As much as third party cyber security protection models are handy (i.e NIST Cybersecurity Framework), I personally find them far too complicated for my liking. Complicated generally translates to poorly or not full implemented. That translates into lower levels of security, especially in the SMB space. I think that good security is all about keeping things as simple as possible.
With that in mind, I’ve started to try and nut out my own model. My thoughts so far centre on the above diagram. In the centre is your data. Data is moved and changed via four basic connectors:
2. Connections (i.e. to removeable storage, network connections, Internet, etc)
The Data is normally protected by a Device, being a workstation, server or mobile. However, typically it is a workstation as hopefully most people aren’t browsing on servers. The aim also here is to focus on cloud deployments here without on-premises infra-structure.
For the Connectors to interact with Data they must do so across the Device boundary. In the security context, this means that these Connectors also need access to not only the Data but also the Device. Thus, attacks are going to be targeted at either the Data or the Device via the Connectors as I see it.
If we consider that most Data doesn’t include it’s own defensive capabilities because, typically, it is the container in which the data lives that has the defensive capabilities, then we need to look at the defensive capabilities of the Device I believe. It is also worth noting that data on it’s own generally isn’t a threat, it is only when action is taken with Data that risk arises. For example, a phishing email sitting in an inbox unopened is not an active threat. It only becomes active when it is read and the link inside is clicked allowing a process to take place, typically, on the device. In short, Data typically isn’t the source of active threats, it is actions taken with that data that generates active threats. These are typically activated on the device.
That means the major security focus should be on the defensive capabilities of the Device. It also means that the major threats are going to come from the four connectors; email, browser, connections and applications. Of these four, I would suggest that the most likely source of introduced threats is going to be from email and the browser.
Reducing the risks from both email and the browser start at the source of these two connectors. For email that means appropriately configuring things like DNS, then mail filtering policies to provide protection even before the connection passes onto the device. Likewise for the browser, this means content filtering before results are returned to the browser. However, setting those items aside for the moment and let’s just focus on what threats the device faces from the email and browser connections.
The threat from email is going to be a message that either:
1. delivers a malicious attachment that when opened by the user and takes action
2. delivers a message that contains a malicious link that is clicked by the user and takes action
3. delivers a message that convinces the user to take some risky action
The threat from the browser is going to be either:
1. navigating to a web site that contains malicious content that is downloaded and takes action
2. navigating to a web site that harvests credentials
The interesting thing with all of these is that it requires some sort of user interaction. As I said, a phishing email isn’t a major threat until a user click on a link it contains.
So what’s kind of missing from my model so far is the person or identity. let me go away and think about this some more but I appreciate sharing my thoughts with you and if you have any feedback on this model I’m trying to develop, please let me know.