The Onion of Cyber Security: 6 Layers of Digital Security

We cybersecurity bods love onions.

They’re delicious, they’re full of folic acid, and you run into a lot of “onion” based language when talking about networks and security. “Onion routing” is just one of many examples you may see out in the wild.

So, in keeping with the theme, we’ve identified 6 onion-like layers of cyber and network security that are essential to any organisation. When you get all 6 in top shape, just trying to cut through them is sure to make any cybercriminal’s eyes water.

The 6-Layered Cybersecurity Onion

Layer 1: Physical Security

This is the outermost layer of our hypothetical onion. It’s easy to think about cyber and network security as completely technical. However, the truth is quite the opposite. Your human resources are your softest, most visible attack surface. The ongoing success of phishing and social engineering attacks is testament to this fact.

Regardless of how robust your firewall and antivirus defences may be, they could all be for naught if a member of staff downloads a piece of malware, responds to a phishing email with sensitive details, or if they simply hold a card-secured door open for a mysterious, disarming stranger.

Humans will always be a soft target for cybercrime because of our emotionality – this is why cyber-awareness training is so essential. Let’s take a look at a few examples:

  • If a stranger turns up on your doorstep claiming to need to use the loo or call the police – you may instantly switch into empathy mode. But who’s to say they aren’t using that time to give your office (and its physical defences) a once over for a further in-person cyber attack or a robbery?
  • Say someone lower down in your company’s pecking order receives an oddly worded email that claims to be from a senior manager demanding that a strange, new invoice be paid immediately. They’re likely to think “I’ll be in trouble if I don’t do this” – which may even lead to loss-aversion – “I might lose my job if I don’t!” So, the invoice gets paid, the criminal laughs all the way to the bank, and the manager in question is totally oblivious.
  • You receive an email claiming to be from your company’s cloud productivity suite of choice, stating that your account will be deleted unless you change your password right now at this specific link. The time limit alone puts you under duress but the prospect of work being deleted is likely to send a chill down your spine. So, you click the dodgy login link, enter your credentials, and voilà – a cybercriminal now has them.

We go into much more detail about the psychology behind social engineering attacks in our post “What Is Social Engineering? And How Can You Stay Safe?”

Part of Network Concerned: Your human users and personnel.

Solutions Required: Ongoing cyber-vigilance training, Penetration testing, Physical penetration testing, Policy & Alert Management.

Layer 2: Perimeter Security

This layer is our first proper technical onion layer – it’s the point at which your network touches the outside, online world. It helps to think of this layer like the defensive wall around a medieval town (the town being your network) – the wall that keeps the bad guys out and authorised parties safe within.

You need to define your network and infrastructural boundaries in order to defend them. So, ask yourself – where does your organisation’s infrastructure and traffic end and the public network begin? Many organisations are finding this tough to nail down now that remote working is so popular! It’s also tricky to navigate if you use IoT or ICS systems that need to interface directly with the internet rather than having a security layer in between.

Your aim is to keep your perimeter as watertight and well-patrolled as possible, so this is where solutions like firewalls, remote access VPNs, Intrusion Prevention Systems, Network Access Control, and managed security services come in.

You could even implement a DMZ or “demilitarised zone”. A cyber-DMZ is a network buffer zone that can house external-facing resources like email servers and web servers. It is usually formed by placing these resources in between two firewalls – an external one which interfaces directly with the web, and an internal one that connects to the internal network.

Part of Network Concerned: Routers, firewalls, any hardware that interfaces directly with the internet.

Solutions Required: Firewalls, Remote Access VPNs, Intrusion Prevention Systems, Network Access Control, Multi-Factor Authentication, DNS Filtering, Managed Security Services, DMZs, Policy & Alert Management.

Layer 3: Network & Data Transit Security

As we edge slightly further into the core of our security onion, we get to the network’s moving parts – the data that moves in, around, and out of your network.

The goal here is to ensure that all network use, behaviour, and traffic is above board – only occurring within certain pre-set, predetermined parameters. This isn’t just a case of forbidding network users from accessing certain websites or cutting off certain types of port activity. It involves:

  • Proper, secure vetting and authentication of new network users, ensuring that the only devices on the network are ones that are supposed to be there; especially those that access the network remotely.
  • Securing sensitive data in-transit against snoopers by using robust encryption technologies – both within the network and as it travels over the open internet.
  • Ensuring that all points of ingress to and egress from the network are kept secure, only allowing set port activity in and out, and employing Deep-Packet Inspection, network monitoring, and heuristic gateway antivirus tools to keep the network as watertight as possible.

Part of Network Concerned: New Users, Network Behaviour Monitoring, Shadow IT.

Solutions: Deep-Packet Inspection, DNS Filtering, Network Access Control, Remote Access VPN, Separate Guest WiFi, Managed Security Services.

Layer 4: Endpoint Security

Now we’re at the layer of cybersecurity that most people are aware of: the layer concerned with securing and defending endpoint devices like PCs, laptops, and smartphones.

It’s a good thing that this is the most well-known part of network security; this is real mission-critical stuff. Your endpoints are crucial to productivity – your team use them day-in, day-out, almost like an extension of their physical selves! However, this direct interface with human users is also what makes endpoints so vulnerable. Poor user behaviour and bad cyber habits can leave the door open to cyber attacks. If a criminal is able to gain access to a networked device, it can serve as a powerful foot in the door for them to carry out their nefarious plans.

Malware and phishing are particular worries here. New strains of zero-day malware are being released every single day, and phishing attacks are becoming increasingly more believable, more targeted, and more dangerous.

This layer of the onion is chiefly concerned with keeping your devices clean, safe, and as well defended as possible. Antivirus software installed on every device is essential, and can be further augmented with managed detection and response (MDR) tools.

Part of Network Concerned: PCs, Laptops, Smartphones, Guest Devices, ICS/SCADA Devices, Shadow IT.

Solutions Required: Antivirus Software and Gateway Antivirus Tools (both as heuristic as possible), Managed Detection & Response (MDR), cyber-awareness training, DNS Filtration, Email Filtering, Network Access Control.

Layer 5: Data Security

Once a cybercriminal gets through to the data layer of the cyber onion – it’s really time to worry. This layer is most concerned with your data stores. Your data is a valuable, tempting goal for hackers and an expensive thing to lose – not just in terms of the value inherent in the data you use every day, but in the punitive costs and fines that can arise from data theft and breaches.

The core concepts of data security are remarkably simple:

  • Maintain the confidentiality of data so it doesn’t fall into the wrong hands,
  • Allow data subjects access to their own data on request,
  • Maintain the integrity of data so all records are present and correct (and are being used consensually),
  • Ensure that the data is available to authorised parties only and strictly off limits to unauthorised parties.

… yet the execution can be remarkably complex. Data isn’t just stored in central servers – it’s scattered across data servers, local endpoint drives, cloud storage, and email inboxes (as well as their respective email servers). So, like Layer 4, it’s simple to understand, but difficult to define and corral fully. You also need to be mindful of data handling best practices that will keep you on the right side of data protection legislation too.

Under the UK GDPR, the ICO can issue fines to organisations who don’t keep personal data properly secure depending on the severity of the infraction. Serious, wide-scale breaches can incur fines of up to £17.5 million (or 4% of annual global turnover). However, it’s important to stress that this is an ”up to” figure and that the ICO seems keen to help organisations do the right thing rather than automatically punish every single breach.

Part of Network Concerned: Data servers, Local Endpoint Drives, Cloud Storage, SaaS Applications, and Email Servers.

Solutions Required: Cyber-Awareness Training, Robust Password Policies, Network Access Control, Multi-Factor Authentication, Managed Security Services, Managed Network Monitoring, Web Application Firewall, Data Encryption (in transit and at rest), Penetration Testing.

Layer 6: The Core

Code Error - critical data.

This is the finest and most delicate layer that becomes accessible once all other layers have been sliced through. The core represents the place where all of your mission-critical data and operations lie. It’s the cyber equivalent of an all-access pass – truly the point of no return!

If a hacker has bypassed all of the defences before this, then they’re either a) bloomin’ determined, or b) they found an unfortunate security loophole somewhere that enabled them to go for the jugular.

NEVER give this level of access out if at all possible – even internally. Too much power in one person’s hands can be a security issue in and of itself, never mind an operational problem if their magic, omnipotent credentials are needed whilst they are on holiday or sick leave!

Solutions Required: Post-Incident Response Services, Possible PR Disaster Handling, and a lie down in a darkened room once it’s all over.

We sincerely hope you are able to defend all of the layers on this list – especially those last two. But if you’re worried about any of your own network’s onion layers, just give us a call! Just Firewalls and Just Cyber Security are here to keep you safe. Simply call 0808 1644414 to speak to one of our technicians today!