THROUGHOUT THIS SERIES, I have focused on products and services: the toolbox we use to protect our sites. There has been the occasional detour into more metaphysical areas, discussing the Zen of things, but for the most part, I have stuck to the nuts and bolts. For this final installment, I want to step back and take a wider, more philosophical view of security.
It is important to separate this discussion from one of frameworks such as NIST, CIS, CMMC, and others. It is hard to categorize these frameworks as a group, but in general, they are more descriptive than prescriptive and do not usually provide actionable SMB security guidance. They are valuable, but this will not be a discussion of those frameworks.
Defining the Issue
Most of us who secure SMB businesses approach it from the standpoint of what tools to use to protect which processes. But we also need to look at SMB security from a standpoint of pathways and processes. That means focusing more on the ways that information is stored and transmitted, how it is secured during those processes, and finally, how these processes may fail or be subverted.
You can think of this as an exercise in imagining how someone might enter or otherwise infiltrate a secure building or installation. Doors and windows are obvious, but roofs, tunneling, utility entrances, and more are also part of the equation. For example, if you allow a delivery person into your building, do you verify that he or she is actually working for UPS or FedEx? If you receive a package, do you verify its sender and that it was expected? Do you open it and confirm contents?
What about repair people, especially if they are working on cabling or power or, for that matter, in any space where electronics could be planted? Do you watch them work? And we should not forget to consider external efforts, from dumpster diving to using lasers to measure windowpane deflection, to good old physical taps to capture voice or network data.
We have to visualize doing IT security this way too. There are plenty of obvious analogies with email: verifying the sender through DMARC, DKIM, and SPF; scanning attachments and attached URLs (email filtering); and even package inspection upon opening (endpoint protection, for the most part). But there are many more useful analogies here too. Building ingress can be thought of as firewall ports, remote access, Wi-Fi, and even Bluetooth (which works in our parking lot from some of the phones). And we can compare the ubiquity of remote work, with its many unknown, unprotected endpoints, to letting people into the building whom we not only do not know but cannot even see.
Rising to the Challenge
What does this mean to us as IT security professionals, other than day drinking and lawyers, guns, and money? Again, I see this as an argument for stepping back from the way we do things now and reconsidering our strategy. In my own case, I have spent years trying to design, implement, and manage overlapping layers of security products and services. This has worked very well so far. But just as signature-based endpoint detection has hit the wall, device-based security is running out of runway as well.
To start, we should consider what we are defending and how it has changed. It is almost cliché now to point out that the perimeter has effectively dissolved. Between wireless and remote access, work from anywhere, and the proliferation of cloud service “destinations” we all support, the word “perimeter” no longer carries the same meaning. When we look at our endpoints, another traditional component in the equation, many of us have moved from managing a fleet of known, secured, and monitored machines to what can best be described as a motley crew of unknown threats.