Although our biggest defense is heeding the Holy Spirit, we must not be ignorant of the tactics of the evil one. Defense in Depth (DID) is a concept that has been gaining momentum for some time now. It originated as an early military strategy with the intent of slowing or hindering an attack by requiring the breach of multiple layers before success can be achieved. Defense in Depth is a shift from reactive thinking to proactive thinking. That means instead of reacting to threat incidents, you prevent them, and preventing the threats of today requires a lot more than fancy firewalls, web content filters, and spam protection. The purpose of this article is to enlighten and stimulate ideas about information security and how you might improve the security posture of your ministry or organization.

The Playing Field

When thinking about DID, it is important to map the playing field. We call this the Threat Matrix in cybersecurity terms, and it is no short task. You should allow your team at least 8 hours to brainstorm all possible threats, be they social engineering, insider threats, unpredictable events (acts of God), viruses, phishing, or acts of terrorism. This is why DID is a group activity. This is not something you want to attempt on your own.

When thinking of defense in depth, it is easier to take it one layer at a time.

The Physical Security Layer

The physical security layer consists of the physical aspects of security, such as human beings, physical door locks, guest entry procedures, video surveillance, etc.

  1. Human Factor
    • Risks include:
      • Lack of cybersecurity/security awareness
      • Oversight/overworked
      • Insider threat (rogue or disgruntled employees)
      • Outsider threat (vendors, clients, etc.)
        • Competition
        • Legal
        • Disgruntled customers or employees
      • Use of shared credentials/lack of accountability
  2. Perimeter Security
    • Risks include:
      • Breaking/Entering
      • Theft
        • Physical Equipment
        • Intellectual Property
        • Client information (PII, confidential information)
      • Injury/Accident Lawsuits

The Network Layer

The network layer consists of network firewalls, switches, access points and other methods of connecting computers and other technology, such as the Internet of Things (IoT), together, along with the risks that come with that territory.

  1. Network Firewalls (external protection)
    • Risks Include:
      • Open ports
      • Vulnerabilities due to lack of updates
      • Weak VPN passwords and policies
      • Unauthorized Remote Access
      • Data exfiltration
  2. Layer 2 Switching (internal protection)
    • Risks include:
      • Unauthorized access of local network
        • By plugging into open ports on the wall
  3. Wireless Access Points
    • Risks include:
      • War driving (drive-by discovery and theft of Wi-Fi access)
      • Network snooping (hackers scanning network traffic for PII (personally identifiable information))

The Host Layer

The host layer concerns third-party vendors/organizations that host a particular service or a set of Infrastructure as a Service (IaaS) assets. For example, Amazon's AWS and Microsoft's Azure are both hosting platforms that can run virtual servers/workstations, virtual firewalls, and applications delivered as Platform as a Service (PaaS). Although Microsoft and Amazon data centers are protected like Fort Knox, securing your assets in these environments is not as cut and dried as datacenter security may be: the provider secures the building and the hardware, but the configuration of your accounts, access rights, and data is still your responsibility.

These risks should be considered:

  • Data breach
  • Unauthorized access
  • Inappropriate access (least privilege)
  • Hostage billing (Hosting company holding data hostage for unpaid bills)
  • Data loss
  • Unknown incident at the hosting provider that causes data loss
  • Accidental deletion
  • Acts of God (flood, lightning strike, tornado, hurricane, etc.)

The Application Layer

The Application Layer involves any software used to access, edit, or manipulate data, such as an operating system like Microsoft Windows or macOS. This includes mobile OS types as well, like Android and Apple's iOS and iPadOS. Third-party applications that run on the OS are also included, such as Intuit's QuickBooks or Microsoft Office. Unfortunately this layer also includes malicious software such as viruses and other malware.

Risks Include:

  • Operating System
    • Vulnerabilities
    • Data corruption
    • Virus/Malware
      • Data exfiltration
      • Ransomware (data taken hostage)
      • Bots (your system could be used in attacks conducted by hackers)
  • Third-party Software
    • Freeware is often used as a carrier for viruses; research freeware thoroughly and only use freeware that is updated frequently
    • Data breach
      • Data breaches happen all the time; be sure to read any notices from these organizations if you are ever impacted. Knowing what the impact is and which actions are recommended is very important.

The Admin (Administrative) Layer

The administrative layer is the policies and procedures your organization uses to ensure the confidentiality, integrity, and security of the data your organization collects. For example, if your organization has no procedure for storing customers' personal information and this leads to a breach of security or a leak of information to the public, it could be detrimental to any organization, especially a church, which serves its community in many ways, including providing counselling to those who are struggling.

Risks Include:

  • Unauthorized physical or logical access to information
    • Example: shared logins are especially exposed to phishing attacks
      • Phishing attacks are social engineering methods used by hackers to obtain login credentials by tricking the victim into entering their login information into fake websites that mimic real ones.
  • Legal action
    • Example: confidential information from a counselling session is left on the desk in the Pastor's office, and another member of the church walks into the office and sees this confidential information.
  • Government fines for breaches of compliance
    • Example: Churches are subject to comply with Child Protection Laws requiring all staff working with children in the church to undergo a background check. Violating this regulation can result in fines or temporary or even permanent church closure.

In terms of cybersecurity, the organization should have the following administrative policies in place at a minimum to ensure a healthy cybersecurity posture:

  • Accountability (ensure everyone has their own account that identifies them personally, don’t use shared accounts)
  • Use strong passwords (minimum 8 characters with at least one capital letter, one number, and one special character, and that does not use personal or common names, birthdays, or anniversaries)
    • On accounts
    • On Wi-Fi networks
    • On equipment
  • Enroll your organization in security awareness training; there are many organizations that offer this. KnowBe4 is one I have the most experience with, and they are great!
  • Have processes/procedures in place to ensure you comply with any required laws (if you are unsure, consult a legal professional)
  • Require a clean desk policy (no sensitive information out on desks; it should be put away in drawers, preferably locked drawers)
  • Develop a business continuity plan
    • How can the business continue without computers? (paper only plan)
    • What are the critical roles, can others be trained to step in?
    • Is there an alternative location the business can operate from in the event of a building catastrophe?
      • Are there any costs involved with securing this alternative location and what are they?
    • What business data is mission critical and is it being backed up in some way?
      • If it does exist, where does the backup exist and who is responsible for it?
      • How often is this data being backed up?
      • Is the backup geo-redundant (duplicated on the west and east coasts)?
        • Is your data backed up as far as the east is from the west?
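The strong-password rule in the list above can be checked automatically when accounts are created. The checker below is an added example, not code from the article; the personal names and dates it screens against are assumed to be supplied by whoever sets up the account.

```python
import re
from datetime import date

# Rules as stated in the article: at least 8 characters, at least one capital
# letter, one number and one special character, and no names, birthdays or
# anniversaries. Names and dates come from the caller (assumed, e.g. HR record).

def _date_forms(d):
    """Spellings of a date that people commonly embed in passwords."""
    return {
        d.strftime("%m%d%Y"), d.strftime("%m%d%y"), d.strftime("%d%m%Y"),
        d.strftime("%d%m%y"), d.strftime("%Y%m%d"), d.strftime("%m%d"),
        d.strftime("%b%d").lower(), d.strftime("%B").lower(),
    }

def check_password(password, personal_terms=(), personal_dates=()):
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        violations.append("no capital letter")
    if not re.search(r"[0-9]", password):
        violations.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")
    lowered = password.lower()
    # Names are matched case-insensitively; terms under 3 characters are ignored
    # so that initials do not cause false rejections.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            violations.append(f"contains the name '{term}'")
    for d in personal_dates:
        if any(form in lowered for form in _date_forms(d)):
            violations.append("contains a birthday or anniversary")
            break
    return violations

def password_ok(password, personal_terms=(), personal_dates=()):
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(password, personal_terms, personal_dates)

if __name__ == "__main__":
    # Constructed sample: a staff member named Lucas with a (made-up) anniversary.
    terms, dates = ["Lucas"], [date(1985, 7, 14)]
    for pw in ("lucas0714", "Summer2024!"):
        print(pw, "->", check_password(pw, terms, dates) or "passes")
```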

The Data Layer

The data layer is the last line of defense, and this includes protecting the physical medium that holds the data. A good example of this would be drive encryption. On a Windows PC, this is a feature called BitLocker, and it can encrypt the data on your drive so that if someone were to remove it from the computer and try connecting it to another machine, they would need the very long encryption key to get at the data on the drive. This concept is called encrypting data at rest.

There is another concept related to protecting data, and that is to protect data in transit. A good example of this is the use of an SSL certificate on your website. This encrypts any input and output data going to and from the website, for example a customer logging into your website with a username and password, or someone submitting a form with information such as a prayer request.

Here are some actions you can take to protect your data at this layer:

  • Use drive encryption on your laptop or PC
    • For an Apple Mac desktop or laptop it is called FileVault and can be enabled by following these instructions
    • For a Microsoft Windows PC or laptop it is called BitLocker and can be enabled by following these instructions
  • Encrypt your mobile device
    • Common how-to guides:
  • If you use USB storage drives (also known as thumb drives), be sure to encrypt them with a passcode as well; you can do so by following these instructions

Key Takeaways

  • Implementing Defense-in-Depth (DID) can improve the security posture of your organization
  • There are six primary layers to be concerned with:
    • Physical: involves the physical aspects of security such as door locks, security personnel, and video surveillance.
    • Network: involves computer network equipment such as firewalls, wireless access points, network switches, etc.
    • Host: involves hosting providers such as Microsoft and their Microsoft 365 product or Intuit’s QuickBooks Online product
    • Application: involves your computer's operating system, such as Microsoft Windows or Apple's macOS, along with any third-party applications you might use:
      • Known software like Intuit QuickBooks, Microsoft Office
      • Freeware software
        • Be sure to do your research, use only freeware that is maintained by frequent version updates
    • Admin: involves the administrative procedures for your organization and should at the very least implement:
      • Accountability
      • Strong passwords
      • Security Awareness Training
      • Compliance
      • Clean-desk Policy
      • Business Continuity Plan
    • Data: involves protecting the data on your physical devices by the use of encryption.

About the Author

Lucas Reinhart currently works at Atlas Technica as a Sr. Project Engineer and holds a B.S. in Information Technology with an Advanced Cybersecurity Certificate from the University of Phoenix and a Master of Business Administration from the University of Phoenix. Lucas is distinguished in the Information Technology industry with over 20 years of professional experience in the field. Lucas also serves his community by serving as the Technology Leader at That Church in Clinton, IA. Lucas is a father of 5, loves Jesus, his Wife, and his family very much and is dedicated to spreading the Gospel of Jesus to all.