Thursday, March 17, 2016

Defence in Depth - Security or False Comfort?

Defence in Depth has been an information assurance approach used for many years to protect networks and systems within ICT environments.
In short, it involves adding multiple layers of security around your “core” protected system/environment so that attacks can be fended off as attackers meet these layers one after the next.  Should a control fail to protect a system, another control is there to prevent further attacks. It was introduced by the NSA and has been used by many companies in the past, and of course the present.
However, does DID (Defence-in-Depth) protect against hackers? Does it even slow them down?
This question is asked a lot because many companies that have implemented this kind of security approach found themselves to be hacked, or had breaches and other security-related problems.
Like any security methodology or process, DID has to yield to certain business requirements in order to be an enabler of business (this is a topic for another blog post, but suffice it to say, Security has to be a business enabler, not just a defender of business from risks).
In the process of enabling business, certain facilities have to be implemented for DID to allow business services to be properly provided. For example, for a user to access a website with an accounting system, that user needs access to the website. So, a firewall rule is created to allow users to access the web application. Now, for the web application to work – it needs to see the Database server behind the DMZ (see Google), as such access is opened for the web server to see the database server. Layer by layer we grant access to various systems for them to work together properly.
I wont go into more detail but you get the point? Our sphere of protection with its layers of defence in depth, now has a sharp “needle” put into it to the core to allow business to operate. This is not a problem, since of course the company’s security would be useless if it did not enable business systems to function for the company.
However, think of an attacker now. The attacker has access to the same website as “normal users”. Say this hacker finds a vulnerability to exploit in the web application that is available on the internet.
The hacker starts to exploit functions on the web application to access the database within the company. Defence in Depth is no longer a viable method of protection because as we mentioned above, we have opened a hole between the layers for our systems to work. The hacker thus is able to exploit the database and steal data via the web application front-end – all the while the company had a Defence in Depth approach.
The short fact is, trusted paths have to be carved into your DID implementations for business functions and other IT functions to operate. And it is through these methods that attackers attack your systems.
In conclusion, DID should be viewed as a piece of a much larger pie. It cannot be viewed as a check-box approach that guarantees security. In fact, it is an approach that should form a foundation towards a tailor-made solution that is implemented to suit your needs – both security, and business.
Add Defence in Depth to your overall strategy, but do not rely solely on it. Cyber Security is an ever-changing, evolving and granular entity that needs the correct input and advisory partners to make it work.

We operate in various countries globally. Contact us for any Cyber Security related needs such as Architecture, Advisory, Ethical Hacking, Threat Intelligence and more.