The issues and challenges around cybersecurity are changing. In the past, cybersecurity models centered on placing a firewall around an enterprise and assuming everything inside that firewall was trustworthy and secure while everything outside of it was part of a malevolent world. With IP technology, the Internet of Things, and bring-your-own-device-to-work initiatives, the line between inside and outside an organization is not as clear as it used to be.
When we add external devices to our internal networks, we can no longer assume the network inside the firewall is secure. With the rise of hackers engaging in social engineering, any computer with a person sitting in front of it could be vulnerable.
To address this, we are seeing a new approach to cybersecurity where organizations place independent firewalls around small clusters of servers or userless computers in addition to the firewall around their entire network. In this way, if someone breaks into one cluster of servers, they will not be able to move laterally to access the entire network.
Assessing security and evaluating the trustworthiness of users and devices is also important. As cybersecurity is becoming more dynamic, businesses are increasingly assessing security based on circumstantial factors. Depending on where you are, for example, your computer can be considered more or less at risk.
Trustworthiness varies with time and depends on what we know about the device and the user. For example, if the device does not have the latest patches, its trust decreases. If the user exhibits strange behavior, such as logging in from London and then from Melbourne within a physically impossible timespan, their trust drops. If the trustworthiness of your devices declines, you will have access to fewer resources. Trust can be lost quickly and is often regained slowly.
To aid in this risk assessment process, resources are ranked in relation to the level of trust they require for someone to access them. In some cases, proprietary or sensitive resources require greater trust while, in other cases, how integrated these resources are with the entire network may require more trust. Furthermore, untrustworthy devices are now being isolated with micro-firewalls. Untrustworthy devices include those that were made by countries whose government are considered to be geo-strategic rivals of our liberal democracies.
Establish networks of trust
Security is all about building a network of trust. When it comes to putting devices on your network, each organization must ask serious questions about whether or not the manufacturer and the organization installing the device are trustworthy.
An analogy I like to use is one of boarding an airplane. When security asks if you packed your bag yourself, the best answer is: “Yes, I packed my bag myself.” A not-so-good answer is: “Actually, it was my spouse who packed my bag.” In this case, the rest of us have to hope that your spouse loves you. But the really bad answer is: “No, my neighbor who is on the federal watch list packed my bag.”
It’s the same thing when someone wants to put a device on your network. You should ask: “Did you write the software yourself?” Generally speaking, the answer is: “No.” Then, you ask whether you know the person or people who wrote the software for this device. And, if the answer is “yes,” and it was written by a military/government agency of a geo-strategic rival of your government, then you should think twice about putting the device on your network.
Security is everyone’s responsibility. The goal of an organization should be to not only implement security strategies for themselves but to be cognizant of the “bono pastore” (meaning good shepherd) principle: We must protect the network. The internet is a precious resource, and, if we carelessly put devices on our network that cause a denial of services or worse for other internet users, we are guilty of cyber-negligence. We should be working to improve the whole environment by making networks and organizations more secure. When we understand that we have a fiduciary responsibility to protect the internet—which is as critical as our responsibility to keep the air breathable and water drinkable—we will make the internet a more pleasant and safer place to live and work.