The below is a summarized exert from “35 Views of Cyber Risk”, a free book from AXIS’s global cyber and technology team and authored by John Donald, cyber advisor, AXIS Insurance. The book aims to give readers an understanding of cyber risk by approaching it at the intersection of security, insurance and information technology. It can be read in full here.
The Medieval Castle Model
One way to conceive of cyber security is to use the analogy of a medieval castle. Then castle walls and the moat correspond to the firewall with the drawbridge allowing permitted visitors inside. The sentries patrolling the ramparts represent the anti-virus software on the lookout for suspicious events. A Distributed Denial of Service (DDoS) attack would be analogous to a siege engine lobbing boulders.
As in all good Hollywood movies there is a secret way into the castle - maybe a tunnel, a postern gate or a small iron grille over a sewer - which is known only to the people who built it. This is the software ‘backdoor’ created by the original coders of the system which still exists but has been forgotten about. Also bear in mind that the wagons bringing essential goods into your castle are a vulnerable element. In the Hollywood movie, the enemy hijack the wagons and enter the castle in disguise. In a cyber context, this is known as a Trojan attack, named after the Trojan horse that concealed Greek warriors in the Iliad.
The castle model of cyber security is a useful way of illustrating some simple cyber security concepts, but it has a major flaw which is this - where do you put the wall? As the world becomes both more mobile and more interconnected, it is increasingly hard to draw the line between inside and outside from a system standpoint. This issue, known rather clumsily as de-perimeterization, is a big challenge for security professionals.
Most cities in medieval times were surrounded by a wall for their protection. But as global trade flourished, these walls were torn down to improve the flow of goods and services. In London and Paris this happened in the 18th century, in Beijing not until the 1950s. For similar reasons, over reliance on perimeter security and a binary distinction between ‘us’ and ‘them’ is becoming an outmoded approach in the cyber realm.
The drawing of this dividing line can be framed as an attempt to find a balance between business drivers and security concerns. In the majority of cases, it is the business drivers that tend to win in the end.
Inside or Outside the Wall?
It is common for companies to use cloud-based software for client relationship management or accounting. Salesforce and QuickBooks are popular examples of these ‘software as a service’ (SaaS) packages. However, it is debatable as to whether they should be inside or outside the corporate perimeter. Similarly, most companies use contractors and third parties for software development or for website design; are they insiders or outsiders? Due to COVID, many more of us are working from home which exacerbates the perimeter problem. Is every employee’s home now also ‘inside’ the corporate wall?
The conclusion from all these examples is that it is almost impossible to draw a clear line between an organization’s internal and external zones. The concept of a ‘castle wall’ is a useful but outmoded metaphor. There are other more apt analogies for cyber security.
The Immune System Model
A more useful model than the static castle one, is a dynamic model based on the human immune system. The immune system model presupposes that systems are constantly under attack and so the focus is on the speed and effectiveness of the counterattack.
Read more: AXIS strengthens US cyber team
The immune system has two parts – an innate system at the initial stages which is the same for all attacks, and an adaptive system that kicks in at a later stage which is a bespoke response to that specific attack. In humans, the innate system consists of barriers to infection such as skin, mucous membranes, saliva (which has antibacterial properties) and the tonsils in the throat. These are designed to deter and delay infection from germs.
Detect, Respond, Recover
More interesting is the adaptive immune system. Once a virus enters our bodies it causes local inflammation, which is the first warning sign that something is wrong. This in turn acts as a trigger for the production of white blood cells which then go on to produce antibodies that bind with pathogens and killer T cells which destroy the virus. Once these lymphocytes have done their job, the body is able to recover.
The five steps in this process are exactly analogous to the five steps required in a cyber incident response plan: deter, delay, detect, respond and recover. The innate immune system like skin and tonsils correspond to the cyber security policies and the firewall. The adaptive immune system covers the other three steps, which in the cyber world are executed through system monitoring and the security operations center (SOC). Large organizations may have more than one SOC, smaller companies tend to outsource this function to third parties.
At AXIS our policies are based on this ‘immune system’ approach, which we have adapted to call “Prepare, Protect and Respond”. See our website for more details or to download the book “35 Views of Cyber Risk”.