
How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal was to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, and the exfiltrated data was then used to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report, “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign that orchestrated attacks on multiple fronts, ranging from spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Layered Security Architecture

The crown jewel of any company is its data; the intrinsic value of any company lies within its data, so how do security professionals go about protecting it? To put it in terms everyone can understand, it is done in layers. When we go out on a frigid winter day, we wear layers of clothing to protect us from the elements and to trap our body heat, preventing hypothermia.

Data security is no different and is now a primary systemic concern, with breach after breach affecting organizations and government agencies of all sizes. The sophisticated and advanced threats from cyber-terrorists, military adversaries, disgruntled employees, and hackers demand a methodical approach to data security. In highly regulated industries such as banking, utilities, and the military, enhanced security is not an option; it is mandatory. Enacted government regulations require organizations such as financial institutions, insurers, healthcare providers, and key federal agencies to implement stringent security programs to protect digital assets. This article will explain a layered approach to securing data from the ground up. The layered approach is both a technical strategy, where adequate measures must be put in place at different levels within an infrastructure, and an organizational plan, requiring buy-in and participation from the board of directors on down throughout the organization.

It is my goal to provide a fundamental understanding of data security from the network on up to the data and to suggest a best-practices approach to protecting digital assets. The audience I am seeking includes the curious who like to understand the basics, IT professionals, business managers, and high-level decision makers.

The layered-security approach centers on maintaining appropriate security measures and procedures at five different levels within an IT infrastructure:

  1. Perimeter
  2. Network
  3. Host
  4. Application
  5. Data

The diagram above presents the layered security model; for the technologies that function at each level, I will provide a brief overview of their importance.

The Perimeter Layer

The perimeter is the first line of defense from the outside world; it is the entrance and exit door where your network ends and the Internet begins. The perimeter consists of one or more firewall devices and a set of strictly controlled servers located in a portion of the border referred to as the DMZ (demilitarized zone). Firewall devices can be partitioned to segment off such areas, much like separate rooms in a house. The DMZ typically contains web and application (middleware) servers, email gateways, proxies, and network anti-malware, in addition to DNS servers that must be exposed to the Internet. The firewall has strict bi-directional rules governing where traffic can enter and exit the network, as well as rules about how servers in the DMZ can interact with the Internet and the inside network. A compromised perimeter can cripple the ability to conduct business. For example, if your organization relies on your Web servers for revenue generation, and those servers have been hacked and taken off-line, you lose money for every minute they are down.

The following technologies provide security at the network perimeter:
  • Firewall — typically a device installed at the border, usually behind a router or load balancer/failover device, where the Internet feed from the Telco (telecommunications company) provider connects to the inside and the outside of the network perimeter. It performs three general functions:
  1. Traffic control filtering
  2. Network address translation (NAT)
  3. VPN termination
Firewalls are stateful (real time) and implement traffic control by examining the source and destination of all incoming and outgoing network traffic, permitting or denying requests to pass through. There are several firewall manufacturers; in most organizations Cisco, Juniper, Palo Alto, Checkpoint, and Dell (SonicWall) are predominantly deployed. Additionally, firewalls help secure the network by using NAT to translate internal IP addresses to IP addresses that are visible to the Internet. This prevents the disclosure of critical information about the structure of the network inside the firewall. With the advent of IPv6, NAT will soon become obsolete. A firewall can also terminate VPN tunnels; these three capabilities make a firewall an indispensable part of network security. Many higher-end firewall devices now incorporate all-in-one functionality, adding VPN, anti-virus, anti-spam, DHCP, DNS, routing, IPS/IDS, proxy, web filtering, and DLP.
  • Anti-malware — installed in the DMZ, network-based anti-malware software compares incoming and outgoing email message content to a database of known profiles. Network-based antivirus products such as McAfee and Symantec block infected email traffic by quarantining suspicious and infected email messages and then notifying recipients and administrators. These products also detect and block suspicious websites where malware is often encountered. More sophisticated products such as FireEye, Imperva, and Blue Coat provide automated monitoring, threat forensics, and dynamic malware protection against advanced cyber threats such as advanced persistent threats and spear phishing.
  • VPN — a virtual private network (VPN) uses strong encryption to create a secure connection between remote devices, such as mobile devices and laptops, and the destination network. It essentially creates an encrypted ‘tunnel’ across the Internet, approximating the security and confidentiality of a private system. A VPN tunnel can terminate on a VPN-enabled router, firewall, or server within the DMZ. Enforcing VPN connections for all remote and wireless network segments is a critical best practice that is relatively easy and inexpensive to implement.
  • SIEM — security information and event management provides real-time analysis of security alerts generated by network hardware and applications. It is installed as software, as an appliance, or outsourced as a managed service. Just as essential, SIEM reads the log files generated by the various security infrastructure systems to create compliance reporting. Splunk, HP ArcSight, and RSA enVision are typical installations in many organizations.
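The real-time analysis a SIEM performs is easiest to see on concrete logs. The following is an added example (not code from the article or any SIEM vendor) that correlates constructed firewall, host IDS and application log lines by source address and raises one alert when a single source shows up at all three layers inside a five-minute window; the line format, addresses and window size are assumptions made for the example.

```javascript
// Added example, not from the article: minimal SIEM-style correlation over
// constructed log lines from three layers (perimeter firewall, host IDS,
// application). The line format below is invented for the example.
const SAMPLE_LOGS = [            // "<ISO time> <layer> src=<ip> <details>"
  "2019-05-01T10:00:05Z fw src=203.0.113.9 action=deny dport=22",
  "2019-05-01T10:01:10Z fw src=203.0.113.9 action=deny dport=3389",
  "2019-05-01T10:02:30Z hids src=203.0.113.9 rule=ssh-bruteforce",
  "2019-05-01T10:03:00Z app src=203.0.113.9 event=login-failed user=admin",
  "2019-05-01T10:00:20Z fw src=198.51.100.4 action=deny dport=445",
  "2019-05-01T11:30:00Z app src=198.51.100.4 event=login-failed user=bob",
  "this line is not in the expected format",
];
const WINDOW_MS = 5 * 60 * 1000;        // correlation window
const LAYERS = ["fw", "hids", "app"];   // all three must appear

// Parse one line into a normalized event; returns null for lines it cannot read.
function parseEvent(line) {
  const m = line.match(/^(\S+) (fw|hids|app) src=(\S+) (.*)$/);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, layer: m[2], src: m[3], detail: m[4] };
}

// Group parsed events by source address, each group sorted by time.
function groupBySource(lines) {
  const groups = new Map();
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev) continue;                   // unparseable lines are skipped, not fatal
    if (!groups.has(ev.src)) groups.set(ev.src, []);
    groups.get(ev.src).push(ev);
  }
  for (const evs of groups.values()) evs.sort((a, b) => a.ts - b.ts);
  return groups;
}

// Slide a window over each source's events and raise one alert per source
// whose activity touches every layer within WINDOW_MS of some first event.
function correlate(lines) {
  const alerts = [];
  for (const [src, evs] of groupBySource(lines)) {
    for (let i = 0; i < evs.length; i++) {
      const seen = new Set();
      for (let j = i; j < evs.length && evs[j].ts - evs[i].ts <= WINDOW_MS; j++) {
        seen.add(evs[j].layer);
      }
      if (LAYERS.every((l) => seen.has(l))) {
        alerts.push({ src, firstSeen: new Date(evs[i].ts).toISOString(), layers: [...seen] });
        break;
      }
    }
  }
  return alerts;
}

console.log(JSON.stringify(correlate(SAMPLE_LOGS)));
```

Only 203.0.113.9 is raised: 198.51.100.4 is seen at two layers but its events are more than an hour apart, which is the kind of distinction a per-layer tool alone cannot make.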

The Network Layer

The network layer of the security architecture model refers to the internal Local Area Network (LAN) and Wide Area Network (WAN). The internal system may include only desktops and servers, or it may be more complicated, with point-to-point frame relay connections to remote offices. Most networks today are relatively open behind the perimeter; once inside, you can travel across the network unimpeded. This is especially true for most small- to medium-size organizations, which makes them tempting targets for hackers and other malicious individuals.
The following technologies provide security at the network level:

  • Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) — IPS and IDS technologies analyze traffic moving across the network in much greater detail than the firewall. Most of today’s new-generation firewalls have IPS/IDS functionality built in. Similar to anti-malware systems, IPS and IDS analyze traffic and compare each packet to a database of known attack profiles. When attacks are detected, these technologies take action: IDS tools alert your IT staff that an offense has occurred, while IPS tools go a step further and automatically block the harmful traffic. IDSs and IPSs have many characteristics in common; in fact, most IPSs have an IDS at their core. The critical difference between the technologies is implied by their names: IDS products only detect malicious traffic, while IPS products prevent such traffic from entering the network. Note that in most large organizations IDS/IPS have largely been superseded by SIEM or are used in conjunction with it. In many small organizations SIEM may not be practical for a variety of reasons, and IPS/IDS are used instead.
  • Network vulnerability assessment (VA) — VA tools, commonly called penetration or pen-test tools, scan devices on a network for flaws and vulnerabilities that could be exploited by hackers or malicious traffic. VA systems typically maintain a database of rules that identify known vulnerabilities for a range of network devices and applications. During a network scan, the VA tool tests each device/application by applying the appropriate rules. The process outputs a list of discovered vulnerabilities, which can then be assigned to the IT staff for remediation.
  • Access control/authentication — access control entails authenticating users who access your network. Authentication is typically performed against the user information held in RADIUS, LDAP, or Windows Active Directory (AD). Both users and devices should be controlled by access control measures at the network level. A considerable amount of overlap and interaction commonly exists among the access control/authentication schemes that function across these levels, and authentication can be passed from one level to the next; such communication is usually transparent to the user. While we discuss these concepts briefly in upcoming sections, keep in mind that access control and authentication are sophisticated processes that should be carefully managed to provide maximum security throughout the network.
  • Data Loss Prevention (DLP) — a device installed in-line within the network or configured to monitor a span of internal traffic. It is designed to prevent potential data breaches and data exfiltration by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). Products from Intel (McAfee) and Symantec (Vontu) are commonly deployed, and some of the higher-end firewall products also incorporate DLP technology.
  • Network Access Control (NAC) or Protocol (NAP) — a device installed in the network, or an operating-system protocol, that governs network access; it is commonly used with mobile devices and laptops seeking internal network access. NAC allows or denies access to a computer network: a computer is not permitted to access anything unless it complies with security policy, including anti-virus protection level, system update level, and configuration. While the computer is being checked by a pre-installed software agent, it can only access resources that can remediate (resolve or update) any issues. Once the policy is met, the computer is able to access network resources and the Internet within the policies defined in the NAC system. NAC is mainly used for endpoint health checks, but it is often tied to role-based access. Access to the network is granted according to the profile of the person and the results of a posture/health check. For example, in an enterprise, the HR department could access only HR department files, and only if both the role and the endpoint meet anti-virus minimums. In organizations that have visiting guests or contractors, a guest network partitioned off by the firewall is used for any bring-your-own-device (BYOD) equipment, allowing Internet access only.
  • SIEM — as at the perimeter layer, security information and event management provides real-time analysis of security alerts generated by network hardware and applications.
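The NAC decision described above combines an endpoint posture check with the user's role. The following is an added example (not code from the article or any NAC product) that models that decision for the HR case in the text, sending unmanaged BYOD devices to a guest segment, failing endpoints to a remediation-only segment, and healthy endpoints to their role's resources; the policy thresholds, role table, segment and resource names are assumptions.

```javascript
// Added example, not from the article: NAC-style admission combining a
// posture/health check with role-based access. Policy values, roles and
// resource names below are invented for the example.
const POSTURE_POLICY = {
  maxAvSignatureAgeDays: 3,     // AV definitions no older than this
  maxMissingCriticalPatches: 0, // no missing critical patches allowed
  requireDiskEncryption: true,
};

// Which internal resources each role may reach once the endpoint is healthy.
const ROLE_RESOURCES = {
  hr: ["hr-fileshare", "payroll-app"],
  engineering: ["git", "build-farm"],
};

// Evaluate an endpoint against the posture policy; returns the list of
// failed checks (an empty list means the endpoint is healthy).
function postureFailures(endpoint, policy = POSTURE_POLICY) {
  const failures = [];
  if (endpoint.avSignatureAgeDays > policy.maxAvSignatureAgeDays) failures.push("av-outdated");
  if (endpoint.missingCriticalPatches > policy.maxMissingCriticalPatches) failures.push("unpatched");
  if (policy.requireDiskEncryption && !endpoint.diskEncrypted) failures.push("disk-unencrypted");
  return failures;
}

// Decide which segment and resources a session gets:
//   unmanaged (BYOD/guest)  -> guest segment, Internet only
//   failed posture          -> remediation segment, update servers only
//   healthy + known role    -> corporate segment, the role's resources
function admit(user, endpoint) {
  if (!endpoint.managed) {
    return { vlan: "guest", resources: ["internet"], reason: "byod" };
  }
  const failures = postureFailures(endpoint);
  if (failures.length > 0) {
    return { vlan: "remediation", resources: ["patch-server", "av-update"], reason: failures.join(",") };
  }
  const resources = ROLE_RESOURCES[user.role] || []; // unknown role gets no internal resources
  return { vlan: "corporate", resources: [...resources, "internet"], reason: "healthy" };
}

// Constructed sessions for a quick run.
const hrLaptop = { managed: true, avSignatureAgeDays: 1, missingCriticalPatches: 0, diskEncrypted: true };
const staleLaptop = { managed: true, avSignatureAgeDays: 14, missingCriticalPatches: 2, diskEncrypted: true };
const visitorPhone = { managed: false };
console.log(admit({ role: "hr" }, hrLaptop));
console.log(admit({ role: "hr" }, staleLaptop));
console.log(admit({ role: "guest" }, visitorPhone));
```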

The Host Layer

In the layered security architecture, the host level pertains to the individual devices on the network, such as servers, desktops, switches, routers, and wireless access points. Each device has configurable parameters that, when set inappropriately, can create exploitable security holes. These parameters include registry settings, services (applications) running on the device, and patches to the operating system or essential applications.
The following technologies provide security at the host level:
  • Host-based intrusion detection systems (IDSs) — host-based IDSs perform similarly to network IDSs, the critical difference being that they monitor traffic on a single network device. Host-based IDSs are fine-tuned to the specific operational characteristics of the host device and therefore provide a high degree of protection when properly administered.
  • Host-based vulnerability assessment (VA) — host-based VA tools (penetration or pen-test tools) scan a single network device for security vulnerabilities. Host-based VA tools are fine-tuned to the devices they monitor. They are incredibly accurate and make minimal demands on the host’s resources. Because they are explicitly configured for the host device, they provide an excellent level of coverage when properly administered.
  • Anti-malware — device-specific anti-malware applications provide an additional layer of protection when used in conjunction with network-based tools.
  • Access control/authentication — access control measures at the device level are a best practice that ensures device access is granted to authorized users only. Again, there is likely to be a high level of interaction between network access-control measures and host access-control measures.
  • Data Loss Prevention — as at the network layer, DLP prevents potential data breaches and data exfiltration by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
  • SIEM — as at the perimeter and network layers, security information and event management provides real-time analysis of security alerts generated by network hardware and applications.

The Application Layer

Application-level security is currently receiving a great deal of attention. Poorly protected applications can provide easy access to confidential data and records. The hard truth is that most programmers don’t code with security in mind. This is a historical problem with many commercial-off-the-shelf (COTS) applications: you may become aware of security shortcomings in the software, yet you may be powerless to correct them. Applications are being placed on the Web for access by customers, partners, or even remote employees with increasing frequency. These applications, such as sales force, customer relationship management, or financial systems, can provide a ready target to individuals with malicious intent. Therefore, it is especially essential to impose a comprehensive security strategy on each network application.
The following technologies provide security at the application level:

  • Application shield — an application shield is frequently referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application. Commonly installed on Web servers, email servers, database servers, and similar machines, an application shield is transparent to the user but highly integrated with the device on the back end. An application shield is finely tuned to the host device’s expected functionality. For example, an application shield on an email server would likely be configured to prohibit an incoming mail message from automatically launching any executable, because that is not a typical or necessary email function.
  • Access control/authentication — similar to network- and device-level authentication, only authorized users are able to access the application. Web access products such as CA SiteMinder and Oracle Access Manager, in addition to provisioning and governance middleware, also come into play.
  • Input validation — input validation measures verify that application input traveling across your network is safe to process. Although this is crucially important for Web-based information, any interaction between people and a user interface can produce input errors or be exploited if the proper security measures are not in place. In general, any communication with your Web server should be considered unsafe. As an example, consider a Web form with a zip code field. The only acceptable input for this field should be five characters, digits only. All other input should be denied and produce an error message when submitted. Input validation should occur at multiple levels: in this example, JavaScript could initially perform browser-based validation on the client side, while CGI validation controls could be put in place on the Web server.
  • SIEM — as at the perimeter, network, and host layers, security information and event management provides real-time analysis of security alerts generated by network hardware and applications.
  • Data Loss Prevention — as at the network and host layers, DLP prevents potential data breaches and data exfiltration by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Additional rules of thumb include:

  • Filter keywords. Common command-related terms, such as “insert,” should be checked for and prohibited.
  • Only accept data that’s expected for a given field. For example, an 80-character first name is not standard input.
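The zip code example and the rules of thumb above describe an allowlist approach: accept only what a field is expected to contain. As an added example (not code from the article), here is the server-side half of that validation in JavaScript, covering the five-digit zip code, a bounded first name, and rejection of any field the form never defined; the field names, limits and sample submissions are assumptions. Client-side script may run the same rules first for usability, but the server repeats them because any input reaching the Web server is treated as unsafe, and because a field that only admits five digits cannot carry a command keyword in the first place.

```javascript
// Added example, not from the article: server-side allowlist validation for
// a Web form. Field names, limits and sample submissions are invented.
const FORM_SCHEMA = {
  first_name: { pattern: /^[A-Za-z][-A-Za-z' ]{0,39}$/, label: "1-40 letters" },
  zip:        { pattern: /^\d{5}$/,                      label: "exactly 5 digits" },
};

// Validate a submitted form object against the schema.
// Returns { ok, errors, values } where values holds only accepted fields,
// so downstream code never sees anything that was not explicitly allowed.
function validateForm(submitted, schema = FORM_SCHEMA) {
  const errors = [];
  const values = {};
  // Reject parameters the form never defined (extra or renamed fields).
  for (const key of Object.keys(submitted)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) errors.push(`${key}: unexpected field`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const raw = submitted[key];
    if (typeof raw !== "string") { errors.push(`${key}: missing`); continue; }
    const value = raw.trim();
    if (!rule.pattern.test(value)) { errors.push(`${key}: expected ${rule.label}`); continue; }
    values[key] = value;
  }
  return { ok: errors.length === 0, errors, values };
}

// Constructed submissions: one acceptable, one with an 80-character name,
// a non-numeric zip code, and an extra field the form never asked for.
const GOOD_SUBMISSION = { first_name: "Ada", zip: "02139" };
const BAD_SUBMISSION = { first_name: "A".repeat(80), zip: "0213x", role: "admin" };
console.log(validateForm(GOOD_SUBMISSION));
console.log(validateForm(BAD_SUBMISSION));
```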

The Data Layer

Data layer security entails a blend of policy and encryption. DLP is essential for enforcing data policy, and encrypting data at rest, as it travels across your network (in motion), and where it is used (in use) is a recommended best practice because, if all other security measures fail, a robust DLP and encryption scheme protects your proprietary data. Data security is highly dependent on organization-wide policies that govern who has access to data, what authorized users can do with it, and who has ultimate responsibility for its integrity and safekeeping. Determining the owner and the custodian of the data lets you identify the appropriate access policies and security measures that should be applied.
The following technologies provide security at the data level:
  • Encryption — data encryption schemes are commonly implemented at the data, application, and operating-system levels. Almost all schemes involve encryption/decryption keys that all parties accessing the data must have. Common encryption strategies include PKI, PGP, and RSA.
  • Access control/authentication — as with network-, host-, and application-layer authentication, only authorized users are given access to the data.
  • Data Loss Prevention — as at the network, host, and application layers, DLP prevents potential data breaches and data exfiltration by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
  • SIEM — as at all the layers above, security information and event management provides real-time analysis of security alerts generated by network hardware and applications.

Protecting the organization’s data is as vital as physically defending our bodies from the elements. Within an organization, the information is central and has layers of protection surrounding it, whether at rest, in motion, or in use, against the outside world. We explored each layer individually, beginning from the exterior walls and moving inward toward the data, defining the types of security measures deployed as best practices along the way. Highlighting only the tip of the iceberg was necessary to gain an appreciation that security architectures are incredibly complex and forever evolving to counter cyber-attacks emanating from outside the organization and from within.