There I was, ankle deep in raw sewage, incredulous that for the second time this summer, my basement was filling up with foul-smelling, murky waste. As I looked hopelessly at my wife while the water level continued to rise, I angrily thought to myself, “What else can I do?” Didn’t I shell out some major money to protect the basement against groundwater by installing drain tiles? Didn’t I reduce the chance of overloading the sewer system by disconnecting my gutters from the city’s drainage system? And that crawlspace: I had just spent several thousand dollars to waterproof the last area (or so I thought) that was susceptible to water. Yet here I was, again, plagued by unwanted water in my house.
After a few hours of clean-up, I realized that I had fallen into the same trap that some businesses do when it comes to protecting their most valuable assets. I did not have a holistic approach to address all the risk. I did not have a defense in depth strategy. Like me, many of the businesses I encounter focus on just one area of protection. In my case, I focused on protecting the perimeter, strengthening the border. Similarly, many organizations focus on firewalls, intrusion detection, two-factor authentication for VPN access, and web application firewalls to enhance their perimeter security. These enhancements significantly reduce the risk of a breach, but just like my water problem, unauthorized agents and malware still often find a way.
So, what should one do to protect their valuable assets?
Regarding my water issues, I took a step back and conducted my own personal risk assessment for my basement. I identified the threats, evaluated the likelihood that each would actually occur, and considered what controls I could put in place to reduce the risk. I quickly came to the realization that I could never completely eliminate the threat of water infiltration, but I could still do a better job of protecting the perimeter, responding to a water incident, and limiting the damage. I assumed that, at some point, I would be “breached” again.
The actions I took were as follows:
- The areas where water could do damage were isolated by waterproofing the basement materials around the ingress points and the area where water could spread. This is akin to segmenting your network to contain the damage a “breached” segment could do to the rest of the network.
- A portable ejector pump was purchased to allow the removal of water from the breach point in case of infiltration. I consider this part of my incident response, built on the assumption that I will get unwanted water again. In security, it is just as important to make the same assumption and confirm that an incident response plan is in place so that damage is contained and remediated as quickly as possible.
- The perimeter was enhanced by having a backflow check valve installed to prevent the backup of water. In security, advanced malware detection and prevention systems can prevent the flow of sensitive data out of the corporate boundaries.
Other defense in depth controls that should be considered in security include data-at-rest encryption and privileged account management. Again, assume you will be breached, and protect and contain at the next layer. By taking a strategic look at protecting your assets and conducting an appropriate risk assessment, you can not only proactively enhance your security but also better prepare for and react to the inevitable breach. And maybe you can avoid continually standing ankle deep in raw sewage.