Defense-in-Depth: What Is It?
Peter Leight and Richard Hammer
August 2006
What is Defense-in-Depth?
- There is no "silver bullet" when it comes to network security
- Any layer of protection might fail
- Multiple levels of protection must be deployed
- Measures must be spread across a wide range of controls (preventive and detective measures)
Focus of Security is Risk
- Security deals with managing risk to your critical assets
- Security is basically an exercise in loss reduction
- It is impossible to totally eliminate risk, so we settle for residual risk
- Risk is the probability of a threat crossing or touching a vulnerability
- Risk is managed by utilizing defense-in-depth (DiD)
- Risk = threat x vulnerabilities
Key Focus of Risk
- Confidentiality / Disclosure
- Integrity / Alteration
- Availability / Destruction
(Diagram: the CIA triad of Confidentiality, Integrity and Availability)
Prioritizing CIA
- While all three areas of CIA are important to an organization, there is always one area that is more critical than the others
- Confidentiality: health care organizations, hospitals
- Integrity: financial institutions, banks
- Availability: e-commerce based organizations, online banking
What is a Threat?
- Possible danger
- Protect against the ones that are most likely or most worrisome, based on:
  - Intellectual property
  - Validated data
  - Business goals
  - Past history
  - Main point of exposure
- 5 Primary Threats: Malware, Insider, Health Epidemic, Terrorism, Natural Disasters
Vulnerabilities
- Weaknesses in a system
- Vulnerabilities are inherent in complex systems; they will always be present
- The majority of vulnerabilities are the result of poor coding practices
  - Lack of error checking
- Vulnerabilities are the gateway by which threats are manifested
- Vulnerabilities fall into two categories:
  - Known, those you can protect against
  - Unknown or "zero day"
Approaches to DiD
- Deploy measures to reduce, eliminate or transfer risk
- Five basic approaches:
  - Uniform protection
  - Protected enclaves
  - Information centric
  - Threat vector analysis
  - Role-based access control
Uniform Protection - DiD
- Most common approach to Defense-in-Depth
- Firewall, VPN, intrusion detection, anti-virus, etc.
- All parts of the organization receive equal protection
- Particularly vulnerable to malicious insider attacks
Protected Enclaves - DiD
- Work groups that require additional protection are segmented from the rest of the internal organization
- Restricting access to critical segments
  - DOE "unclean" network
  - System of VPNs
  - Internal firewalls
  - VLANs and ACLs
Information Centric Defense-in-Depth
- Identify critical assets and provide layered protection
- Data is accessed by applications
- Applications reside on hosts
- Hosts operate on networks
(Diagram: concentric layers Network > Host > Application > Info)
Vector Oriented DiD
- The threat requires a vector to cross the vulnerability
- Stop the ability of the threat to use the vector
  - USB thumb drives – disable USB
  - Floppy drives – disable
  - Auto-answer modems – digital phone PBX
Role-Based Access Control
- People are identified by their roles
- Data is accessed by roles, not people
- People can have more than one role
- More than one role can access the same data
Identity, Authentication, Authorization & Accountability
- Identity is who you claim to be
- Authentication is a process by which you prove you are who you say you are:
  - Something you know
  - Something you have
  - Something you are
  - Some place you are
- Authorization is determining what someone has access to or is allowed to do, after they have been properly authenticated
- Accountability deals with knowing who did what and when
Controlling Access
- Least Privilege: give someone the least amount of access they need to do their job
- Need to Know: only give them the access when they need it and take it away when it is no longer required
- Separation of Duties: break critical tasks across multiple people to limit your points of exposure
- Rotation of Duties: change jobs on a regular basis to prevent anyone from being able to get comfortable in a position and be able to cover their tracks
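The role-based access control and controlling-access slides above describe one model; the following is an added worked example (not part of the original deck) showing how those rules fit together in code: access is decided by roles rather than people, a person may hold several roles, several roles may reach the same data, need-to-know grants expire, and separation of duties refuses conflicting role pairs. The roles, data names and people are constructed sample values, not from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample policy (not from the slides). Roles map to the data
# they may read; access is granted to roles, never to named people.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"account_balances", "transaction_log"},
    "auditor": {"transaction_log", "audit_reports"},
    "loan_officer": {"loan_applications", "account_balances"},
}

# Separation of duties: role pairs no single person may hold together.
MUTUALLY_EXCLUSIVE = {frozenset({"teller", "auditor"})}


@dataclass
class Assignment:
    role: str
    expires: Optional[int] = None  # need to know: None means standing access


# Each person holds one or more role assignments (constructed sample data).
PEOPLE: Dict[str, List[Assignment]] = {
    "alice": [Assignment("teller")],
    "bob": [Assignment("auditor")],
    "carol": [Assignment("loan_officer"), Assignment("teller")],
}


def active_roles(person: str, now: int = 0) -> Set[str]:
    """Roles still valid at time `now`; expired grants drop away by themselves."""
    return {a.role for a in PEOPLE.get(person, [])
            if a.expires is None or now < a.expires}


def can_access(person: str, data: str, now: int = 0) -> bool:
    """Least privilege: allowed only if some active role carries the data."""
    return any(data in ROLE_PERMISSIONS[r] for r in active_roles(person, now))


def assign_role(person: str, role: str, expires: Optional[int] = None,
                now: int = 0) -> Set[str]:
    """Grant a role, refusing any grant that violates separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role}")
    for held in active_roles(person, now):
        if frozenset({held, role}) in MUTUALLY_EXCLUSIVE:
            raise ValueError(f"{role} conflicts with {held} held by {person}")
    PEOPLE.setdefault(person, []).append(Assignment(role, expires))
    return active_roles(person, now)


def roles_with_access(data: str) -> List[str]:
    """Several roles may reach the same data; list them for access review."""
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if data in perms)
```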