mobile phones, screen sharing applications, video conferences and many other advancements in technology.
The reality is that the perimeter, as it was known to be, is dead.
When experts talk about the perimeter as it relates to security today, what they are really talking about is the access to information.
We no longer are protecting boundaries — we are protecting data. Perhaps, we always have been.
The good news for businesses is that the way to tackle this problem does not always involve highly technical or highly expensive software solutions. It does require a shift in thinking and a little bit of elbow grease.
One action to perform is reviewing the controls in place to curb user access. The “principle of least privilege” means that we grant employees only the privileges and access necessary to do their job functions.
Unrestricted access to all company information could spell trouble if an employee account is compromised, because that account then offers unfettered access to all sensitive information.
Instead of leaving only a small subset of data at the disposal of a nefarious actor, businesses that allow employees unrestricted access may be opening the organization up to unnecessary risks. If Alice in Accounting has no business need to review HR documents, then that data should be isolated and access controls should be implemented to prevent this type of access.
Creating security groups and segmenting sensitive data into isolated repositories will go a long way toward improving the organization’s security posture.
In addition to unrestricted access, granting excessive administration rights or creating security loopholes will set a business up for failure. Most attacks today rely on the exploitation of elevated and privileged credentials.
By limiting and protecting those credentials, the organizational risk and attack surfaces are drastically reduced.
A simple exercise could be performed by the business leaders and the IT staff to review all the local administrators on computers, servers and technology systems.
What groups or users have admin rights? Who is in those groups? Does it make sense to give this person admin rights?
An entitlement review process will yield some surprising results that often include terminated employees with active accounts, vendor accounts that remain active after completed upgrade projects and any other “temporary” access that gets lost in the shuffle.
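The review described above can be run as a simple cross-check of exported data. The following is an added example, not part of the original article: it compares an export of local administrator memberships against an HR roster and vendor engagement end dates. All host names, accounts, dates and the list of roles that justify admin rights are constructed assumptions.

```python
from datetime import date

# Constructed sample data: who holds local admin rights on which host,
# the HR roster, and when each vendor engagement ended.
ADMIN_EXPORT = [
    {"host": "ACCT-PC01", "account": "alice", "type": "employee"},
    {"host": "HR-SRV01", "account": "bob", "type": "employee"},
    {"host": "ERP-SRV01", "account": "vendor-erp", "type": "vendor"},
    {"host": "FILE-SRV01", "account": "carol", "type": "employee"},
    {"host": "FILE-SRV01", "account": "tmp-migrate", "type": "temporary"},
]
HR_ROSTER = {
    "alice": {"status": "active", "role": "accounting"},
    "bob": {"status": "terminated", "role": "hr"},
    "carol": {"status": "active", "role": "it-admin"},
}
VENDOR_END = {"vendor-erp": date(2023, 6, 30)}
ROLES_NEEDING_ADMIN = {"it-admin"}  # assumption: set by the business, not IT alone


def review_entitlements(export, roster, vendor_end, today):
    """Return (host, account, reason) for every admin grant that needs a decision."""
    findings = []
    for row in export:
        acct, host, kind = row["account"], row["host"], row["type"]
        if kind == "employee":
            person = roster.get(acct)
            if person is None:
                reason = "no HR record for this account"
            elif person["status"] != "active":
                reason = "terminated employee still has admin rights"
            elif person["role"] not in ROLES_NEEDING_ADMIN:
                reason = "role has no documented need for admin rights"
            else:
                continue  # active employee whose role justifies admin
        elif kind == "vendor":
            end = vendor_end.get(acct)
            if end is not None and end >= today:
                continue  # engagement still running
            reason = "vendor account with no active engagement"
        else:
            reason = "temporary access with no owner or expiry"
        findings.append((host, acct, reason))
    return findings


if __name__ == "__main__":
    for finding in review_entitlements(ADMIN_EXPORT, HR_ROSTER, VENDOR_END, date(2024, 1, 15)):
        print(*finding, sep=" | ")
```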
Information security is a delicate balance between security and convenience. Data classification efforts to understand and isolate information will take time and effort.
Contacting the IT department to perform software installations that would otherwise be done by someone with admin rights can be inconvenient. Documenting systems and performing regular entitlement reviews will seem like an unrewarding task.
However, all these actions are necessary to keep pace with the threat landscape we face working outside the perimeter.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids-based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending our free monthly meetings.