Search

Recent Posts

Tags


« | Main | »

DiD basics – a layered/ring security posture

By Dale Reagan | September 14, 2008

Defense-in-Depth (D-i-D) is a layered security posture – all devices (or as many as possible) in your infrastructure must be able to stand alone (for some period of time) if the ‘outer wall’ is breached.  Many systems currently on the Internet have multiple ‘weak links’ (a single network-edge firewall or no firewall, outdated binaries, mis-configured applications, no security monitoring, etc.)  If the outer wall comes down then the candy store is open and everything is free…

We/I have a firewall – We/I don’t need this Draconian approach.   Hmm, with only one barrier to entry the chances that your networks, servers, PCs, and applications will be compromised is, well, quite high;  do you have really good insurance coverage or a very high tolerance for risk?  Is their any sort of business consequence if your networks, servers, PCs are compromised?  Are your employees adequately educated/informed about network/computing security issues?  Is there a revenue impact if/when your web, email, database or other servers are compromised?

By standarizing, monitoring, reviewing, updating, and securing ALL of your servers, PCs and networks you can reduce the opportunities for unexpected and unwanted system and network activity.   Any component that is outside of your standards becomes your weakest link and a likely point of compromise.  If all of your electronic system components are as secure as possible (for the moment) then your weakest link is human: your employees and other people working/accessing resources/assets in your environment.

Are all of your systems:

For EACH component in your infrastructure you need to consider a baseline configuration:

  1. only allow required access (network, device and OS level access)
  2. only allow required services (networking, server applications, PC applications)
  3. only allow required network, device, OS changes (no deviation from your baseline, ‘gold image’ for the device/server/application)

For EACH component in your infrastructure you need to consider patches/updates:

  1. emergency (zero day other nefarious issues/vulnerabilities – can you address such issues quickly and efficiently?)
  2. normal (new tool/application/device versions that add needed functionality)
  3. other (some specialized application/package that becomes a new requirement)

All of the above items are dictated by your business/corporate policies – do you have information/security usage policies?  Are your employees aware of these policies and do they understand and follow them?

Policies are implemented by adopting  and implementing standards – do you have build/implementation standards? documented production operation standards, i.e. SOPs – standard operating procedures: what steps to take for normal as well as unusual conditions.

So, some questions to consider:

  1. What is your level of IT related risk tolerance? and
  2. How are you addressing your IT related risk tolerance level?

Just a few years ago both servers and PCs were delivered (and usually installed on production networks) with multilple network or other security weaknesses; now (2008), it is less common for servers new PCs to be ‘wide open’ immediately after an install.  By adopting reasonable policies and by implementing strong standards and procedures you can reduce the liklihood that your systems will be compromised.  Adopting a defense-in-depth posture is, I think, a better solution than relying on only one protection/barrier for your networked assets (i.e. just one firewall at the edge of your network(s) is not a solution and should NOT provide any level of warm fuzzies…)

Topics: Computer Technology, System and Network Security, Web Problem Solving, Web Technologies | Comments Off on DiD basics – a layered/ring security posture

Comments are closed.


________________________________________________
YOUR GeoIP Data | Ip: 73.21.121.1
Continent: NA | Country Code: US | Country Name: United States
Region: | State/Region Name: | City:
(US only) Area Code: 0 | Postal code/Zip:
Latitude: 38.000000 | Longitude: -97.000000
Note - if using a mobile device your physical location may NOT be accurate...
________________________________________________

Georgia-USA.Com - Web Hosting for Business
____________________________________