NewsCertificationMajor ProjectsOur Company
.

ISGS – The leader in training and certification for Federal and State Government Security Programs

ISGS was founded in 2006 to provide training and certification to computer professionals who hold positions in the government sector.

ISGS provides certification to technicians and engineers working at the United States Department of Customs and Border Patrol, United States Department of the Treasury and the United States Department of Commerce.

ISGS courses cover most aspects of enterprise information security and information assurance.

Contact:
Industry Standard
Government Security
6717 Eastern Ave., Suite #B
Takoma Park MD, 20912
(703) 220-4097

 

 

 

News & Articles

7 July 2009
Data Loss Prevention Can Prevent Your Network from Serious Breaches
With the rise of data breaches and the emergence of the insider threat, veteran strategist Clarence Irons presents the latest overview of DLP technology.


Defense-In-Depth Should be Planned and Implemented Strategically

by Staff Writer

Both new and veteran IT managers will likely need to be familiar with a defense-in-depth strategy for protecting their networks. According to a best practice guide published by Idaho National Lab, contemporary enterprise networks are likely to face problems from insecure connectivity to external networks, use of technology with known security problems, off-by-default security features, and technology with widely-publicized configuration standards. In fact some managers may erroneously feel that there is no "business case for cyber security…". (Idaho National Laboratory, 2006)

One pitfall to avoid when using defense-in-depth is to haphazardly add layer after layer of security features that are not properly implemented or properly monitored. "It doesn’t add much value if it simply protects against the threats that you have already selected safeguards for," in the words of security writers at the SANS Institute. Each addition or change to the security architecture of an enterprise network should be integrated into overall strategy. (SANS 2008)

After all, defense-in-depth is not a piece of software or a question of regulatory compliance. It is a form of strategy.

As Chad Perrin from Tech Republic Magazine chooses to introduce defense-in-depth "Corporate vendors of security software are in an interesting position. In order to best serve their business goals, they must on one hand try to sell integrated, comprehensive solutions to lock customers into single-vendor relationships, and on the other, try to sell components of a comprehensive layered security strategy individually to those who are unlikely to buy their own integrated solution — and convince such customers that a best-of-breed approach is better than a vertically integrated stack approach to do it." Redundant security features in software released to the security community serves to distract defensive security analysts from a comprehensive approach. "Rather, technological components of a layered security strategy are regarded as stumbling blocks that hinder the progress of a threat, slowing and frustrating it until either it ceases to threaten or some additional resources — not strictly technological in nature — can be brought to bear." (Perrin 2008)

Defense-in-depth strategy may come naturally to security professionals who have a background in sports such as coaching a football team or playing competitive chess. These activities emphasize the importance of methodical planning and strategic thinking. Defense-in-depth strategy may not be second nature to IT managers who have focused on customer service or vendor management but have never been forced to develop first-hand exposure to competitive strategy. They might appreciate a few friendly pointers:

• Begin your approach by identifying the most vulnerable points in your security boundary. Protect your most vulnerable points with your strongest team members or strongest assets.

• Attackers often like to go after "low-hanging fruit". After you’ve positioned your best assets around vulnerable points, assign your remaining assets to provide coverage to your remaining resources to avoid giving an attacker the impression that you aren’t paying attention.

• Know your opponent. Collect information about the situation inside of your security boundary as well as potentials threats. Experiment with different techniques for defensive and offensive security. Learn to identify and separate what works from what doesn’t work. Establish a baseline and strive for continuous improvement.

Obviously, security managers can define their own strategies and modify the defense-in-depth philosophy to suit their goals and opportunities. Remember that the "idea behind defense in depth is to manage risk with diverse defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach." (Barnum and Gegick 2005)


References:

Idaho National Laboratory, "Control Systems Cyber Security: Defense in Depth Strategies." Report for the U.S. Department of Homeland Security (2006). http://csrp.inl.gov/Documents/Defense%20in%20Depth%20Strategies.pdf

The SANS Technology Institute "Information Centric Approach to Defense-in-Depth." Security Laboratory: Defense In Depth Series publication (2008). http://www.sans.edu/resources/securitylab/321.php

Chad Perrin, "Understanding Layered Security and Defense in Depth." Tech Republic Magazine (2008). http://blogs.techrepublic.com.com/security/?p=703

Sean Barnum and Michael Gegick, "Defense in Depth." US-CERT Publication Sponsored by the Department of Homeland Security (2005). https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/347-BSI.html#dsy347-BSI_N10177


The author is a security researcher who has previously provided security consulting for Earth Resources Technology.