Think one-layer cyber protection is enough to handle whatever threat comes your organization’s way? Think again.
Even the most comprehensive cyber defense system can still be vulnerable when dependent on a single layer of security.
Don’t believe me?
This month researchers at Opole University and the Institute for IT Security demonstrated a weakness in certain implementations of IPSec.
To be clear, this was not a failure of the IPSec protocol itself; rather, the weakness lay in implementations by Clavister, Zyxel, Cisco and Huawei.
However, if your private data is stolen, it doesn’t matter whether the theft was due to a weakness in the hardware, software, protocol, or implementation.
All anyone cares about is whether information has been kept SECURE.
The Myth of “Jack-Of-All-Trades” Cyber Protection
We’ve talked to several companies who deployed state-of-the-art technology for cyber defense. They had top-notch firewalls, data loss prevention (DLP), IPSec tunnels, or other tools in place.
But each solution came with one potentially fatal flaw.
At a financial company we worked with, they were compartmentalizing their network into layers of isolated zones, with firewalls deployed to protect each zone. However, they were using the same brand of firewall at each tier of the architecture. A single vulnerability in the firewall could be exploited at each level of the network. Instead of seven layers of protection, they had one layer of protection, seven times.
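To make the "one layer, seven times" point concrete, here is a small added model (not code from the original post or from HOPZERO) that takes a constructed list of network tiers and the firewall product line at each, counts how many genuinely independent layers an attacker must defeat, and shows what remains once a single vendor-wide vulnerability is exploitable. Tier names and vendor labels are constructed placeholders.

```python
# Added example: model of defense-in-depth tiers and vendor diversity.
from collections import Counter

# Constructed sample data: seven zones, each fronted by a firewall.
SAME_VENDOR = [("tier%d" % i, "VendorA") for i in range(1, 8)]
MIXED = [("tier1", "VendorA"), ("tier2", "VendorB"), ("tier3", "VendorA"),
         ("tier4", "VendorC"), ("tier5", "VendorB"), ("tier6", "VendorA"),
         ("tier7", "VendorC")]


def independent_layers(path):
    """Distinct product lines along the path: the number of separate
    vulnerabilities an attacker needs rather than the number of boxes."""
    return len({vendor for _, vendor in path})


def surviving_tiers(path, compromised_vendor):
    """Tiers still enforcing policy once one vendor-wide bug is usable."""
    return [tier for tier, vendor in path if vendor != compromised_vendor]


def worst_case(path):
    """The vendor whose single bug strips the most tiers, and what is left."""
    counts = Counter(vendor for _, vendor in path)
    vendor, _ = counts.most_common(1)[0]
    return vendor, surviving_tiers(path, vendor)


def adjacent_same_vendor(path):
    """Consecutive tiers sharing a product line: a single bug crosses both
    at once, so these are the pairs an architecture review should flag."""
    return [(a, b) for (a, va), (b, vb) in zip(path, path[1:]) if va == vb]


if __name__ == "__main__":
    for name, path in (("same vendor", SAME_VENDOR), ("mixed", MIXED)):
        vendor, left = worst_case(path)
        print(name, "boxes:", len(path), "independent layers:",
              independent_layers(path), "after", vendor, "bug:", left)
```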
At another firm they had deployed intelligent DLP devices to prevent private data from leaking. In their case the traffic leaving for the Internet was encrypted. Since the DLP equipment could NOT decode that traffic, it was blind to the fact that data was escaping.
Another security team was securing all their traffic with IPSec tunnels. As the report indicates, those tunnels were VULNERABLE. Hopefully the “white hat” researchers found, and disclosed, the vulnerabilities to equipment providers before hackers spotted the weakness.
This is not to criticize those solutions. Each tool is powerful and together can be very effective. The problem comes when a single tool is thought to be THE solution.
Just as there is value in bringing diverse perspectives to a team of employees, we need diverse tools to protect our systems. Each tool brings a different perspective. Even firewalls from different vendors offer better security than using a single product line.
Even better, use different types of products. For example, a proxy intercepts data that is allowed through the firewall. IDS and IPS provide behavioral or signature-based analysis of traffic allowed through. Identity and access management (IAM) tools validate that users can only access appropriate systems and information. Multi-factor authentication validates that the right person holds the IAM credentials.
At HOPZERO we offer tools to limit data movement. This addresses some of the same issues as firewall, IDS, IPS, and DLP tools, but in an alternative way. Instead of looking from the outside to keep people out of the network and devices, HOPZERO examines information flow from the inside looking out. Limiting data travel provides a new ability to keep information in the network and detect anyone attempting to breach the travel limits.
What does your cyber protection mix look like? Does it have multiple layers of cyber defense to keep people out of your network? Do you have adequate defenses keeping information inside your network? The right product mix can make your organization more secure.