Security can be an overwhelming topic to get started with, and as a result a concept known as Defense in Depth has been making its way across the industry for the last couple of years. Defense in Depth is an organized and systematic way to ensure that your network is as unattractive to hackers as reasonably possible. Keep in mind that there is no such thing as “unhackable,” so the object of security is to make the cost of attacking your network greater than the benefit of doing so, without spending more on defense than your network’s security is worth. Defense in Depth does this by breaking the security process down into eight distinct phases.
Phase One: Security through Obscurity
Obscurity is the first and easiest phase of Defense in Depth, but it’s also the most easily circumvented phase. Security through obscurity is essentially attempting to hide your resources from attackers in an attempt to make yourself less likely to be targeted. While obscurity does nothing to protect your data, it is an important first step in developing a comprehensive security ideology to use at your home or business.
It’s important to know that your network isn’t always the end goal. Attackers are often interested in larger organizations (Google, Bank of America, or Amazon) and attackers may only attempt to gain access to your network so that they may use your resources against these larger targets. Attackers may also be utilizing your network to send out spam, act as a proxy, or perform any number of illegal or risky behaviors described in the Malware Business Model. Obscurity just ensures that your network is less visible and less likely to be targeted at random; it doesn’t do anything to specifically defend your network.
One example of this is disabling the Service Set Identifier (SSID) broadcast for your wireless or WiFi network; this doesn’t actually protect your wireless network, but it makes the network less visible to attackers who are not specifically looking for it. In essence, it removes the risk of being the victim of a crime of opportunity. It’s much the same reason you don’t broadcast that you’re carrying a lot of cash when you’re at a pawn shop; it doesn’t remove the risk of being robbed, it simply reduces its likelihood.
Phase Two: Establishing Identity
The second phase of Defense in Depth is to establish authentication methods. Let’s assume, for a moment, that each user has a separate account to log into the domain, the web server, the databases, the file servers, and the computers themselves. At first glance this may seem absurd (and it is), but it’s not exactly unheard of – in fact, most organizations find themselves at this intersection at some point during their growth. As unfortunate as the task of remembering dozens (sometimes hundreds (!)) of account credentials is for the general user, it is particularly problematic for the organization, as the burden of handling countless password reset requests rises and the number of users writing down or sharing their account information grows!
Now imagine that a user can log on to the domain with their Windows account, and every (or most) websites, servers, and databases would use this account to authenticate the user. The concept of using one set of account credentials to log into multiple systems is known as Single Sign-On or SSO. Single Sign-On enables administrators to link multiple accounts to a centralized identity with which the user authenticates and interacts, thereby reducing the number of account credentials the user must memorize from three or more to one.
However, one password or one-hundred makes no difference if the passwords themselves are incredibly weak. Ensuring proper password management is no accident, and ensuring that users don’t use “password1” as their password can be a Herculean task, but luckily, LDAP and Active Directory have us covered. Through the use of Active Directory (or /etc/passwd for UNIX), administrators can set restrictions for passwords, including:
- Reuse of passwords
- Maximum password age
- Minimum password age
- Minimum password length
- Password complexity
- Encryption methods
If you get nothing else out of this post, rest assured that the single biggest blunder in securing your network is using weak passwords, repeated passwords, or passwords that are excessively old. For example, if you use “Password1” as a password, hackers can easily recover it, gain access to your network resources, and cause you harm; if you share this password among multiple systems, then compromising one system will grant them access to your entire network; and if you do not change your password frequently, they may keep that access indefinitely. By using a more complicated password, such as “W^Ffl#h0use”, the password is harder to obtain, and if you are breached (nothing is hacker-proof), using unique passwords that are changed often minimizes the impact.
Phase Three: Encryption and Hashing
However, ensuring that only authorized users can access your data doesn’t do your organization much good if attackers are able to intercept the traffic as it is being transmitted across the internet! Preventing these types of attacks, known as man-in-the-middle attacks, is an important benefit of encrypting your network traffic whenever it leaves your building.
Encryption, or cryptography, is the process of “scrambling” information so that unauthorized users cannot read the data, even if they are able to obtain it. Cryptography comes in three basic forms:
- Hashing – creates a unique signature for data for integrity testing
- Symmetric – uses a single key to encrypt and decrypt data
- Asymmetric – uses a set of keys to encrypt and decrypt data
Hashing is not technically encryption; it simply gives software a way to identify data that has been tampered with, enabling users to trust the data they receive, and as a result it is often used in conjunction with (a)symmetric encryption. While hashing isn't typically something that most users on the web need to be familiar with, any border router you purchase should offer AES encryption for its wireless network, and you should always enable it.
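Hashing paired with symmetric encryption, as described above, in working code: the ciphertext is sealed with a keyed hash (HMAC-SHA256) so that any change in transit is detected before decryption. This is an added example for this post, not code from the author; the counter-mode keystream below is a stand-in for AES built from SHA-256 so the example runs with the standard library only (it is not AES and not for production use), and the keys are constructed demo values.

```python
import hashlib
import hmac
import os

# Constructed demo keys; real keys come from a key derivation function or a secure random source.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-integrity-key"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256. A stand-in for AES, NOT a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same key (and nonce) both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(plaintext: bytes) -> tuple:
    """Encrypt-then-MAC: the HMAC tag covers nonce + ciphertext, so any change is detectable."""
    nonce = os.urandom(12)
    ct = xor_stream(ENC_KEY, nonce, plaintext)
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_sealed(nonce: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the message was altered after sealing."""
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return xor_stream(ENC_KEY, nonce, ct)

def tamper_demo(message: bytes) -> tuple:
    """Damage one ciphertext bit in transit; compare decryption with and without the integrity check."""
    nonce, ct, tag = seal(message)
    damaged = bytearray(ct)
    damaged[0] ^= 0x01
    damaged = bytes(damaged)
    silently_wrong = xor_stream(ENC_KEY, nonce, damaged)  # decrypts without error, to altered text
    checked = open_sealed(nonce, damaged, tag)            # None: tampering detected
    return silently_wrong != message, checked is None

if __name__ == "__main__":
    print(open_sealed(*seal(b"quarterly report")))  # b'quarterly report'
    print(tamper_demo(b"quarterly report"))          # (True, True)
```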
Phase Four: Hardening your Devices
The fourth phase is the most involved as it requires you to specifically “harden” (or protect) your devices against the malware threats that exist out in the wild, and given that there are estimated to be more malware programs than legitimate ones, the process of hardening is fairly involved. Luckily for us, most of this process can be accomplished by simply installing a reputable anti-virus and anti-spyware program; however, here are a few considerations to get you started:
- Turn off unnecessary ports on each computer
- Disable unnecessary services
- Use firewalls (your anti-virus software or Windows will include one)
Phase Five: Preventing Intrusion
The next phase in defending your computers (and their data) is preventing attackers from gaining access to them in the first place. It stands to reason that if turning off port 421 on each computer would stop an attacker from gaining a foothold on that computer, then blocking port 421 (and thousands of other ports) at the edge of your network would help prevent an attacker from ever reaching the computer. There are several tools that you can employ to help accomplish this layer of the defense model:
- Turn off unnecessary ports and use DHCP and MAC Filtering
- Ensure network equipment defaults are changed, and are unique
- Use firewalls (built into the router or dedicated hardware), DMZs, and NAT technology
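A check that supports the "turn off unnecessary ports" and "disable unnecessary services" items in Phases Four and Five: audit what a host is actually listening on against an approved baseline, flagging anything exposed beyond loopback that is not on the list. This is an added example, not from the original post; it parses the output format of the Linux `ss -tuln` command, the sample output is constructed, and the approved set is an assumption.

```python
# Constructed sample of `ss -tuln` output for one host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# Assumed baseline: the only services this host is supposed to expose to the network.
APPROVED = {("tcp", 22), ("udp", 68)}

def parse_listeners(text: str) -> list:
    """Return (protocol, local address, port) for every socket line, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)  # "[::]:22" -> "[::]", "22"
        listeners.append((fields[0], addr, int(port)))
    return listeners

def is_loopback(addr: str) -> bool:
    """Loopback-bound sockets are reachable only from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"

def audit(text: str, approved: set) -> list:
    """Listeners exposed beyond loopback that are not in the approved baseline."""
    unexpected = []
    for proto, addr, port in parse_listeners(text):
        if is_loopback(addr):
            continue
        if (proto, port) not in approved:
            unexpected.append((proto, addr, port))
    return sorted(unexpected)

if __name__ == "__main__":
    for proto, addr, port in audit(SAMPLE, APPROVED):
        print(f"unexpected listener: {proto} {addr}:{port}")  # tcp 0.0.0.0:8080
```

Running this periodically and comparing against the last approved snapshot turns the "disable unnecessary services" item into something you can verify rather than assume.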
Phase Six: Adhering to Laws
Once your basic security measures have been implemented, you’ll need to look at the governing laws in your jurisdiction to ensure your compliance. This is covered in some depth in my book, Understanding IT, as these laws (especially the Privacy Act of 1974) relate to both security and privacy.
Phase Seven: Routine Maintenance
It doesn’t matter how many firewalls you have or how expensive your antivirus software was if you don’t routinely maintain your equipment. Malware adapts and changes every single day and you must keep your antivirus definitions up-to-date, your firewall must remain as secure as possible, and your users as restricted as you can without impacting day-to-day operations.
There aren’t any specific recommendations in this phase, but the general rule is to keep your operating system, antivirus and antispyware, and individual programs as up-to-date as possible while also regularly auditing user accounts to ensure that unused accounts are deleted, that users are given the minimal amount of permissions required to do their jobs, and that programs are not being downloaded without your knowledge.
Phase Eight: User Education
The final phase is not only the most important phase, it’s also the most time consuming. Every phase that we’ve introduced in the Defense in Depth model has added a layer of security to your network, but this one doesn’t. User education is a completely separate issue, and educating your users will not add security to your network, but failing to educate them can render every previous measure completely useless due to social engineering.
What good is an administrator’s password if it’s on a post-it?
What benefit is antivirus software if it’s disabled?
Why lock your front door if the receptionist lets anyone in?
These may seem like dumb questions, but the simple fact of the matter is that users are your greatest threat, and attackers know this. The threat is so intense that many security departments have sub-departments specifically designed to prevent insider threats from becoming a problem. What these security experts know is what every hacker has been exploiting since the rise of social media: Social Engineering is the easiest way into a network.
If an attacker wants to specifically target your organization, and you’re not just a random target but the target of interest, then they could spend months trying to bypass your DMZ and firewalls so they can install key loggers, packet sniffers, and Trojans or they can just ask for the passwords. You read that correctly.
They just ask for the passwords.
Imagine you got an e-mail asking you to log in to your bank, or to visit a link and log in, to check a suspicious transaction. You may not fall for the login-from-email trick, but what if your DNS information was corrupted and when you typed in www.bankofamerica.com it sent you to a different website; would you notice? Millions of people fall for these tricks every single day, and it’s all avoidable.
Very simple, but continuous and never-ending, educational programs can help defend your network and its users from themselves. Initiatives like shredding all paper may make people unhappy, but they completely remove the threat of dumpster diving. Using smart cards or two-factor authentication can help alleviate some of the risk if users do inadvertently reveal login credentials. Keeping control of who should have access to the building, and educating your receptionist not to allow people without appointments into sensitive areas, can help alleviate the risk of physical key loggers or war driving.
These programs are time consuming, but they’re cheaper than any of the technological countermeasures we’ve discussed so far, and both are far cheaper than being dragged into a lawsuit or losing a substantial amount of business and reputation after being the victim of a cyber-attack.
These sections are only a snippet of the fifteen pages that I've dedicated to security and privacy in my 140-page book, Understanding IT: Decoding Business and Technology. I've posted this to introduce the concept of Defense in Depth as it relates to the Malware Business Model. The topics covered here may be broad strokes, but before a specific technical understanding can be reached, the frameworks have to be established.