The 8th Layer
Updated: Mar 6, 2019
What is the OSI Model?
The OSI Model as defined on the wiki page https://en.wikipedia.org/wiki/OSI_model:
"The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard protocols. The model partitions a communication system into abstraction layers. The original version of the model defined seven layers."
This is the definition as we are taught in all of the cyber security courses I have taken as well as throughout my IT training.
The Layers of the OSI Model
As stated, we are taught that there are 7 layers to the OSI Model:
Application - 7
Presentation - 6
Session - 5
Transport - 4
Network - 3
Data Link - 2
Physical - 1
Well, there is an 8th layer that isn't taught; you only learn about it once you research, get your hands dirty, and actually start working in the industry.
What is this mysterious 8th Layer?
That, my friends, is the HUMAN layer. Yes, those biological organisms that interact with computers and networks on a day-to-day basis.
What is the point of bringing up the 8th Layer?
I am talking about this layer because right now humans are the weakest link in any organization. I am not just talking about the end user who works in e-mail and is on Facebook all day. Nor am I just talking about the executives who are prime targets due to the information they may have access to. I am speaking of the system administrator, the helpdesk, and everyone from the highest executive to the lowest-paid employee with computer access. Every single person who has access to a computer is a risk.
What is the risk they pose?
Every human is susceptible to social engineering and/or laziness. Network administrators have a bad habit of leaving default or easily guessable passwords on application services or admin accounts. All users can be fooled by phishing e-mails and by clickbait links on sites that lead to drive-by downloads. There is also the possibility of rogue USB drives preloaded with malware being plugged into your network.
How do companies mitigate layer 8 vulnerabilities?
Truly, the only way to help mitigate these issues is policy enforcement and regular awareness training, including lunch-and-learns or even all-day training where users actually see the effects of phishing e-mails, malicious sites, and rogue USB drives, and learn how to recognize them. Companies like Scheller Cyber Security and Cover6 Solutions offer employee training where they come on site and show how easily these campaigns can be set up as well as how to recognize them.