So let's take a would-be bank robber's point of view into a bank. Pick a bank, any bank really, and you'll notice that going from the outside in you will encounter the following things:
- proper site planning to keep the getaway (escape route) as complex and difficult as possible
- well fortified structure of the building
- surveillance cameras
- armed guards at the entry
- properly separated internal chamber of the building (separated entryway from bank main lobby)
- properly separated and secured teller stations (where the cash, at least some of it, is)
- properly separated back office
- silent alarm triggers strategically placed where the tellers can reach them without being spotted
- outer vault door locked by a key held by bank manager or designee
- highly fortified, hardened outer vault door
- separated inner vault (with all the trimmings such as hardened steel, etc)
- nondescript inner-vault chamber compartments
- tagged (booby trapped) loot in case it's stolen to help track it and identify the thieves
I will analyze the above thirteen (13) observed physical security measures of a bank, and parallel them with digital or 'cyber' security technologies. The numbers above will match up to the digital equivalent in the analysis below, so pay attention.
- system design to disallow easy exit with stolen data
- a system which disallows servers to initiate communications to the Internet; if a cracker breaks into your server, forces a shell, and wants to ftp the stolen data somewhere off the system your network firewall had better disallow that!
- firewall rules limiting exposure of internal servers, networks, and users; properly configured access lists or firewall rules to allow only absolutely necessary exposure of services to the outside world
- at least an IPS to filter for anomalous traffic patterns, or at the very least pattern-based filtering and alerting (with blocking) mechanisms... some way to notify the security operations team that something is wrong
- IPS at your perimeter, NAC controls to keep just anyone from plugging in and rummaging around... these are the very very basics
- (see #7)
- (see #7)
- DMZs, containers, or whatever you'd like to call them; compartmentalize, segregate and filter access into different segments or zones on your network. Servers accessible to users should be on a separate network segment from servers used by administrators for all-access to out-of-band management, which should be kept separate from router and switch networks... segregate, segregate, segregate
- workflows, ticketing systems, "response team" phone numbers... anything which can give users who see suspicious activity on your network a simple way of contacting your security operations team
- separate data administrators from data users; the database administrator should have no reason to read the user_full_info table in its entirety, only to administer rights to that database, table, etc; take away all privileges which are not explicitly required to perform the work function!
- separated (logically at least, physically and logically at best) subnets and containers for servers, away from subnets for general users; these of course should be firewalled and have an IDS/IPS at the gateway into and out of them
- containers for databases, file-servers, and other sensitive servers which are kept well guarded and away from being accessible by the general public via firewall rules and anomaly detection devices such as an IPS
- server labels which look more like USSRVWIN0001A and less like FINANCE_FILESERVER to keep potential thieves guessing and grasping while your detection mechanisms work their magic
- fraud teams and credit bureaus create 'fake identities' which look perfectly real and indistinguishable from others in the system, that when used trigger a fraud alert... brilliant!
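The "servers may not initiate connections to the Internet" rule and the "segregate, segregate, segregate" zoning above are easy to state and easy to get wrong in practice, so here is an added example (not code from the original post) that models a default-deny, zone-based policy and then audits constructed flow-log lines against it. The zone names, subnets, ports and log lines are all assumptions made up for the illustration; the point is the shape of the check: every flow must match an explicit allow rule, and there is deliberately no rule that lets the server or DMZ zones start anything toward the Internet.

```python
"""Zone-based network policy with default deny, plus an egress audit.

Added example, not from the original post. Zones, subnets, ports and the
flow-log lines below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: which subnets belong to which segment.
# Anything that matches no subnet is treated as "internet".
ZONES = {
    "users":   [ip_network("10.10.0.0/16")],
    "dmz":     [ip_network("10.20.0.0/24")],
    "servers": [ip_network("10.30.0.0/24")],
    "mgmt":    [ip_network("10.99.0.0/24")],   # out-of-band admin network
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset  # empty set means any destination port


# Allow-list; everything not listed here is denied (default deny).
ALLOW = [
    Rule("internet", "dmz", frozenset({443})),        # public web front end only
    Rule("dmz", "servers", frozenset({5432})),        # web tier -> database only
    Rule("users", "dmz", frozenset({443})),           # staff use the same front end
    Rule("mgmt", "servers", frozenset({22})),         # admins come in via OOB network
    Rule("mgmt", "dmz", frozenset({22})),
    Rule("users", "internet", frozenset({80, 443})),  # user browsing via the egress point
]
# Deliberately absent: any rule with src "servers" or "dmz" and dst "internet".


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are the Internet."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True only if an explicit allow rule matches the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(
        r.src == src and r.dst == dst and (not r.ports or dst_port in r.ports)
        for r in ALLOW
    )


# Constructed flow records: "src_ip dst_ip dst_port bytes", one flow per line.
FLOW_LOG = """\
10.10.4.7 10.20.0.10 443 1820
10.20.0.10 10.30.0.5 5432 640
10.30.0.5 203.0.113.44 21 58000
10.99.0.3 10.30.0.5 22 900
10.30.0.5 198.51.100.9 443 7200
"""


def audit_flows(log: str) -> list:
    """Return a finding for every flow the policy would deny."""
    findings = []
    for line in log.splitlines():
        src, dst, port, nbytes = line.split()
        if not is_allowed(src, dst, int(port)):
            findings.append(
                f"DENY {zone_of(src)}->{zone_of(dst)} {src}->{dst}:{port} ({nbytes} bytes)"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_flows(FLOW_LOG):
        print(finding)
```

Run against the constructed log, the two server-to-Internet flows (an FTP session and an HTTPS session out of 10.30.0.5) are the only findings; the web-tier-to-database flow and the admin SSH session from the management network pass because they match explicit rules. In a real deployment the same allow-list would be rendered into firewall rules, and the audit would run over exported flow records to catch gaps between the intended policy and what the network actually permits.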
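The "fake identities" idea in the last item is a honeytoken: a record that looks like every other row, is never used by legitimate business logic, and therefore should never show up in an access log or in a data dump. The following is an added example, not code from the original post; the customer table, the canary id, the log format and the log lines are all constructed. It shows the two places such a record pays off: spotting the access as it happens, and recognising your own stolen data later when it turns up somewhere it should not be.

```python
"""Canary records and a detector over constructed audit-log lines.

Added example, not from the original post. The table, the canary id, the
log format and every log line are constructed for illustration.
"""
import re

# Constructed customer table. Row 10002 is the planted fake identity; nothing
# in the row itself marks it, only the out-of-band registry below does.
CUSTOMERS = [
    {"id": 10001, "name": "Ada Kovacs",   "email": "ada.kovacs@example.com"},
    {"id": 10002, "name": "Marcus Odom",  "email": "m.odom@example.com"},
    {"id": 10003, "name": "Leah Brandt",  "email": "leah.b@example.com"},
]

# Kept by the fraud/security team, never read by the application.
CANARY_IDS = {10002}

# Constructed application audit log: "timestamp user action customer_id".
ACCESS_LOG = """\
2024-05-01T09:12:01 svc_web SELECT 10001
2024-05-01T09:12:05 svc_web SELECT 10003
2024-05-01T09:14:44 dba_jane SELECT 10002
2024-05-01T09:15:02 svc_web SELECT 10001
2024-05-01T09:20:10 svc_report EXPORT 10002
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<cid>\d+)$")


def detect_canary_access(log: str, canaries=CANARY_IDS) -> list:
    """Return one alert per log line that touches a canary record.

    Any hit is reportable: there is no legitimate workflow for these rows,
    so the rule needs no threshold or baseline.
    """
    alerts = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m and int(m["cid"]) in canaries:
            alerts.append({
                "ts": m["ts"],
                "user": m["user"],
                "action": m["action"],
                "id": int(m["cid"]),
            })
    return alerts


def canaries_in_text(text: str, customers=CUSTOMERS, canaries=CANARY_IDS) -> set:
    """Return ids of canary records whose email or name appears in `text`.

    Used to recognise your own data in a dump, a pastebin post or an outbound
    message: a real customer's details could come from anywhere, but the
    fake identity only ever existed in your database.
    """
    hits = set()
    for row in customers:
        if row["id"] in canaries and (row["email"] in text or row["name"] in text):
            hits.add(row["id"])
    return hits


if __name__ == "__main__":
    for alert in detect_canary_access(ACCESS_LOG):
        print(f"ALERT canary {alert['id']} {alert['action']} by {alert['user']} at {alert['ts']}")
    dump = "leaked rows: ada.kovacs@example.com, m.odom@example.com, leah.b@example.com"
    print("canaries in dump:", canaries_in_text(dump))
```

On the constructed log this raises two alerts, the DBA reading the canary row directly and the reporting account exporting it, which is exactly the "data administrators should not be reading user data" separation the list argues for. The registry of canary ids has to live outside the application and outside the database being protected; if it is stored next to the data, whoever takes the data can filter the canaries out.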