Saturday, February 23, 2013

A Few More Thoughts on Defense in Depth


“Security is not a product; it’s a continuous process.” - Unknown


An information security professional is a lifetime student.  The more you learn, the more you realize how much more there is to learn.  That being said, it’s time to wrap up our discussion of Defense in Depth.

The main objective of any security program is to ensure confidentiality, integrity, availability, authentication, and non-repudiation of information systems.  These five items make up the five pillars of information assurance:

-Confidentiality - the prevention of unauthorized disclosure of information
-Integrity - ensuring information is protected from unauthorized or unintentional alteration, modification, or deletion
-Availability - ensuring information is readily accessible to authorized users
-Authentication - the establishment and verification of user identity
-Non-repudiation - method of guaranteeing message transmission between parties via digital signature and/or encryption; assurance that a transmission cannot later be denied by either of the parties involved

DID strategies support this objective.  The concept of DID is based on the premise that multi-layered defenses create a comprehensive strategy that is stronger than any single system.  These defenses span multiple technological solutions, operational procedures, and the education of personnel.  Throughout this blog series, we have covered each layer of the DID model in detail, but we can summarize a DID strategy here with the inclusion of the following tools:

-User policies and training
-Strong password policy
-Workstation lockdown rules
-Access control policies based on the principle of least privilege
-Packet filtering firewall with stateful packet inspection
-DMZ for isolated, externally-facing servers
-Intrusion detection/prevention
-Proxy server
-Wireless network authentication and encryption
-Antivirus protection for network, file servers and clients
-Spam filtering at server and client
-Content monitoring and filtering
-Mobile device validation
-Host-Based firewall for servers and clients
-Patch management
-Application layer firewall with deep packet inspection
-Application security features
-Appropriate use of data encryption
(Again, this is not an exhaustive list, and the need for security measures varies from system to system.)

So this completes the blog series on Defense in Depth.  I hope you learned as much as I have.  Join me again soon to visit more information security topics.

Thanks for reading!

Jen

Thursday, February 21, 2013

Thoughts on Defense in Depth

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” - Bruce Schneier 



As we discussed in an earlier post, DID’s main disadvantage is complexity.  Implementing security at every layer takes a lot of planning and valuable resources.  It is important to consider if and how security measures can work together as well as the maintenance, administration, and monitoring that is required for each.  DID must achieve a balance between protection capability and cost, performance, and operational considerations.  There must also be a balance between security and functionality.

Employing a proper DID strategy is expensive, especially if products are purchased from multiple vendors.  (Mixing vendors throughout the system may provide some level of added protection so that the whole system will not be threatened by one vendor’s vulnerability.)  It may include multiple products with overlapping functionality.  It may involve managing more physical hardware.  It may require justification of the purchase of new equipment rather than repurposing old equipment.  It’s an expense that is difficult to justify because the return on investment is not apparent to all staff members; however, the justification is warranted.

It is also important to consider that more layers are not always better; effective security depends on the quality of the layers that are implemented.  Just because there are several security measures in place, it does not guarantee that they are all working synergistically.  That is why it is so important to take the time to study what the security needs require and what the resources can support.

Defense in Depth is definitely a viable security strategy, but it may take some research as to what resources are available and what the specific needs of the company are.  Best wishes on your security endeavors!

Thanks for reading!

Jen

Friday, February 8, 2013

Defense in Depth Layer 7: Data Security

“Be careful and you will save many men from the sin of robbing you.” — Ed Howe

The final layer in the Defense in Depth security model protects the sensitive data itself.  Protecting this data is the end goal of almost all IT security measures.  Protection strategies at this layer should focus on stored data as well as data in transit.  As you can see from the image below, we will have covered all layers in the Defense in Depth security model.
Image retrieved from www.windowsecurity.com

1. Encryption
Encryption helps protect data where it resides and as it travels across a network by controlling access to it while verifying its authenticity and maintaining its availability.  To read an encrypted file, one must have access to a secret key or password that enables decryption.  Unencrypted data is called plaintext; encrypted data is called ciphertext.  There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.

Strong encryption like TLS (Transport Layer Security) and SSL (Secure Sockets Layer) will keep data private, though it can't always ensure its security.  A website that uses these types of encryption can be verified by checking the digital signature on its certificate, which in turn must be validated by an approved Certificate Authority.  There are many types of data encryption software algorithms, but not all of them are equally reliable.

2. Access Control/Authentication
Like network-level, host-level, and application-level authentication, only authorized users should be given access to the data.  Access control and transaction logging are implemented at this layer.  If data is changed, it is important to track by whom, and this is especially true when dealing with sensitive information.
 
3. Data Loss/Leakage Prevention (DLP)
DLP is a strategy for making sure that end users do not send sensitive or confidential information outside of the company network.  DLP is also used to describe software products that help a company control what data end users can transfer.

4. Data Backup
Backing up is the copying and archiving of data so it may be used to restore the original after a data loss event.  Data should be backed up on a regular basis.  Backups should be created on reliable media, and they should be kept in a secure, off-site location.

So there you have it!  We’ve covered all layers of the Defense in Depth security model.  We’ve actually covered the layers within the layers.  As you can see, security measures can easily become very complex, and complexity typically equals more money.  Our next blog post will discuss how to balance security concerns with cost constraints.

Thanks for reading!

Jen

Wednesday, February 6, 2013

Defense in Depth Layer 6: Application Security

"One person's ‘paranoia’ is another person's ‘engineering redundancy’." — Marcus J. Ranum

Image retrieved from http://www.sentrillion.com/cyber/secure-architecture.php

Once again, we continue exploring the Defense in Depth model of security.  The second-to-last layer we will discuss is the application layer.  The application layer of the defense in depth model focuses on keeping applications on a host system and workstations secure.  Applications are the software that manipulates the data, which is the ultimate attack target.  Poorly protected applications can provide easy access to confidential data.  These applications, such as customer relationship management and financial systems, can provide a target to individuals with malicious intent. The following components are essential for application layer security.

1. Application Shield 
An application shield, often referred to as an application-level firewall, ensures that incoming and outgoing requests are allowable for the application at hand.  The application shield is commonly installed on web servers, email servers, database servers, etc.  It is finely tuned to the host device’s expected functionality, e.g. an application shield on an email server would be configured to prevent an incoming mail message from automatically launching executables, as this is not a typical or necessary email function.

2. Access Control/Authentication 
Like network-level and device-level authentication, only authorized users should be able to access an application.  All users may be authorized to access the company network, but only select workgroups should be allowed access to certain specific information.  These control systems ensure that only authorized users are given access to protected data.

3. Input Validation 
Pre-validation of data that is being entered into an application can resolve a number of vulnerabilities.  Many of the existing vulnerabilities are achieved through overflowing buffers.  An attacker overflows the input buffer, which causes the operating system to default to a known state.  The attacker may then have complete access to the entire system.  An additional benefit of validation is that the data is more accurate, which makes the entire information base more reliable.

For example, the only acceptable input from a zip code field on a web form should be the standard five digits.  All other input should be denied and produce an error message when submitted.  Key words should also be filtered, especially command-related terms.
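The zip code rule above expressed as an allowlist check, as an added example that is not code from the original post.  It compares the strict pattern with a looser one that many people write first, and the sample submissions are constructed for illustration.

```python
import re

# Allowlist pattern: exactly five ASCII digits and nothing else.
# fullmatch() anchors both ends, unlike "$", which would still accept a trailing newline.
ZIP_RE = re.compile(r"[0-9]{5}")

# Looser pattern for comparison: in Python, \d also matches non-ASCII Unicode digits
# (Arabic-Indic, fullwidth, etc.) unless re.ASCII is set, so it is wider than intended.
LOOSE_ZIP_RE = re.compile(r"\d{5}")


def validate_zip(value):
    """Return (ok, message).  Only a five-digit ASCII zip code is accepted."""
    if not isinstance(value, str):
        return False, "Zip code must be text"
    if ZIP_RE.fullmatch(value) is None:
        return False, "Zip code must be exactly five digits (0-9)"
    return True, ""


def loose_validate_zip(value):
    """Same check with the looser pattern; used only to show the difference."""
    return LOOSE_ZIP_RE.fullmatch(value) is not None


# Constructed sample submissions (not taken from any real form).
SAMPLES = [
    "12345",                            # valid
    "1234",                             # too short
    "12345-6789",                       # ZIP+4 is not allowed by the five-digit rule
    " 12345",                           # leading whitespace
    "12345\n",                          # trailing newline; rejected only because of fullmatch
    "1234e",                            # letter
    "\u0661\u0662\u0663\u0664\u0665",   # Arabic-Indic digits: \d accepts, [0-9] does not
    "12345; ls",                        # command-like text, rejected without any keyword list
]


def run_samples():
    """Map each sample to whether the allowlist check accepts it."""
    return {s: validate_zip(s)[0] for s in SAMPLES}
```

Because the allowlist only admits five ASCII digits, the command-related terms the post mentions never reach the application, with no blocklist of keywords to maintain.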

4. Application Hardening 
Application hardening is a security measure designed to prevent exploitation of various types of vulnerabilities in software applications.  Application hardening tools are designed to protect code from hackers by using obfuscation, encryption, or authentication techniques.  These tools will ward against tampering, piracy, reverse-engineering, malware insertions, and unauthorized use. 

5. Content Filtering Software 
Content filtering software can be used to block malware and other content that contains hostile, intrusive, or annoying material including adware, spam, computer viruses, worms, trojan horses, and spyware.

6. Application Gateway/Proxy 
An application gateway is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it connects to an application gateway or proxy. The client negotiates with the proxy server in order to communicate with the destination service. The proxy establishes the connection with the destination behind the firewall and acts on behalf of the client, hiding and protecting individual computers on the network behind the firewall. 

Next time, we will cover the last layer of the Defense in Depth model of security, the data layer.

Thanks for reading!

Jen