What is Zero Trust? 7 features of the Zero Trust network

What is Zero Trust?

Major cloud providers advertise with this buzzword.

What does it mean? This article aims to shed some light on the subject!

Let’s get started!

Time before Zero Trust

00 Every now and then you find a DDL from the 80s

Before 1980, a limited number of companies and universities were connected to the network from which the Internet developed. The developers of the past could never have imagined that the network would grow so much.

Trust in the user community

The inventors of the IP/TCP stack protocols designed the network to be used efficiently by an educated, good-natured group of people (developers, researchers). Research documents and data were to travel over the network.

Because the system worked so well, the network grew rapidly. More and more users exchanged information on the network. The users were no longer only researchers and computer scientists, but also ordinary people and criminals.

Computers are designed with good intentions

A computer should be functional. Software from the 1960s to the 1990s shipped as soon as its features were complete. Nobody worried about exploits that criminals could smuggle in over the Internet. The software simply had to work!

02 Coding with good intentions

The computer scientists created the technology with the intention of ensuring that only well-behaved people operate the technology and do their work.

At some point, the good-naturedly designed computers were connected to the Internet, where criminals were located. What could possibly go wrong?

Steffen Lippke

What does that mean?

The computer scientists were unable to develop new technologies because insecure standards had become established on so many devices. They had to secure the existing standards with additional new standards. Computer scientists had to ensure compatibility between old and new software.

Today, we live in a mixed world of new and old protocols, technologies and standards that are cumbersome and slow.

What is Zero Trust?

Zero Trust assumes that you cannot trust anyone and must scrutinise everything:

  • If you receive an e-mail from the sender chef@meinfirma.de, does it really come from my boss?
  • Who is actually on the other end of the line?
  • Couldn’t a hacker forge the website and trick me into entering my password in the form field?

You only trust yourself and no one else on the network!

What is a zero trust network?

To build a secure network, we need the following aspects:

# 1 Mutual authentication

Most authentication options only work in one direction. The client (end user) proves with a username and password that they are the identity they claim to be.

Have you ever considered that the server might not be real?

A hacker can spoof a server so that your programme / browser assumes that the hacker’s server is the real one. Kerberos authentication makes it possible to log in without the user ever sending their password; only a key derived from it (the password hash) is used. Because the server knows this password hash as well, it can in turn prove to the user that the server is genuine.

02 Kerberos makes it secure
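The idea behind mutual authentication, as an added example that is not from the article: a toy challenge-response exchange in which the client and the server each prove knowledge of a password-derived key without the password itself crossing the wire. Kerberos achieves the same guarantee with tickets and a KDC; the realm name and the protocol here are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the article: both sides answer a nonce with an HMAC
# under a key derived from the password. Kerberos does this with tickets and a
# KDC; only the mutual-proof idea is shown here. REALM is an assumed value.
REALM = "EXAMPLE.LOCAL"   # used as the salt, much as Kerberos salts with realm+principal

def derive_key(user: str, password: str) -> bytes:
    # The server enrols and stores only this derived key, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 100_000)

def prove(key: bytes, role: bytes, n1: bytes, n2: bytes) -> bytes:
    # The role tag separates client and server proofs so one cannot be replayed as the other.
    return hmac.new(key, role + n1 + n2, hashlib.sha256).digest()

class Server:
    def __init__(self, enrolled: dict):        # user -> derived key
        self.keys = enrolled
    def challenge(self) -> bytes:
        return os.urandom(16)
    def check_client(self, user, s_nonce, c_nonce, c_proof):
        key = self.keys.get(user)
        if key is None or not hmac.compare_digest(prove(key, b"C", s_nonce, c_nonce), c_proof):
            return None                         # client rejected, nothing is revealed
        # Answer the client's nonce: only a server that holds the key can do this.
        return prove(key, b"S", c_nonce, s_nonce)

class Client:
    def __init__(self, user, password):
        self.user, self.key = user, derive_key(user, password)
    def respond(self, s_nonce):
        self.c_nonce = os.urandom(16)
        return self.c_nonce, prove(self.key, b"C", s_nonce, self.c_nonce)
    def check_server(self, s_nonce, s_proof) -> bool:
        # A spoofed server that does not know the key cannot produce this value.
        return hmac.compare_digest(prove(self.key, b"S", self.c_nonce, s_nonce), s_proof)

def mutual_auth(client: Client, server: Server) -> tuple:
    """Returns (server_accepted_client, client_accepted_server)."""
    s_nonce = server.challenge()
    c_nonce, c_proof = client.respond(s_nonce)
    s_proof = server.check_client(client.user, s_nonce, c_nonce, c_proof)
    if s_proof is None:
        return (False, False)
    return (True, client.check_server(s_nonce, s_proof))
```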

# 2 Privileged Access Workstation (PAW)

In a company, some employees hold very extensive and important authorisations on the company network.

If the passwords of these important people fall into the hands of a hacker, the entire company network is compromised. To ensure the best possible protection, there are one or more physical computers that are only intended for the administration of the company network.

An e-mail programme, the browser and the connection to the public Internet make a normal employee PC an insecure area. The isolated machines are designed for one purpose only:

Administration of the corporate network

# 3 Virtual machines – Privileged Access Workstation

A virtual machine simulates an operating system with all its programmes within a programme in a host operating system.

These can work encapsulated from each other. This protective layer makes the hacker’s work more difficult. In the past, hackers have been able to jump from the host operating system to the guest operating system by exploiting gaps in the virtualisation software.

A physically separate device is considered more secure.

Steffen Lippke

# 4 Use a multi-tier architecture

Not every device in an IT infrastructure is equally important. Devices are categorised according to their application and function. A customer database is more important than an employee PC, and the file server is more important than an IoT sensor. The administrator sorts the devices into the different tiers according to application and importance.

01 The network is not secure

Compartmentalisation can make sense:

Why should an IoT sensor communicate with the customer database?

These should be located in a separate network. Only authorised employees are allowed to access the database via just-in-time access. The database strictly logs employee queries and changes.

The IoT sensors can be set up in a separate sub-network so that a server collects and aggregates the measurements from the sensors.

# 5 Reduce the attack surface

Every server, every port and every application is at risk from hackers.

Minimise the number of servers needed to power your infrastructure.

  1. Has no employee used this application for 6 months? → Then get rid of it (or archive the data)!
  2. Do we really need 5 instances of this service? → No, the employees only access one, and it is under-utilised. Get rid of the rest! This saves valuable patch time.
  3. Do the services really have to be publicly accessible? → No – then only set up access for authorised users!
  4. Does the programme have to run around the clock? → No! Shut it down after work!

Minimise the services you host and the servers you run, because every piece of software can contain zero-days that you would then have to patch quickly.

# 6 Keep track of events

Another essential aspect is the introduction of security information and event management (SIEM) software to keep an overview of the IT infrastructure.

03 SIEM to collect logs

  • Who moves around the infrastructure and how?
  • Who is logging in where?
  • How much data is the person transferring?
  • Are certain users out of line?
  • Which servers are producing error messages?
  • Which servers are not patched?
  • When have criminals tried to log in using a brute force attack?

A SIEM can answer these questions. Scripts aggregate all the SIEM’s indexed log files into meaningful key performance indicators (KPIs).
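One of the questions above, "when have criminals tried to log in using a brute force attack?", worked through as an added example (not from the article) over constructed sshd-style log lines: a sliding window counts failed logins per source and user, and a success that follows the failures is recorded because that is the case that needs a response. The log format, threshold and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Added example, not from the article. SAMPLE_LOG is constructed data in an
# sshd-like format; the addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:00:01 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:03 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:05 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:07 sshd[812]: Accepted password for alice from 192.0.2.5
2024-03-04T08:00:08 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:10 sshd[813]: Failed password for bob from 198.51.100.9
2024-03-04T08:00:11 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:15 sshd[811]: Failed password for admin from 203.0.113.7
2024-03-04T08:00:20 sshd[811]: Accepted password for admin from 203.0.113.7
2024-03-04T08:00:30 sshd[813]: Failed password for bob from 198.51.100.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(lines):
    """Yield (timestamp, outcome, user, source) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), outcome, user, src

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert on (source, user) pairs with `threshold` failures inside `window`
    and note whether a successful login followed the guessing."""
    recent = defaultdict(deque)          # (src, user) -> failure times still inside the window
    alerts = {}
    for ts, outcome, user, src in parse(lines):
        key = (src, user)
        if outcome == "Failed":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:    # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"first_seen": q[0], "failures": len(q), "success_after": None}
        elif key in alerts and alerts[key]["success_after"] is None:
            alerts[key]["success_after"] = ts     # the guessing worked: likely account takeover
    return alerts

def failures_per_source(lines) -> Counter:
    """Dashboard KPI: failed logins per source address."""
    return Counter(src for _, outcome, _, src in parse(lines) if outcome == "Failed")
```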

# 7 Automate the remediation of threats

If the SIEM detects conspicuous behaviour by a user in the company network, it can pass the incident on to a SOAR (security orchestration, automation and response) platform in the form of artefacts (case files).

Python scripting

The SOAR handles these incidents with scripts. The Security Guys call these scripts playbooks; the server executes them when it receives an artefact. Each playbook requires parameters that originate from the artefact.

This is followed by a logic flow made up of API blocks, if branches and loops (as in normal programming). Manual “human” building blocks, such as a confirmation by a system admin, enable intelligent human-machine interaction that is otherwise automated.
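A playbook of the kind described above, as an added example that is not from the article or from any real SOAR product: the parameters come from the artefact, if branches decide the flow, the "API blocks" are stand-ins that only record what they would call, and the manual building block is a callable that asks a human before a privileged account is disabled. Field names, thresholds and account names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

# Added example, not from the article: a toy playbook runner. The API blocks
# are simulated and only record the call they would make.
PRIVILEGED = {"admin", "root"}       # assumed: accounts that need a human before disabling

@dataclass
class Artefact:                      # the case file the SIEM hands to the SOAR
    source_ip: str
    user: str
    failed_logins: int
    success_after: bool              # did a login succeed after the failures?

@dataclass
class Run:
    actions: list = field(default_factory=list)   # what the playbook did
    status: str = "open"

# "API blocks": a real SOAR would call the firewall, identity provider and chat here.
def block_ip(run: Run, ip: str):          run.actions.append(f"firewall.block {ip}")
def disable_user(run: Run, user: str):    run.actions.append(f"idp.disable {user}")
def notify(run: Run, msg: str):           run.actions.append(f"chat.notify {msg}")

def brute_force_playbook(art: Artefact, confirm: Callable[[str], bool],
                         threshold: int = 5) -> Run:
    """Runs the flow for one artefact; `confirm` is the manual 'human' block."""
    run = Run()
    if art.failed_logins < threshold:            # if branch on an artefact parameter
        run.status = "closed:below_threshold"
        return run
    block_ip(run, art.source_ip)                 # always safe to do automatically
    if not art.success_after:                    # no takeover observed, done
        run.status = "closed:auto"
        return run
    if art.user in PRIVILEGED:                   # manual building block
        if confirm(f"disable privileged account {art.user}?"):
            disable_user(run, art.user)
            run.status = "closed:human_approved"
        else:
            notify(run, f"analyst declined to disable {art.user}; escalate")
            run.status = "escalated"
    else:
        disable_user(run, art.user)              # ordinary account: no human needed
        run.status = "closed:auto"
    return run
```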
