June 17, 2021•574 words
In principle, the protection of IT systems can be divided into four levels: prevention, detection, assessment and response. Combined properly, they secure a company's IT platform as far as that is possible at all.
Prevention is probably the most comprehensive of the four areas. It can be broadly split into data protection and system protection. Data protection covers things like data encryption, transport encryption, backups and access control for IT systems. System protection, on the other hand, covers things like system hardening and patch management. Unfortunately, too many companies still focus exclusively on prevention when securing their IT systems, and that makes forensic work much harder if a system does get breached. Because...
It's no secret among hackers that there is no such thing as 100% security for IT systems. A single bug can already provide an attack vector, and in most cases it takes at least a few hours until a suitable patch is available. In addition, there are exploits that are only passed around by hackers under the table, so it sometimes takes days or even weeks for the vulnerability to become publicly known. Remember the Exchange bug some months ago? Intelligence agencies had known about it long before. So anomalies in an IT system have to be detected.
This is where detection comes into play. It includes firewalls that validate traffic, as well as intrusion detection and intrusion prevention systems that spot anomalies on the systems themselves. Modern intrusion detection systems can also analyze statistical data from the systems and use it to flag unusual processes. Good defensive systems can additionally block typical attacks (brute-force login attempts, for example) and so prevent worse outcomes before they happen.
However, even the best intrusion detection systems and firewalls can misidentify legitimate processes as attacks. They are already quite good at automated assessment, and are getting better thanks to artificial intelligence. Nevertheless, a human must still be in the loop: the final evaluation should never be left to the automated systems. Automated assessment should only ever be one part of the assessment process, with alerting used to draw attention to the fact that an unusual process has been detected. A human review is always required.
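The two preceding paragraphs describe detection that blocks brute-force attempts and automated assessment that only proposes an action while leaving the final call to a human. The following script is an added example (not code from the original post) that illustrates both: it runs a sliding-window brute-force detector over a handful of constructed sshd-style log lines, raises an alert per source IP once a failure threshold is crossed, escalates if a successful login follows the burst, and marks every alert as requiring human review. The log format, thresholds and the `Alert` fields are assumptions for the example.

```python
"""Brute-force detection with human-reviewed alerts (added example).

Assumes a syslog-style sshd log format. The sample lines below are
constructed for the example, not a real capture.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: one source guesses passwords and finally
# succeeds, another source has a single typo followed by a normal login.
SAMPLE_LOG = """\
Jun 17 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun 17 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun 17 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 17 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun 17 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jun 17 10:00:06 host sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Jun 17 10:00:07 host sshd[1207]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Jun 17 10:00:08 host sshd[1208]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
Jun 17 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jun 17 10:00:10 host sshd[1210]: Accepted password for root from 203.0.113.7 port 51006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class Alert:
    source_ip: str
    failures: int
    window_seconds: int
    success_after_failures: bool
    auto_action: str               # what the automated assessment proposes
    needs_human_review: bool = True  # the final decision is never automated


def parse_line(line, year=2021):
    """Return (timestamp, result, user, ip) or None for lines we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Count failed logins per source IP inside a sliding time window.

    A source that reaches `threshold` failures within `window` gets one alert
    with a proposed (not executed) block. A later successful login from an
    alerted source escalates the alert, since the guessing may have worked.
    A single failure followed by success (a typo) raises nothing.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = {}                   # ip -> Alert, one per source
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        q = failures[ip]
        if result == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                if ip not in alerted:
                    alerted[ip] = Alert(ip, len(q), int(window.total_seconds()), False,
                                        auto_action="temporary block proposed")
                else:
                    alerted[ip].failures = len(q)
        elif ip in alerted:
            # Success from a source already under suspicion: escalate for response.
            alerted[ip].success_after_failures = True
            alerted[ip].auto_action = "isolate session; escalate to incident response"
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run on the constructed log, the detector raises exactly one alert, for 203.0.113.7, and escalates it because the successful root login follows the burst; the single failed attempt from 198.51.100.4 never reaches the threshold, which is the kind of false positive the post warns about. The `auto_action` is only a proposal and `needs_human_review` stays true, mirroring the point that automated assessment feeds alerting rather than making the final decision.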
Depending on how the assessment turns out, a response is of course necessary. If an attack is detected that is still in progress, appropriate defensive measures must be taken. If a system has already been successfully compromised, a forensic investigation must establish how the attack took place and which data was manipulated or stolen. In addition, the incident must be reported to the Data Protection Officer and, where required, to the responsible authorities. It is usually not a bad idea to inform customers as well, because experience shows that data breaches always become public somehow, and it is better if the company keeps control over how that happens.
If you implement this four-level model in all IT systems and in your risk management, and have appropriately qualified staff, you can at least assume that attacks will not go unnoticed and that in many cases they can be averted in good time. In today's world this is vital for companies: besides high fines and possible lawsuits, reputational damage is often difficult or impossible to repair.