The Multi-Layered Onion of Computer Security

As most are probably aware, corporate and home networks are typically connected to the Internet 24 x 7, exposing them to the vast array of malevolent software circulating on the Internet.

Because of this, companies design and continuously improve upon network/IT Security architectures which utilize a layered approach to provide security for their networks and computing environments.

To paraphrase (OK… plagiarize) the immortal dialogue between Shrek and Donkey:

Shrek: For your information, there’s a lot more to IT SECURITY than people think.

Donkey: Example?

Shrek: Example? Okay, er… IT SECURITY… is… like an onion.

Donkey: It stinks?

Shrek: Yes… NO!

Donkey: Or it makes you cry.

Shrek: NO! LAYERS! Onions have layers. IT Security has layers. Onions have layers… you get it? Both have layers!

Donkey: Oh, both have layers… You know, not everybody likes onions… CAKES! Everybody loves cakes! Cakes have layers!

So, take your pick. Whether you choose the onion or cake analogy, a well-designed IT Security architecture consists of multiple layers to frustrate and prevent would-be hackers from getting into the network to wreak their havoc and compromise confidential data.

To mitigate potential risks to the health of corporate networks and IT environments, most companies use several security layers to help protect against known and unknown viruses and denial-of-service attacks.

Some of these layers include:

• Firewalls to limit access to/from the Internet

• Intrusion Detection/Prevention systems to guard against potential attacks on the network and distribute alerts about them

• Vulnerability scanning of critical servers for known vulnerabilities

• File attachment blocking – specific attachment types are blocked from being delivered to end users – based on best practices as determined by anti-virus vendors.

• Bi-directional scanning of Email for known viruses

• Scanning of workstations and file servers for known viruses – both real-time as files are being opened or saved, and on a periodic basis by doing a full disk scan

• Scanning of web sites for potential malware, with access denied if any is detected

• Periodic penetration testing to ensure perimeter measures are effective

• Black hole DNS – known “bad” websites cannot be accessed

There is always a window of opportunity between the time a misguided techie releases their creation into the wild and the time the anti-virus vendors identify it and release new pattern files to their subscribers. That is why a majority of companies block specific types of files from being automatically delivered to recipients.
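The attachment-blocking layer described above can be sketched as a mail-gateway check that decides on file type alone, so it still holds a file that no pattern file recognises yet. This is an added example, not code from the original article; the blocklist, function names and sample messages are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for illustration; real lists follow anti-virus vendor guidance.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".com", ".pif"}


def final_extension(filename: str) -> str:
    """Return the last extension, normalised so that case and trailing
    dots or spaces do not change the result."""
    cleaned = filename.strip().rstrip(". ").lower()
    return os.path.splitext(cleaned)[1]


def blocked_attachments(raw: bytes) -> list:
    """List the attachment names in a raw message whose type is blocked.
    No signature lookup is involved: the decision is based on type only."""
    msg = message_from_bytes(raw, policy=policy.default)
    held = []
    for part in msg.walk():  # walk() also reaches nested multipart sections
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            held.append(name)
    return held


def build_sample(names: list) -> bytes:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in names:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["invoice.pdf.exe", "notes.txt", "update.SCR."])
    held = blocked_attachments(sample)
    print("hold for review:" if held else "deliver", held)
```

A gateway would hold or strip the listed files and let the rest of the message through to the virus-scanning layers.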

Contrary to what some folks believe, most IT departments do not try to prevent users from getting their jobs done! They do, however, try to take appropriate steps to minimize the risk to their entire network and, therefore, all the users, by utilizing the different layers of the security onion.

After all is said and done, end users provide the final layer of protection. Each user is the “heart of the onion.” Regardless of the steps taken to protect the corporate IT infrastructure, IT departments ultimately rely on an informed and educated user population to be aware of the dangers presented by unsolicited Email, file attachments, embedded links, and web sites they access.

Without an informed/educated end-user population, companies’ and individual users’ confidential/personal information is at risk.

Does your company have a security awareness campaign to inform and educate the heart of your security onion? It should!