Defence in Depth: A 'layered' strategy can repel cold attackers

The principle of Defence in Depth (“DiD”), says OWASP, is that “layered security mechanisms increase security of the system as a whole”. That is, if one layer of protection is breached, there’s still the opportunity for the attack to be fended off by one or more of the other layers. If anyone’s ever drawn something that looks …

COMMENTS

This topic is closed for new posts.
  1. Pen-y-gors

    Simple solution

    Very useful and well-thought-out article. This is a very complicated issue, and it's obviously easy to miss one tiny hole.

    Simpler solution: Pay someone else to work out what to do! And make sure you can sue them if they cock up.

    Or move to an underground cave on Rockall.

    1. Doctor Syntax Silver badge

      Re: Simple solution

      "And make sure you can sue them if they cock up."

      And then they wind up their business and move on. Always assuming the damage wasn't such that your own business is wound up first.

  2. Doctor Syntax Silver badge

    Major omission

    Users.

    1. quxinot

      Re: Major omission

      > Major omission
      >
      > Users.

      Straitjacket, cardigan, vest, overcoat.

      1. quxinot

        Re: Major omission

        My apologies, I just thought about this harder.

        > Users.

        Straitjacket, straitjacket, straitjacket.

        And probably a roll of carpet.

  3. frank ly

    Analogies

    "Oh, incidentally: if you Google the military concept of Defence in Depth, ..."

    The military have a concept called 'counter-attack' but you probably don't want to go there.

    1. Peter2 Silver badge

      Re: Analogies

      > The military have a concept called 'counter-attack' but you probably don't want to go there.

      Frankly, if the internet is a "wild west" where anything goes in terms of attacking us and the police can't enforce the law, then personally I wouldn't mind counter-attacking.

      Introducing some elements of risk of hacking people would tend to introduce some factor of cost to a cost benefit ratio that is essentially risk free at the moment.

    2. GloomyTrousers

      Re: Analogies

      Actually the military analogy is apt. A determined attacker won't just hit the second layer of your onion and give up; they'll keep poking until they find a way through that layer. Against this form of attack, detection and response (counter-attack) are necessary. Static defences fail eventually.

      To use another analogy, on your office block on a quiet industrial estate, locked doors at night aren't enough. Burglar Bill will break the window to get in. At this point your burglar alarm goes off, police respond, and all being well nothing much gets nicked (and they may even catch him). Without the detection and response, contents of locked rooms, the safe, etc. (more layers of your onion) can be breached - your entire business could vanish in the back of a transit van over a bank holiday weekend.

      1. Charles 9

        Re: Analogies

        Or worse, they use one layer to leapfrog or otherwise bypass the others.

        In this case, they can perform a "Cry Wolf" attack. Trip a bunch of false alarms so that eventually keeping the alarm and responding to it isn't worth the time and/or money. Or trip someone else's (maybe multiple) system(s) as a diversion to keep them busy while you go for the real target.

  4. Part-time Farmer

    Defence in Depth is really about gaining time to allow a measured response.

    The concepts shared here are simplistic. My ex-Vietnam WO2s taught me that a deep Defence sucks up the opponent's energy and attention, allowing you time to generate the "best" response for the assessed opponent's weaknesses. Yes, it gains you time, but don't think it's foolproof. Historic lessons learned include the Maginot Line, West Atlantic Wall, Great Wall of China, South Vietnam DMZ, Troy, etc., etc.

    Defense in depth isn't the only strategy you should adopt. Also think about the opposition's flanks, their width of attack, exposure of their line of attack, removal of cover from these and your forces for that counter-attack.... If you are on the "righteous" side, you can and should consider CERT and other external resources you have available (and they don't)....

    Another lesson I was taught? "All's fair in love and war." Hunting is fine; just call it "reconnaissance". :-)

    1. tim292stro

      Re: Defence in Depth is really about gaining time to allow a measured response.

      Glad to see others talking about physical security principles with respect to network security. If we want to be frank, yes, defense in depth is about delay, with the most valuable possessions being the hardest and longest to get to. It is one of the key aspects of physical security's four stages:

      * Detect - lets you know something is wrong

      * Delay - gives you time to do something about the threat before it concludes its aims

      * Classify - take a moment to come up with a balanced solution to the problem, have contingencies!

      * Respond - act to mitigate/eliminate the threat.

      Most articles talk about doing defense in depth, but don't talk about why it's done the way it's done. If network admins considered how physical security handles threats rather than assuming it was possible to prevent bad actors (wise man once said: the only secure machine is the one which is unplugged from any networks, powered off, shredded, then incinerated - and the ashes spread from an airplane into a tornado). The author of the article has a good head-start, understanding what you have and what your risks are - this will help focus the defensive measures towards the "crown jewels". Unique IP, customer data, and electronic business identity (crypto-keys, and the like), are the crown jewels which should be protected at all costs.

      Things like the HVAC system are not as sensitive and should not be housed in the same rings of security. Much like a castle would have a town outside the bastion walls which would be abandoned during a siege, as the residents ran inside to help hold the fortification, some parts of a network must be able to be considered sacrificial. You also didn't see a lot of cases where an inner layer depended on the outer layer to hold up - using the castle reference again, if the castle could only stay secure as long as the soldiers were given food and water, but someone had to go outside to hunt and get to the well to support the soldiers, it wouldn't be long before the castle fell.

      A business can probably lose a day of output due to lost productivity (even at a cost of millions), versus having brand damage or IP theft continuously sap trust in an organization. Unless of course losing a day of work is the trigger of said brand damage - see the recent British Airways fiasco. That was obviously a serious miscalculation of the risks of each sub-system interacting on combined/simultaneous events - and a further illustration of how each protection layer needs to be self-sufficient, not inter-dependent in any way.

      It's also important that what is available in outer layers does not become a tool for those attempting to overcome the next layer. Have a window to keep people out, but also have large rocks in a planter? That's a burglar's "key". Built a tower to keep a knight from getting to Rapunzel, but leave your extension ladder in a shed in the yard? Hygiene is just as important as having the right defenses - if one can't see people walking up to the fence, you can't detect it, thus the delay of climbing over it doesn't do any good. If you clear the trees 1km from the fence and mow the grass, you gain that much more detection and delay capability. Likewise, if one starts looking at the traffic that comes and goes into a facility, control it and filter it - and you will be able to see the obvious attempts to break a window... Being able to define things that shouldn't happen (black-listing) is the result of good planning on what should happen (white-listing). If one has correctly constrained the scope of their environment, anything out of the scope can be considered wrong (attack).
