How Significant is your “But”—Evaluating the Impact of Every Crack

 When the word “but” is used in a phrase, it nullifies the words that come before it, placing the focus on the statement that comes after it. Similar to the “but,” a small flaw in your security composition might make all of your other efforts pointless. The adage “security is deployed in layers” illustrates how each layer contributes to total security. In order to address system vulnerabilities, a number of controls and safeguards are implemented.  

Security is deployed in layers to ensure that the confidentiality, integrity, and availability of a system are preserved. Any weakness in any of the layers can lead to an irrecoverable security breach. To explore in-depth these layers, I have used a different approach to bring home the message.

Composition of Security

For a system to be secure, three components need to be involved in ensuring the confidentiality, integrity, and availability of enterprise data. You cannot leave one out and claim that you have done your due diligence to ensure a secure system. Security encompasses technology, process and people

Technology layer

These refer to the technical devices or components used to secure a system. Such as firewalls, intrusion protection and detection systems, web application firewalls, endpoint detection and response, and so on and so forth. There are several weaknesses too in technological components, which include.

1. Software vulnerabilities: Flaws in software code, such as buffer overflows, SQL injection, or cross-site scripting (XSS).
2. Hardware vulnerabilities: Weaknesses in hardware design or implementation, such as Spectre or Meltdown.
3. Network vulnerabilities: Flaws in network protocols, configurations, or devices, such as open ports or misconfigured firewalls.
4. Cloud vulnerabilities: Weaknesses in cloud infrastructure, platforms, or services, such as misconfigured storage buckets or inadequate access controls.
5. Internet of Things (IoT) vulnerabilities: Flaws in IoT devices, such as weak passwords, outdated software, or insecure communication protocols.

Misconfigurations are one of the top vulnerabilities in technology.

Mitigating Technology Vulnerabilities

1. Patch management: Regularly apply security patches and updates to systems, software, and applications.
2. Configuration hardening: Implement secure configuration best practices for systems, networks, and applications.
3. Access controls: Implement robust access controls, including authentication, authorisation, and accounting (AAA).
4. Encryption: Implement encryption for data at rest and in transit.
5. Incident response: Establish an incident response plan to quickly respond to and contain security incidents.

Process layer

Without the right processes, technology alone cannot help you. What is the purpose of a misconfigured firewall or a protection tool? Process is used to define the acceptable operating mode of a device, people, etc. When safe operating procedures are defined, it makes all other controls effective.

Below are cracks in the process layer.

1. Inefficient processes: Complex, manual, or outdated processes can lead to errors, delays, and increased risk.
2. Lack of controls: Insufficient or inadequate controls can allow unauthorised access, data breaches, or financial losses.
3. Inadequate training: Poor training or lack of awareness among employees can lead to mistakes, non-compliance, or security incidents.
4. Inconsistent execution: Variations in process execution can lead to errors, inefficiencies, or non-compliance.
5. Key man Risk: Over-reliance on individual employees can create single points of failure, leading to disruptions or losses.

Mitigation of cracks in the process layer

1. Process optimisation: Streamline and simplify processes to reduce complexity and errors.
2. Control implementation: Establish and enforce controls to prevent unauthorised access, data breaches, or financial losses.
3. Training and awareness: Provide regular training and awareness programs to ensure employees understand processes and potential vulnerabilities.
4. Standardisation: Establish standardised processes and procedures to reduce variations and errors.
5. Continuous improvement: Regularly review and improve processes to address vulnerabilities and ensure ongoing effectiveness.

People Layers

This is one of the most significant layers. While I say significant, it does not make others less significant. The people’s function of security ties technology and the process together. Without the right people, no one forces the process and operates the technology. People

Types of People Vulnerabilities

1. Lack of awareness: Insufficient knowledge or understanding of security risks, policies, and procedures.
2. Social engineering: Vulnerability to phishing, pretexting, or other forms of social engineering attacks.
3. Password management: Weak passwords, password reuse, or inadequate password management practices.
4. Data handling: improper handling, storage, or transmission of sensitive data.
5. Compliance: Non-compliance with organisational policies, procedures, or regulatory requirements.
6. Insider threats: Malicious or unintentional actions by employees, contractors, or other insiders that compromise security.
7. Lack of training: Inadequate training or skills in specific areas, such as cybersecurity or data protection.

Identifying People’s Vulnerabilities

1. Security awareness training: Provide regular training to educate employees on security risks and best practices.
2. Phishing simulations: Conduct simulated phishing attacks to test employees’ susceptibility to social engineering.
3. Password audits: Regularly audit password strength and usage to identify weaknesses.
4. Data handling assessments: Evaluate data handling practices to identify potential vulnerabilities.
5. Compliance audits: Conduct regular audits to ensure compliance with organisational policies and regulatory requirements.
6. Insider threat assessments: Identify potential insider threats through behavioural analysis, monitoring, and reporting.
7. Skills assessments: Evaluate employee skills and knowledge in specific areas, such as cybersecurity or data protection.

Mitigating People Vulnerabilities

1. Security awareness training: Provide regular training to educate employees on security risks and best practices.
2. Phishing simulations: Conduct simulated phishing attacks to test employees’ susceptibility to social engineering.
3. Password management: Implement strong password policies, multi-factor authentication, and password management tools.
4. Data handling procedures: Establish and enforce proper data handling procedures, including encryption, access controls, and secure storage.
5. Compliance training: Provide regular training on organisational policies, procedures, and regulatory requirements.
6. Insider threat mitigation: Implement measures to prevent, detect, and respond to insider threats, such as monitoring, reporting, and incident response plans.
7. Skills development: Provide training and development opportunities to enhance employee skills and knowledge in specific areas, such as cybersecurity or data protection.

Most of the time, technology is where all the attention is focused on. As a result of this, there are lots of assumptions that security is in place when they have invested. Contrary to that fact is that we need the human factor and the process factor to build formidable security. Any weakness or vulnerability in any of the layers can have major consequences.