Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday March 24 2017, @02:23AM   Printer-friendly
from the onions-have-layers dept.

The principle of Defence in Depth ("DiD"), says OWASP (Open Web Application Security Project), is that "layered security mechanisms increase security of the system as a whole". That is, if one layer of protection is breached, there's still the opportunity for the attack to be fended off by one or more of the other layers. If anyone's ever drawn something that looks like an onion on the whiteboard – a load of concentric layers with your infrastructure in the middle – that's the concept we're looking at. It's actually a military term that's been adopted by security types in the IT industry who want to be tank commanders when they grow up.

On the face of it it's a pretty simple concept to understand. Rather than just having (say) anti-malware software on your desktop computers, why not also make your Web downloads go through a filter that has malware protection on it too? And yes, this helps. But to do it properly you have to step back a few strides and have an overview of your world: although it's going to cost me 50p in the buzzword swear box, I'm going to say "holistic view".

I secure my systems by naming things like Perl regular expressions. Attackers instantly go cross-eyed and fall over.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by maxwell demon on Friday March 24 2017, @08:08AM (7 children)

    by maxwell demon (1608) on Friday March 24 2017, @08:08AM (#483564) Journal

    What about doing "reverse port knocking": If some IP address accesses unused ports, it gets blocked for a short time, that increases with each tried access to unused or currently blocked ports.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by Wootery on Friday March 24 2017, @08:46AM (5 children)

    by Wootery (2341) on Friday March 24 2017, @08:46AM (#483569)

    Could be defeated by using a different source IP to check each port number.

    • (Score: 1) by khallow on Friday March 24 2017, @10:13AM (4 children)

      by khallow (3766) Subscriber Badge on Friday March 24 2017, @10:13AM (#483578) Journal
      But still means that you're keeping out the script kiddies, which sounds like that's all the OP wants to do.
      • (Score: 2) by TheRaven on Friday March 24 2017, @10:23AM

        by TheRaven (270) on Friday March 24 2017, @10:23AM (#483581) Journal
        Most of these scans come from botnets. They'll try 2-3 from one IP, then a few from another, and so on. Botnet machines are something like 5¢ on the open market: well within the price range of most script kiddies.
        --
        sudo mod me up
      • (Score: 2) by JoeMerchant on Friday March 24 2017, @01:46PM (2 children)

        by JoeMerchant (3937) on Friday March 24 2017, @01:46PM (#483628)

        There are 10,000 script kiddie attacks flying around for every serious hack.

        Serious hacks tend to be more targeted, deliberate, focused. Yes, you should be resistant to them, but ultimately - if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

        In security, you should be as good as you can without compromising usability (unacceptably). The major threat are the simple scripts that trawl for open ports, first: don't fall for that.

        --
        🌻🌻 [google.com]
        • (Score: 2) by PiMuNu on Friday March 24 2017, @02:20PM (1 child)

          by PiMuNu (3823) on Friday March 24 2017, @02:20PM (#483650)

          > if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

          I thought that was the point of having layered defences (or network zones, or whatever) - so only a very few privileged actors have access to your golden data e.g. customer account data and only by jumping through some hard-to-socially engineer hoop (like ssh keys). Proabably the sort of people who are vulnerable to phishing aren't the sort of people who need to make accesses to the customer db (e.g. non-technical support staff, management, etc).

          • (Score: 2) by JoeMerchant on Friday March 24 2017, @03:37PM

            by JoeMerchant (3937) on Friday March 24 2017, @03:37PM (#483688)

            Very true, first consider the integrity of the user and the power of the key before putting them together... However, in this context, I think they're referring to "layered" as in onions, which means scanning attachments for viruses at multiple points in the stack, with multiple types of scanners, or requiring an SSH key and a username/password login, rather than multiple levels of privilege.

            --
            🌻🌻 [google.com]
  • (Score: 2) by bob_super on Friday March 24 2017, @05:06PM

    by bob_super (1357) on Friday March 24 2017, @05:06PM (#483746)

    Then some exec fails to connect using the default ports, gets blacklisted, grabs his phone to give you an earful, because he needs a cute door with a doormat and a key that fits His keychain, to get into your fortress, and he need it right now...