Defense in Depth

I had no fewer than three separate conversations yesterday about the importance of Defense in Depth in the context of building out a comprehensive plan to secure a web application and its environment. In light of that, I wanted to share with you the basic concept and point out some places to read about this big idea in security.

Photo: A combination door lock is one possible countermeasure in a layered security approach, but there is so much more to defense in depth.

Summary

At its core, a Defense in Depth strategy is not relying on a single security measure or feature (called a technical control in security lingo) to protect or defend an information asset. Start by asking yourself (and your client) “what is the worst case scenario if ______ is compromised?” Then based upon that answer, set up two or more security measures.

Some common practical security measures

• Don’t ask for information that is not truly needed for a business purpose
• Never put server credentials or API keys in your source code repository, which turns out to be a major problem.
• External web application firewall service, such as CloudFlare
• Robust application code that has been built following a Secure Software Development methodology
• Need-to-know where employees, especially customer service do not have access to sensitive information that is not vital for them to do their job. See Insider Threat.
• Database with varying level of permissions, enforced by the database server, following the principle of least privilege
• Web application firewall, such as ModSecurity that inspects inbound HTTP/HTTPS traffic and rejects suspect traffic
• Active log monitoring, such as fail2ban that blocks at the firewall level
• In depth criminal background checks on all employees with access to sensitive information
• Network level security
• Multi-factor authentication for privileged users, something they know and something they have.
• Encrypted records in the database using Public Key Cryptography
• Military-grade cryptographic smart cards, similar to the Common Access Card, that control access to computers systems and decrypt messages with that user’s key that never leaves the card
• Regular security guards at your building
• High fences, biometric gates, controlled access parking lots
• Guards with rifles and dogs that inspect traffic coming and going from your campus

Practical risk management

These are but a few of a large number, escalating security measures that can be brought forward to defend your application. You do not have to use all of the measures and nor should you use measures where the cost of the security controls outweighs the cost associated with a breach of the protected information.

Guards and dogs are great for controlling access to a building, but if the database can be breached from the internet then it may not be an effective tool anyway, though crypto cards may stop an attacker in his tracks if the data is encrypted such that it cannot possibly be accessed without the physical card.

Insider risk

It’s important to remember that the insider threat is real. It’s not just that an employee in your company has to go rogue either.

If an attacker gains access to a team member’s password, he can maliciously gain access to the information that that employee had access to. If there are not additional security measures to prevent the access other than the compromised password then there is a data breach. Restricting information based on the principle of least privilege and having two-factor authentication would be two layers in a defense to protect the sensitive information that a customer service agent has access to.

Additionally, anything that the customer service agent has access to is something that a Social Engineering attack can talk that employee into divulging inappropriately. It was just this sort of attack that Kevin Mitnick was famous for. His Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker [Kindle Edition] is a great read to learn how he did it. In the end, he compromised major companies as a conman, not through Hollywood movie plot technical attacks.

Takeaway, it’s about layering

Defense in Depth is also know is layering. It is an important security architecture concept. If you remember nothing else from this post, I ask that you memorize this. Always use several concurrent mechanisms to protect the information that must be protected.

Further reading

• Defense in Depth: A practical strategy for achieving Information Assurance in today’s highly networked environments. (nsa.gov)
• Layered security (wikipedia.org)
• The layered defense approach to security (ibm.com)
• Security Development Lifecycle (microsoft.com)
• 2012 Red Hat Summit: SELinux For Mere Mortals (youtube.com)
• SANS Institute InfoSec Reading Room: Defense In Depth (sans.org)