General Security: The Defense in Depth Concept and the 10 Generic Steps
Information Security in its essence is about managing risks, not about technologies like firewalls, intrusion detection, antivirus, etc. Depending on what threats we face and which assets we consider critical to our business or privacy, we can determine which risks we will mitigate, transfer or accept, and at what level. Security initiatives must therefore be based on your individual needs and priorities.
Defense in Depth:
Defense in Depth is a commonly accepted security concept that has been used at least since the Middle Ages. Castles first had towers with lookout posts to see the enemy approaching, then moats filled with water or dry ditches, then a drawbridge to the only castle entry, then thick wooden gates and high walls with battlements and arrow loops. The defenders often also had murder holes to pour boiling water and drop rocks onto the enemy. Should the enemy get past these defense layers, the inner castle, the "keep", was a self-sufficient bastion in itself, also with thick gates and even higher walls. The whole point was that should one layer of defense fall to the enemy's attack, there would still be more layers to protect the defenders and the riches of the castle owner.
The same concept of Defense in Depth should be used when addressing information security: add multiple layers of security. This is considered best practice. It will not only reduce the attacker's chance of success, but also increase the attacker's risk of detection, since every additional layer is one more place where the attack can be noticed. One could also argue that Defense in Depth will discourage or stop scripted and simple attacks, which are written for one specific weakness and do not adapt when they meet a different layer.
Defense in Depth will:
- Reduce the attacker's chance of success
- Increase the attacker's risk of detection
Microsoft has written an excellent article about this concept, in which they even differentiate between client and server needs (link). Steve Riley and Jesper M. Johansson from Microsoft discuss Defense in Depth (link) and other security concepts in webcasts, articles and their new book. Make sure you check them out for some great "no-bull-shit" discussions of the topics, addressing the real roots of the problems.
Layered Rings of Security Model of Defense in Depth:
When implementing Defense in Depth, we should ensure that the different layers actually supplement each other, and take a holistic view of the individual layers. What good is your corporate firewall if the users take their laptops home and connect them directly to the Internet without a host firewall? How safe is your financial data if it is also cached unencrypted on those laptops? How well will physical security protect your wired network if your wireless network is unencrypted, unauthenticated and connects directly into the corporate network?
We recommend looking at each layer as a ring of defense around your data. You must then focus on each ring as a whole, possibly using more than one technical implementation to close it: five "half" rings are not as strong as two "full" rings, because the attackers will eventually find the holes in the rings for easy entry, just like the medieval castles had walls and moats all the way around. This expanded view of Defense in Depth could be called Layered Rings of Security.
As seen in the concept picture to the left (as an example), the corporate network firewall, the host firewall, physical security measures and wireless authentication (wireless network access) together form one single ring of security, a "perimeter ring". Each of them guards a different way in, so if the attacker can get past any one of these, access to the network is possible without the need to get past any of the other mechanisms or technologies of that ring.
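As an added illustration (not code from the original page), here is a small Python model of the logic just described: the controls of one ring are alternatives for the attacker (one gap is enough), while the rings themselves must be passed one after another. The ring contents follow the perimeter example above; the bypass figures, the hypothetical "half ring" and "full ring" sets, and the helper names are constructed assumptions chosen to show why five half rings are weaker than two full rings.

```python
from dataclasses import dataclass

# Each entry path into a ring is guarded by one control, with a rough
# estimate of the chance an attacker who tries that path gets through.
# A bypass value of 1.0 means there is no control at all: a hole in the ring.
# All figures below are constructed for illustration, not measurements.


@dataclass(frozen=True)
class Control:
    name: str
    bypass: float


@dataclass
class Ring:
    name: str
    paths: dict  # entry path -> Control guarding it


NO_CONTROL = Control("nothing", 1.0)


def ring_bypass(ring):
    """The attacker needs only ONE way through a ring, so a ring is exactly
    as weak as its weakest path: the controls of one ring are OR-ed."""
    path, ctl = max(ring.paths.items(), key=lambda item: item[1].bypass)
    return ctl.bypass, path


def attack_success(rings):
    """Rings must be passed one after another, so they are AND-ed: the
    overall chance is the product of the per-ring weakest paths."""
    p = 1.0
    for ring in rings:
        p *= ring_bypass(ring)[0]
    return p


def holes(rings):
    """Entry paths with no control at all. Fix these first: a hole makes
    every other control in the same ring irrelevant."""
    return [(ring.name, path)
            for ring in rings
            for path, ctl in ring.paths.items()
            if ctl.bypass >= 1.0]


def close_hole(ring, path, control):
    """Return a copy of the ring with one path guarded by a new control."""
    return Ring(ring.name, {**ring.paths, path: control})


# The article's perimeter ring: four technologies guarding four ways in.
# Here the wireless network is left open, the situation the article warns about.
perimeter = Ring("perimeter", {
    "from the Internet": Control("network firewall", 0.05),
    "laptop used at home": Control("host firewall", 0.20),
    "walking into the building": Control("physical security", 0.10),
    "wireless network": NO_CONTROL,
})


def five_half_rings():
    """Five hypothetical rings that each leave one path unguarded."""
    return [Ring(f"half ring {i}", {
        "guarded path": Control("strong control", 0.10),
        "forgotten path": NO_CONTROL,
    }) for i in range(1, 6)]


def two_full_rings():
    """Two hypothetical rings with every path guarded, even if by weaker controls."""
    return [Ring(f"full ring {i}", {
        "path a": Control("control a", 0.30),
        "path b": Control("control b", 0.30),
    }) for i in range(1, 3)]


if __name__ == "__main__":
    print("weakest perimeter path:", ring_bypass(perimeter))
    print("holes to close first:", holes([perimeter]))
    fixed = close_hole(perimeter, "wireless network", Control("WLAN authentication", 0.20))
    print("after closing the hole:", ring_bypass(fixed))
    print("five half rings:", attack_success(five_half_rings()))
    print("two full rings: ", attack_success(two_full_rings()))
```

The numbers are not the point; the shape of the calculation is. Because the weakest path decides a ring, the five half rings contribute nothing at all (each has a path with bypass 1.0), whereas the two full rings, guarded only by mediocre controls, still multiply down to a small chance of success. Closing a hole is therefore worth more than adding another strong control next to it in the same ring.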
The next ring could be a "network ring" that deals with network attacks, protects data on the network and prevents network access to certain systems and services. This can be done by encrypting data in transit, whether it travels over wireless or physical cables; by preventing an attacker from connecting to the physical network, e.g. by disabling the switch ports of unused wall connectors; by segmenting the network into subnets; and by using IPsec to perform network isolation, so that hosts cannot communicate directly with each other, since there is mostly no reason for them to do so: workstations only need access to the resource servers and the Internet. Microsoft used this approach and has promoted the concept very heavily recently in its initiatives to prevent malware from spreading, as can be seen in webcasts and articles (link).
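Added example, not from the article or from Microsoft's material: a Python check that applies the isolation policy just described (workstations talk only to resource servers and the Internet, never to each other) to connection records, and flags the workstation-to-workstation traffic that IPsec isolation should have blocked. The subnet plan, the one-line record format, the function names and the sample records are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Address plan assumed for this example (not from the article): workstations
# live in 10.1.0.0/16, resource servers in 10.2.0.0/16, anything else is
# "internet". Adjust to your own subnet layout.
CLIENT_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.2.0.0/16")]

# Who may *initiate* a connection to whom. Workstations talk to servers and
# the Internet, never to each other; nothing outside initiates inwards.
ALLOWED = {
    ("client", "server"), ("client", "internet"),
    ("server", "server"), ("server", "internet"),
}

REASONS = {
    ("client", "client"): "workstation to workstation: lateral movement the isolation policy should block",
    ("internet", "client"): "inbound from the Internet to a workstation: should never reach the network ring",
}

# Constructed record format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def zone(addr):
    """Classify an address by the subnet it belongs to."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CLIENT_NETS):
        return "client"
    if any(ip in net for net in SERVER_NETS):
        return "server"
    return "internet"


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow


def is_allowed(src, dst):
    return (zone(src), zone(dst)) in ALLOWED


def violations(lines):
    """Flows the isolation policy forbids, as (flow, reason) pairs. Records
    are treated as connection initiations, so a server's replies to a client
    do not show up as server -> client."""
    found = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        key = (zone(flow["src"]), zone(flow["dst"]))
        if key not in ALLOWED:
            found.append((flow, REASONS.get(key, f"{key[0]} -> {key[1]} not permitted")))
    return found


def spreaders(lines, min_peers=2):
    """Workstations that initiated connections to several other workstations:
    the pattern of a worm scanning its own subnet."""
    peers = defaultdict(set)
    for flow, _ in violations(lines):
        if zone(flow["src"]) == "client" and zone(flow["dst"]) == "client":
            peers[flow["src"]].add(flow["dst"])
    return sorted(ip for ip, s in peers.items() if len(s) >= min_peers)


SAMPLE_FLOWS = """\
# constructed sample records, not captured traffic
2005-03-01T09:00:01 10.1.0.5:1034 -> 10.2.0.10:445 TCP
2005-03-01T09:00:02 10.1.0.5:1035 -> 203.0.113.7:80 TCP
2005-03-01T09:00:03 10.1.0.5:1036 -> 10.1.0.9:445 TCP
2005-03-01T09:00:04 10.1.0.5:1037 -> 10.1.0.20:445 TCP
2005-03-01T09:00:05 10.1.0.9:1101 -> 10.1.0.12:135 TCP
2005-03-01T09:00:06 198.51.100.4:40000 -> 10.1.0.5:139 TCP
2005-03-01T09:00:07 10.2.0.10:3000 -> 10.2.0.11:1433 TCP
""".splitlines()

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
    print("possible worm hosts:", spreaders(SAMPLE_FLOWS))
```

Run it against real connection records (from a switch, a NetFlow export or a host firewall log) after converting them to the one-line format. Anything it reports is either a gap in the isolation policy to close with IPsec rules or VLAN ACLs, or, when one workstation reaches several of its peers on ports like 445 or 135, a host to look at for worm activity.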
The last ring shown in the picture is what could be called a "data ring", where the critical business and HR information is protected by technologies like client disk encryption, folder and file encryption, and access control lists that authorize access to the data. ACLs are enforced by the running operating system and can be sidestepped by booting the disk under another one, which is why disk encryption and ACLs belong together in this ring rather than being alternatives.
A ring that is not illustrated in the picture is the "host ring", where hardening and protection of clients and servers is implemented using patch management, host firewalls (this time for host protection rather than perimeter protection), IPsec policies and SMB signing, malware protection like antivirus scanners, physical access controls (normally for servers), multifactor authentication (smart cards and tokens), etc.
The point here is that the rings demonstrated above are not representative of all environments and may not even be generic or common. The rings must be defined during the Risk Management process, based on the perceived threats for each individual organization (or person). They are shown here only to illustrate the concept of Layered Rings of Security and to promote a holistic mindset towards Defense in Depth.
More Information:
See more on the DiD concept and security practices here:
Steve Riley and Jesper M. Johansson's 5-part webcast series from TechNet's "Spotlight": "Getting and Staying Secure the Right Way"
Rafal Lukawiecki's 2-part webcast series from TechNet's "Spotlight": "Active Security Common Practices"
Windows Home Security - 10 Generic Steps:
For the average Internet user, computer and data security is something they may not know much about, so we encourage them to start by watching the general introduction flash videos from Microsoft (link1 and link2) and a Security Basics demo (link).
Security protection is important, as most viruses and hackers try to exploit the low security settings of systems that are unpatched and still run with default settings. At the end of 2004 the SANS Institute documented that an unpatched system put on the Internet would be compromised within an average of 30 minutes.
Below you can find freeware tools and information about the 10 most generic security measures that most Internet users should consider implementing as part of their Defense in Depth plan for a Windows XP system.
It has been analyzed that most (about 85%) security incidents happen not because of "elite" hackers or the infamous 0-day exploits, but because of simple failures to protect the systems against known attacks. The SANS Institute analyzed this and came up with their SANS Top-20 list (link) of the vulnerabilities most commonly used in attacks.