Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 15 submissions in the queue.

Defence in Depth: a 'Layered' Strategy Can Repel Cold Attackers

posted by Fnord666 on Friday March 24 2017, @02:23AM   Printer-friendly
from the onions-have-layers dept.

Phoenix666 writes:

The principle of Defence in Depth ("DiD"), says OWASP (Open Web Application Security Project), is that "layered security mechanisms increase security of the system as a whole". That is, if one layer of protection is breached, there's still the opportunity for the attack to be fended off by one or more of the other layers. If anyone's ever drawn something that looks like an onion on the whiteboard – a load of concentric layers with your infrastructure in the middle – that's the concept we're looking at. It's actually a military term that's been adopted by security types in the IT industry who want to be tank commanders when they grow up.

On the face of it it's a pretty simple concept to understand. Rather than just having (say) anti-malware software on your desktop computers, why not also make your Web downloads go through a filter that has malware protection on it too? And yes, this helps. But to do it properly you have to step back a few strides and have an overview of your world: although it's going to cost me 50p in the buzzword swear box, I'm going to say "holistic view".

I secure my systems by naming things like Perl regular expressions. Attackers instantly go cross-eyed and fall over.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Defence in Depth: a 'Layered' Strategy Can Repel Cold Attackers | Log In/Create an Account | Top | 21 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by JoeMerchant on Friday March 24 2017, @01:46PM (2 children)

    by JoeMerchant (3937) on Friday March 24 2017, @01:46PM (#483628)

    There are 10,000 script kiddie attacks flying around for every serious hack.

    Serious hacks tend to be more targeted, deliberate, focused. Yes, you should be resistant to them, but ultimately - if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

    In security, you should be as good as you can without compromising usability (unacceptably). The major threat are the simple scripts that trawl for open ports, first: don't fall for that.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by PiMuNu on Friday March 24 2017, @02:20PM (1 child)

    by PiMuNu (3823) on Friday March 24 2017, @02:20PM (#483650)

    > if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

    I thought that was the point of having layered defences (or network zones, or whatever) - so only a very few privileged actors have access to your golden data e.g. customer account data and only by jumping through some hard-to-socially engineer hoop (like ssh keys). Proabably the sort of people who are vulnerable to phishing aren't the sort of people who need to make accesses to the customer db (e.g. non-technical support staff, management, etc).

    • (Score: 2) by JoeMerchant on Friday March 24 2017, @03:37PM

      by JoeMerchant (3937) on Friday March 24 2017, @03:37PM (#483688)

      Very true, first consider the integrity of the user and the power of the key before putting them together... However, in this context, I think they're referring to "layered" as in onions, which means scanning attachments for viruses at multiple points in the stack, with multiple types of scanners, or requiring an SSH key and a username/password login, rather than multiple levels of privilege.

      --
      🌻🌻 [google.com]