Secure By Design

WHAT DOES IT REALLY MEAN?


More than a buzzword:

Secure by design means a complete overhaul of conventional security.

With collaboration and business as a whole now primarily taking place online, cybersecurity is paramount to businesses. But too many businesses rely on vulnerable “secured” systems that require extensive upkeep and compatibility checks rather than opting for secure-by-design options. So what’s the difference? Is the distinction insignificant, or is one truly more secure than the other?

The reality is that while a secure system can in theory be protected from malicious actors, vendors often fail to ensure that every part of their communications systems is secure, leaving critical vulnerabilities.


How Do Systems Fail?

One of the most common points of entry for a hacker is a username and password. These can be obtained in two main ways: through phishing, and through the use of default passwords that were never changed.

The US CISA notes that “poor security configurations, weak controls and other poor cyber hygiene practices” allow cyberhackers to exploit systems.

These rely on the human element, often someone taking shortcuts in setup or perhaps being a little naïve when it comes to answering emails. As any administrator knows, human error is highly prevalent, no matter how often they warn users and conduct training sessions on basic security.

And a user with incorrectly applied privileges and permissions, especially a C-level executive who doesn’t really need them or know how to use them, can be especially problematic. If such an account is compromised, the damage is especially severe. Imagine a hacker taking control of your email or communications systems and posing as you.

DDoS attacks are almost as bad: they prevent users from accessing systems by flooding points of failure with data. According to Kaspersky, there were 91,052 DDoS (distributed denial of service) attacks in Q1 2022 alone; 44% were aimed at targets in the US, 5% at targets in Germany and 4% at targets in the UK.

A common point of attack focuses on older versions of software and firmware. Many devices need to be manually updated, which means they’re rarely running on the latest software. As a result, there may be publicly available vulnerabilities that create an opportunity for a hacker to seize control.

Remote services, such as VPNs, are also often vulnerable to attack, especially at the endpoints. A compromised endpoint means malicious actors have access to the entire system, resulting in massive security vulnerabilities. Most available systems lack the security needed to prevent cyberattacks on their own, which means you need to layer in other forms of cybersecurity. All this layering can create further incompatibilities, especially when you suddenly have to move everyone to remote working. VPNs can also require partners to have direct access to the LAN for configuration purposes.

Worse, when you set up VPNs, you need to do it on a per-user basis. What happens when you have 200 people to migrate to a new VPN? All of these issues can potentially be mitigated through sufficient time, money and effort. But there’s a faster, easier and all-round better way.


ELIMINATING POINTS OF FAILURE THROUGH A SECURE BY DESIGN APPROACH

The UK government advocates for strong security to be built into internet-connected products from the start. These products should be “secure by design”. Secure by design fundamentally means ensuring that security is considered from the start of the design process. You limit the points of failure, whether it’s by reducing human input (and therefore human mistakes) or ensuring the design is efficient and doesn’t require extra pieces of security hardware to remain secure. And you make it easy to use and install.



Authentication

At the start of any secure-by-design product lie 2FA and SSO.

SSO: Single sign-on. This is built on a trust relationship between a service provider and an identity provider (e.g., Google or Facebook). The identity provider authenticates the person, who can then sign in to the service without a separate password for it.

2FA: Two-factor authentication. This uses two factors, often a username/password combo plus another factor, such as a code delivered to a pre-registered device. Typically, SSO identity providers will use 2FA to authenticate users before they use SSO (e.g., how Google sends a message to your Android phone before you can use Google on a new device or browser).

These help prevent unauthorized use. In addition, they remove the need for people to maintain large collections of passwords, so they only have to remember a couple of essential ones. Overall, 2FA and SSO reduce the first point of failure: passwords.
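The second factor described above, “a code delivered to a pre-registered device”, is usually a time-based one-time password. The following is an added example, not code from the original page or from any vendor it describes: an RFC 6238 TOTP generator and verifier using only the Go standard library. It uses the RFC 6238 test secret so the output can be checked against the published vectors; the one-step clock-skew window and the constant-time comparison are this example’s own design choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
)

// hotp computes an RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the
// big-endian counter, dynamically truncated to `digits` decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// totp derives the RFC 6238 time-based code for a Unix timestamp using the
// usual 30-second step, so the counter is the number of steps since the epoch.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/30), digits)
}

// verifyTOTP checks a submitted 6-digit code against the current step and one
// step either side to tolerate clock skew. The comparison is constant-time so
// the check does not leak how many leading digits matched.
func verifyTOTP(secret []byte, unixTime int64, submitted string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		expected := totp(secret, unixTime+skew, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (the ASCII bytes of "12345678901234567890"). A real
	// deployment generates a random per-user secret at enrolment and stores it
	// server side; the user's device holds the same secret.
	secret := []byte("12345678901234567890")
	fmt.Println("8-digit code at T=59:", totp(secret, 59, 8)) // RFC 6238 vector: 94287082
	fmt.Println("accept 287082:", verifyTOTP(secret, 59, "287082"))
	fmt.Println("accept 000000:", verifyTOTP(secret, 59, "000000"))
}
```

A server that verifies codes this way should also record the last step it accepted for each user and refuse to accept the same step twice, so an intercepted code cannot be replayed inside the skew window.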


Encryption

Only 17% of companies have encrypted more than half the data they store in the cloud, despite 40% reporting a breach in the 12 months to October 2021. But there’s little point in being secure at the beginning if you’re not secure the whole way through. That’s where encryption comes in. A typical set of security protocols might include the following:

  • TLS - Transport Layer Security encrypts data as it moves between applications and servers.

  • SHA512 - Secure Hash Algorithm 512 turns data into a fixed-length digest, a one-way fingerprint used to verify that data (including digital records) has not been altered.

  • AES128 - Advanced Encryption Standard with a 128-bit key protects data at rest, ensuring security throughout the system.

Taken together, these cryptographic methods render exchanged data unusable to hackers: if messages are intercepted, they will be in an unintelligible state. Keeping each of these procedures current makes intercepted messages that much harder for unauthorized parties to decipher and use.
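Two of the three building blocks listed above, shown as an added example that is not part of the original page or any vendor’s product: AES-128 in GCM mode for a record at rest, and SHA-512 as an integrity digest. The example uses only the Go standard library; the key, the record and the function names are constructed for illustration. It also shows the caveat a practitioner cares about: a hash verifies but does not hide, and an authenticated cipher refuses to decrypt a blob that has been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sha512Hex returns the SHA-512 digest of data as lowercase hex. A digest is a
// one-way fingerprint: it lets a reader confirm a stored record is unchanged,
// but it neither hides the record nor can be reversed, so it complements
// encryption rather than replacing it.
func sha512Hex(data []byte) string {
	sum := sha512.Sum512(data)
	return hex.EncodeToString(sum[:])
}

// encryptAtRest seals plaintext with AES-128-GCM under a 16-byte key. A fresh
// random 12-byte nonce is prepended to the output so it can be stored with the
// ciphertext; GCM's authentication tag means any change to the stored blob is
// detected when it is opened.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest splits the stored blob back into nonce and ciphertext and
// opens it; a wrong key or a modified blob yields an error, never garbage.
func decryptAtRest(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// roundTrip shows the at-rest guarantees on one record: it decrypts back to
// the original with the right key, and decryption fails once a single bit of
// the stored blob is flipped.
func roundTrip(key, record []byte) (recovered []byte, tamperDetected bool, err error) {
	blob, err := encryptAtRest(key, record)
	if err != nil {
		return nil, false, err
	}
	recovered, err = decryptAtRest(key, blob)
	if err != nil {
		return nil, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tErr := decryptAtRest(key, tampered)
	return recovered, tErr != nil, nil
}

func main() {
	// Constructed values: a real system pulls the key from a KMS or HSM rather
	// than embedding it in source.
	key := []byte("0123456789abcdef")
	record := []byte("constructed call record: ext 101 -> ext 204, 00:03:12")
	fmt.Println("sha512 prefix:", sha512Hex(record)[:16])
	recovered, tampered, err := roundTrip(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(recovered))
	fmt.Println("tampering detected:", tampered)
}
```

The nonce is never reused with the same key because it is drawn fresh from the system random source for every record; with GCM a repeated key/nonce pair would break both confidentiality and integrity, so key rotation after a large number of records is the usual operational rule.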


System Monitoring

Even the most secure system requires some form of monitoring, and good secure-by-design principles accept there’s always a risk of intrusion. This means things like:

● Automatic alerts across all devices managed by the PBX

● Alerts for attacks originating from within the system

● Integrations with common monitoring software, such as Zabbix

● Behavioral-based alerts where possible

When you’re a local MSP, you must ensure your data is protected and that the systems you install are appropriately monitored. Secure-by-design systems either integrate monitoring or make it simple to add monitoring tools without fuss. In this particular respect, secure-by-design systems need not differ much from secured systems, although many secured systems do not include monitoring capabilities or automations out of the box.
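The alert types listed above (automatic alerts, alerts for attacks originating from within the system, behavioral-based alerts) can be illustrated with a small detector run over authentication log lines. The following is an added example, not code from the original page or from any monitoring product it names. The log format, the sample lines, the threshold and the window are all constructed for this example; a real PBX or Zabbix integration would parse its own format and raise its own notifications. The detector flags any source that fails login at least `threshold` times within one window, marks RFC 1918 sources as internal, and counts distinct usernames tried as a behavioral signal.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// authEvent is one parsed line of the constructed authentication log.
type authEvent struct {
	at     time.Time
	src    net.IP
	user   string
	result string // "ok" or "fail"
}

// parseLine parses the constructed format
// "<RFC3339 time> auth src=<ip> user=<name> result=<ok|fail>".
func parseLine(line string) (authEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 || fields[1] != "auth" {
		return authEvent{}, fmt.Errorf("unrecognised line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return authEvent{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[2:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return authEvent{}, fmt.Errorf("bad field %q in %q", f, line)
		}
		kv[k] = v
	}
	ip := net.ParseIP(kv["src"])
	if ip == nil {
		return authEvent{}, fmt.Errorf("bad src %q in %q", kv["src"], line)
	}
	return authEvent{at: at, src: ip, user: kv["user"], result: kv["result"]}, nil
}

// alert is raised for a source with at least `threshold` failures in one window.
type alert struct {
	src      string
	failures int  // most failures seen inside a single window
	users    int  // distinct usernames tried: many suggests enumeration
	internal bool // RFC 1918 source, i.e. the attempts originate inside
}

// detectBruteForce groups failures by source, slides a window over each
// source's sorted timestamps and reports the sources that cross the threshold.
func detectBruteForce(lines []string, threshold int, window time.Duration) ([]alert, error) {
	failTimes := map[string][]time.Time{}
	users := map[string]map[string]bool{}
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		if ev.result != "fail" {
			continue
		}
		src := ev.src.String()
		failTimes[src] = append(failTimes[src], ev.at)
		if users[src] == nil {
			users[src] = map[string]bool{}
		}
		users[src][ev.user] = true
	}
	var alerts []alert
	for src, times := range failTimes {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		best := 0
		for i := range times {
			j := i
			for j < len(times) && times[j].Sub(times[i]) <= window {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= threshold {
			alerts = append(alerts, alert{src: src, failures: best,
				users: len(users[src]), internal: net.ParseIP(src).IsPrivate()})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].src < alerts[j].src })
	return alerts, nil
}

// sampleLog is constructed for this example; it is not output from any real PBX.
var sampleLog = []string{
	"2024-01-10T09:00:00Z auth src=203.0.113.7 user=admin result=fail",
	"2024-01-10T09:00:05Z auth src=203.0.113.7 user=admin result=fail",
	"2024-01-10T09:00:09Z auth src=203.0.113.7 user=admin result=fail",
	"2024-01-10T09:00:14Z auth src=203.0.113.7 user=admin result=fail",
	"2024-01-10T09:01:00Z auth src=192.168.1.44 user=ext101 result=fail",
	"2024-01-10T09:01:02Z auth src=192.168.1.44 user=ext102 result=fail",
	"2024-01-10T09:01:04Z auth src=192.168.1.44 user=ext103 result=fail",
	"2024-01-10T09:01:06Z auth src=192.168.1.44 user=ext104 result=fail",
	"2024-01-10T09:05:00Z auth src=198.51.100.2 user=ext200 result=fail",
	"2024-01-10T09:05:30Z auth src=198.51.100.2 user=ext200 result=ok",
}

func main() {
	alerts, err := detectBruteForce(sampleLog, 4, time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT src=%s failures=%d users=%d internal=%v\n", a.src, a.failures, a.users, a.internal)
	}
}
```

On the constructed log this raises two alerts and ignores the single failure followed by a success from 198.51.100.2. The internal source trying four different extensions is the kind of event the “attacks originating from within the system” bullet refers to, and it is the one a perimeter-only monitor would miss.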