
Wednesday, November 26, 2014

Information Security Basics Part 2: Defense in Depth

Defense in Depth is originally a military term in which multiple layers of defense are used to make it more difficult for the enemy to attack the target.  The best example is the castle.
There are multiple things used for defense: a drawbridge, water (maybe with crocodiles), a heavy iron gate.

What are we defending against?
The castle shown above is used to defend against enemy attack.  What about in the Information Security world?  Who is the enemy?

You may say the enemy is the hacker. While this is true, the exact term used should be threats.  Threat by itself is a subjective word.  A threat can be remote, and a threat can be big or small.

In the Information Security world, 3 terms are used together:
  • Risk
  • Threat
  • Vulnerability

In fact there is a formula for these 3 terms:

          Risk = Threat X Vulnerability

For example, when you keep your front door unlocked it is a vulnerability, but if you live in a safe neighborhood your threat is low and thus your risk will not be high. On the other hand, if you keep your front door unlocked and you live in a high-crime area, then your risk is very high.

Note: Security is all about mitigation of risk.  We can never be 100% secure.  The objective of information security is to mitigate all known risk factors to the minimum.

Defense in Depth
Defense in Depth is a security best practice. I have heard that the late CEO of Apple Inc, Steve Jobs, had a security guard stay within a few feet of his laptop at all times when he was speaking at conferences.  I am sure his laptop was both password protected and encrypted, but adding another layer of defense will not hurt.

There are 4 kinds of Defense in Depth:
  • Uniform Protection
  • Protected Enclaves
  • Information Centric
  • Vector-Oriented
Uniform Protection
The easiest and most common form is uniform protection, where all the resources or data are treated as equally important.  With this approach, the organization is more vulnerable to a malicious insider because everything is treated as equal: a development engineer can gain access to the data in the HR department.

Protected Enclaves
With this approach, resources/data are segmented.  It enforces the principle of least privilege so that users can only access what they need to access.  So in this case a development engineer cannot gain access to the data in the HR department.  The Pentagon has a classified network and a non-classified network.  One time I was there for on-site support, and since I did not have a security clearance, I had to step out of the room when we debugged the classified network and tell the guy that had the security clearance to type in the debug command, and he had to read the output to me.  That was quite an experience debugging the classified network.

Information Centric
Data or assets are tagged with different values.  We can envision an onion, which has different layers.  The most important asset will be in the center, where more protection is deployed.  Each layer has its own security implemented with this defense in depth concept.
image source: http://www.sentrillion.com/images/img_defense-in-depth.jpg

Vector-Oriented
This approach identifies the attack vectors where the threat can be present.  It is similar to the Information Centric approach, but the emphasis is on the attack vector, such as thumb drives or smartphones that can take pictures.

Role-based Access Control
While this is not usually looked at as a defense in depth model, in principle it is a form of having multiple layers of control on gaining access.  With the data/resources segmented, after a user has logged into the system with the proper credentials, the user is assigned a role; this role, which can take the form of an access token, determines what resources the user is able to access, giving an additional level of access control.  Microsoft's Kerberos and OpenStack use this Role-based Access Control.
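As an added example (not code from the original post), the contrast between uniform protection and protected enclaves with a role-carrying access token, using the page's own scenario of a development engineer and HR data. The enclave names, role names and resources are constructed assumptions, not taken from Kerberos or OpenStack.

```python
"""Added example: uniform protection vs. protected enclaves with RBAC.
Enclave and role names are assumptions (constructed), not from a real product."""
from dataclasses import dataclass

# Two enclaves (segments); each resource lives in exactly one of them.
ENCLAVES = {
    "engineering": {"source_code", "build_logs"},
    "hr": {"salaries", "performance_reviews"},
}

# Least privilege: each role gets only the (enclave, action) pairs it needs.
ROLE_PERMISSIONS = {
    "dev_engineer": {("engineering", "read"), ("engineering", "write")},
    "hr_analyst": {("hr", "read"), ("hr", "write")},
    "auditor": {("engineering", "read"), ("hr", "read")},
}

@dataclass(frozen=True)
class AccessToken:
    """Issued after a successful login; carries the roles assigned to the user."""
    user: str
    roles: frozenset

def enclave_of(resource):
    """Return the enclave a resource belongs to, or None if it is unknown."""
    for name, resources in ENCLAVES.items():
        if resource in resources:
            return name
    return None

def uniform_protection_allows(token, resource, action):
    """Uniform protection: a single check. Any authenticated user (any valid
    token) may perform any action on any resource, including HR data."""
    return token is not None

def enclave_rbac_allows(token, resource, action):
    """Protected enclaves + RBAC: a second layer after authentication. One of
    the token's roles must grant this action on the resource's enclave;
    a missing token or an unknown resource is denied by default."""
    enclave = enclave_of(resource)
    if token is None or enclave is None:
        return False
    return any((enclave, action) in ROLE_PERMISSIONS.get(role, set())
               for role in token.roles)
```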

Related Post:
Information Security Basics Part 1: Security Models
Information Security Basics Part 3: Cryptography
Information Security Basics Part 4: Public Key Infrastructure (PKI) 

Tuesday, November 25, 2014

Information Security Basics Part 1: Security Models



image source: http://prmgsecurity.com/wp-content/uploads/2012/12/shutterstock_103173656.jpg

Security means different thing to different people.

To a home user, security is antivirus protection.  The objective is to keep the electronic device free of malware or rootkits so that the device can operate "normally".  It can also mean safe web site access to banks and/or other financial institutions such that their financial accounts will not be compromised.  Or in some cases, celebrities may want to protect their private pictures or videos.  Failure to protect the user's device or the user's financial account can lead to monetary loss.  Identity theft is also a major concern for home computer users.

To the government, security, I think, will be the protection of sensitive data and the continuous operation of the various departments and agencies. Around November 16, 2014, the U.S. State Department website was compromised, and it was the 4th U.S. government agency to announce a breach of its computer systems within a few weeks' time.  Failure to protect the government's computer systems can lead to loss of human lives.

To the private sector, security is the protection of data, which can be intellectual property or customers' financial and private information such as health history or social security number.  Often a company has the office of the Chief Security Officer, responsible for the "security" of the company and its compliance with security rules such as HIPAA for the health sector or the Gramm-Leach-Bliley Act for the financial sector.

Regardless of what security means for us, we can always look at security with the following model.

The CIA Triad
This is the most common security model for information systems. This model is used to develop security policy, identify areas of security risk and, most of all, to deploy measures to mitigate the identified risks.

CIA stands for:
  • Confidentiality
  • Integrity 
  • Availability
image source: http://securitytoolkit.files.wordpress.com/2012/04/cia3.jpg

I like this diagram because besides showing the 3 elements of the CIA triad, it shows data in the middle.  Most of the time security is applied to protect data.  A Social Security number is a form of data, a bank account is a form of data, and intellectual property is another form of data.  Conceptually, these 3 elements are applied toward data.  In other words, we should show them as:
  • Confidentiality of the data
  • Integrity of the data
  • Availability of the data
Confidentiality
Confidentiality means data can only be accessed by an authorized entity.  The owner of the data decides who can gain access to the data.  Access means to read, to modify or to delete the data.  The most basic form of providing confidentiality is password protection.  To gain access to a personal computer or device we need to provide the user name and password.  A password can be as simple as an 8-character text string or it can be an X.509 certificate.  Also, there can be multiple levels/factors of authentication where, besides a password, the user will have to provide an authorized token.  For multi-factor authentication the user will have to provide:
  • Something you know - password
  • Something you have - RSA Token
  • Something you are - biometric

Another way to provide confidentiality is encryption.  To satisfy regulatory requirements, some companies require company-issued personal devices to turn on encryption, so that in case the device is lost there is one level of safeguarding the data on the device. For BYOD, some companies can wipe the data on a device remotely.

Integrity
Integrity means data cannot be modified by an unauthorized entity, as well as the reliability of the electronic device that is storing the data.  A flip of a single bit in the storage device can make a bank account reflect the wrong amount of money available.  With the object storage Swift, data is by default stored on 3 different devices and there is an audit task to make sure the data is intact.  Data replication techniques such as RAID (either software or hardware) are another way to provide a means to ensure the integrity of the data.

One basic form of checking the integrity of data is the use of a hashing function.  In networking, an Ethernet frame has a CRC value at the end so that when the frame is received, it can be checked to see if the frame was altered in transit.  System Administrators are familiar with the MD5 hash value of an ISO image.
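As an added example (not from the original post), the check described above carried out on a constructed stand-in for an ISO image: a CRC-32, as Ethernet uses for transit errors, and SHA-256 in place of MD5, with one bit flipped to show both values change. One caveat worth keeping in mind: a CRC or a bare hash only detects accidental change, since anyone who alters the data can recompute an unauthenticated checksum, so the published digest must itself arrive through a trusted channel.

```python
"""Added example: catching a single flipped bit with CRC-32 and SHA-256.
SAMPLE_IMAGE is a constructed stand-in for an ISO image."""
import hashlib
import zlib

def crc32_hex(data: bytes) -> str:
    """CRC-32 as used for error detection (e.g. the Ethernet frame check sequence)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Cryptographic hash; 'md5' also works, but SHA-256 is the better choice today."""
    return hashlib.new(algorithm, data).hexdigest()

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate storage or transit corruption by flipping exactly one bit."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def verify(data, expected_crc, expected_digest, algorithm="sha256"):
    """True only if both the CRC and the hash match the published values."""
    return (crc32_hex(data) == expected_crc
            and digest_hex(data, algorithm) == expected_digest)

SAMPLE_IMAGE = b"constructed ISO image payload\n" * 64

def demo_single_bit_flip(bit_index: int = 777) -> dict:
    """Publish checksums for the intact image, corrupt one bit, re-verify."""
    crc = crc32_hex(SAMPLE_IMAGE)
    digest = digest_hex(SAMPLE_IMAGE)
    corrupted = flip_bit(SAMPLE_IMAGE, bit_index)
    return {
        "intact_ok": verify(SAMPLE_IMAGE, crc, digest),
        "corrupted_ok": verify(corrupted, crc, digest),  # False: CRC-32 catches any 1-bit flip
        "crc_changed": crc32_hex(corrupted) != crc,
        "hash_changed": digest_hex(corrupted) != digest,
    }
```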

Password protection and encryption also help to prevent the data from being modified by an unauthorized entity.

Availability
Availability means data can be accessed when needed.  Have you ever hit the wrong button on your computer and deleted all the Emails in your inbox?  Or have you accidentally deleted the files in a directory?  In these cases backup comes to the rescue.  It is important to test the recovery of the backup data. Very often data is backed up, but when it is needed we have to make sure the backup tape is not empty or overwritten by later backups. If you are a System Administrator you must know this famous line: "Test your backup regularly!"

Most companies have a disaster recovery plan such that if data is lost due to fire, earthquake or terrorist attack, data can be restored according to the expected Recovery Time Objective (RTO) and Recovery Point Objective (RPO).  It is very important to test out the recovery plan, just like testing the recovery of the backup data.

Data deleted by an unauthorized entity is of course the basic form of attack in the area of availability.  Another form is the denial-of-service (DoS) attack.  We can easily imagine what will happen to a company if consumers are not able to access an online shopping website before Christmas because some attacker launched a DoS attack on that website.

Which one is more important?
While all 3 elements of the CIA triad are important, different organizations will have different elements as their most critical area.  For example, in the health care industry confidentiality will be the most important element.  In banks or financial institutions, integrity will be the most important element.  Lastly, as stated, for online shopping/e-commerce based organizations, availability will be the most important element.

Related Post:
Information Security Basics Part 2: Defense in Depth
Information Security Basics Part 3: Cryptography 
Information Security Basics Part 4: Public Key Infrastructure (PKI)