The parfait approach to cyber defense: It’s all about the layers

Adobe was back in Flash-induced damage control mode again last month — which is a role that has become all too familiar for the company since Steve Jobs crafted his 2010 manifesto identifying 6 reasons why Flash should disappear.

This latest round of anti-Flashism was driven, ironically, by a company that was apparently on Jobs’ “hit list” as far back as 2007: The Mozilla Foundation, which took the bold step in early July of blocking Flash Player by default on Firefox. However, unlike Jobs, who bristled at Flash’s drain on battery life, lack of integration with touch devices, restrictions on the “full web,” and so on, The Mozilla Foundation’s move was to protect its users from three zero-day vulnerabilities in the latest version of Adobe Flash Player.

Although the vulnerabilities have since been patched and Firefox has given Flash the all-clear (at least until next time), many businesses have either opted to block Flash from their environment or are seriously considering doing so. Unfortunately, this isn’t a viable move for two reasons: end user expectations, and security problems with HTML5.

End User Expectations

While Flash has a growing list of detractors – such as Facebook’s CSO, who has called on Adobe to announce an end-of-life date — it’s nevertheless here to stay for a while. As Infoworld.com senior writer Serdar Yegulalp lamented on behalf of infosec professionals around the world “Flash has burrowed into a slew of niches, each of which has allowed it to stay alive for a given target audience. Sometimes that audience is narrow or increasingly endangered, but it attracts an audience all the same.”

The impact of Flash’s continued prevalence is that end users want and expect to have access to Flash Player as part of their daily work experience. Blocking it can cause significant productivity and performance issues and can trigger an endless stream of calls to the help desk as frustrated users don’t know why web pages aren’t loading, videos aren’t playing, widgets aren’t functioning, and so on. Even worse, some more IT savvy users (or those with IT savvy teenagers at home) may succeed in circumventing the block altogether.

Security Problems with HTML5

At the same time, HTML5’s much-vaunted security advantages are coming under fire following a recent report by security researchers from Italy’s University of Salerno and Sapienza University of Rome, who discovered that it could be used to mask drive-by attacks (i.e. attacks used to trick end users into accessing web pages that contain malicious JavaScript code).

And as security consulting firm Security Compass wrote in early 2014, for all of its advantages, HTML5 isn’t bulletproof and shouldn’t be viewed as such: “HTML5 applications regardless of deployment can still be plagued with the same vulnerabilities as web applications (SQL injection, cross-site scripting, weak encryption, business logic attacks, etc.).”

Prevention Strategy: Adopting a Layered Approach

If blocking Flash and embracing HTML5 aren’t enough to protect businesses from unknown threats – because, as we all know, it’s just a matter of time before another zero-day vulnerability is discovered – what can you do that’s practical, reliable, and cost-effective?

Businesses shouldn’t assume that their existing prevention-based tools are doing the job; because chances are, they aren’t. But it’s not because the tools in themselves are necessarily flawed or out-of-date. It’s because they aren’t working together to cover as much of the attack surface as possible. And that’s where adopting a layered approach makes all the difference.

A layered approach involves implementing defensive measures at the four most vulnerable points on the attack surface:

1. Endpoints

Because there are so many of them in use, endpoints — and the employees who use them — occupy the largest piece of the attack surface. Some attacks, such as drive-by malware downloads, are broad-based and indiscriminate. Others, such as spear phishing campaigns, are highly targeted and can be quite detailed.

2. Company Network

Through the email server, network router, gateway, and so on, the company network is where attack traffic enters the system and typically attempts to establish a foothold before flowing laterally to infect multiple devices, including servers. The network is also where threats communicate back-and-forth with their command and control server, often receiving instructions to download yet more threats or carry out additional stages of a multi-phase attack.

3. Cloud Storage and Applications

There’s plenty to like about storing data in the cloud and using cloud-based apps, such as scalability, efficiency, affordability, flexibility, and so on. However, security doesn’t make the list, which is why businesses must have adequate controls for safeguarding their data in the cloud, including who has and doesn’t have access to it.

4. Sensitive and Valuable Data

It may seem self-evident (though don’t tell that to the folks embroiled in the OPM breach), but applying protection directly to and around sensitive and valuable data is critical. What’s more, this understanding and focus needs to go beyond thwarting cyber attacks from the outside. A recent CompTIA survey found that old fashioned human error – and not cutting-edge cyber criminal activity – was the root cause of 52 percent of security breaches.

The Bottom Line

With a layered approach, businesses have the multi-dimensional capacity and visibility the need to prevent, detect, and respond to breach attacks.

But remember: it all starts with smart, strategic prevention. Because on an ever-worsening threat landscape, where the costs of a breach are the stuff of nightmares, the best offense that businesses can mount is – without question – a good defense.

Israel Levy is the CEO of cyber security company Bufferzone.