Spam, phishing attacks and infected attachments; malware-infected downloads; compromised websites hosting exploit code; USB thumb drives purpose-built to exploit unwitting users. In how many ways can one of your network's hosts become compromised? Well, according to the independent security testing company The AV-TEST Institute, somewhere north of 300 million.
Let that number sink in for a moment.
Since 1984, when the institute's records begin, it has registered over 300 million types of malware. In the past year alone that number grew by well over 100 million, an average of 12 million new malware variants each and every month. How can any one single solution keep up with that growing number of threats?
Defense in depth is a security term describing an approach that places multiple, independent layers of defense throughout an information system. The layers include technical and procedural controls, and rely on software, hardware and people to be most effective. Taking a defense-in-depth approach to your systems' security is the best way to defend against all those millions of potential threats. It gives you redundancy and overlapping coverage, so a threat that slips past one layer is still likely to be caught by another.
The seven layers
Just as castles included high walls, moats with drawbridges and portcullises, towers, barbicans, hoardings, murder holes and baileys, your network should have multiple defenses as well. Defense in depth means layering your defenses rather than relying on any one solution. Here are the layers you should use.
Antivirus
Every system, from end-user workstations to servers, should have antivirus software that runs full-time, scans all traffic and files in real time, scans the whole system on a schedule and checks for signature updates several times a day. A single system running without antivirus is an easy target, and the foothold from which malware finds its way into the rest of your network.
Endpoint protection
Some of you may remember the phrase "garbage in, garbage out". It is an old computing maxim, and it applies just as well to access rights: give someone local admin rights they shouldn't have and you get exactly the mess you invited. One over-privileged user, or the malware running in that user's session, can do enormous damage, so take steps to prevent it and grant administrative rights only where the job requires them. Augment your antivirus software with endpoint protection that prevents users from connecting unapproved USB devices and enforces encryption on approved ones, so that when a drive is lost you have a lost drive to deal with rather than a data leak. Nothing should get in or out of your network without you knowing about it.
Web monitoring and filtering
One of the biggest risks to your 'castle' comes from unrestricted Internet access. If your users can browse to any website, you have left the gates open for anything to come or go as it pleases. You don't have to live in a state of siege to protect your systems, but you should have strong web monitoring and filtering in place, so that if anything tries to sneak in or out you can stop it before any damage is done. Given the volume of malware, a web filtering solution that scans downloads with multiple antivirus engines is a good way to cut your risk, since no single engine catches everything.
Email security
Another way the barbarians try to get through the gates is email. Whether it is spam, targeted phishing or malware-laden attachments, email is a prime attack vector and has been implicated in many of the most prominent attacks of the past few years. To defend your realm you must protect both your email systems and your users from all of these. Deploy a messaging hygiene solution that scans for spam, phishing and malware and, again, look for one that uses multiple antivirus engines for the most effective defense against email-borne threats.
Vulnerability scanning
Not all malware requires user interaction. Many variants automatically scan for vulnerabilities in reachable systems, such as the ones hosting your websites, VPN, email and other external-facing services, and exploit them to get in. From there it can be a short hop to other systems. See your network the way attackers do by performing regular vulnerability scans of all your systems, both from inside your network and from outside it: the two views differ, and the outside view is what tells you which services an attacker can actually reach. Consider it the captain of the guard checking every post to be sure it is secure.
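As an added example that is not part of the original article, the script below takes the grepable output of an nmap scan run from outside the network and reports every open service that is not on an approved-services list, which is the "see your network the way the attackers do" step in code. The scan output and the approval policy are constructed sample data (documentation-range addresses), not results from any real network.

```python
"""Flag Internet-facing services that are not supposed to be there.

Added example (not from the original article): parse the grepable output of an
external nmap scan and compare what is reachable with an approved-services
policy. The scan text and the policy below are constructed sample data."""
from typing import Dict, Set, Tuple

Service = Tuple[int, str]  # (port, protocol)

# Constructed sample output in nmap's grepable format (nmap -oG -), as if the
# scan had been run from OUTSIDE the network against two public addresses.
EXTERNAL_SCAN = (
    "# Nmap 7.94 scan initiated\n"
    "Host: 203.0.113.10 (www.example.test)\tStatus: Up\n"
    "Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http//nginx/, "
    "443/open/tcp//https//nginx/, 22/open/tcp//ssh//OpenSSH 8.9/\t"
    "Ignored State: filtered (997)\n"
    "Host: 203.0.113.20 (mail.example.test)\tStatus: Up\n"
    "Host: 203.0.113.20 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix/, "
    "3389/open/tcp//ms-wbt-server///, 8080/closed/tcp//http-proxy///\t"
    "Ignored State: filtered (997)\n"
    "# Nmap done\n"
)

# Hypothetical policy: the only services each host is meant to expose.
APPROVED: Dict[str, Set[Service]] = {
    "203.0.113.10": {(80, "tcp"), (443, "tcp")},
    "203.0.113.20": {(25, "tcp")},
}


def parse_open_ports(grepable: str) -> Dict[str, Set[Service]]:
    """Return {ip: {(port, proto), ...}} for every port nmap reported as open.

    Each -oG port entry has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version.
    """
    result: Dict[str, Set[Service]] = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\t", 1)[0]
        open_ports = result.setdefault(ip, set())
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
    return result


def unexpected_exposure(grepable: str,
                        approved: Dict[str, Set[Service]]) -> Dict[str, Set[Service]]:
    """Services reachable from outside that the policy does not allow.

    A host absent from the policy has no approved services, so everything
    open on it is reported.
    """
    findings: Dict[str, Set[Service]] = {}
    for ip, open_ports in parse_open_ports(grepable).items():
        extra = open_ports - approved.get(ip, set())
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, services in sorted(unexpected_exposure(EXTERNAL_SCAN, APPROVED).items()):
        for port, proto in sorted(services):
            print(f"{ip}: {port}/{proto} is reachable from the Internet but not approved")
```

On the sample data this reports SSH on the web server and RDP on the mail server, neither of which the policy allows. The same parser works on the internal scan: compare that against your internal baseline, and anything that shows up open externally when you only expected to see it internally is the finding to chase first.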
Patch management
Most vulnerabilities come from flaws in code, which should be patched once they are discovered. The more systems you have, the harder it is to patch every one by hand; you are sure to miss something, and that leaves a chink in your armor or a crack in your wall. Use a patch management system to automate patching and, just as importantly, to verify that each and every workstation and server is fully patched at all times, for both operating system and application issues. It is proper castle maintenance, after all.
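The "verify" half of patch management is where systems get missed, so here is an added example (not from the original article) of reconciling an asset inventory against the patch-status records a patch-management agent reported back. The inventory, the reports and the required baseline are constructed sample data and the patch identifiers are placeholders; the point is the two checks that a plain "did the deploy job succeed?" view misses: a host that never reported is a failure, not a blank, and a host that reports but is in nobody's inventory is a machine nobody is maintaining.

```python
"""Verify patch state across the whole inventory, not just the hosts that answered.

Added example (not from the original article): reconcile an asset inventory
with the patch-status records a hypothetical patch-management agent reported.
Inventory, reports and the required baseline are all constructed sample data."""
from typing import Dict, Set

# Hypothetical baseline: patch identifiers every host of a given platform must have.
REQUIRED: Dict[str, Set[str]] = {
    "windows": {"KB5001001", "KB5001002"},
    "linux": {"openssl-3.0.2-0ubuntu1.15", "linux-image-5.15.0-105"},
}

# Constructed inventory: host -> platform, for every host the organisation owns.
INVENTORY: Dict[str, str] = {
    "ws-001": "windows",
    "ws-002": "windows",
    "srv-web-01": "linux",
    "srv-db-01": "linux",
}

# Constructed agent reports: host -> patches installed. Note that srv-db-01 never
# reported, and ws-099 reported although it is not in the inventory.
REPORTS: Dict[str, Set[str]] = {
    "ws-001": {"KB5001001", "KB5001002"},
    "ws-002": {"KB5001001"},
    "srv-web-01": {"openssl-3.0.2-0ubuntu1.15", "linux-image-5.15.0-105"},
    "ws-099": {"KB5001001", "KB5001002"},
}


def compliance_report(inventory: Dict[str, str],
                      reports: Dict[str, Set[str]],
                      required: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return {host: status} for every host in either the inventory or the reports.

    Statuses: 'compliant'; 'missing <patches>'; 'no report' (in the inventory
    but the agent never checked in, counted as a failure rather than skipped);
    and 'not in inventory' (reporting, but nobody is tracking the machine).
    """
    status: Dict[str, str] = {}
    for host, platform in inventory.items():
        if host not in reports:
            status[host] = "no report"
            continue
        missing = required.get(platform, set()) - reports[host]
        status[host] = ("missing " + ", ".join(sorted(missing))) if missing else "compliant"
    for host in reports.keys() - inventory.keys():
        status[host] = "not in inventory"
    return status


def non_compliant(inventory: Dict[str, str],
                  reports: Dict[str, Set[str]],
                  required: Dict[str, Set[str]]) -> Set[str]:
    """Every host that needs attention: anything whose status is not 'compliant'."""
    return {host for host, state in compliance_report(inventory, reports, required).items()
            if state != "compliant"}


if __name__ == "__main__":
    for host, state in sorted(compliance_report(INVENTORY, REPORTS, REQUIRED).items()):
        print(f"{host:12} {state}")
```

Run against the sample data, three of five hosts need attention: one is missing a patch, one is silent, and one is a stranger. A compliance figure computed only over the hosts that reported would have shown two out of three patched and hidden the other two problems entirely.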
User awareness and education
And never forget that your last line of defense is the people who use your network. When all else fails, their decision to click or not to click is all that stands between a healthy network and an outbreak, so take the time to make sure your users are trained in safe computing practices, aware of the threats they face and understand why constant diligence matters.
There is no such thing as 100% secure, but a defense-in-depth approach to network security makes it extremely hard for the bad guys to get in. Network security is a combination of education, technology, common sense and regular audits. With millions of pieces of malware out there, you cannot afford to stake your network on a single solution or measure.