Is Seven the Magic Number for IT Security?

The number seven crops up in many contexts: the Seven Wonders of the World, the seven dwarfs, and now the seven levels of cyber security. Let’s start with the different levels of threats posed by hackers. In order of increasing severity, we have: script kiddies (hacking for fun); the hacking group (often the first level of threat for SMBs); hacktivists (politically/socially motivated); black hat professionals (expert coders); organised cyber-criminals; nation states (NSA-style); and finally, the automated malicious attack tools that can infect huge numbers of organisations. With these seven levels of threats, what are the solutions?

Considering IT security as a state of mind as well as a technology is the approach of the Pacific Northwest National Laboratory in the US. It has a seven-level security model to protect its advanced research. The first level is to group systems together by equivalent levels of security requirements (in ‘enclaves’). Next come border firewalls, followed by strong password security – with clear user rules for regularly changing them, too. Level four is configuration and patch management to ensure software is constantly updated and protected. After the level 2border firewalls, level 5 corresponds to host-based firewalls. Level 6 is data encryption and level 7 is user awareness and training.

Compare this with another approach that containerises data and packs security into the container. The first level here is built-in anti-virus scanning of the computer in which the container arrives. The next is virtualization of the computer resources to keep enterprise data distinct from personal data. Strong encryption and copy/tamper protection are the next two levels, then two-factor authentication, and IT department customisability of the security policies (including all of the afore-mentioned). Level 7 is the remote wipe capability to erase the data remotely, for example if the device is lost or stolen. Clearly, this ‘don’t trust the user’ approach is very different to the ‘user education’ concept. Which approach do you favour? And (just as importantly) have you put all seven levels in place?

Tags: , , , , , ,

Comments are closed.