One of the recurring topics in discussions with our clients is defense-in-depth security practice. As a refresher, defense in depth simply means a redundant, multi-tiered security architecture in which each layer of technology is secured independently of the others. This reduces the risk of single points of failure and of unauthorized access: a weakness in one layer is not, by itself, enough to compromise the whole.
In the day-to-day rat race of patching systems, managing firewalls, developing software, attending meetings and so on, the big picture of security within an organization is often forgotten. Do yourself a favor and stop to think about that for a second. This is important to you, regardless of what level you are at in the organization or what role you play.
Historically, attacks have occurred primarily at the network and host levels. Hackers targeted firewalls and company networks, then found an unsecured port or an unpatched system from which to reach further into the internal network. Firewall and system administrators have done a great job of changing that: more often than not, the systems and firewalls we test are secure. Yet other components of the technology infrastructure still are not; web sites, wireless devices, mobile devices and support staff, to name a few.
Today, web sites are considered the low-hanging fruit when it comes to finding a way into the network. In almost every engagement with our clients, we find a way into the application and, from there, access to the underlying data; the apples are lying on the ground. Software is custom, written by humans, changed sometimes daily, and rarely tested or reviewed for security. Time to market is the primary focus in almost every situation, which means there is more room for error and less time to review the code from a security perspective.
Social engineering and physical security breaches have become another popular attack vector. It is all too common for us to encounter a customer support representative who hands over login credentials for a flagship application simply because someone asked a few questions or made several callbacks.
In summary, the importance of a defense-in-depth methodology to the overall security of an organization cannot be overstated. This effort should be championed by the company's CSO (or an equivalent role), and a series of steps should be defined to ensure that the methodology is carried out across all tiers of the organization.