We must admit, a network-only approach to cybersecurity is becoming irrelevant and outdated. The vulnerabilities across your communication transactions mesh are expanding from network-vectored only to applications and humans alike. Focusing exclusively on the network layer leaves a range of entry points for cybercriminals on your attack surface. This is why MHE decided to curate this blog post, to give security officers and professionals a full view over the security landscape in a full-fledged digitally enabled and online-facing business.
Back to the basics, when we tried to categorize the cybersecurity domains, we couldn’t start by jumping immediately into the map. We first had to go back to the OSI and the TCP/IP models to have a clearer view over which attacks take place where and where exactly do the vulnerabilities reside.
The OSI and TCP/IP models:
The Open System Interconnection (OSI) model elaborates the 7-layers of communication between computer systems over a network. It was the first standardized model for such communication to be adopted by computer and telecom companies in the 1980s. While the modern communication systems do not exactly follow the same model, a simpler TCP/IP model started to get widely used. There are no differences between both the OSI and the TCP/IP model, but rather a simpler way to categorize the communication protocol and its components with just minor differences. Here is an infographic for simplicity.
The core differences between OSI and TCP/IP models:
TCP/IP is simpler, more widely adopted and is utilized in practical, rather than academic or theoretical settings.
Layers 1 & 2 in the OSI model are combined into the Network Access Layer in the TCP/IP protocol yet sequencing and acknowledgment functions aren't within the responsibilities of TCP/IP but rather of the transport layer.
In the TCP/IP model, applications use all layers by default, unlike the OSI model, where layers 1,2 and 3 are the only mandatory layers to enable any data communication.
How does this relate to the 7 layers of cybersecurity?
By evolving the OSI model to the TCP/IP model, and now that we have established that all layers are used by default, the 7 layers of cybersecurity places the TCP/IP layers in the middle, but encloses it within the human layer, and places "Mission Critical Assets" at the core of the map.
Are there only 7 layers of cybersecurity?
There is no one standard for cybersecurity or framework that fits all purposes. Different entities and organizations categorize the domains or functions of cybersecurity differently. The NIST cybersecurity framework for example classifies the various aspect following a 5-functions model (Identify, Protect, Detect, Respond and Recover) while MITRE ATT&CK and SANS frameworks break those down to 20 Critical Security Controls. On the other hand, The Cyber Kill Chain model uses 7 stages to describe the different changes a cyber-attack typically takes place (Which are different to the layers we are presenting next). In short, all these models are intended to help professionals and businesses prioritize and allocate their cybersecurity strategies however they see fit. We are presenting this blog particularly for that reason. It is a go-to guide to help security professionals with a comprehensive view over the available technologies and layers with the below infographic:
The 7 layers of cybersecurity:
Here is the comprehensive map for preventative, operative and reactive cybersecurity measures and technologies you can start using to map your strategy and find out your security gaps and vulnerabilities:
What Assets are considered Mission Critical?
Those are any form of physical or digital assets that are vital to achieving an organization's mission or business operations. Any loss, damage, or compromise to such assets would disrupt the business operations and cause significant harm to the organization. Which is -naturally- why they are at the core of the cybersecurity strategy and are the most valuable targets for cybercriminals and attackers. Examples of these assets are not limited to the following but could include:
Proprietary software code, intellectual property and patents.
Systems and applications related to customer databases and supply chain management.
Equipment, servers, or industrial systems.
Payment processing systems.
Classified data like personally identifiable information or financial records.
The list goes on, but these are some of the most prominent examples. By prioritizing the most important assets for an organization, cybersecurity strategy has a starting point at least for a methodical approach of drafting and implementation.
Here is a list of the technologies enlisted in the 7 layers of cybersecurity infographic and what they mean:
I. Data security:
PKI: Public key Infrastructure, used to manage digital certificates and public key encryption.
DAR: Dissemination Control And Release, refers to controlling the dissemination and release of information that is classified as Confidential, Secret or Top Secret.
DIM: Destruction, Inactivation, and Disposal and is used for classified information that is no longer needed
DIU: Declassification and Information Security Education, refers to the process used to deal with information that is no longer required to be kept secret or classified.
Identity & Access Management (IAM): Is a framework of policies and technologies that organizations use to manage and control access to resources and data to protect an organization's IT infrastructure. Typically involves 4 key activities: Identification, Authentication, Authorization and Administration.
Enterprise Rights Management (ERM): Also known as Information Rights Management (IRM), which is a technology to control and track access to sensitive data and intellectual property. It is a form of access control applied at a file/document level. Its cycle spans from Access control (viewing, editing, printing or copying rights) to expiration and revocation.
Data Classification: Is a process of categorizing data based on its level of sensitivity, value, and confidentiality. This is to help an organization to apply the needed security controls for protection. The process has 5 phases usually (Inventory, Categorization, Labeling, Access Control & Protection).
Integrity Monitoring: Detects any changes made to a system or data entries that could affect the system's stability, security or function. A baseline is created through a system snapshot before continuous monitoring starts tracking any changes to that snapshot. This includes files, system configurations, and registry settings. Any changes detected are alerted and afterwards Investigation and response can take place in ensuring the ongoing security and stability of the system/network.
Encryption: On data/drive level, encryption could be a crippling measure to stop data breaches. Even if an attacker arrives at the data destination, they will still need the decryption key to interpret and decipher the data.
DLP: Data Loss Prevention (or Leak Prevention) appears in multiple layers of communication. On all layers the goal is to protect an organization's data from being lost or leaked by going through some of the previous mentioned measure/practices. This includes Data Discovery, Classification, Monitoring, Protection and Incident Response.
II. Application Security:
Static Application Testing and Code Review: Both are techniques used by software developers along with DevSecOps on the source-code to identify and fix possible code-level vulnerabilities before the software or application is released to its production version. Such vulnerabilities could include SQL injections, Cross-site scripting and buffer overflows. Security aware developers usually run static tests and code reviews early in the development cycle and address the vulnerabilities soon as they found, to optimize their security budgets as this preventative method is more cost effective. Which will bring us to our next point, the difference between static and ...
Dynamic Application Testing: While static testing is done on the source code, dynamic testing takes place on an already-running application. It involves performing penetration tests and automated scans for vulnerabilities to identify the weaknesses and potential attack vectors.
Web Application Firewall: As mentioned in one of our blog posts a Web Application Firewall (WAF) is a tool that is designed to monitor, filter and protect the servers from HTTP traffic attacks. It analyzes the request headers, payload and other data to detect known attack patterns like XSS, SQL Injection and Cross-Site Request Forgery (CSRF). WAF, however, is not a silver bullet and should not be relied upon as the sole means of securing a web application. A WAF can be bypassed by sophisticated attackers or by attackers who are able to craft attack payloads that are specifically designed to evade detection by the WAF.
Database Monitoring/Scanning: As the name suggests, this is a set of rules and policies for creating and storing data within an organization's database, especially those who store sensitive or confidential data. It involves real-time tracking of the activity on the database system to identify and alert when malicious behavior is detected. This includes failed logins, access attempts and data modification/tampering. Restricting access using strong passwords and 2FA as well as role-based access control to limit accessibility to those who truly have the rights to do is one of the first go-to practices to protect the database, along with encryption, patching and updates, auditing and logging activity on both access and data.
Database Secure Gateway (Shield): Is an interface between a database and the applications accessing and modifying the data within. These gateways are specifically designed to make sure that the applications communicating with the database do not cause any compromise or breaches. Secure gateways can also be used to enforce access control policies and monitor database activity.
III. Endpoint Security:
Desktop Firewall: Is a software-based firewall installed on the organization's endpoint(s) and allows for controlling incoming and outgoing traffic by enforcing rules and policies allowing or denying traffic exchange. It could also include additional features like Intrusion prevention and detection, packet filtering and which applications can be installed on the endpoint.
Host IDS/IPS: Intrusion Detection System/Intrusion Prevention Systems are designed to detect intruders to a device or a network and prevent their access to sensitive data. A host IDS/IPS (Also known as HIDS/HIPS) act the same way as perimeter IDS/IPS solutions with the difference of where they reside within an organization's communication mesh. Host here refers to an endpoint be it a desktop, laptop or a server.
Content Security: Content security/filtering is the act/technology that protects different types of content on an endpoint. Such content can be files, images, documents, video or audio files. Access Control, Encryption, DLP and Malware Protection are all content security technologies. In Firewalls, Content Security could refer to the policies that allow/deny access of users to certain type of content on the web, not just content that is available within the network's endpoints.
Antivirus & Anti-Malware: Antivirus software is one of the oldest known technologies for protecting endpoints against known threats. An Antivirus software refers to a signatures database that marks certain files as malicious and accordingly blocks/quarantines the file's access to other devices or networks. An Anti-malware solution behaves a similar way, albeit targeting a wider range of file types including spyware, adware, trojans, worms and other files that don't necessarily spread like a virus.
EDR: Endpoint Detection and Response could be considered and evolved Anti-Virus/Anti-Malware solution. The core difference is that EDR solutions react to malicious behavior, not just malicious files. EDR solutions are designed to detect and respond to more advanced threats through detailed visibility into activity and behavior on the endpoints. Using machine learning and other advanced techniques, an EDR solutions can detect and respond to threats and perform threat hunting, incident response and forensics analysis. You can read more about EDR solutions in this blog post.
FDCC Compliance: The Federal Desktop Core Configuration standard was established by the US-Government the provide a standard baseline for security settings on desktops and laptops used by federal agencies to meet the minimum-security requirements. This is not widely adopted or relevant to the MENA region except for certain organizations that have contracts with or are partners to US government agencies.
Patch Management: Patches are released by software vendors primarily to address any security gaps or vulnerabilities in said software. It is a key component in Endpoint Security particularly in organization with a large number of Endpoints where users are not well-versed in downloading and installing patches themselves. Effective patch management typically follows a structured process of Patch Inventory, Vulnerability Assessment, Testing, Deployment and Verification.
IV. Network Security:
Wait, do we not consider all the previous "Network" components? They are, they are! But here, when we talk about the network-layer we mean the corporate network. The organization-wide set of hardware, software and applications that are designed to communicate directly with one-another depending on segmentation and access level. Think more datacenters and less internet and endpoints. Here are the components that might make it clearer for you.
Enclave/Datacenter Firewall: Monitors and controls traffic coming in and out of a datacenter. Unlike Endpoint Firewalls, Datacenter firewalls can be offered in a variety of forms including hardware, and as-a-service depending on the organization's topology and setup.
Enterprise IDS/IPS: Intrusion Detection and Prevention systems are solutions that monitor network traffic for potential security threats and remediate with the appropriate preventative action. They are designed to stop attacks such as Denial of Service (DoS), intrusions and malware.
VoIP Protection: A Voice-over-IP system is usually organization-wide and is one of the most vulnerable vectors and the easiest entry-points for cyber-attackers. Typical attacks on VoIP systems include eavesdropping and DoS attacks.
Inline Patching: Is a security mechanism for seamless and immediate installation of software patches to mitigate known security vulnerabilities with little to no downtime. Usually done by advanced IPS systems.
Web Proxy Content Filtering: is a security mechanism used to monitor and control access to web content by enforcing web traffic, based on policies and rules set by the organization to deny access to malicious or non-business-related content on the web.
NAC: Network Access Control is a network-wide, device-specific security solution that allows an organization to control access of devices connected to the corporate network following a set of security policies. Non-compliant devices with outdated software or OS patch versions for example could be a vulnerability, and hence, a NAC solution would deny their access to the network.
Enterprise Message Security: Solutions that are designed to scan and inspect inbound/outbound messages to and from the corporate network, to ensure that the enterprise security policy is met.
Enterprise Wireless Security: Policy, procedures, hardware and software design to defend wireless networks from malicious activity and intrusion. For example, connectivity to the Enterprise wireless network may only be accomplished using a VPN (encrypted tunnel) connection.
Enterprise Remote Access: Commonly enforced by organizations with a large distributed or remote workforce. Such security practice/technology is achieved through a set of policies, hardware and software tools to ensure the security of remote access connectivity. These policies can be combined with Endpoint and NAC policies to achieve higher standards of preventative protection.
DLP: Although it has been mentioned in an earlier section, to further elaborate, DLP refers to systems that identify, monitor and protect data that is in use (Endpoints), in motion (Network) or at rest (data) through deep content inspection. Such systems are especially designed to ensure that data that isn't meant to leave the organization or enterprise doesn't actually leave it.
V. Perimeter Security:
Perimeter Firewall: These are firewall(s) on the extreme end of the network. Such devices are configured with a set of rules and policies that govern data transmission from/to the entirety of the enterprise's network(s). They ensure that no unauthorized access to the network resources happen and hence are the first gate to the network when trying to access it from the internet.
Perimeter IDS/IPS: The difference between Detection and Prevention systems is that the earlier is a passive system that does reside out-of-line of network communication, yet constantly monitors the perimeter of the system, and compares it to a set of patterns (signatures) that are associated with intrusive or malicious behavior. Once detected, an IDS will identify and report the pattern. An IPS system however is the active component, scans the perimeter traffic as it is transmitted and once a pattern/signature is identified it is immediately denied access to the network.
Secure DMZs: Demilitarized Zones are often resorted to by an organization that needs to keep certain services at the edge or internet facing (such as e-mail, web servers or honeypots) since the users of such services have no need being within the perimeter-bounds. This is a widely practiced strategy to keep the serviced guests who can be potential intruders outside the network to protect internal resources.
Message Security: See point 7 in the previous section.
Honeypot: A server or group of servers that reside in a DMZ that imitate servers inside the Enterprise to trick malicious intruders. They are used to observe and obtain surreptitious intruders’ Tactics, Techniques and Procedures (TTPs).
DHS Einstein: DHS EINSTEIN (Emergency Interoperable Nationwide Signal Timing Information Network for the Enhancement of Community Preparedness) is a suite of cybersecurity tools and services developed by the United States Department of Homeland Security (DHS) to enhance the security and resilience of federal government computer networks. It is designed to provide real-time situational awareness and threat detection capabilities to government agencies by monitoring network traffic and identifying known and suspected cyber threats.
Now we've arrived at the human and final layer. The layer that could deem all the previous measures useless and make the efforts and policies of all the security team in vain if not properly educated and informed. Did you know that almost 48% of malicious e-mail attachments are MS-Office files? (According to Symantec, 2018) and that 90% of security breaches in companies are a result of phishing attacks. Which is why both proactive and preventative measures need to be constantly taken by cybersecurity professionals to keep their workforce and consequently their organizations' data safe and secure.
Let's begin the last chapter of this blog with the preventative cybersecurity practices in the human layer:
Prevention is defined by the set of policies, procedures and practices conducted by the organization, directed towards both the human and the technology assets to ensure that its security will not be compromised due to an act of malpractice or ignorance. It should be inclusive, sustainable and continuous as the threats evolve.
IT Security Governance: It is the set of IT/Cybersecurity laws and policies set by an authority or a government body and is communicated to organizations and companies operating within such scope of vulnerabilities as directives or regulations. Example: In Egypt, the CBE mandates all banks and financial institutions to deploy a Web Application Firewall.
Security Policies and Compliance: Companies operating in the finance or healthcare sectors for example may be subject to specific security regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA). These policies are set by a governing body and are constantly updated. The companies are regularly audited to ensure their compliance with such standard to ensure the security of large amounts of sensitive data.
Security Architecture and Design: This comprises of all the elements and layers of security decided upon by an organization's management or security professional, in accordance with the type of organization, type of data and setup/topology of the network. A security architect doesn't necessarily need to utilize a full array of cybersecurity tools and technologies if the organization doesn't store highly sensitive data.
Continuous C&A: Certification and Accreditation are mandatory in some organizations for cybersecurity professionals and systems. Some need to be updated on annual basis, while others need to be re-accredited every 3-years due to the changing nature of the landscape.
Cyberthreat intelligence: Is the process of gathering, analyzing and examining cyber threat data from various sources including sensors, organizations and other intelligence sources.
Threat Modeling: This can take different shapes, including Qualitative/Quantitative Information Assurance models, Attack Tree Models, Multiple Objective Decision Analysis/Information Assurance Models and more, with the core goal being the development of threat scenarios that could guide and determine the security measures and controls that need to be deployed.
Awareness & Training: This involves training and educating employees at all levels of the organization with varying focus on how to be more security-conscious and how to ensure their own and ultimately the organization's safety in the cyber space. Such training frameworks educate the employees on the importance of data, who wants it and why and hence raise their sense for what to and not to share.
Risk Management: Developed by NIST (Publication 800-37) - A System Life Cycle Approach for Security and Privacy aimed at reducing cyber risks that could occur from misconfiguration and code-level threats.
Penetration Testing: This is usually done by offensive security teams. A system is tested against methodical and ethical hacking techniques that do not intend to take-over or harm the system or application, but rather to find vulnerabilities and security gaps and fix them before a real attack takes place.
Vulnerability Assessment: Similar to penetration testing, but instead of offensively attacking it, the responsible professional or team scans the full system to identify, categorize and prioritize the vulnerabilities found within.
... and Finally, the 10 Monitoring, Operations and Response frameworks/technologies in the top (human) layer of a 7-layer cybersecurity map:
SOC/NOC Monitoring 24x7: Security Operations Center/Network Operations Center monitor all the events, incidents and transactions 24x7. This depends heavily on the expertise that operate within these 2 teams and can be a key factor in detecting, protecting, responding and sustaining the security best practices in an organization.
Incident Reporting, Detection and Response: Also known as CIRT (Computer Incident Response Team) are trained to handle and respond to incidents detected and recorded on computer systems. Detection includes Correct Event Detection, Information Gathering & Historical Review, Event Triage, Escalation, and Optimization & Tuning (to improve detection accuracy). Response encompasses: Preliminary Incident Analysis, Incident Containment, Incident Analysis, Incident Eradication & Recovery, Post-Incident Process Improvement / Lessons Learned.
Security Dashboard: An executive information screen that is designed to collect and present the key information about systems, security and incidents.
Security SLA/SLO: Service Level Agreements and Objectives are just words on paper, reports however are what security professionals are more concerned with. They show the key metrics delivered by said services and whether or not they met the contract terms.
Continuous Monitoring and Assessment: Constantly collecting security data, monitoring security events and alerts, and assessing system security state and status in real or near real-time. some process automation takes place here, with risk scored and displayed on dashboard.
Situational Awareness: The level of awareness to security incidents and their impact on an organization/enterprise depends heavily on people. How an incident relates to other aspects of the systems and the time sensitivity/criticality of the compromise could differ from one person to another depending on how deeply they understand the full map.
Focused Ops: A team that is utilized when an attack takes place. Their main objective is very similar to Forensics, they focus on a specific attacker to analyze his/her Tactics, Techniques and Procedures (TTP's)
Digital Forensics: When data is lost, or a system's security is compromised, the Digital Forensics team analyzes the devices and systems to recover and investigate material found within them that could relate to the incident.
Escalation Management: After an incident takes place, there needs to be a set of clear rules, policies or procedures for how the incident is managed, responded to and escalated.
SIEM: Security Information and Event Management is the real time analysis of alerts and logs generated by the security devices, applications and hardware. They are used for both analysis and reporting of incidents, and sometimes for compliance purposes as well. You may read further into SIEM solutions in this blog post.
Now that you have a broad view on the different layers of cybersecurity, and the practices/technologies that you can utilize to enhance your organization's security posture proactively. In the next blog post we will be further elaborating on the types of attacks that primarily targets unsuspecting human behavior. Social Engineering tactics have been growing both in quantity and level of sophistication and many organizations have fell victims to data breach due to an innocent click from an unaware team member. Stay tuned!