Security is better in layers -:- The Blanket Approach to Security

posted onOctober 17, 2001
by hitbsecnews

The difference between good and bad security often comes down to someone’s understanding of the “Principle of Defense in Depth.” Here’s the soundbite definition: It’s best to have multiple layers of security and to put them as close as possible to the valuables they’re designed to protect.

The layers of security controlling access to a bank illustrate this concept well. Exterior walls and doors are the first line of defense. Just inside, there’s typically another set of lockable doors (ever noticed those?); make those the second layer of security. Inside the main lobby, surveillance cameras and security guards provide a third layer of protection. Beyond the counter and down hallways that are off limits to the public (fourth layer) are locked vaults (fifth layer) and locked boxes (sixth layer) in those vaults...

Make sure your security measures serve these five purposes:

* Authentication: Proving the validity of user identification
* Access control: Limiting access to corporate information and computer systems
*Protection of confidentiality: Disclosing information only to those for whom it is
intended
* Protection of integrity: Preserving the accuracy and ensuring the completeness of
corporate information
* Nonrepudiation: Proving that electronic transactions of data or money between the
company and its customers and business partners did occur

When designing a business’ security system, also think in terms of prevention and
detection. Why both? Well, preventive controls – such as a long hallway aimed at
separating a vault from customers – don’t always work. When they fail, it’s
important to have a system in place that immediately detects abnormal, improper or unusual
behavior or system performance. So, in addition to the long hallway in the bank, security
cameras might sweep the area every five minutes, or motion sensors might detect movement
in the hallway after the bank has closed. Another good thing about detection controls is
that they clearly show how well preventive efforts are – or aren’t –
working.

After you’ve decided what to protect, determine how to protect it by thinking in
layers. Here they are:

Physical layer Controlling access to buildings and rooms is important here.
Preventative controls include badge readers on perimeter doors and locking cables on
laptops and safes. Detection controls for the physical layer include closed-circuit
television, door alarms and motion detectors.

Network layer Confidentiality, access and authentication are the key security needs
here. Control who can access networks by verifying their identities, limiting where they
can go and ensuring that others cannot see what they send. Preventative controls include
the following: routers and switches that block certain attacks and address spoofing,
firewalls that limit access between networks, virtual private network (VPN) gateways that
encrypt communications between private networks and authentication tokens that validate
users. Detection controls include the following: security event logging and intrusion
detection systems that can “see” attacks and unusual traffic and send alerts
about suspicious activity.

Operating system layer With few exceptions, operating systems are inherently
insecure when first installed and require configuration and customization before they
should be put into regular use. Limiting access to key system files, removing unnecessary
services, setting up administrative and user accounts and fixing known vulnerabilities
address access control and integrity. Setting password standards for user accounts helps
verify users’ identities. File encryption addresses confidentiality. Auditing key
events addresses security management. In terms of detection, an operating system-based IDS
can be added to identify file changes that indicate a potential attack.

Application layer Applications vary tremendously in function, scope and use. So it’s
expected that the security controls deployed will be varied as well. Applications with
password access provide authentication and controls users. Some applications enable you to
set permissions, which define what the user can do. Applications with inactivity timeouts
help to prevent an unauthorized user from accessing an unattended application. Encryption
can be used in databases to keep passwords and credit card numbers confidential. To secure
file transfer, file storage and mail applications, implement an anti-virus product to
control malicious programs and maintain integrity. SSL can be used on Web applications and
PGP or S/MIME can be used on e-mail applications to prevent eavesdropping. A Web-based
firewall also can prevent application-level attacks such as Code Red and Nimda.

Administration layer Security management tools are useful for monitoring network
devices, systems and applications for general health and security problems, as well as
processing and reviewing audit logs. Security assessment tools should be used on a regular
basis for detection.

Procedural Measures

Establish procedures to support technical controls at all five layers. Otherwise, those
controls will be ineffective.

Many of these procedures will be administrative in nature. This is crucial because even a
simple change in an employee’s status that isn’t handled properly could have
significant and unintended consequences.

For example, all system accounts and employee badges should be created and removed through
a formal process. Designated managers and human resources personnel should be responsible
for who gets access to what systems and building locations, and those rights should be
taken away immediately after they are no longer needed.

New external network connections should be subject to administrative review and approval.
Prospective employees and contractors should undergo background checks before being hired.
Register and escort on-site visitors.

Establish these procedures only after they’ve been carefully reviewed for their
impact on security and tested in advance.

The Big Picture

Don’t try to do everything at once; add security layers as a business’ needs
change.

For example, build a firewall at the perimeter of an operating system -– much like
that first door into the bank -– but then create isolated networks within that
firewall -- much like the motion sensors and surveillance cameras.

SNP.

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs