SANS Security Essentials

Defense-in-Depth
What Is It?
• Peter Leight and Richard Hammer
• August 2006
Security Leadership Essentials – Defense-in-Depth – © 2006 SANS
What is Defense-in-Depth?
• There is no “silver bullet” when it comes to network security
• Any layer of protection might fail
• Multiple levels of protection must be deployed
• Measures must be across a wide range of controls (preventive and detective measures)
Focus of Security is Risk
• Security deals with managing risk to your critical assets
• Security is basically an exercise in loss reduction
• It is impossible to totally eliminate risk; we settle for residual risk
• Risk is the probability of a threat crossing or touching a vulnerability
• Risk is managed by utilizing defense-in-depth (DiD)
• Risk = threat x vulnerabilities
Key Focus of Risk
• Confidentiality / Disclosure
• Integrity / Alteration
• Availability / Destruction
[Figure: CIA triad diagram with the labels Confidentiality, Integrity and Availability]
Prioritizing CIA
• While all three areas of CIA are important to an organization, there is always one area that is more critical than the others
• Confidentiality
– Health Care Organizations
– Hospitals
• Integrity
– Financial Institutions
– Banks
• Availability
– E-commerce based organizations
– Online banking
What is a Threat?
• Possible danger
• Protect against the ones that are most likely or most worrisome based on:
– Intellectual property
– Business goals
– Validated data
– Past history
– Main point of exposure
[Figure: “5 Primary Threats” diagram; only the label “Natural Disasters” is legible]
Vulnerabilities
• Weaknesses in a system
• Vulnerabilities are inherent in complex systems; they will always be present
• The majority of vulnerabilities are the result of poor coding practices
– Lack of error checking
• Vulnerabilities are the gateway by which threats are manifested
• Vulnerabilities fall into two categories:
– Known, those you can protect against
– Unknown or “zero day”
Approaches to DiD
• Deploy measures to reduce, eliminate or transfer risk
• Five basic approaches
– uniform protection
– protected enclaves
– information centric
– threat vector analysis
– role-based access control
Uniform Protection - DiD
• Most common approach to Defense-in-Depth
• Firewall, VPN, Intrusion Detection, Antivirus, etc.
• All parts of the organization receive equal protection
• Particularly vulnerable to malicious insider attacks
Protected Enclaves DiD
• Work groups that require additional protection are segmented from the rest of the internal organization
• Restricting access to critical segments
• DOE “unclean” network
• System of VPNs
• Internal Firewalls
• VLANs and ACLs
Information Centric Defense-in-Depth
[Figure: concentric layers, from outermost to innermost: Network, Host, Application, Info]
• Identify critical assets and provide layered protection
• Data is accessed by applications
• Applications reside on hosts
• Hosts operate on networks
Vector Oriented DiD
• The threat requires a vector to cross the vulnerability
• Stop the ability of the threat to use the vector
– USB Thumb Drives – Disable USB
– Floppy Drives – Disable
– Auto Answer Modems – Digital phone PBX
Role-Based Access Control
[Figure: Jim, Mary, Joe, Sam and Jill are shown as members of the roles Engineer, Engineer Team Leader and Finance Department; the roles access Project Data and Financial Data with Read/Write or Read Only permission]
• People identified by their roles
• Data is accessed by roles not people
• People can have more than one role
• More than one role can access the same data
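The four bullets above describe the RBAC model in the abstract. The following is an added example, not code from the SANS deck, that models the slide's labels (the people Jim, Mary, Joe, Sam and Jill; the roles Engineer, Engineer Team Leader and Finance Department; the data sets Project Data and Financial Data) and answers access questions purely through role membership. The specific role-to-permission mapping is an assumption made for illustration, since the slide does not spell it out.

```python
"""Role-based access control: people hold roles, roles hold permissions on data.

Added example, not part of the SANS slides. The role-to-permission table is an
assumed mapping chosen to illustrate the slide's four points; the names are the
labels that appear on the slide.
"""
from enum import Flag


class Perm(Flag):
    """Permissions on a data set, combinable as bit flags."""
    NONE = 0
    READ = 1
    WRITE = 2
    READ_WRITE = 3  # READ | WRITE


# Role -> {data set: permission}. ASSUMED mapping for illustration only.
ROLE_PERMISSIONS = {
    "Engineer": {"Project Data": Perm.READ_WRITE},
    "Engineer Team Leader": {"Project Data": Perm.READ_WRITE,
                             "Financial Data": Perm.READ},
    "Finance Department": {"Financial Data": Perm.READ_WRITE},
}

# Person -> set of roles. Mary holds two roles; Jill holds none yet.
MEMBERSHIP = {
    "Jim": {"Engineer"},
    "Mary": {"Engineer", "Engineer Team Leader"},
    "Joe": {"Finance Department"},
    "Sam": {"Finance Department"},
    "Jill": set(),
}


def effective_permissions(person, data, membership=MEMBERSHIP,
                          role_perms=ROLE_PERMISSIONS):
    """Union of what every role held by `person` grants on `data`.

    The decision looks only at roles; the person's name is never consulted
    beyond finding their role memberships ("data is accessed by roles, not people").
    """
    perms = Perm.NONE
    for role in membership.get(person, ()):
        perms |= role_perms.get(role, {}).get(data, Perm.NONE)
    return perms


def is_allowed(person, action, data):
    """True if some role held by `person` grants `action` ("read"/"write") on `data`."""
    wanted = {"read": Perm.READ, "write": Perm.WRITE}.get(action)
    if wanted is None:
        raise ValueError(f"unknown action: {action!r}")
    return wanted in effective_permissions(person, data)


def roles_with_access(data, role_perms=ROLE_PERMISSIONS):
    """Every role that can touch `data` at all ("more than one role can access the same data")."""
    return sorted(role for role, table in role_perms.items()
                  if table.get(data, Perm.NONE) != Perm.NONE)


if __name__ == "__main__":
    for person in MEMBERSHIP:
        for data in ("Project Data", "Financial Data"):
            print(f"{person:5} {data:15} {effective_permissions(person, data)}")
    print("Roles with access to Financial Data:", roles_with_access("Financial Data"))
```

Adding a new employee is a membership change only; revoking a role removes every permission it carried at once, which is what makes the model auditable compared with per-person grants.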
Identity, Authentication, Authorization & Accountability
• Identity is who you claim to be
• Authentication is a process by which you prove you are who you say you are:
– Something you know
– Something you have
– Something you are
– Some place you are
• Authorization is determining what someone has access to or is allowed to do, after they have been properly authenticated
• Accountability deals with knowing who did what and when
Controlling Access
• Least Privilege
– Give someone the least amount of access they need to do their job
• Need to Know
– Only give them the access when they need it and take it away when it is no longer required
• Separation of Duties
– Break critical tasks across multiple people to limit your points of exposure
• Rotation of Duties
– Change jobs on a regular basis to prevent anyone from being able to get comfortable in a position and be able to cover their tracks
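The first three principles on this slide (least privilege, need to know, separation of duties) can all be enforced by an authorization check rather than left to policy documents. The following is an added example, not from the SANS deck: a small policy object that starts each person with only a base set of permissions, adds time-limited need-to-know grants that lapse automatically, and refuses to let one person perform more than one step of a critical task. The "wire transfer" task, its "initiate"/"approve" steps, the people and the integer clock are all constructed for illustration.

```python
"""Least privilege, need-to-know expiry and separation of duties as code.

Added example, not part of the SANS slides. The task, step names, people and
the integer "clock" (seconds) are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Grant:
    """A need-to-know grant that stops working once `expires_at` has passed."""
    person: str
    permission: str
    expires_at: int


class AccessPolicy:
    def __init__(self, base_permissions):
        # Least privilege: each person starts with only what their job needs.
        self.base = {p: set(perms) for p, perms in base_permissions.items()}
        self.temporary = []  # need-to-know grants, each with an expiry

    def grant_temporarily(self, person, permission, now, ttl):
        """Need to know: grant access for `ttl` seconds, after which it is taken away."""
        self.temporary.append(Grant(person, permission, now + ttl))

    def permissions(self, person, now):
        """Current permissions; expired grants are pruned on every lookup."""
        self.temporary = [g for g in self.temporary if g.expires_at > now]
        perms = set(self.base.get(person, ()))
        perms |= {g.permission for g in self.temporary if g.person == person}
        return perms

    def can(self, person, permission, now):
        return permission in self.permissions(person, now)


# Separation of duties: a critical task is split into steps that must be
# performed by different people. Constructed task for illustration.
CRITICAL_TASK_STEPS = {"wire transfer": ["initiate", "approve"]}


def authorize_task(policy, task, performers, now):
    """Check one execution of a critical task.

    `performers` maps step -> person. Returns a list of violation strings; an
    empty list means the task may proceed. Each step needs the permission
    "<step> <task>", and no person may perform more than one step.
    """
    violations = []
    steps = CRITICAL_TASK_STEPS[task]
    for step in steps:
        person = performers.get(step)
        if person is None:
            violations.append(f"no one assigned to step '{step}'")
        elif not policy.can(person, f"{step} {task}", now):
            violations.append(f"{person} lacks permission to {step} {task}")
    people = [performers[s] for s in steps if s in performers]
    if len(set(people)) < len(people):
        violations.append(
            f"separation of duties violated: one person performed "
            f"more than one step of '{task}'")
    return violations


if __name__ == "__main__":
    policy = AccessPolicy({"Joe": {"initiate wire transfer"},
                           "Sam": {"approve wire transfer"},
                           "Jim": set()})
    print(authorize_task(policy, "wire transfer",
                         {"initiate": "Joe", "approve": "Sam"}, now=0))
    print(authorize_task(policy, "wire transfer",
                         {"initiate": "Joe", "approve": "Joe"}, now=0))
    policy.grant_temporarily("Jim", "approve wire transfer", now=0, ttl=60)
    print(policy.can("Jim", "approve wire transfer", now=30),
          policy.can("Jim", "approve wire transfer", now=61))
```

Pruning expired grants inside `permissions()` rather than in a separate clean-up job means a forgotten revocation cannot leave access in place; the check itself is what takes the access away. Rotation of duties is an organizational control and is not modelled here.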