I have a daughter who is four years old and super into anatomy. We often sing that old tune; “the knee bone’s connected to the femur, the femur’s connected to the hip bone...” sorry for planting that tune in your head for the rest of the day but it serves a point, I swear...
For those who have read even the shortest snippets of cyber news blurbs, you have come across the term: “moving laterally”.
For those American Football fans out there, it doesn’t mean what you think it means. Moving laterally is when a hacker finds a way into your systems and can move across your network and infect other areas along side the original point of access. Think of a house fire that starts with an ember jumping from the fireplace and quickly moving throughout the living room, up the stairs, and engulfing the bedrooms. You might remember from your most recent visit to a school built in the 70s or 80s that fire-doors were the norm at the end of corridors to specifically prevent fire from spreading should it break out; modern networks are designed the same way. Yes, there is an outer barricade, the firewall, but internally, traffic is monitored and managed by a set of rules that segregate certain areas from one another. But who sets up these rules? Well, technical people can certainly code them into hardware, but who designs the rules? What systems need to be cordoned off? And, most importantly, how connected are things inside the firewall in the first place?
If your organisation doesn’t have a meaningful map of critical systems and the connections between them... spoiler alert... you should!
Completing such a map shouldn’t be onerous. It takes about a day with people from all over the organisation popping in and out. It starts with a two-part question – what business are you in and what systems do you rely upon to deliver value to your customers? After the big ones are identified – accounting, POS, email, file sharing, etc. – you can move to the ancillary systems like your sensors and Business Intelligence and that awesome new widget the CFO just had to have.
IT plays a critical role in this process but so does sales, accounting, operations – just about everyone. You are mapping your network but not the physical machines, the systems that keep your organisation running.
I once ran a cyber security audit of a municipality in the US. It was not a small city, for sure, as they had more than 200,000 residents. On the city’s website, a person can register a storm shelter so as to be located by rescue workers in the event of a major weather disaster. As it turned out, the form that was filled out on the city’s website was just a few lines of code and some clicks away from the system that managed the payroll files for all the city workers. Let’s just say the City Manager was less than pleased when we handed him last month’s payroll on a flash drive along with the news that his network wasn’t as segregated as he thought.
It really streamlines operations for the accounting system to speak with the ERP. A worthy connection to be sure, but be cognisant of the risk you introduce by building a pathway for those systems to communicate. The same bridge that cuts hours of work from your accounting staff provides a pathway for the nefarious.
