Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Network security is a deeply unequal fight. I mean, think
about it. An attacker, the offense only needs to find
one tiny, perfect crack in the system to succeed, just one.
But the defender, the defense has to be perfect everywhere,
all the time. If you have, I don't know, ten
thousand potential access points, you need ten thousand perfect defenses.
Speaker 2 (00:22):
That's an impossible standard, it really is. It is, and
that imbalance is exactly why relying on a single firewall
or a single line of defense is just a recipe
for disaster. So if you want to stack the deck
in your favor, you have to move past specific security
tools and start thinking about the overarching principles, the policy,
the architecture.
Speaker 1 (00:41):
And that's our mission for this deep dive. We're getting
into the core strategies that secure any environment, no matter
what brand of equipment you're using.
Speaker 2 (00:47):
Exactly. And the very first principle, the one that
governs a truly resilient defense, is this idea that nothing
should ever rely on just one single security control.
Speaker 1 (00:57):
We're talking about layering them up using multiple overlapping controls.
Speaker 2 (01:01):
We are. It's a concept known pretty universally as defense
in depth.
Speaker 1 (01:06):
Defense in depth.
Speaker 2 (01:08):
It's the foundational strategy. The core idea is actually pretty simple.
An attacker has to bypass several distinct security controls in
a specific order to get to your critical data.
Speaker 1 (01:19):
So when they succeed against one layer.
Speaker 2 (01:21):
They immediately run into the next. It's like building a
castle with concentric walls.
Speaker 1 (01:25):
Okay, let's visualize those layers then, starting from the outside.
You don't actually start with technology, do you? You start with people.
Speaker 2 (01:31):
You have to. So at the very top you have
your administrative controls.
Speaker 1 (01:35):
So policies, procedures.
Speaker 2 (01:37):
And crucially, user awareness training because the human element is
almost always the easiest target.
Speaker 1 (01:43):
Okay, so if an administrative policy fails, the attacker then
moves down to the real world, to the physical controls.
Speaker 2 (01:48):
Think locks, fences, motion detectors, CCTV cameras, all
the stuff protecting the server room itself.
Speaker 1 (01:56):
Then the moment they hit the internet connection, they face
the digital realm, starting with the perimeter controls.
Speaker 2 (02:03):
Your main firewalls guarding the network edge. If they manage
to get past that, they land inside the network. But
they're not done, not even close. Now they're facing the
internal network defenses. And then finally they have to get
past the host and application defenses, so protecting the actual
endpoint or the software itself.
Speaker 1 (02:23):
All of that before they can even touch the database.
Speaker 2 (02:25):
The whole goal is just to mitigate the damage. You
have to assume any single attack will eventually succeed.
Speaker 1 (02:30):
You know, this is where we need a key insight.
You mentioned concentric walls, but we have to make sure
those walls are actually real.
Speaker 2 (02:36):
Yes.
Speaker 1 (02:36):
The security expert Bruce Schneier has written a ton about
the danger of security theater, right? Controls that look secure
but are actually, you know, really easy to bypass.
Speaker 2 (02:47):
And that is the nuance that separates a functional security
team from a tick box compliance team. You can say
you have five layers, but if they all rely on
the same outdated password, you really only have one layer.
Speaker 1 (03:00):
Let's unpack this a bit more. If defense in depth
is about layering your defenses from the outside in, then
zero trust networking is about enforcing, what, absolute perpetual suspicion
once the attacker is already inside.
Speaker 2 (03:12):
It's a massive psychological shift. The old model is that castle.
You know, yeah, once you got past the moat, you
were trusted.
Speaker 1 (03:18):
Right, You're in.
Speaker 2 (03:19):
Zero trust assumes the attacker's already inside. You do not
trust any user, any device, or any internal connection by default.
The catchphrase here is never trust, always verify.
Speaker 1 (03:31):
That sounds incredibly stringent. I mean, how do you actually
enforce that kind of skepticism across thousands of devices and users.
Speaker 2 (03:38):
It relies heavily on strict identity and access management principles,
specifically what we call triple A: authentication, authorization, and accounting
or auditing.
Speaker 1 (03:48):
Okay, break that down.
Speaker 2 (03:49):
Sure. Authentication proves who you are, authorization determines exactly what
resources you are allowed to touch, and accounting logs every
single action you take. Every move has to be checked.
Speaker 1 (03:59):
So you're not just focused on protecting the main gate anymore.
You're focusing security around the most valuable thing.
Speaker 2 (04:04):
Exactly. You identify what's called the protect surface, the data, the assets,
the applications that matter most, and you draw a really
strict perimeter around that.
Speaker 1 (04:12):
And the key mechanism to enforce that is network segmentation.
Speaker 2 (04:16):
That's it.
Speaker 1 (04:16):
Can you explain network segmentation for someone who isn't a
deep network engineer.
Speaker 2 (04:22):
Certainly. Think of your network like a big open plan
office. Segmentation is like building small, locked internal rooms for
different departments. Okay? We use technologies like VLANs or subnets
to do it. So someone in sales opens the malware attachment,
the infection is trapped in the sales room. It can't
just jump across the hall to finance where the critical
data is.
Speaker 1 (04:44):
So isolation is key.
Speaker 2 (04:45):
Isolation is everything.
Speaker 1 (04:47):
But I have to ask, if you have to check
and verify every single interaction, doesn't that create, like, crippling
performance issues? Doesn't it slow down legitimate work? That must
cost a fortune.
Speaker 2 (04:59):
And that is the constant tension in security, right? Usability versus protection.
Implementing zero trust does require a substantial investment in
tech and architecture, but the cost of not doing it,
a potential data breach, far outweighs the operational overhead.
It shifts your risk from catastrophic failure to manageable isolation.
Speaker 1 (05:18):
Okay, so we've got the architecture down. Now we need
to pivot to what we're ultimately protecting, the data itself,
across its entire life cycle. We're talking about integrity and availability.
Speaker 2 (05:29):
And backup policies are absolutely critical here. We often think of
backups as just protection against a system failure.
Speaker 1 (05:36):
For availability, sure, get the server back online.
Speaker 2 (05:38):
But they are just as important for integrity, making sure
that if data is maliciously manipulated or say encrypted by ransomware,
we can restore a guaranteed clean version.
Speaker 1 (05:49):
And when you're making that policy, you have to consider
the data life cycle. How long does this information actually
need to live? That's not always a technical question, is
it?
Speaker 2 (05:57):
Not at all. It's often legal or regulatory. For instance, in finance, regulations
often require investment firms to keep everything, emails, instant messages,
for seven years or more.
Speaker 1 (06:07):
That whole process is sometimes called archiving, right?
Speaker 2 (06:10):
Exactly. Your policies have to align perfectly with those compliance rules.
Speaker 1 (06:13):
And when you're choosing the storage media for those archives,
you have to pick something that's actually going to last.
You can't use something that might be obsolete in a decade.
Speaker 2 (06:23):
That's a great point. You need reliable, accessible media for
the entire retention period, and best practices demand redundancy. You
have to store data on multiple devices, and you have
to account for data growth.
Speaker 1 (06:37):
And you need redundancy in location too, both on site and off
site backups.
Speaker 2 (06:41):
Yes, on site gives you the fastest possible recovery time,
but if a disaster hits your building, a fire, a flood,
that off site backup is the only thing that ensures
your data is still available.
Speaker 1 (06:52):
They're necessary companions, absolutely. So, speaking of protecting data, if
we're backing up confidential information, it needs to be protected
while it's just sitting there on a drive. How do
we secure data at rest?
Speaker 2 (07:05):
We have to use strong symmetric encryption. We apply high
level algorithms like AES to make sure that even if
someone physically steals the storage media, that data is just
useless without the key.
Speaker 1 (07:16):
And then when the data is finally obsolete, when the retention
period is over, simply hitting delete just doesn't cut it,
does it?
Speaker 2 (07:24):
Absolutely not. Proper sanitization of media is vital. Deleting data,
even overwriting it with zeros often leaves forensic traces that
can still be retrieved.
Speaker 1 (07:33):
So for really sensitive data you have to use...
Speaker 2 (07:35):
Proper physical destruction or specialized wiping processes
that make recovery totally impossible.
Speaker 1 (07:41):
All right, let's talk about data that's in constant motion.
We've protected the information that's sitting still. Now we have
to secure our real time communication channels like voice and email.
Speaker 2 (07:51):
Securing voice, specifically voice over IP or VoIP, introduces some really
specialized threat actors. Historically we have the phreaker.
Speaker 1 (07:59):
The phreaker? Like a hacker for phones?
Speaker 2 (08:01):
Pretty much, yeah, the phone system hacker. And today VoIP
traffic itself is vulnerable to sniffing and man in the
middle attacks unless it's encrypted.
Speaker 1 (08:09):
And the social engineering element here is huge with something
called vishing.
Speaker 2 (08:13):
Oh, vishing, or voice phishing, is rampant. We all get those.
Speaker 1 (08:17):
Those fake IRS calls.
Speaker 2 (08:19):
Right often with spoofed phone numbers. They rely entirely on
social engineering, on manipulating users to get confidential information.
Speaker 1 (08:27):
So what are the immediate defensive measures for a voice network?
Speaker 2 (08:30):
First, configuration: reduce the attack surface, disable all the features
you don't need, and immediately change all default passwords. And
second, structure: that network segmentation we talked about is essential
here too. Put your phone system and VoIP devices on
their own isolated network segment, a dedicated VLAN.
Speaker 1 (08:49):
I know that governments are trying to fight back against
this whole number spoofing problem at a structural level.
Speaker 2 (08:54):
They are. In the US, the FCC has an initiative
called Shaken and Stirred.
Speaker 1 (08:59):
Shaken and stir, I like it.
Speaker 2 (09:00):
It's working to use public key infrastructure, so asymmetric cryptography,
to digitally sign and verify the source of caller ID numbers.
Speaker 1 (09:09):
Which should make things a lot more trustworthy over time.
Speaker 2 (09:13):
It should, but until then, user awareness training is your
strongest defense, along with telling your mobile users to use
encrypted apps for sensitive calls.
Speaker 1 (09:22):
Okay, let's pivot to email. Maybe the most common, yet
historically the least secure channel. It's wild to think that
until recently, so much of it was sent completely unencrypted.
Speaker 2 (09:34):
Basically in plaintext, and email contains a company's most vital information. Thankfully,
modern encryption is pretty standard now.
Speaker 1 (09:42):
There are two main methods, right?
Speaker 2 (09:43):
Yep. The first is PGP or Pretty Good Privacy. It's an
asymmetric system invented by the cryptographer Phil Zimmermann. It
actually got him in trouble with US export laws back
when encryption was classified as munitions. And the more mainstream
option, that would be S/MIME, which is used by popular
clients like Outlook and Gmail. But crucially, companies also deploy
automated server side measures like opportunistic TLS.
Speaker 1 (10:08):
What does opportunistic mean for email encryption?
Speaker 2 (10:11):
It just means the email gateway tries to establish a
secure connection using TLS whenever it sends an email. If
the receiving server supports it, great, the email is sent encrypted,
and if it doesn't, then the system falls back to
plaintext. But the system always prioritizes encryption whenever it's possible.
Speaker 1 (10:27):
And we can't forget email is still the number one way malware
and phishing attacks get in.
Speaker 2 (10:31):
Absolutely, so a robust anti spam and anti phishing system
is a must have. A lot of them use sophisticated
methods like Bayesian filtering to intelligently quarantine suspicious messages.
Speaker 1 (10:44):
And you have to pair that tech with training.
Speaker 2 (10:48):
You do. Systems that run phishing simulations, for example, are vital for
training users to spot these attacks before they click. And
on top of that, deploying something called SPF or sender
policy framework helps make sure that incoming messages are actually
from who they say they're from.
Speaker 1 (11:03):
So what does this all mean, then? We've covered this
crucial architectural shift that has to happen in modern defense.
You have to move from trusting your internal network to
a layered architecture, defense in depth, combined with that perpetual
skepticism enforced by zero trust principles.
Speaker 2 (11:18):
That's the framework, and then we applied operational principles to
the data itself, ensuring integrity and availability through policy driven backups,
strong encryption, and proper media sanitization.
Speaker 1 (11:30):
And it has to be applied everywhere.
Speaker 2 (11:32):
Across every channel, from voice to email. It's about policy first,
technology second. The critical question you have to constantly ask
is if this one layer fails, what's the next barrier?
Speaker 1 (11:43):
That is the ultimate test of resilience. So to make
sure you've really absorbed these core ideas, consider this scenario.
If a malicious insider who has already successfully logged into
your network and bypassed your main firewall tries to access
a highly restricted database, which principle of zero trust networking
is specifically designed to stop them, and what mechanism enforces it?
Think about the three A's and that concept of internal
isolation as you implement your next security update.