By Michael Adjei (MSc.) Security Trainer & Senior Security Engineer at Wick Hill
So picture this. It is a nice sunny day and you are enjoying the sunshine in the garden on your day off work. You decide to get a drink from the kitchen fridge. While doing so you take a casual look out the window overlooking your cul-de-sac street; now come two different scenarios:
- The Burglar
A man, his face covered with a balaclava and wielding a baseball bat, is trying to break in through your neighbour’s window. He looks around frantically and tries to smash the window with the bat. There is no one at home as it is a busy working day and the house has no alarm system.
- The Mail Man
The mail man appears to be delivering mail through the letter boxes around the neighbourhood. It is a mundane scene to which little attention is usually paid, but all of a sudden the supposed mail man looks around him, reaches into his backpack, takes out a face mask and a crowbar, and tries to climb in through a neighbour’s partially open window at the front of the house.
The Burglar represents threats that almost force their way through the network; the Mail Man represents the more crafty threats that may utilise known or unknown (zero-day) vulnerabilities and are so much harder to detect until after the damage is done.
The “SPICED” Security Checklist Approach
In each threat case, a comprehensive approach of securing every possible entry point is required. This ranges from the Perimeter right through to Data Security. It has to be combined with complete visibility of the whole network from the inside, both to set a benchmark for normality and, with appropriate accompanying alert systems, to make abnormal behaviour easier to detect.
To this end I present a simple approach to combat the serious scenarios discussed above. It is known as the “SPICED” checklist, which is elaborated as follows:
- Security Training & Testing
- Data Security
A periodic review of organisational security against the “SPICED” approach is needed to make sure all areas are adequately covered to protect against known and evolving threats, and that end-user and IT team training is adequate.
In most cases, it is much better to have a full and complete review on your own terms than to be forced to do so in the public eye, especially after a serious security breach.