Is Defense-in-Depth a Myth?
Defense-in-depth teaches us that information security is best implemented using layers of defense. It is based on a military strategy that seeks to prevent the advance of an adversary with a series of defenses, starting at the perimeter and working inwards to the asset that requires protection.
Human Element believes this approach may work on the battlefield for which it was designed, but it doesn’t work in information security – at least not any more. Why? Two reasons:
- First, today’s attacks do not usually start at the perimeter; they can begin anywhere. A SQL injection attack originates well inside the firewalls and can compromise an entire enterprise. Another example: a user receives a USB drive from a “vendor” and plugs it into his laptop, unaware of the malware the drive is carrying. A frequent one that attackers take advantage of: a network appliance is installed without changing the manufacturer’s default admin password. We all know the stories. All of these are inside-the-firewall attacks.
- Second, people are the weakest link in securing the enterprise, and people operate at every layer of the defensive scheme. One mistake by a user or by security operations personnel can compromise the entire enterprise.
Today, effective security must follow an inside-out approach. Every function within an enterprise must have its own application of the principles of security: risk management, access control, least privilege, data integrity & protection, monitoring & reporting, and human-based vulnerability mitigation.