Over the last few years companies have started to realise that cyber security is a loss prevention issue. Whilst it is a board-level issue, day-to-day responsibility is frequently delegated to the security manager, who in turn will often rely on IT professionals for the technical expertise. For many security managers brought up on walls, fences and gates, cyber security can appear to be a black art. Using comparisons to physical security, I would like to help them understand many of the common issues.
The first thing to understand is that an internet connection may be one cable, but being connected to the internet creates multiple possible ways for your internal computer system to be attacked. If we think of the computer system as being like a building, the internet connection is the public roadway leading up to the building. The entry point to your computer system normally consists of a router, which sends incoming communications in various directions depending on the type of data. To separate out the communication streams there are literally hundreds of gateways known as ports. The obvious ports are the ones used for email, but there is a port used for time synchronisation, ports used for various methods of transferring files, ports for instant messenger clients, and the list goes on. Not every system will use every single one of the ports; some are quite specialist and only used by a limited number of systems. Back to our “building”: we have the roadway leading up to it, which then splits into individual paths leading to various entry points. The mail goes to one doorway, parcels get sent to another doorway, people wishing to buy from you go to the trade counter entrance, there is a window through which you can look out at the nearby clock tower, there is a pipe where water flows into the building, another pipe for sewage coming out of the building, and any number of other entrance and exit routes.
So how do we protect our system? In the same way as we protect our buildings! Examine each and every route in and decide whether it is required. If it is not used, the preference is to block it off; if it is used, put in place a method of monitoring what is coming through. With our access point for mail, we want to make sure that it is only being used by genuine mail deliveries. Further to that, we may want to look at each item of mail, filter out the junk mail which wastes people’s time, and look for anything malicious sent with the intention of doing harm.
It may be that there is a gateway into your building that was used at one time, but now is no longer required and can be closed off.
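The “examine every route in, close what is not needed, monitor what is” exercise can be done for the ports of a server in a few lines. This is an added example, not from the article: it checks a constructed port inventory (imitating the output of `ss -tulnp`) against an allowlist of justified services, and flags any listener, such as the old file-transfer port in the sample, that nobody has a documented need for.

```python
"""Audit the open 'doorways' (listening ports) against a list of justified ones.
Added example, not from the article. SAMPLE_SS is constructed to imitate
`ss -tulnp` output; in practice feed in the real command output."""
from dataclasses import dataclass

# Constructed allowlist: port -> (service, business reason). A listener not on
# this list is an entry point nobody has justified.
REQUIRED = {
    25: ("smtp", "inbound mail delivery"),
    123: ("ntp", "time synchronisation"),
    443: ("https", "customer web portal"),
}

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:25        0.0.0.0:*         users:(("postfix",pid=611,fd=6))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=520,fd=5))
tcp   LISTEN 0      511    *:443             *:*               users:(("nginx",pid=702,fd=8))
tcp   LISTEN 0      128    [::]:21           [::]:*            users:(("vsftpd",pid=833,fd=3))
tcp   LISTEN 0      5      127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=455,fd=7))
"""
@dataclass
class Finding:
    port: int
    process: str
    status: str  # "required" (keep, monitor) or "unexpected" (review, close)
    note: str

def parse_listeners(ss_output):
    """Return (port, process) pairs from ss -tulnp style lines."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 6 or f[1] not in ("LISTEN", "UNCONN"):
            continue
        port = int(f[4].rsplit(":", 1)[1])  # works for 0.0.0.0:25, *:443, [::]:21
        listeners.append((port, f[6] if len(f) > 6 else "unknown"))
    return listeners

def audit(listeners):
    """Decide for every open port: keep it and monitor, or close it off."""
    findings = []
    for port, proc in listeners:
        if port in REQUIRED:
            svc, why = REQUIRED[port]
            findings.append(Finding(port, proc, "required", f"{svc}: {why}; monitor traffic"))
        else:
            findings.append(Finding(port, proc, "unexpected", "no documented need; review and close"))
    return findings

if __name__ == "__main__":
    for fnd in audit(parse_listeners(SAMPLE_SS)):
        print(f"{fnd.status:10} port {fnd.port:<5} {fnd.process:40} {fnd.note}")
```

Run against real `ss -tulnp` output the same logic gives a short list of doorways to justify or brick up, which is exactly the walk-round a security manager would do of a building.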
We should also consider the level of protection you have at the entry points. At home you probably have a basic router supplied by your internet provider, in the same way as the locks on your doors are probably what was originally fitted with the door. You might have installed window locks, or decided that the supplied catches are sufficient. Now consider your place of work: the locks on doors, gateways, etc. are proportionate to the contents of the building. If the building contains lots of high value, portable items, you will hopefully have multiple high quality locking devices on all potential access points, with multiple layers of security. Your IT access needs to be the same: somebody might manage to pick or force one lock, but hopefully you will detect them before they get through the next doorway.
It is also important to make sure that all access points are secured, even if at first glance they are not an obvious way in. Cyber attackers will often use one method to get in undetected, and once inside they can create other openings. In physical terms this is like sending a small robot up the waste pipe, which once inside can creep about and unlock larger doorways from the inside. Likewise, mail attachments and links to some websites can be another way of unwittingly introducing software into the system, which could then communicate with the outside world and open other doorways from the inside.
Another consideration is how remote workers communicate with the central system. More professional IT networks allow home workers to link directly into the main network using Virtual Private Networks (VPNs), which create an encrypted pathway allowing for such things as secure transfer of files between the main network and the remote worker. Indeed, these pathways are referred to as tunnels, which leads to a suitable analogy: if you had a tunnel from your building to an employee’s home which allowed unchallenged access into your building, you would want to be certain that the home at the far end of the tunnel was as secure as the main building. Likewise, any laptops, etc. allowed to connect directly into your system should be secured to the same level.
We should also think about the different aims of cyber attacks. Some attacks are designed for nuisance value and are the equivalent of vandalism: this could be somebody who considers breaking into your system a challenge and then, once they have achieved it, leaves behind something destructive to show that they have been there. Some attacks don’t even need to get into your systems to create havoc. There are what are known as Denial of Service (DoS) attacks, where a massive amount of contact is attempted, which blocks usual communication; in the physical model this would be like blocking the street leading to your premises with thousands of people all trying to knock on the door, say hello, then leave. The most dangerous attacks, though, are the ones that aim to leave no trace. If a cyber attacker manages to get into your system, obtain information, then leave without you being aware, this is the equivalent of a corporate spy picking the lock of the Managing Director’s office, snooping through corporate documents and copying whatever was of interest, then creeping out again and locking the door behind them!
We should also mention that, despite any protection to the system, there is always the human aspect. A good IT policy about being careful with attachments, not disclosing passwords to others, not bringing in unchecked discs, external hard drives and USB sticks, and being wary of financial transactions, is the equivalent of asking staff not to leave windows open or mail out cheques in response to any invoice received, etc.
This has only been a basic introduction to cyber security, but hopefully it has shown that you can find analogies with physical security, and in doing so realise that cyber security is simply more areas of consideration for the security manager. Just because it is happening down cables and in computer systems, it is still a case of controlling access and protecting assets.