Defense-in-Depth: What Is It? - PowerPoint PPT Presentation

Provided by: stephenn4
Transcript and Presenter's Notes

1
Defense-in-Depth: What Is It?
  • Peter Leight and Richard Hammer
  • August 2006

2
What is Defense-in-Depth?
  • There is no silver bullet when it comes to
    network security
  • Any layer of protection might fail
  • Multiple levels of protection must be deployed
  • Measures must be across a wide range of controls
    (preventive and detective measures)

3
Focus of Security is Risk
  • Security deals with managing risk to your
    critical assets
  • Security is basically an exercise in loss
    reduction
  • It is impossible to totally eliminate risk; we settle
    for residual risk
  • Risk is the probability of a threat crossing or
    touching a vulnerability
  • Risk is managed by utilizing defense-in-depth
    (DiD)
  • Risk = threat x vulnerabilities

4
Key Focus of Risk
  • Confidentiality / Disclosure
  • Integrity / Alteration
  • Availability / Destruction

[Figure: CIA triad: Confidentiality, Integrity, Availability]

5
Prioritizing CIA
  • While all three areas of CIA are important to an
    organization, there is always one area that is
    more critical than others
  • Confidentiality
      • Health Care Organizations
      • Hospitals
  • Integrity
      • Financial Institutions
      • Banks
  • Availability
      • E-commerce based organizations
      • Online banking

6
What is a Threat?
  • Possible danger
  • Protect against the ones that are most likely or
    most worrisome based on
      • Intellectual property
      • Validated data
      • Business goals
      • Validated data
      • Past history
      • Main point of exposure

[Figure: 5 Primary Threats: Insider, Malware, Health Epidemic, Terrorism, Natural Disasters]

7
Vulnerabilities
  • Weaknesses in a system
  • Vulnerabilities are inherent in complex systems;
    they will always be present
  • The majority of vulnerabilities are the result of
    poor coding practices
      • Lack of error checking
  • Vulnerabilities are the gateway by which threats
    are manifested
  • Vulnerabilities fall into two categories
      • Known, those you can protect against
      • Unknown or zero day

8
Approaches to DiD
  • Deploy measures to reduce, eliminate or transfer
    risk
  • Five basic approaches
      • uniform protection
      • protected enclaves
      • information centric
      • threat vector analysis
      • role-based access control

9
Uniform Protection - DiD
  • Most common approach to Defense-in-Depth
  • Firewall, VPN, Intrusion Detection, Anti-virus,
    etc.
  • All parts of the organization receive equal
    protection
  • Particularly vulnerable to malicious insider
    attacks

10
Protected Enclaves - DiD
  • Work groups that require additional protection
    are segmented from the rest of the internal
    organization
  • Restricting access to critical segments
  • DOE unclean network
  • System of VPNs
  • Internal Firewalls
  • VLANs and ACLs

11
Information Centric Defense-in-Depth
  • Identify critical assets and provide layered
    protection
  • Data is accessed by applications
  • Applications reside on hosts
  • Hosts operate on networks

[Figure: layers labeled Network, Host, Application, Info]

12
Vector Oriented DiD
  • The threat requires a vector to cross the
    vulnerability
  • Stop the ability of the threat to use the vector
      • USB Thumb Drives: Disable USB
      • Floppy Drives: Disable
      • Auto Answer Modems: Digital phone PBX

13
Role-Based Access Control
  • People identified by their roles
  • Data is accessed by roles, not people
  • People can have more than one role
  • More than one role can access the same data

14
Identity, Authentication, Authorization, Accountability
  • Identity is who you claim to be
  • Authentication is a process by which you prove
    you are who you say you are
      • Something you know
      • Something you have
      • Something you are
      • Some place you are
  • Authorization is determining what someone has
    access to or is allowed to do, after they have
    been properly authenticated
  • Accountability deals with knowing who did what
    and when

15
Controlling Access
  • Least Privilege
      • Give someone the least amount of access they need
        to do their job
  • Need to Know
      • Only give them the access when they need it and
        take it away when it is no longer required
  • Separation of Duties
      • Break critical tasks across multiple people to
        limit your points of exposure
  • Rotation of Duties
      • Change jobs on a regular basis to prevent anyone
        from being able to get comfortable in a position
        and be able to cover their tracks
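
The role-based model and access principles from slides 13 to 15, as an added example that is not part of the original presentation. The role, user and permission names are hypothetical and the sample data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample data; every role, user and permission name is hypothetical.
ROLE_PERMS = {
    "nurse": {("patient_record", "read")},
    "physician": {("patient_record", "read"), ("patient_record", "write")},
    "payment_clerk": {("payment", "create")},
    "payment_approver": {("payment", "approve")},
}
USER_ROLES = {
    "alice": {"nurse", "payment_clerk"},  # people can have more than one role
    "bob": {"physician"},
    "carol": {"payment_approver"},
}
# Separation of duties: no single person may hold both roles of a pair.
SOD_CONFLICTS = [{"payment_clerk", "payment_approver"}]

AUDIT_LOG = []  # accountability: who did what, and when


def sod_violations(user_roles=USER_ROLES):
    """Return (user, conflicting roles) for each separation-of-duties breach."""
    return [(user, sorted(pair))
            for user, roles in sorted(user_roles.items())
            for pair in SOD_CONFLICTS if pair <= roles]


def is_authorized(user, resource, action):
    """Decide by role, never by user name; deny by default; log every decision."""
    granting = sorted(role for role in USER_ROLES.get(user, ())
                      if (resource, action) in ROLE_PERMS.get(role, ()))
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(),
                      "who": user, "what": f"{action} {resource}",
                      "allowed": bool(granting), "via_roles": granting})
    return bool(granting)


def assign_role(user, role):
    """Grant a role only if it creates no separation-of-duties conflict."""
    proposed = USER_ROLES.get(user, set()) | {role}
    if any(pair <= proposed for pair in SOD_CONFLICTS):
        return False
    USER_ROLES[user] = proposed
    return True
```

Denied requests are logged as well as allowed ones, so the audit trail also covers the detective side of the controls.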