Cybersecurity is one of those topic areas we know is essential because having adequate protections helps prevent significant losses. We will discuss measures we can implement to improve our cybersecurity posture to avoid becoming a victim of attacks. We can leverage the OSI Model as a basis.
The OSI Model
The OSI Model has seven layers:
- Layer 1 - Physical
- Layer 2 - Data Link
- Layer 3 - Network
- Layer 4 - Transport
- Layer 5 - Session
- Layer 6 - Presentation
- Layer 7 - Application
These layers represent how data is transmitted between applications using networks. Although this model was originally meant for communication systems, we can leverage the model to define cybersecurity governance to protect our businesses and systems. We will explore three of the layers and an undefined layer above the Application Layer 7.
Securing the Application Layer (Layer 7)
Our company uses applications and might create applications. We rely on using applications to make us more effective. Imagine a world where you have to write the code to send an email or write documents without autocorrect or even on a typewriter. The applications we use have become more significant and provide us with a lot of value. We will consider our operating systems (OSs) in this section too. Given we rely on applications and OSs in our day-to-day activities (and even our products and services), we will explore what we can do to secure them.
Many of the applications and OSs we use have some built-in security settings, while others might not. The same applies to privacy settings. They might have security and privacy settings we can configure. We can liken these settings to a door. A door has a doorknob with a lock and might have a deadbolt. The door gives us the ability to single or double lock it, but it lets us leave the door unlocked too, and the same goes for our applications and OSs. Applications and OSs were designed to bring value. They may not have all their security features enabled when we start using them. Understanding what they do and their settings will help us determine how we can secure them.
We should look at all settings (especially the security and privacy settings) and configure them. We might want to engage information technology or security personnel and leverage their expertise. For example, an OS might have numerous settings we can configure, some of which are not visible to the user. An IT person who specializes in OS configuration would know all the settings that should be configured. We can also install antivirus, antimalware, and other prevention software to reduce risk. Configuring all our application and OS settings and using security software will help protect us from common attacks.
Securing the Network Layer (Layer 3)
It seems our lives depend on network connections. We watch our favorite shows and movies using online streaming services. We send emails more than we send physical letters. Our smartphones allow us to look up anything at any time. This convenience might expose us to many threats.
When we connect a device to a network, we potentially leave it vulnerable to attacks from any device that can access the network. The more connections the network has, the greater the likelihood a malicious actor can gain access. Connecting a device to the Internet exposes it to any other device. Would you willingly put an Internet-connected camera in your bedroom knowing anyone could watch you? Connecting a device to the Internet (or any network) without securing it is like an open invitation to anyone.
We should protect our devices before we connect them to a network, especially the Internet. We should enable a software firewall in our OS, turn on the firewall in our routers (or install physical firewall devices), disable unused services, prevent unknown devices from accessing our internal networks, use intrusion detection and prevention systems and anomaly detection software to detect and prevent malicious activity, change default port numbers, and block blacklisted IP addresses. Securing the network and Internet connection settings in our devices and networks minimizes the risk of a network-based attack.
Securing the Physical Layer (Layer 1)
In the digital world, we might overlook the physical aspects of cybersecurity. We could implement sophisticated security measures in our network, but their effectiveness diminishes if we leave the network closet unlocked. We should consider physical security to avoid cyber attacks.
The network closet example highlights a possibly overlooked threat, but there are many others. Let’s suppose we use a number pad to access a building or enter a debit card PIN. Someone with a thermal scanner can determine the digits of the code. We might have a voice recognition device installed in the meeting room to facilitate meetings. Still, we might want to avoid installing them in spaces where we discuss sensitive information. We should avoid typing passwords in open areas because someone can see or video record the keystrokes or on-screen keyboard. Cybercriminals are crafty in exploiting the physical realm in addition to the cyber realm.
We should avoid overlooking the physical realm when thinking about cybersecurity. Just as we lock our doors and windows to protect our home and look around to see whether anyone can see our PIN when we use the ATM, it would behoove us to assess how our physical security weaknesses affect our cybersecurity.
Securing the Human Layer (Undefined Layer Above Layer 7)
People make up a company or organization, though we might associate it with a product, a mission, or a service. Products and services are tangible outputs that people produce. These individuals are the most crucial part of a company and can become a cybersecurity attack target.
Unlike a computer program, a process, or raw material, a person’s behavior is not 100% repeatable and predictable. This variability leaves the organization vulnerable to an attack. Fortunately, we can leverage training and education to reduce risk. A person’s behavior stems from the sum of all the information, learning, and thinking he or she has participated in from birth. This means we can teach a person good cybersecurity hygiene and practices to positively influence how a person reacts when he or she gets a phishing email, for example. We can encourage them to participate in simulated attacks that can leave a lasting impression about the potential ramifications of getting a ransomware virus, for example. Cybersecurity training and education can help us build sound wisdom similar to the lessons (such as looking both ways before crossing a street) we learned during childhood.
We should aim to teach good cybersecurity hygiene and practices using different mediums and approaches, such as text, video, and audio. We can also vary our training programs to leverage the different learning styles: verbal, visual, auditory, and physical. Adapting the teaching to improve the learning retention rates will enhance learning and ultimately secure the human layer.
We discussed top ways to prevent a cybersecurity attack by grouping the threats into four significant layers. Arguably, humans are the weakest link in our cybersecurity posture because we are vulnerable to social engineering and forget our cyber hygiene. The physical realm is possibly an overlooked area when we think about cybersecurity. And the most common attacks target the application and network layers. Protecting and securing these four areas addresses the top threats to our company and organization.
About the Author
Miguel is a Principal Security Engineer and is the author of the "Serverless Security" book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.