Saturday, February 23, 2013

A Few More Thoughts on Defense in Depth


“Security is not a product; it’s a continuous process.” - Unknown


An information security professional is a lifetime student.  The more you learn, the more you realize how much more there is to learn.  That being said, it’s time to wrap up our discussion of Defense in Depth.

The main objective of any security program is to ensure confidentiality, integrity, availability, authentication, and non-repudiation of information systems.  These five items make up the five pillars of information assurance:

-Confidentiality - the prevention of unauthorized disclosure of information
-Integrity - ensuring information is protected from unauthorized or unintentional alteration, modification, or deletion
-Availability - ensuring information is readily accessible to authorized users
-Authentication - the establishment and verification of user identity
-Non-repudiation - method of guaranteeing message transmission between parties via digital signature and/or encryption; assurance that a transmission cannot later be denied by either of the parties involved

DID strategies support this objective.  The concept of DID is based on the premise that multi-layered defenses create a comprehensive strategy that is stronger than any single system.  These defenses span multiple technological solutions, operational procedures, and the education of personnel.  Throughout this blog series, we have covered each layer of the DID model in detail, but we can summarize a DID strategy here with the inclusion of the following tools:

-User policies and training
-Strong password policy
-Workstation lockdown rules
-Access control policies based on the principle of least privilege
-Packet filtering firewall with stateful packet inspection
-DMZ for isolated, externally-facing servers
-Intrusion detection/prevention
-Proxy server
-Wireless network authentication and encryption
-Antivirus protection for network, file servers and clients
-Spam filtering at server and client
-Content monitoring and filtering
-Mobile device validation
-Host-Based firewall for servers and clients
-Patch management
-Application layer firewall with deep packet inspection
-Application security features
-Appropriate use of data encryption
(Again, this is not an exhaustive list, and the need for security measures varies from system to system.)

So this completes the blog series on Defense in Depth.  I hope you learned as much as I have.  Join me again soon to visit more information security topics.

Thanks for reading!

Jen

Thursday, February 21, 2013

Thoughts on Defense in Depth

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” - Bruce Schneier 



As we discussed in an earlier post, DID’s main disadvantage is complexity.  Implementing security at every layer takes a lot of planning and valuable resources.  It is important to consider if and how security measures can work together as well as the maintenance, administration, and monitoring that is required for each.  DID must achieve a balance between protection capability and cost, performance, and operational considerations.  There must also be a balance between security and functionality.

Employing a proper DID strategy is expensive, especially if products are purchased from multiple vendors.  (Mixing vendors throughout the system may provide some level of added protection so that the whole system will not be threatened by one vendor’s vulnerability.)  It may include multiple products with overlapping functionality.  It may involve managing more physical hardware.  It may require justification of the purchase of new equipment rather than repurposing old equipment.  It’s an expense that is difficult to justify because the return on investment is not apparent to all staff members; however, the justification is warranted.

It is also important to consider that more layers are not always better; effective security depends on the quality of the layers that are implemented.  Just because several security measures are in place does not guarantee that they are all working synergistically.  That is why it is so important to take the time to study what the security needs are and what the available resources can support.

Defense in Depth is definitely a viable security strategy, but it may take some research as to what resources are available and what the specific needs of the company are.  Best wishes on your security endeavors!

Thanks for reading!

Jen

Friday, February 8, 2013

Defense in Depth Layer 7: Data Security

“Be careful and you will save many men from the sin of robbing you.” — Ed Howe

The final layer in the Defense in Depth security model protects the sensitive data itself.  Protecting this data is the end goal of almost all IT security measures.  Protection strategies at this layer should focus on stored data as well as data in transit.  As you can see from the image below, we will have covered all layers in the Defense in Depth security model.
Image retrieved from www.windowsecurity.com

1. Encryption
Encryption helps protect data where it resides and as it travels across a network by controlling access to it while verifying its authenticity and maintaining its availability.  To read an encrypted file, one must have access to a secret key or password that enables decryption.  Unencrypted data is called plaintext; encrypted data is called ciphertext.  There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

Protocols such as TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) use strong encryption to keep data private in transit, though on their own they cannot always ensure its security.  A website that uses these protocols can be verified by checking the digital signature on its certificate, which in turn must be validated by a trusted Certificate Authority.  There are many encryption algorithms available in software, but not all of them are equally reliable.

2. Access Control/Authentication
As with network-level, host-level, and application-level authentication, only authorized users should be given access to the data.  Access control and transaction logging are implemented at this layer.  If data is changed, it is important to track by whom, and this is especially true when dealing with sensitive information.
 
3. Data Loss/Leakage Prevention (DLP)
DLP is a strategy for making sure that end users do not send sensitive or confidential information outside of the company network.  DLP is also used to describe software products that help a company control what data end users can transfer.

4. Data Backup
Backing up is the copying and archiving of data so it may be used to restore the original after a data loss event.  Data should be backed up on a regular basis.  Backups should be created on reliable media, and they should be kept in a secure, off-site location.

So there you have it!  We’ve covered all layers of the Defense in Depth security model.  We’ve actually covered the layers within the layers.  As you can see, security measures can easily become very complex, and complexity typically equals more money.  Our next blog post will discuss how to balance security concerns with cost constraints.

Thanks for reading!

Jen

Wednesday, February 6, 2013

Defense in Depth Layer 6: Application Security

"One person's ‘paranoia’ is another person's ‘engineering redundancy’." — Marcus J. Ranum

Image retrieved from http://www.sentrillion.com/cyber/secure-architecture.php

Once again, we continue exploring the Defense in Depth model of security.  The second-to-last layer we will discuss is the application layer.  The application layer of the defense in depth model focuses on keeping applications on a host system and workstations secure.  Applications are the software that manipulates the data, which is the ultimate attack target.  Poorly protected applications can provide easy access to confidential data.  These applications, such as customer relationship management and financial systems, can provide a target to individuals with malicious intent. The following components are essential for application layer security.

1. Application Shield 
An application shield, often referred to as an application-level firewall, ensures that incoming and outgoing requests are allowable for the application at hand.  The application shield is commonly installed on web servers, email servers, database servers, etc.  It is finely tuned to the host device’s expected functionality; e.g. an application shield on an email server would be configured to prevent an incoming mail message from automatically launching executables, as this is not a typical or necessary email function.

2. Access Control/Authentication 
Like network-level and device-level authentication, only authorized users should be able to access an application.  All users may be authorized to access the company network, but only select workgroups should be allowed access to certain specific information.  These control systems ensure that only authorized users are given access to protected data.

3. Input Validation 
Validating data before it enters an application can resolve a number of vulnerabilities.  Many existing vulnerabilities are exploited by overflowing buffers: an attacker supplies more input than the buffer was sized to hold, which can push the program, or the operating system, into a state it was never designed to handle.  The attacker may then gain complete access to the entire system.  An additional benefit of validation is that the data is more accurate, which makes the entire information base more reliable.

For example, the only acceptable input from a zip code field on a web-form should be the standard five number characters.  All other input should be denied and produce an error message when submitted.  Key words should also be filtered, especially command-related terms. 
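As an added example (not code from the original post), here is an allow-list validator in Python for a web form along the lines described above: each field accepts only its defined format, everything else is rejected with an error, and a length cap is applied before any pattern matching.  The field names and limits are constructed for this example.

```python
import re

# Allow-list rules: the only shapes each field may take.  Field names and
# limits are constructed for this example.  Note [0-9] rather than \d: in
# Python 3 str patterns, \d also matches non-ASCII digits, which a US zip
# code field should not accept.
FIELD_RULES = {
    "zip_code": re.compile(r"[0-9]{5}"),            # exactly five digits
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),  # no spaces or punctuation
    "quantity": re.compile(r"[1-9][0-9]{0,3}"),     # 1 to 9999, no leading zero
}

# Hard length cap checked before any pattern, so oversized input is
# rejected cheaply and never reaches later processing.
MAX_FIELD_LENGTH = 64


class ValidationError(ValueError):
    """Raised with a message suitable for returning to the user."""


def validate_field(name, raw):
    """Return the value unchanged if it matches its allow-list rule, else raise."""
    if not isinstance(raw, str):
        raise ValidationError(f"{name}: expected a text value")
    if len(raw) > MAX_FIELD_LENGTH:
        raise ValidationError(f"{name}: input exceeds {MAX_FIELD_LENGTH} characters")
    rule = FIELD_RULES.get(name)
    if rule is None:
        # Unknown fields are rejected too; the form defines what it accepts.
        raise ValidationError(f"{name}: unexpected field")
    # fullmatch requires the entire string to match, so trailing characters
    # such as a newline or a semicolon cause rejection.
    if rule.fullmatch(raw) is None:
        raise ValidationError(f"{name}: value does not match the required format")
    return raw


def is_valid(name, raw):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_field(name, raw)
        return True
    except ValidationError:
        return False


def validate_form(form):
    """Validate every submitted field and report all errors at once.

    Returns (clean_values, errors); the form is acceptable only when errors
    is empty.  Missing required fields are reported as errors as well.
    """
    clean, errors = {}, {}
    for name, raw in form.items():
        try:
            clean[name] = validate_field(name, raw)
        except ValidationError as exc:
            errors[name] = str(exc)
    for name in FIELD_RULES:
        if name not in form:
            errors[name] = f"{name}: field is required"
    return clean, errors
```

Because every field is matched against an allow-list, command-related terms are rejected by construction rather than by a keyword list that must be kept up to date.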

4. Application Hardening 
Application hardening is a security measure designed to prevent exploitation of various types of vulnerabilities in software applications.  Application hardening tools are designed to protect code from hackers by using obfuscation, encryption, or authentication techniques.  These tools will ward against tampering, piracy, reverse-engineering, malware insertions, and unauthorized use. 

5. Content Filtering Software 
Content filtering software can be used to block malware and other content that contains hostile, intrusive, or annoying material including adware, spam, computer viruses, worms, trojan horses, and spyware.

6. Application Gateway/Proxy 
An application gateway is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway or proxy. The client negotiates with the proxy server in order to communicate with the destination service. The proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. 

Next time, we will cover the last layer of the Defense in Depth model of security, the data layer.

Thanks for reading!

Jen

Saturday, January 26, 2013

Defense in Depth Layer 5: Host Security


"We have only two modes - complacency and panic."
— James R. Schlesinger



The host layer of security focuses on keeping host operating systems and workstations secure.   A host is any device/computer/server with a unique Internet Protocol (IP) address that is interlinked with another machine through an Internet connection.  Security at this layer is especially challenging as these devices are designed to multitask and interact with multiple applications and services simultaneously.  The following is a list of measures to support host security.

1. Host Vulnerability Assessment and Management
Host-based scanners can recognize system-level vulnerabilities including incorrect file permissions, registry permissions, and software configuration errors.  They also ensure that target systems comply with predefined company security policies.  

2. Host-Based IDS/IPS
Host-based intrusion detection systems (HIDS) consist of software agents installed on individual computers within the system.  A HIDS analyzes traffic to and from the specific computer on which it is installed.  It can monitor activities that only an administrator should be able to perform.  It is also able to monitor changes to key system files and any attempt to overwrite these files, as well as prevent Trojan or backdoor installation.

Host-based intrusion prevention systems (HIPS) are used to protect servers and workstations through software that runs between the system's applications and operating system.  The software is preconfigured to determine the protection rules based on intrusion and attack signatures.  The HIPS will catch suspicious activity on the system and will either block or allow the event depending on predefined rules.  It also monitors activities including application or data requests, network connection attempts, and read/write attempts.
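As an added example, not code from the original post, here is a minimal Python file-integrity check of the kind a HIDS performs for key system files: take a SHA-256 baseline of a directory tree, then compare a later snapshot to report added, removed, and modified files.  The directory layout and file contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def baseline(root):
    """Map each regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare(before, after):
    """Report what changed between two baselines; empty lists mean no change.

    A file renamed without a content change shows up as one removal plus
    one addition, since the comparison is keyed by path.
    """
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo():
    """Build a constructed tree, baseline it, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        (root / "bin" / "ls").write_bytes(b"constructed binary contents")
        before = baseline(root)

        # Simulated unauthorized changes: one file edited in place, one
        # binary renamed.  Any byte-level edit changes the digest.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.99 extra\n")
        (root / "bin" / "ls").rename(root / "bin" / "ls.orig")
        after = baseline(root)
        return compare(before, after)
```

In practice the baseline would be stored on read-only or remote media, since an intruder who can alter the monitored files can usually alter a locally stored baseline as well.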

3. Access Control and Authentication
Host-based access control grants or denies access depending on the IP address of the machine that requested access.  This system is the least intrusive to users because access is granted on the basis of the machine address.  User authentication allows access control on an individual user basis by utilizing user and password lists to provide the necessary authentication.

4. Host-Based Anti-Virus Protection
Anti-virus protection should ensure that updates to the required signature files for addressing new forms of malware are delivered as soon as possible.  A signature file contains information that anti-virus programs use to detect malware during a scan.  Signature files are designed to be regularly updated by the anti-virus application vendors and downloaded to the client computer.

5. Host-Based Firewall
Host-based firewalls can be used to reduce the attack surface on servers as well as to remove unwanted services and applications.  Host-based firewalls control incoming and outgoing network traffic on individual hosts.  The firewalls check each packet's source, destination address, port, type, etc., and then determine whether to allow them into the machine.  Host-based firewall software must be enabled and configured to block all inbound traffic that is not clearly required for the intended use of the device.

6. Host Hardening
Host hardening works with intrusion detection and is an important part of a secure architecture. It is especially important when it comes to public-facing or Internet-enabled servers such as email, web, or DNS servers.  The main function of host hardening is to harden key servers to ensure the confidentiality and integrity of the systems.  Host hardening measures include:  disabling unused services and user accounts, tightening security settings of required services and file systems, replacing vulnerable services with more secure alternatives, and removing unused tools, libraries, and files.

7. Port Control
It is important to block any unnecessary ports, restrict access to necessary ports whenever possible, and audit open ports to determine if required ports are being abused or if unnecessary ports have been opened.

8. Patch and Security Update Management
It is important to keep up to date on all security related patches and updates. The most commonly exploited security vulnerabilities are widely known and already have patches and updates which address them.  The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation.

9. Logging and Auditing
Critical areas of the host can be logged, and the logs can be audited for any unusual activity.  As hosts communicate with each other, the transferred packets are logged to the system log.  Logged information can be monitored for traffic analysis and debugging assistance.
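As an added example, not code from the original post, here is Python detection logic that audits constructed, syslog-style authentication lines for the kind of unusual activity described above: it flags a source that fails to log in repeatedly within a short window, and raises the severity if a successful login from that source follows the burst.  The log format, hostnames, and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-style with ISO timestamps); not from a real host.
SAMPLE_LOG = """\
2013-01-26T10:00:01 host1 sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 40001
2013-01-26T10:00:03 host1 sshd[202]: Failed password for root from 203.0.113.5 port 40002
2013-01-26T10:00:04 host1 sshd[203]: Failed password for root from 203.0.113.5 port 40003
2013-01-26T10:00:06 host1 sshd[204]: Failed password for root from 203.0.113.5 port 40004
2013-01-26T10:00:07 host1 sshd[205]: Failed password for root from 203.0.113.5 port 40005
2013-01-26T10:00:09 host1 sshd[206]: Accepted password for root from 203.0.113.5 port 40006
2013-01-26T10:05:00 host1 sshd[210]: Failed password for jen from 10.0.0.12 port 50001
2013-01-26T10:05:20 host1 sshd[211]: Accepted password for jen from 10.0.0.12 port 50002
2013-01-26T11:00:00 host1 sshd[220]: Failed password for bob from 198.51.100.9 port 41000
2013-01-26T11:30:00 host1 sshd[221]: Failed password for bob from 198.51.100.9 port 41001
2013-01-26T12:00:00 host1 sshd[222]: Failed password for bob from 198.51.100.9 port 41002
2013-01-26T12:30:00 host1 sshd[223]: Failed password for bob from 198.51.100.9 port 41003
2013-01-26T13:00:00 host1 sshd[224]: Failed password for bob from 198.51.100.9 port 41004
"""

LINE_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for unrelated lines."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    ts, outcome, user, src = match.groups()
    return datetime.fromisoformat(ts), outcome, user, src


def audit_logins(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside `window`.

    Returns {source: {"severity", "failures", "users", "accepted_user"}}.
    Severity becomes "high" when an accepted login from the same source
    follows the burst within the window.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            by_source[event[3]].append(event)

    alerts = {}
    for src, events in by_source.items():
        events.sort()            # log lines are not always in time order
        recent = deque()         # failure timestamps still inside the window
        users = set()            # every account attempted from this source
        burst_end = None
        for ts, outcome, user, _ in events:
            if outcome == "Failed":
                recent.append(ts)
                users.add(user)
                while ts - recent[0] > window:
                    recent.popleft()
                if len(recent) >= threshold:
                    burst_end = ts
                    alert = alerts.setdefault(src, {"severity": "medium", "failures": 0,
                                                    "users": [], "accepted_user": None})
                    alert["failures"] = max(alert["failures"], len(recent))
                    alert["users"] = sorted(users)
            elif burst_end is not None and ts - burst_end <= window:
                alerts[src]["severity"] = "high"
                alerts[src]["accepted_user"] = user
    return alerts
```

The slow series of failures from 198.51.100.9 is missed at a 60-second window and caught at a one-day window, which is why thresholds and windows need tuning against the host's normal traffic.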

10. Lockdown Mode
Lockdown mode is a security setting used to disable direct user access to a host.  When direct user access is disabled, the host must be managed from the server.  This ensures that the security policies and access controls defined on the server are always enforced, and users are not able to bypass security by logging into the host directly.

Next time, we’ll continue the Defense in Depth journey by discussing application layer security.

Thanks for reading!

Jen

Monday, January 21, 2013

Defense in Depth Layer 4: Internal Network Security


"Do not figure on opponents not attacking; worry about your own lack of preparation."
- Book of the Five Rings



This is the sixth post in the series/semester.  The next step in our journey through the Defense in Depth model of security is the internal network.  Internal network security deals with authenticating network users, authorizing access to the network resources, and protecting the information that flows over the network.  There are various tools here to protect the network from potential attackers and traffic that should not be there.  The following is a list of key elements for internal network security.

1. Vulnerability Assessment and Management
Network services should be assessed and tested for vulnerabilities on a regular basis.  The purpose is to discover possible attack vectors to each host and device on the network and to address them in a way that makes an attack more difficult.

2. Network Segmentation
The process of network segmentation splits the network into sub-networks or network segments.  Network segments are created to control the flow of traffic between hosts on different segments.  In addition to improving performance by reducing congestion and containing network problems, segmenting the network improves security by ensuring that only appropriate traffic is forwarded between segments and that the internal network structure is not visible from the outside.

3. Network-Based IDS/IPS
The internal network layer, like the perimeter layer, works in conjunction with IDS/IPS.  As we discussed in the last blog post, the intrusion detection system is in place to identify and proactively respond to problems, while the intrusion prevention system allows for an automated response to potential security breaches.

4. Internet Protocol Security (IPsec)
IPsec is a set of protocols for securing IP communications by authenticating and encrypting each IP packet of a communication session.  IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session.  It can be used to protect data flows between a pair of security gateways (network-to-network) or between a security gateway and a host (network-to-host).

5. Network Access Control (NAC)
NAC restricts the availability of network resources to endpoint devices that comply with a defined security policy.  NAC restricts the data that each individual user can access and can also implement anti-threat applications such as firewalls, anti-virus software, and spyware-detection programs.  NAC also regulates and restricts the things individual subscribers can do once they are connected.

6. Access Control and Authentication
Access control is the means of controlling what a user or device can and cannot access.  Authentication is the method used to identify a user or device.  Access control and authentication measures have evolved to include ID and password, digital certificates, security tokens, smart cards, and biometrics.  Access control lists (ACLs) filter traffic so that only permitted IP addresses can access systems and services.

7. Network-Based Anti-Virus Protection
Network-based anti-virus software can eliminate viruses and worms before they reach other layers.

8. Network Communication Encryption
Encryption can defend network communications in three ways:
-An encrypted link can be constructed so that a third party cannot see its contents while data is in transit.
-An encrypted link can be constructed so that data cannot be modified while it is in transit without the modifications being detected.
-An encrypted link can be constructed to ensure the sender’s identity.

9. Network Analytics and Monitoring
Network traffic flow can be analyzed to determine patterns and identify potential risks.  This can be done through packet sampling, port scanning, behavior anomaly tracking, threat detection, rogue traffic quarantine, and network event management.

Next time, we’ll discuss security at the host layer.  

Thanks for reading!

Jen



Monday, January 14, 2013

Defense in Depth Layer 3: Perimeter Security


“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place, be transported halfway across the planet in seconds, and be stolen without your knowledge.” — Bruce Schneier

Image retrieved from v3.co.uk


The perimeter of the network is the part that touches the outside world.  Therefore, it is essential to strengthen defenses along the edges of the network to promote comprehensive protection.  The perimeter is the network's border where data flows in from, and out to, other networks, including the Internet.  Perimeter defense allows authorized data to enter while blocking suspicious traffic, and it is handled by several different components, outlined below.

1. Border Router
The border router is the last controllable router before an untrusted or external network, e.g. the Internet.  Since all Internet traffic passes through the border router, it is a practical place for filtering.  It is the first and last line of defense.

2. Demilitarized Zone (DMZ)
A DMZ is a small network that provides public services with low security.  It is a neutral area, created outside the firewall, between a company’s network and an external network, e.g. the Internet.  A web server, for example, might be placed in the DMZ rather than behind the firewall because of the traffic it generates or because it needs less protection than internal systems.

3. Firewall
A firewall is a chokepoint device that decides which traffic is permitted and which is denied.  For perimeter defense, firewalls are available as software (installed inside a router) or as standalone hardware appliances.  A firewall can provide services such as the following:
-Stateful packet inspection – analyzes transactions to ensure inbound packets were requested
-Packet filtering – blocks data from specified IP addresses and ports
-Network Address Translation (NAT) – presents a single IP address representing multiple internal IP addresses to the outside world.
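As an added example, not from the original post, the following Python model shows how the first two services above combine on a perimeter device: a default-deny policy, a static packet filter for blocked sources and published services, a stateful table that admits inbound packets only when they answer an outbound request, and an anti-spoofing check on the internal address range.  Addresses and rules are constructed from the reserved documentation ranges; NAT is not modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = leaving the internal network, "in" = arriving


class StatefulFirewall:
    """Default-deny perimeter filter with a connection table.

    Rule order for inbound packets: anti-spoofing, static block list,
    stateful match against recorded outbound sessions, static allow list
    for published services, then default deny.
    """

    def __init__(self, internal_net, inbound_allow, blocked_nets):
        self.internal = ipaddress.ip_network(internal_net)
        self.inbound_allow = set(inbound_allow)            # (dst_ip, dst_port, proto)
        self.blocked = [ipaddress.ip_network(n) for n in blocked_nets]
        self.sessions = set()                               # 5-tuples of outbound flows

    def filter(self, pkt):
        """Return (allowed, reason) and record state for outbound packets."""
        src = ipaddress.ip_address(pkt.src_ip)
        if pkt.direction == "out":
            if src not in self.internal:
                return False, "outbound packet with non-internal source dropped"
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True, "outbound allowed; session recorded"

        # Inbound path: an internal address arriving from outside is spoofed.
        if src in self.internal:
            return False, "spoofed internal source on external interface"
        if any(src in net for net in self.blocked):
            return False, "packet filter: source on block list"
        # A reply swaps the endpoints of the recorded outbound flow.
        reply_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reply_key in self.sessions:
            return True, "stateful inspection: reply to an established session"
        if (pkt.dst_ip, pkt.dst_port, pkt.proto) in self.inbound_allow:
            return True, "packet filter: published service"
        return False, "default deny"


def build_demo_firewall():
    """Constructed policy: internal 10.0.0.0/24, one public web server, one blocked range."""
    return StatefulFirewall(
        internal_net="10.0.0.0/24",
        inbound_allow={("10.0.0.80", 80, "tcp"), ("10.0.0.80", 443, "tcp")},
        blocked_nets=["192.0.2.0/24"],
    )
```

A real device ages entries out of its session table and tracks TCP state transitions; this model keeps sessions forever to stay short.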

4. Intrusion Detection System (IDS)
An IDS is an alarm system that detects malicious and suspicious activities by analyzing network traffic.  If something unusual is detected, the IDS alerts the network administrator to take action to stop the event.  A network-based intrusion detection system is referred to as a NIDS.

5. Intrusion Prevention System (IPS)
An IPS is similar to an IDS, except that the IPS takes automatic and immediate defensive action without requiring action by the network administrator. 

6. Virtual Private Network (VPN)
A VPN provides perimeter security by encrypting the data sent between a business network and remote users over the Internet.  This creates a private tunnel through the Internet.

Perimeter defense measures are designed to fortify the network boundary.  While the components listed above do not constitute an exhaustive list, they give us an idea of what is required for perimeter security.  Once again, it is easy to see how this layer is actually layers within a layer.  These different technologies work in unison to create a protective barrier.  

Next time, we will discuss the internal network layer. 

Thanks for reading!

Jen