• Defense in Depth – Also called Layered Defense or Onion Defense.
  • We implement multiple overlapping security controls to protect an asset.
  • This applies both to physical and logical controls.
  • To get to a server you may have to go through multiple locked doors, security guards, man traps.
  • To get to data you may need to get past firewalls, routers, switches, the server, and the applications security.
  • Each step may have multiple security controls.
  • No single security control secures an asset.
  • By implementing Defense in Depth you improve your organizations Confidentiality, Integrity and Availability.

• Liability:
  • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
• Due Diligence and Due Care:
  • Due Diligence – The research to build the IT Security architecture of your organization. Best practices and common protection mechanisms. Research of new systems before implementing.
  • Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
  • Implementing the IT Security architecture, keep systems patched. If compromised: fix the issue, notify effected users (Follow the Security Policies to the letter).
• Negligence (and Gross Negligence) is the opposite of Due Care.
  • If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
  • If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

• Least Privilege and Need to know.
  • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
  • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
• Non-repudiation.
  • A user can not deny having performed a certain action. This uses both Authentication and Integrity.
• Subject and Object.
  • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
  • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
  • Some can be both at different times, an active program is a subject; when closed, the data in program can be object.

• Identification:
  • Your name, username, ID number, employee number, SSN etc.
  • “I am Thor”.
• Authentication:
  • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
  • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
  • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
  • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
  • Somewhere you are – Type 4 Authentication (IP/MAC Address).
  • Something you do – Type 5 Authentication (Signature, Pattern unlock).
• Authorization
  • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
  • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
• Accountability (also often referred to as Auditing)
  • Trace an Action to a Subjects Identity:
  • Prove who/what a given action was performed by (non-repudiation).

Confidentiality, Integrity and Availability

• Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
• This is really the corner stone of IT Security – finding the RIGHT mix for your organization.
  • Too much Confidentiality and the Availability can suffer.
  • Too much Integrity and the Availability can suffer.
  • Too much Availability and both the Confidentiality and Integrity can suffer.

• The opposites of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
  • Disclosure – Someone not authorized gets access to your information.
  • Alteration – Your data has been changed.
  • Destruction – Your Data or Systems has been Destroyed or rendered inaccessible.

We want to keep our System and Data available.

• We use:
  • IPS/IDS.
  • Patch Management.
  • Redundancy on Hardware Power (Multiple Power Supplies/UPS’/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.
  • SLA’s – How high uptime to we want (99,9%?) – (ROI)
• Threats:
  • Malicious attacks (DDOS, Physical, System compromise, Staff).
  • Application failures (errors in the code).
  • Component failure (Hardware).

• We want system and Data integrity
  • We use:
    • Cryptography (again).
    • Check sums (This could be CRC).
    • Message Digests also known as a hash (This could be MD5, SHA1 or SHA2).
    • Digital Signatures – non-repudiation.
    • Access control.
  • Threats:
    • Alterations of our data.
    • Code injections.
    • Attacks on your encryption (cryptanalysis).

We want to keep our information confidential. 

• We use:
  • Encryption for data at rest (for instance AES256), full disk encryption.
  • Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
  • Good best practices for data in use – clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).
  • Strong passwords, multi factor authentication, masking, Access Control, Need-to-Know, Least Privilege.
• Threats:
  • Attacks on your encryption (cryptanalysis).
  • Social engineering.
  • Key loggers (software/hardware), cameras, Steganography.
  • IOT (Internet Of Things) – The growing number of connected devices we have pose a new threat, they can be a backdoor to other systems.
    

• The CIA Triad (AIC)
  • Confidentiality
    • This is what most people think IT Security is.
    • We keep our data secure and our secrets secret.
    • We ensure no one unauthorized can access the data.
  • Integrity
    • How do we protect against modifications of the data and the systems.
    • We ensure the data has not been altered.
  • Availability
    • • How do we ensure the data is available when users need to access it.
      • We ensure authorized people can access the data they need, when they need to.