
General Security: The Defense in Depth Concept and the 10 Generic Steps

Information Security in its essence is about managing risks and not about technologies like firewalls, intrusion detection, antivirus, etc. Depending on what threats we face and what assets we prioritize as critical to our business or privacy, we can determine what level or types of risks we will mitigate, transfer or accept. So the security initiatives must be based on your individual needs and priorities.

Defense in Depth:

Defense in Depth is a commonly accepted security concept used at least since the Middle Ages, where castles first had towers with lookout posts to see the enemy approaching, then moats with water or ditches, then a drawbridge to the only castle entry, then thick wooden gates and high walls with battlements and arrow loops. The defenders often also had murder holes to pour boiling water and rocks down on the enemy. Should the enemy get past these different defense layers, the inner castle or the "keep" was a self-sufficient bastion in itself, also with thick gates and even higher walls. The whole point was that should one layer of defense fall to the enemy's attack, there would be more layers to protect the defenders and the riches of the castle owner.

The same concept of Defense in Depth should be used when addressing information security, by adding multiple layers of security, and this is considered Best Practice. This will not only reduce the attacker's chance of success, but also increase the attacker's risk of detection. One could argue that Defense in Depth will also discourage or stop scripted/simple attacks.

Defense in Depth will:

  • Reduce the attacker's chance of success
  • Increase the attacker's risk of detection

Microsoft has written an excellent article about this concept where they even differentiate between client and server needs (link). Steve Riley and Jesper M. Johansson from Microsoft discuss the Defense in Depth (link) and other security concepts in webcasts, articles and their new book. Make sure you check them out for some great "no-bull-shit" discussions of the topics, addressing the real roots of the problems.

Layered Rings of Security Model of Defense in Depth:

When implementing Defense in Depth, we should ensure the different layers actually supplement each other and have a holistic view on the individual layers. What good is your corporate firewall if the users bring home their laptops and connect them directly to the internet without a host firewall? How safe are your financial data if they are also cached on the laptops unencrypted? How well will the physical security protect your physical network if your wireless network is unencrypted, unauthenticated and connects directly into the corporate network?

We recommend looking at each layer as a ring of defense around your data, so you must focus on each ring as a whole, maybe using more than one technical implementation. Five "half" rings are not as strong as two "full" rings, as the attackers eventually will find the holes in the rings for easy entry. Medieval castles, likewise, had walls and moats all around the castle. This expanded view on Defense in Depth could be called Layered Rings of Security.

As seen in the concept picture to the left (as an example), the corporate Network Firewall, the Host Firewall, Physical Security measures and Wireless Authentication (wireless network access) all together form one single ring of security - a "perimeter ring". If the attacker can penetrate any of these layers, access to the network is possible without the need to penetrate any of the other mechanisms/technologies of that ring.

The next ring could be a "network ring" that deals with network attacks, protecting data on the network and preventing network access to certain systems and services. This could be done by encrypting the data in transit across the network (whether wireless or physical cables are used), by preventing an attacker from connecting to the physical network by disabling unused wall connectors in the switches, and by segmenting the network using subnets but also using IPSec to perform network isolation. Isolation ensures that hosts cannot communicate directly with each other, as there is mostly no reason for them to do so. They only need access to the resource servers and the internet. Microsoft has used this concept and has recently promoted it very heavily in their initiatives to prevent malware from spreading, as can be seen in webcasts and articles (link).

The last ring demonstrated in the picture is what could be called a "data ring" where the critical business and HR information is protected by technologies like client disk encryption, folder and data encryption as well as using access control lists for authorizing access to the data.

A ring that is not illustrated in the picture is the "host ring" where host hardening and protection of clients and servers is implemented using patch management, host firewalls (for host protection and not perimeter protection this time), IPSec policies and SMB signing, malware protection like antivirus scanners, physical access controls (normally to servers), multifactor authentication (smart cards and tokens), etc.

The point here is that the rings demonstrated above are not representative of all environments and may not even be generic or common, so the rings must be defined during the Risk Management process based on the perceived threats for each individual organization (or person). They are here only to illustrate the concept of Layered Rings of Security and to promote a holistic mindset to Defense in Depth.
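
The "half rings versus full rings" argument can be made concrete with a small model. The following Python sketch is an added example, not part of the original article: it counts how many rings stand in the way on each entry path and reports the path an attacker would find easiest. The entry paths, ring names and mechanisms are constructed sample data, and the "half" rings are one constructed arrangement.

```python
# Added illustration of the "Layered Rings of Security" idea.
# Entry paths, rings and mechanisms below are constructed sample data.
ENTRY_PATHS = ("internet", "wireless", "physical_port", "roaming_laptop")

def ring_gaps(ring, paths=ENTRY_PATHS):
    """Entry paths that no mechanism in this ring covers (the 'holes')."""
    covered = {p for mech_paths in ring.values() for p in mech_paths}
    return [p for p in paths if p not in covered]

def depth_per_path(rings, paths=ENTRY_PATHS):
    """For each entry path, the number of rings an attacker must defeat."""
    return {p: sum(p not in ring_gaps(r, paths) for r in rings.values())
            for p in paths}

def weakest_path(rings, paths=ENTRY_PATHS):
    """The path with the fewest rings in the way, and that count."""
    depth = depth_per_path(rings, paths)
    path = min(paths, key=depth.get)
    return path, depth[path]

def report(rings):
    """Summarise the holes per ring and the easiest way in."""
    holes = {n: ring_gaps(r) for n, r in rings.items() if ring_gaps(r)}
    path, depth = weakest_path(rings)
    return {"rings_with_holes": holes, "weakest_path": path,
            "layers_on_weakest_path": depth}

# Two "full" rings: every entry path is covered in each ring.
FULL_RINGS = {
    "perimeter": {"network firewall": ["internet"],
                  "wireless authentication": ["wireless"],
                  "physical security": ["physical_port"],
                  "host firewall": ["roaming_laptop"]},
    "data": {"file encryption and ACLs": list(ENTRY_PATHS)},
}

# Five "half" rings: each covers only two of the four entry paths.
HALF_RINGS = {
    "ring 1": {"network firewall": ["internet"], "door locks": ["physical_port"]},
    "ring 2": {"internet IDS": ["internet"], "wireless authentication": ["wireless"]},
    "ring 3": {"mail gateway antivirus": ["internet"], "disabled wall ports": ["physical_port"]},
    "ring 4": {"web proxy": ["internet"], "wireless encryption": ["wireless"]},
    "ring 5": {"second firewall": ["internet"], "server room lock": ["physical_port"]},
}

if __name__ == "__main__":
    for label, rings in (("two full rings", FULL_RINGS),
                         ("five half rings", HALF_RINGS)):
        print(label, report(rings))
```

In this sample the five half rings stack five layers on the internet path but leave the laptop taken home with none, while the two full rings leave no path with fewer than two layers.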

More Information:

See more on the DiD concept and Security Practices here:

Steve Riley and Jesper M. Johansson's 5 part webcast series from Technet's "Spotlight":
"Getting and Staying Secure the Right Way"

Rafal Lukawiecki's 2 part webcast series from Technet's "Spotlight":
"Active Security Common Practices"

Windows Home Security - 10 Generic Steps:

Computer and Data Security is something the average Internet user may not know much about, so we encourage them to start by watching the general introduction flash-videos from Microsoft (link1 and link2) and a Security Basics demo (link).

Security protection is important as most viruses and hackers try to exploit the low security settings of systems that are unpatched and have default settings. At the end of 2004 the SANS Institute could document that an unpatched system put on the Internet would be compromised within an average of 30 minutes.

Below you can find freeware tools and information about the 10 most generic security measures that most Internet users should consider implementing as part of their Defense in Depth plan for a Windows XP system.

Analysis has shown that most (about 85%) security incidents happen not due to "Elite" hackers or the infamous 0-day exploits, but due to simple failure in behaviour to protect the systems against known attacks. The SANS Institute analyzed this and came up with their SANS Top-20 list (link) of what is mostly used during attacks.

Why: A personal firewall will block intruders and most malware from entering your system - even if your system, software or antivirus product is not updated. Some firewalls will also block unauthorized outbound traffic.

What: You can learn more details about what a firewall is, what it does and how it does it from the following links:

Where: Here is a collection of firewall software that is free for personal use. Read about them and select the product that best meets your needs:

Scan: You can test your firewall by having someone (a web-service) scan and probe your system from the outside on the Internet:

Why: Two security issues must be considered. First, can other users attack your computer through the wireless connection? Second, can a malicious person abuse your Internet connection to commit Internet crime through your wireless access point? The second issue is especially hard to defend against, as no cabling is required and logging is mostly impossible. Private wireless access points should always use encryption and authentication, while computers using an untrusted public network (wireless or not) should always use a firewall.

What: You can read more about wireless encryption and authentication here:

Why: Automatic Update is a feature of most operating systems and software that will ensure that your system has applied all the latest updates for security and features. It is important to have an updated system, as most viruses and worms spread by exploiting unpatched systems. Hackers may also be able to enter and take full control of your system by exploiting an unpatched security hole.

What: You can learn more details about how to use automatic update from the following links:

Where: Most software also has the option to perform an online update from either the Help or Tools Menu. To enable Automatic Updates you can read more on the following links:

Scan: To ensure your system and software are updated you can scan your system online or yourself using the following tools:

Why: Windows will by default have some settings that could be considered minor security flaws. These should be locked down to prevent information disclosure that could help an attacker to attack your system.

What: The two primary flaws for volunteering information are the Windows Messenger Service and Anonymous Access using a "Null Session". Another good way to improve security is to disallow network access to the system using policies for all except required users. With no network access there can be no network attack, even when there is a vulnerability. Read more here:

Where: You can see how to deny network access to the computer, to disable the messenger service and to change the restrict anonymous setting here:

Why: Viruses, worms and Trojan horses can infect your system, destroy or erase your files and data, slow down your network, replicate using your email or network and open backdoors into your system. It is important to block and to remove infections by viruses, worms and trojans.

What: You can learn more details about viruses, worms and trojans as well as antivirus software from the following links:

Where: Here is a collection of antivirus software that is free for personal use. Read about them and select the product that best meets your needs:

Scan: If you don't have antivirus software installed or you suspect that your current product does not know a brand new virus, you can use the antivirus vendors' online scanning of your system:

Why: Malware covers spyware, adware, badware, scumware, hijackers and trackware (besides viruses, worms and Trojan horses). This kind of software is often secretly installed on your system, tracks your habits, collects personal information about you, changes your settings or exposes you to advertising, all without your consent or knowledge. Often the software will slow down or even cripple your system, and it is most often very hard to uninstall and to get rid of.

What: You can learn more details about Malware in all forms from the following links:

Where: Here is a collection of malware scan and removal software that is free for personal use. Read about them and select the product that best meets your needs:

Scan: You can scan your computer online for malware using any of the following links:

Why: Full Disk Encryption is used to protect your data stored on the hard disk if the computer or hard disk is stolen. For this scenario the protection is even more secure than file and folder encryption. If a hacker gets physical access to your computer or hard disk, they will easily be able to get full administrative access to the system or hard disk, overruling access rights, and may be able to circumvent file and folder encryption software. The most secure solution is to also prevent access to the system by encrypting the whole system using full disk encryption.

What: You can learn more about disk encryption from the following links:

Where: Not many full disk encryption products exist and only two products (it still seems) are free:

Why: It is not enough to rely only on authorization to protect sensitive data, as system administrators will always be able to enforce access to the data. This is also true if a hacker or intruder manages to gain control of your system. Also, you can never be 100% sure access control is correctly implemented, as human errors do happen. The first step to protect sensitive data is to use encryption of files and folders. Some products work on files and folders, while others create a container or virtual drive to place sensitive files and folders in. Access to the files is based upon a password that most often is independent of the user's account in the operating system, e.g. the Windows user account. Full disk encryption will not protect a networked computer that has been opened, so file or folder encryption is needed.

What: You can learn more details about how file and folder encryption works in Windows EFS:

Where: Below is a collection of products that are free for personal use. Read about them and select the product that best meets your needs:

Why: If you need to send sensitive information by email you should encrypt any attached files and encrypt the contents of the email. Mail encryption focuses on securely exchanging mails with a friend, either by using a previously agreed upon password or using public key encryption (symmetrical or asymmetrical keys).

What: You can read more about encryption methods here:

Where: No programs that are free for personal use seem to exist.

Why: Both online and in real life it is important to guard your personal information and identity with great care. Phishing is a type of deception designed to steal your identity. This can later be used for scams or frauds where your identity is used, e.g. for purchases or loans. Other scams revolve around tricking money out of the victim by the promise of easy money, e.g. The Nigerian Letters. Another deception type is Social Engineering, where hackers trick usable information out of users they can manipulate.

What: You can learn more details about what phishing and other frauds are, and how to protect your information and identity from the following links:

Updated 2008/12/28