The ‘defend in depth’ principle in practise

Recent revelations of user account breaches at online service providers as diverse as eBay, SingPass, Target and innumerable OpenSSL-dependent organisations suggest that attacks against such targets are now succeeding on an unprecedented scale.

The wider public is unlikely to gain full knowledge of the whys and wherefores of the breaches: as is customary with security matters, the victims and the investigators are keeping the factual details close to their chests — assuming of course that they have been able to uncover such facts.

Nonetheless, it would appear that the principal conclusion to be drawn if you are a business executive or security professional is that your networks are under constant attack, and that some attacks will succeed – and in fact, have succeeded – quite probably unbeknown to you. In adopting such a stance however, it is vital to ensure that your organisation’s tactical security countermeasures continue to actively reflect and support strategic business objectives.

Periodically going back to first principles – security principles – may prove to be an effective way to consciously maintain links between the declarations of a sound security posture and the techniques that underpin it. Such practice is vital to ensuring that your organisation’s windows of opportunity are kept open to the fullest extent.

As an exercise in risk management, the practice of information security is pervaded with complex sets of interlocking decisions across people, process and technology domains; and through projects, products and services; all aimed at delivering upon the 'CIA' triad of security objectives: confidentiality, integrity and availability.

So how do you set about structuring the overall strategy, assembling the right technologies, framing the right questions and making the necessary decisions? What foundational truths will hold true for every strategic, tactical and operational choice made, individually and collectively, in the name of information security? The answer may lie in a conscious and deliberate adoption of a clear set of security principles.

> See also: Know your cyber-attacker: profiling a hacker

At this juncture, it is perhaps useful to quickly flag the distinction between principles and policies. Principles are foundational guidelines. Policies are courses of action. Crudely speaking, principles guide policies, and policies implement principles. At the edges, the distinction is in fact quite nuanced, and can only be done full justice in a dedicated article. But at the level of approximation appropriate for this piece, we can assert that, at another level, principles tend to be generic to security, whereas policies tend to be specific to organisations.

Security principles have not attained quite the degree of canonicity attributed to the CIA triad of security objectives. However, the most widely adopted principles are accepted as best-practice, and in many respects the most important of these is the 'Defend in Depth' principle.

Layering up

You may have at some point locked your password-protected laptop computer away in a hotel-room safe. If so, you would have been practicing defend-in-depth. To steal something from your e-mail, I would have had to get past hotel security (admittedly often trivial), get a key that lets me into your room, worked out your PIN to open the safe, obtained your laptop password and perhaps your separate (of course) password for your e-mail software. This exemplifies multi-layered security, which ensures that attackers have to breach multiple defences if they are to succeed at pilfering data.

Better yet, when deployed with deliberation, defend-in-depth confers multi-layered benefits, too: it deters, defeats or at least detains (delays) all but the most resourceful of attackers. Protecting, say, a database of usernames and passwords — which of course should be hashed or at least encrypted — not only deter the attackers, it also slow them down, increasing the likelihood of detection. For that reason, the multiple layers of security must also include sound detection methods in addition to the defensive measures.

As it happens, the SingPass service did have a number of security counter-measures in place — for example, there is strong-passwords policy in place, CAPTCHAs are used after failed logins, and out-of-band PIN-verification is deployed to protect password changes.

What was signally missing, however, is two-factor authentication, which exemplifies defend-in-depth in the narrow context of user authentication. In that context, a 'factor' is a means by which a user can be identified.

> See also: More enterprises plan to strengthen access security with multi-factor authentication

The three most common factors employed are: something the user knows (usually a password or PIN), something the user has (usually a token, card or key), and something the user is (usually represented by a fingerprint, retinal scan or voiceprint). Multi-factor schemes defend in depth by requiring more than one factor to be presented before access is granted to systems or resources. That way, the loss or theft of a password, for example, is not sufficient for a would-be attacker to gain illicit access to information.

By the way, a would-be attacker who calculates that your laptop is too well-defended in the hotel might target your company’s Web-mail instead. Unless of course your company, in a risk-avoidance reference to the 'Minimal Attack Surface Area' security principle, had established a policy that stipulated that the company will not employ Web-mail.

In medieval times, security engineering was deployed in the service of protecting castles, and defend-in-depth was taken to rather gory lengths. Every castle of note was defended by curtain walls (a fortified wall enclosing the space around the castle but not supporting the roof), a moat (deep ditch filled with water and impaling stakes), a barbican (a heavily fortified gatehouse), more than one portcullis (a suspended strong, heavy grating with impaling spikes) and a peppering of machicolations ('murder holes') and arrow-slits.

Then, as now, there was an arms race between defenders and would-be attackers. In the end, the technology that did for the castles and their elaborate defences was ballistic: cannons and mortar proved effective and efficient at destroying stone structures from a distance with reduced risk to the attackers. Nonetheless, the medieval age made the most of its ten centuries, which is a decent window of opportunity by most stretches of the imagination.

A sound security posture starts with good governance, used to establish an organisationally-appropriate framework within which principles, policies, processes and technologies are deployed. The principles should collectively serve as a reference point for all other decisions made in respect of security – which should actively be checked for conformance with the principles. Violation of the principles will likely lead to undesirable or unexpected results, so periodic or episodic conformance checks are vital. The aim of course is to keep your organisation’s windows of opportunity open wide enough and for long enough to deliver significant benefits to its stakeholders.


Sourced from Toyin Adelakun, VP of Products, Sestus International

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Breach