14 October - Infrastructure
How we use microgateways attached to APIs to improve our platform
A platform for financial services must have an extremely high level of security. One of the techniques that we use at Pismo to attain that security level is applying the defence in depth concept for red team engagements. Let’s discuss how we do it.
Before examining our defence in depth practices, let’s think back on what a red team does. If you ask a random person what cybersecurity professionals do, you will likely hear that they help protect companies from “bad guys” such as hackers. Commonly, information security activities are associated with defensive instead of offensive actions.
Moving in the opposite direction, the so-called red team applies cybersecurity and ethical hacking techniques to uncover technical, physical and logical flaws, which helps protect the company’s data and assets. The term “red team” is used in contrast to “blue team”, the group in charge of the defensive measures.
Since the internet was born, information security has changed a lot. Many techniques were developed to increase the resilience of defensive mechanisms. Focusing solely on perimeter hardening has proven to be an ineffective strategy. Without other layers of defence, “once the main gate is compromised, the reign may fall into the hands of the outsiders”.
Given this introduction, I present the security (or defence) in depth concept, also known as the security onion. This approach is used in information security to protect data or assets by using multiple layers of defence (e.g. web application firewall, DMZ network, intrusion detection system, antivirus software etc.).
The concept was conceived by the U.S. National Security Agency (NSA). It references medieval defence structures. To invade a fortified city, you had to go through a moat, a drawbridge, a massive wall full of archers, a monumental gate, a middle wall guarded by infantry, and, finally, you would enter a city full of eyes wary of new faces.
As you may have heard before, an attack is the best means of defence. We evaluate and map our protections from the outside and plan attack methods to uncover vulnerabilities. In other words, we reverse-engineer the security onion. Let’s see a few red team practices that we adopt at Pismo.
Map the company’s attack surface.
Focus on any exploitable path behind the curtains.
You should never just trust that your shield will absorb any blow. The broader the scope of your red team engagements, the more effective your results will be in the long term. Furthermore, you must develop new defence techniques and ideas over time. Having a creative and diverse routine for assessing your environment will help you strengthen it and put the spotlight on security. More and more, we prove that we should never stay inside our comfort zone when it comes to security.