Layering in cyber security means putting more barriers in the way of cyber-attacks.
Instead of cyber-security existing as a single perimeter barrier, cyber-security can offer layers of differing forms of protection.
The idea can be most easily seen in castles:**
- First the attackers have to get up a big hill.
- Then there is a deep moat.
- If they get past that, there is a very secure very thick door.
- That leads into a small space with only one small door.
- If they get past there they are in a space with very little of any worth.
- Only then do they reach the difficult, really well protected areas.
The layering of security makes it difficult for the attacker at each step, and each step gains the attacker very little in terms of benefits.
Layering of cyber-security is enhanced if undertaken in collaboration with Segregation (see future article on Segregation).
Layers in Cyber-Security
Traditionally, cyber security has not been highly layered. One of the preferred approaches has been securing the outside perimeter with firewalls and the like. Failures in this approach led to increased cyber security on each computer (e.g. antivirus software). The realisation that this also did not work very well has led to the current three versions of layering of cyber security.
Having layers of cyber-security forces attackers to adopt more sophisticated methods. Many hacking attempts are fully automated, and for the simplest of these, layering cyber-security restricts the level of business access that simple hacking achieves.
Whole-of-business layering of cyber security
Whole-of-business layering of cyber security is based on risk analysis across the business and its boundaries. Typically such risk analysis covers business processes, financial management, marketing, information management, practical business realities and IT systems taken together.
Its aim is to minimise losses from cyber attacks. It accepts that some cyber-attack breaches cannot realistically be avoided. Its aim, however, is to make it as difficult as possible for attackers and to minimise how far they can reach towards the assets whose compromise would result in higher levels of losses or liabilities.
Working in this way reveals how different aspects of the business can be protected differently. It reveals how important assets can be arranged so that they are protected by multiple layers of security. Typically, such layering and enhanced security can be enabled by small changes to business processes and practices that significantly reduce cyber-risks.
Whole-of-business layering of cyber security locates cyber-security within the management realm of business risk management.
This is the most recent approach to layering cyber security and is increasingly held by cyber-security institutions to be current best practice and to deliver better outcomes. It is, however, currently rarely available except from the top tier of American cyber-security businesses (we are one of the few businesses in Australia to offer it). In part, the lack of availability of whole-of-business layering of cyber security is because cyber-security has to date been IT security only, and cyber-security staff are primarily IT trained.
It is particularly suited to smaller high-value SMEs (less than 250 people).
Whole-of-business cyber security is our focus and preferred approach here at the Design Out Crime and CPTED Centre.
Network/software-based layering of cyber-security
The classic IT security version of layering is layers of different kinds of software protection, each covering gaps left by the other cyber-security software. This is currently one of the most established approaches.
It is preferred by cyber-security software vendors as it allows a modular approach to software provision and sales. Vendors sell different kinds of software (firewall software, threat analysers, anti-malware, antivirus, access control, intrusion detection, patch updating software, network surveillance, password managers, spam filters, database security, etc.) for different parts of a business's network. It also offers them the potential to sell integrated packages that combine software modules in various ways, or physical computer appliances containing integrated collections of cyber-security software.
An advantage is that this approach can scale well for companies with larger numbers of computers (starting at around 250 computers). A disadvantage is that it forgoes the benefits offered by whole-of-business layering of cyber security.
Defense in Depth
Defense in depth is the military approach to layering IT security. Its focus is IT only, but within that it has much the same philosophy as whole-of-business layering of cyber security.
Defense in depth seeks to use layers of cyber-defenses to slow down rather than stop cyber attackers and offer time to identify that an attack is occurring and time for cyber-defenders to put in place strategies to block the attack. In fact, a Defense in Depth strategy might well use network/software-based layering of cyber-security as an element of the defense in depth.
Defense in depth, with its focus on delays, attrition, surveillance and building response time, makes much more sense in a military cyber-warfare setting. It makes less sense in commercial settings, especially as, currently, the average time for companies to identify a breach is 205 days and 69% of companies identified their cyber breach by being told about it by others (although these figures may be transformed by new software aimed at identifying breaches earlier).
- Layering cyber security involves placing multiple barriers in the way of cyber attackers. It works well with segregation, particularly of assets.
- Whole-of-business layering of cyber security is emerging as the preferred cyber-security approach for reducing business losses and achieving better levels of protection. It is especially well-suited to high-value smaller SMEs of less than 250 staff. It can, however, scale down to micro/nano businesses. It typically requires management involvement.
- Network/software-based layering of cyber-security is currently the approach preferred by cyber-security vendors. It offers relatively turnkey solutions and is typically located wholly within the IT department. Cyber-security institutes indicate that this IT-only approach is less successful than whole-of-business cyber security.
- The Defense in depth approach to layering IT security is an effective approach that is pragmatically similar to whole-of-business layering of cyber security. The intentions of Defense in depth, however, seem to align it philosophically more with cyber-warfare than with the practicalities of business cyber-protection.
** Caerlaverock Castle (Scotland) by Simon Ledingham, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=8861479