Cybersecurity Philosophy

There are many different approaches and frameworks when it comes to cybersecurity philosophy. At 3kill, our approach is based on First Principles. Keep it simple. Only allow the necessary access and nothing more. Monitor everything. Encrypt sensitive data. Continuously educate all employees. Minimize your attack surface and reduce your blast radius. Use layered defense with Zero Trust. Patch and update your applications and infrastructure on a weekly basis.

Cybersecurity Is As Hard As You Make It


Most companies simply have too many different computer systems, applications, APIs, libraries, and computer languages in use. They don't have nearly enough knowledgeable cybersecurity employees or a strong enough focus on cybersecurity. Complexity is the enemy. You can see this yourself by using our Website Security Headers - Firms. Even well-known cybersecurity companies aren't implementing obvious cybersecurity measures. Most companies have applications & systems that age out faster than they can keep them up to date. Usually the budget priority and focus goes into developing new applications and features over updating existing applications. The older an application gets, the harder it is to patch and keep the software stack up to date. Weaknesses & vulnerabilities grow by the day. Most companies also have an enormous attack surface.


Why are hackers successful?


Hackers break into computer systems by finding an opening or weakness. Think of your house. A burglar could break down the door, pick the lock or just break the window and enter your house. You could take many different countermeasures to prevent this. You could get a security alarm and put up a sign saying "House Protected By Alarm", or you could get security doors and windows. You could install automated sensor lights and security cameras. You could build a panic room and buy a gun. You could buy a safe. You could build a castle with a moat.

In order for a hacker to pull off a systems breach, they have to either 1) open a locked door, 2) break down a door, 3) walk through an open door, or 4) find a way in that isn't a door, like a window or a tunnel underneath.

In cybersecurity, hackers can steal passwords and open a locked door. They can crack passwords, which is the equivalent of breaking down the door. They can use default credentials and walk right in. Alternatively, they could find a way in that isn't a door, like a software bug that allows access it shouldn't. Time to close and lock all the doors. Time to build a castle.


Castle & Moat Cyber Security


Traditionally, most companies used a "castle & moat" model of cybersecurity with the goal being to prevent hackers from entering the castle. This is a layered defense strategy. One of the criticisms you'll see mentioned of this approach is that traditionally, once you were allowed in the castle, you could generally do as you pleased. This isn't really a problem with the approach in general; it is a problem of not having further safeguards in place. You've left doors open that shouldn't have been open and you took no further security measures. The layered defense approach is fine, it just needs to go further. This is where Zero Trust comes into play.


Zero Trust Security


Zero Trust Security adds to the "castle & moat" approach by putting guards at every door & every hallway entrance in the castle. These guards constantly check the IDs of everyone walking around. No one is trusted, just as the name says. Zero Trust as defined by NIST's Zero Trust Maturity Model is designed to "prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible."

Zero Trust is the right approach; however, there is a wide variety of companies providing "zero trust" security and many different implementations of it. Some are focused only on users, while others focus on users, applications and devices. As it stands today, not all devices & applications have to present credentials every time they access data. Not all devices even have the capability of supporting Zero Trust in the first place. Furthermore, many Zero Trust applications will authorize user access and keep it valid for 24 hours, a week or a month without re-verifying credentials. If you're trusting something for 30 days, that isn't Zero Trust. This is still leaving doors open that you shouldn't. You need real Zero Trust. A few established models include Forrester's Zero Trust framework, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 and the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM).
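The following is an added illustration of the point above about stale trust, not code from 3kill or from any of the Zero Trust products mentioned. It models a per-request policy decision point that refuses to honor an identity verification older than a fixed window, requires a device posture result, and applies a default-deny allow list. The 15-minute window, the policy table, the users and resources, and the fixed clock are all constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption for this example: identity must be re-verified at least every 15 minutes.
# A 24-hour, 7-day or 30-day window would fail the "real Zero Trust" test in the text.
MAX_VERIFICATION_AGE = timedelta(minutes=15)

# Fixed clock so the example is deterministic (constructed, not a real timestamp).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed least-privilege policy: (user, resource) -> allowed actions. Anything
# not listed here is denied by default.
POLICY = {
    ("alice", "payroll-db"): {"read"},
    ("bob", "payroll-db"): {"read", "write"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    resource: str
    action: str
    last_verified_at: datetime  # when the user's credentials/MFA were last checked
    device_compliant: bool      # result of the device posture check for this request
    now: datetime               # evaluation time


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request. Every call re-checks identity freshness, device and policy,
    so there is no long-lived 'already trusted' state to ride on."""
    # 1. Identity freshness: the guard checks the ID again, it does not rely on a
    #    verification from days ago.
    age = req.now - req.last_verified_at
    if age < timedelta(0):
        return False, "identity verification timestamp is in the future"
    if age > MAX_VERIFICATION_AGE:
        return False, f"identity verification stale ({age} old)"
    # 2. Device posture: the device, not just the user, has to present a valid state.
    if not req.device_compliant:
        return False, f"device {req.device_id} failed posture check"
    # 3. Least privilege: explicit allow list, default deny.
    allowed = POLICY.get((req.user, req.resource), set())
    if req.action not in allowed:
        return False, "no policy grants this action"
    return True, "allowed"


def make_request(user: str, device_id: str, resource: str, action: str,
                 verified_minutes_ago: int, device_compliant: bool) -> AccessRequest:
    """Helper to build a request against the fixed clock."""
    return AccessRequest(user, device_id, resource, action,
                         NOW - timedelta(minutes=verified_minutes_ago),
                         device_compliant, NOW)


def audit_line(req: AccessRequest) -> str:
    """One log line per decision, so that 'monitor everything' covers access decisions."""
    ok, reason = evaluate(req)
    verdict = "ALLOW" if ok else "DENY"
    return (f"{req.now.isoformat()} {verdict} user={req.user} device={req.device_id} "
            f"resource={req.resource} action={req.action} reason={reason!r}")


if __name__ == "__main__":
    samples = [
        make_request("alice", "laptop-1", "payroll-db", "read", 5, True),
        make_request("alice", "laptop-1", "payroll-db", "read", 30 * 24 * 60, True),
        make_request("bob", "laptop-2", "payroll-db", "write", 1, False),
        make_request("alice", "laptop-1", "payroll-db", "write", 1, True),
    ]
    for s in samples:
        print(audit_line(s))
```

The second sample is the 30-day case from the text: the user and device are otherwise fine, but the decision is a denial because the verification is stale. Real deployments would get `last_verified_at` and `device_compliant` from the identity provider and device management system rather than from a helper.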


Think Cybersecurity


In order to maintain strong cybersecurity defenses, you must eat, breathe and think cybersecurity. It must be a priority. Policies must be put in place. Extremely knowledgeable engineers must be hired or trained. Systems and applications must be patched to the latest levels. For more information on securing a typical web application, follow our tips in Full Stack Defense.