Judging by this year’s “Infosecurity Europe 2009″ event attendance at Earl’s Court, London, it becomes clear that despite the downturn economy, the stance, which Information Security (akaINFOSEC) has gained over the last two decades, remains firm, and is still strengthening.
 
With the media buzzing over new technologies such as “Cloud Computing” and “Web 2.0” (pronounce Web Two O), most companies find themselves stranded and sometimes at sea.
As such, businesses of all sizes and functions need to devise proper Information Assurance strategies and practices.
 

*Defense in Depth is an Information Assurance (IA) strategy in which multiple layers of defense are placed throughout an Information Technology (IT) system. It addresses security vulnerabilities in personneltechnology and operations for the duration of the system’s lifecycle.* 

*Src: Wikipedia, Accessed Apr 29, 2009

Defense-in-Depth is a layered approach to INFOSEC, designed around the Open Systems Interconnect (OSI) model, with the addition of one extra, 8Th layer: PEOPLE.
 
  • Layer 8: PEOPLE
  • Layer 7: Application
  • Layer 6: Presentation
  • Layer 5: Session
  • Layer 4: Transport
  • Layer 3: Network
  • Layer 2: Data Link
  • Layer 1: Physical
Using these layers, I have devised 10 steps to an effective Defense-in-Depth strategy.
 
Step 0: Assess Risks
Risk Assessments are an important part of any Security Plan. This process can be done alongside the S.W.O.T analysis of any business. Because there is no such thing as “Fail-proof“, or “100% secure” systems, the likelihood of a vulnerability being exploited defines the threats an organization or business may be facing. Identify early, and Remediate as soon as possible are the key steps. 
Once a risk is identified, it is treated based on its relevance and potential of damage to the business via Security measures and control, insurance (risk transfer), or simply accepted along with the consequences (residual risk).
 
Many small businesses may think it’s “Overkill” to perform a Risk Assessment, but not doing it may be close to Suicide. Come on, take a coffee break for 30mn to think about the threats your business is facing! I promise, it will be time wasted for something good.
 
Step 1: Establish an Information Security Policy
An INFOSEC Policy is actually a declaration by the management of an organization, of their intent to do whatever it takes to protect information and other business assets (including People). But,What are we protecting ourselves against? Aha! We now see the prime importance of Step 0. The protection and control measures defined within an Information Security Policy is tightly linked to the risks identified in the previous steps. Risks which are deemed unacceptable will be treated through the application of the proper measures and technical controls.
 
Step 2: Define and Classify Assets and Business Core Components and Infrastructure
This is actually a subset of Step 1, as an Organization needs to know what their assets are, in order to apply the desired protection mechanisms. Most organization see “Inventorizing” as just a list with a bunch of objects within. Actually, it is required to properly identify and Classify Assets, within the framework of the IEC/ISO 27001 standard (ISMS: Information Security Management Systems). The level or prioritization of protection will inevitably be linked to the classification level of the asset (Unclassified, Sensitive, Secret, etc.)
 
Step 3: Defend at the Network Edge
The previous three steps were more “organizational” than technical. In this step, the organization or business needs to protect its network from external third-parties (Partner businesses and Internet connections). In the old age, we use to think that having a “Firewall” at the edge network is all we needed. Unfortunately, a Firewall, by itself does not provide enough protection for today’s networks. 
A combination of protection mechanisms at various layers is the recommended best practice. At the very least, a business will have the following at the Edge network:
Firewall+Intrusion Detection System (IDS)+Intrusion Prevention System (IPS)+Antivirus. 
Together, these devices form the basis of any Unified Threat Management system (UTM).
 
Step 4: Defend Within the Network Edge
Defending within the Network Edge means applying protection measures to an organization’s DMZ (Demilitarized Zone, or Screened Subnet). Having encryption channels setup between each communicating devices, and IDS/IPS sensors is a must. And only use business-justified applications. If users need access to the internal network resources, establish a VPN solution, and have them go through the DMZ.
Applying Network Access Controls techniques at this level may also be necessary.
 
Step 5: Defend the Internal Network
Defending the Internal Network is not a “Nice to have” strategy anymore. Most threats are actually internally-generated. As such, more efforts need to be put into defending the internal network, via Access Control measures.
Not Using IPSec to encrypt communications to critical systems can no longer be justified by assertions such as extra CPU Load and limited bandwidth. 
The average network today runs on 100 Mbps (full duplex; why would you even use half-duplex, when you have a switch connecting your end devices?) or even 1000 Mbps. With Dual-Core and Quad-Core servers that are now available for less than 1000.00 usd, the “extra CPU load excuse” can no longer be put forward (even with Virtualization). So why the wait?
 
Using Network Access Control systems to authenticate and allow users access to the network only when a set of pre-conditions are met (updated Anti-virus and Patches for instance) is a must-have too. The technology has been around for years now, and is still only deployed within big enterprises. 
 
Step 6: Defend Individual Systems
No one will ever say it enough: Always make sure your Systems are fully patched, and Up to Date with the latest Virus Definitions!!! 
However, defending individual systems does not stop there. 
Using Host-based Intrusion Detection Systems, Anti-Spyware, and Rootkit detectors go hand-in-hand altogether. Encrypting the content of Mobile devices (Notebooks, Netbooks, Mobile Phones, etc.) through the Trusted Platform Module (TPM) or any other devices is of utmost importance.
Do not also forget the Physical Security aspect of those systems. No matter how secure your system is, once an intruder gains physical access to it, it will be already too late.
 
Step 7: Train Users
This will not be stressed enough: Always Train and re-train Users. They’re not the Weakest link by pure chance. Increasing Awareness within the Users is a sure way to increased Security. Use any form available, and implement a Rewarding scheme if necessary; not necessarily financial; it could be a certificate such as the “The Secure Employee of the Month”. 
Hiring Professionals for an onsite demonstration of typical security malpractices is another option, which could raise awareness very quickly.
 
Step 8: Frequently Test the Measures
Upon implementing your strategy, it needs to constantly tested for effectiveness. Hire some Professional Penetration Testers for a Black-box or a White-box testing. Use their feedback to improve your security. Remember that Penetration Testers will only attempt to break your defenses for a limited timeframe. A failure in doing so, does not necessarily mean your network is “Secure”; but you’re on the right path.
 
There is a controversy whether those kind of tests should be run from internal I.T departments. I wouldn’t recommenda that, as they mostly know the strenghts and weaknesses of the systems they themselves implemented and are supposed to protect. Using Outside Professionals (your company may want to perform some background checks initially on the candidates) provides an un-biased approach to such testing.
 
Step 9: Review Plan and Improve Strategy
No Plan Survives first contact with the Enemy! dixit a former General (whom I forgot the name). 
Your strategy needs to be frequently reviewed and improved upon. As one says, the more we fall and stand up, the stronger we get.