Every new security engineer wants to know how to properly secure the environment they've been tasked with protecting. By asking yourself some basic questions, you can begin to narrow down what and how to protect your environment. Protect your company by asking these 3 security questions.
What do you have?
Where is it?
Who can see it?
This can feel very overwhelming -- when we think about how to defend an environment, we often don't even know where to start.
Start here: What do you have?
Understanding why adversaries target your company is half the battle. Knowing what they may target and how to defend it can stop them in their tracks.
Every organization is designed differently, looks different, is managed differently, and holds different data that attackers are after, so what to protect and where to start will nearly always differ. However, knowing what data you have that attackers might be targeting is the key first step to protecting your assets.
For instance, in the image below of a user database for a cloud-based application, you can see usernames and hashed passwords.
This information seems fairly benign, until you realize that an attacker can pair it with a long list of common passwords (below is a widely used list known as rockyou.txt) and begin to piece together the path an adversary would take to steal confidential information about your clients and/or proprietary information about your company.
Once you've identified and categorized the critical data by severity of business impact, you can then begin working your way backwards from most important to least important.
You do this by mapping out, for each set of data, where it is and who can see it. One way to do this is to visualize your network-based user-access controls.
Go here: Where is it and who can see it?
Understanding where your data is stored and who can see it are the next most critical points to protecting business continuity.
Where's my data?
In our example, we've identified that the database shown above is stored in a cloud-based application. Understanding that 'the cloud' is relative can be very important.
A sales engineer might say "the application is cloud based" to a potential client, but you know that really means the application is sitting on a server in your company's own server farm. That means your security staff is responsible for protecting, updating, patching, and securing the data on that server.
Data visibility is generally broken up into two major data types:
Data at rest
Data in transit
Data at Rest
The database above is a good example of data at rest. Once you know where the data lives, the next step is to identify whether it is encrypted when it is not being used or accessed. In the example above, you can see the passwords are hashed with the MD5 algorithm, which provides an additional layer of protection against an attacker simply reading plaintext passwords.
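To make the 'what do you have?' question concrete, here is an added example (not code from the original post) that audits a user table shaped like the one above. The usernames, hashes and the four-word stand-in for rockyou.txt are all constructed for this example. It shows why unsalted MD5 lets the wordlist pairing described earlier work so quickly, why two users with the same password are exposed together, and how a salted, slow hash (PBKDF2 from Python's standard library) removes both problems.

```python
import hashlib
import hmac
import os

# Constructed sample records in the shape of the unsalted-MD5 user table the
# post describes. The first three hashes are MD5 of well-known weak passwords;
# dave's value is a made-up placeholder that matches nothing.
USER_TABLE = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "e10adc3949ba59abbe56e057f20f883e",
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",
    "dave": "deadbeefdeadbeefdeadbeefdeadbeef",
}

# Tiny constructed stand-in for a list like rockyou.txt.
WORDLIST = ["qwerty", "letmein", "password", "123456"]


def find_weak_accounts(table, wordlist):
    """Return {username: word} for accounts whose stored MD5 hash equals the
    hash of a wordlist entry. With no salt, each word is hashed exactly once
    and compared against every account, which is what makes this cheap."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def shared_hashes(table):
    """Group users by identical hash. Unsalted hashing means identical hashes
    are identical passwords, so one recovered password unlocks every member."""
    groups = {}
    for user, h in table.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Hardened storage: per-user random salt plus a deliberately slow KDF.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("accounts matching the wordlist:", find_weak_accounts(USER_TABLE, WORDLIST))
    print("users sharing a password:", shared_hashes(USER_TABLE))
    a, b = hash_password("password"), hash_password("password")
    print("same password, different records:", a != b)
    print("verify:", verify_password(a, "password"), verify_password(a, "Password"))
```

Run the file directly to see the audit output. The point for the 'data at rest' question is that a hash alone is not encryption: if the same password always produces the same stored value, the table answers the attacker's wordlist for free, whereas the salted PBKDF2 record forces every guess to be recomputed per user.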
Data in Transit
Images like the one below are commonly used to show fun and "sexy" examples of advanced cyber techniques being used 'in action.' In reality, they are a simple but effective way to explain 'data in transit' encryption to non-technical people. The concept of 'data in transit' is simply encrypting data as it travels between where it is stored and where the end user is located.
As data traverses the internet, it routes through many places where unauthorized parties might be able to read it if it is transmitted in plaintext. This is why visibility into data in transit is crucial when asking 'Who can see it?'
Who can see/access my data?
This question is regularly asked when dealing with internal user-access control rules that govern who has access to data at rest. However, as shown above, it is very important to think about who can see the data in transit throughout your network, and especially once it leaves your network.
Developing strong user-access controls governing internal access to data at rest, and ensuring data in transit is protected with industry-standard encryption, are both important aspects of securing your company's proprietary data and your clients' personal information.
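Here is an added example (not from the original post) that turns the three questions into a small data inventory you can actually review: for each data set it records what it is, where it lives, whether it is protected at rest and in transit, and who can read it, then walks the list from highest business impact to lowest and flags the gaps. The data sets, locations, group names and the impact scale are all constructed for this example.

```python
from dataclasses import dataclass

# Protocols that carry data readable by anyone on the path (constructed list).
PLAINTEXT_PROTOCOLS = {"http", "ftp", "telnet", "smtp"}


@dataclass
class DataSet:
    name: str                  # what do you have?
    impact: int                # business impact if disclosed: 1 (low) .. 5 (critical)
    location: str              # where is it? (constructed host names)
    at_rest_encrypted: bool    # encrypted while stored?
    transit_protocols: set     # how is it reached over the network?
    readers: set               # who can see it? (constructed group names)


# Constructed inventory for this example.
INVENTORY = [
    DataSet("customer user table", 5, "app-db01 (company server room, sold as 'cloud')",
            False, {"https"}, {"app-service", "dba"}),
    DataSet("sales contracts", 4, "fileshare01",
            True, {"smb"}, {"sales", "legal", "finance", "everyone"}),
    DataSet("marketing brochures", 1, "web01",
            False, {"http"}, {"everyone"}),
]


def prioritized(inventory):
    """Work backwards from most important to least important."""
    return sorted(inventory, key=lambda d: -d.impact)


def findings(ds):
    """Return the list of gaps for one data set; empty means nothing flagged."""
    issues = []
    if not ds.at_rest_encrypted:
        issues.append("stored unencrypted at rest")
    plain = ds.transit_protocols & PLAINTEXT_PROTOCOLS
    if plain:
        issues.append("readable in transit over " + ", ".join(sorted(plain)))
    if "everyone" in ds.readers and ds.impact >= 3:
        issues.append("readable by every user")
    if ds.impact >= 4 and len(ds.readers) > 2:
        issues.append("critical data with broad read access")
    return issues


def review(inventory):
    """Answer all three questions per data set, highest impact first."""
    return [(d.name, d.location, sorted(d.readers), findings(d))
            for d in prioritized(inventory)]


if __name__ == "__main__":
    for name, where, who, issues in review(INVENTORY):
        print(f"{name}\n  where: {where}\n  who:   {', '.join(who)}")
        print("  gaps:  " + ("; ".join(issues) if issues else "none"))
```

Run it to get a printout ordered by impact. The 'sold as cloud' location string is the point made above about the cloud being relative: the inventory should record the real host, because that is what your staff has to patch and protect. The threshold values in findings() are placeholders; adjust them to your own impact scale.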
With these 3 questions and the action steps that follow, you have a good start to making your network more secure. Contact us to add our services to your team, or to increase your own capacity.
David Evenden is our CEO and an experienced offensive security operator/analyst with 10 years of active work experience inside the Intelligence Community (IC). During his time inside the IC, he learned Persian Farsi, worked at NSA Red Team and was a member of an elite international team operating in conjunction with coalition forces to aid in the ongoing efforts in the Middle East. While he currently works with an ISP and DHS to aid in the efforts to enhance the bidirectional sharing relationship between the US Government and Commercial entities, his passion is educating network administrators and security engineers on best practices when securing your network. David currently holds Pentest+ and CySA certificates.