This article will answer the following questions:
- Why has IT infrastructure become so vulnerable?
- How can a cybersecurity manager learn to think like a hacker?
- What is the difference between white hat, black hat and grey hat hackers?
- What is a kill chain model and how can I use it?
- Why should I make an IT architecture diagram?
- What is included in a cybersecurity architecture blueprint?
- What IT infrastructure security policies should my company have in place?
- Where can I find resources to create technical baselines?
- Who should be allowed to make what changes in our change management policy?
- Is network segmentation an effective security measure?
- What gateway protections should my company have in place?
Protect IT infrastructure Part I: IT Infrastructure
Companies must protect their IT infrastructure: cloud services, internally maintained servers and related equipment, workstations, and the internal and external networking resources that connect them. From a security point of view, IT infrastructure used to be like a medieval castle with a wall around it and one big gate for entry and exit. The gate controlled all traffic in and out, so the guards had a single choke point at which to monitor and control access to the castle. It was reasonably safe from intruders.
Today, in a multivendor environment where workers access data remotely and through the cloud, that solid wall around the castle now has a hundred doors in it that all grant twenty-four-hour access. With so many access points, it becomes impossible to make the fortress impenetrable.
A company might have many ICT vendors, each of whom usually maintains its own service, plus a range of cloud services. Everything sits in one big mesh, like a spider web, where any node can be connected to any other. Employees also use third-party services semi-professionally or purely personally, and those are not controlled by the company in any way. As a result, the old fortress model has been breaking down for years. This is the IT infrastructure world we now live in: a whole kingdom to control and secure, but with no solid perimeter wall around it.
Think Like the Attacker
We can barely scratch the surface of how attackers think in this article, since our topic is mostly how to be a successful cybersecurity manager, with a little on how to work as a defender. But understanding the enemy is paramount to success. The cybersecurity manager needs to keep a few key facts about attackers and their mindset in mind, because attackers think and act quite differently from IT people. Let's compare.
IT cares about people and the company. IT wants to make information available and easy to use; attackers want to steal it, destroy it, or make money from it. IT wants to deploy new services and tools quickly and build new things, and in doing so makes the company more visible on the internet, and therefore to attackers. Attackers take advantage of anything visible from the company and use it against the company. They have no interest in making things work; they only want to make the technology and the people behave in ways they were never intended to, for the attackers' own benefit. IT has to defend successfully every day, in every single service, and for every single person using those services. Attackers only need to succeed once to penetrate the defence. The two mindsets are plainly opposites.
The cybersecurity manager has to understand how to think like the adversary and fight the defensive battle against the attacker's mind, not just against the technology the attacker happens to be using. To do so, the cybersecurity manager will need support from professional penetration testers, also known as white-hat hackers, who bring the attacker's perspective into the game and help the company test its defences. One piece of advice, though: pay attention to the professional ethics of whoever you employ to do your security testing, and put the scope, rules of engagement and written authorisation in place before any test starts. Crooks can't be trusted.
When planning your penetration tests, consider the coverage of the testing you have done. Have you tested single components of your infrastructure, such as individual web applications, or have you covered it all with a full-fledged red team exercise that inspects the whole infrastructure and tests all your defences, including detection and response, in depth the way real attackers would? Perhaps there are gaps in your understanding that further testing needs to close.