Defense in Depth

[hogfly]

This isn't so much a tutorial, as it is a concept. If the moderator here wants to move this thread, feel free.

How many times has your manager come to you and said something to the effect of "We have a firewall, we're secure!"
Security is not a product. It is a process. Security is not a series of products, it's a constant battle.

Just as the OSI model has layers that define communications, security is best practiced in layers.

Defense in Depth is the practice of protecting your network and assets in layers. The goal is to ensure you achieve confidentiality, Integrity and Availability at every layer. I've defined 6 simple layers in my outline of defense in depth; 7 if you include physical security(which I didn't get in to depth about in this document). I've listed several common defenses that can be utilized for each of the layers I've defined. I've had to trim down the document in order to make this public.

The layers I've outlined are:
Data
User
Host
Network
Perimeter
External
Physical

Physical security transcends every other layer of security that can possibly be implemented.
Attached is a trimmed down document that I've created as a basic guideline for network administrators where I work. It's not all inclusive but it's designed to get the admins and their managers thinking about security as a process and not a single product. As I said, this list is not all inclusive, so please dont tell me things are missing. I know they are missing and that's by design. Feedback is welcome.

[catch]

I get what you are trying to do with this... however a few things really stand out to me... you say this is a cost benefit ratio, yet I see no cost benefit ratios.

I see:

Concept: Principal of Least Privilege
Cost to implement: little
Time to implement: high
Benefit: Helps create an environment where only the people that need access to specific resources have access to that resource

Ok... so the ratio is (little+high):helps create? (and the concept is "Need to Know" which is implemented at the um... "user" level I guess. Least privilege is implemented at the "user" and "host" levels and states that subjects should have only the exact rights to complete their required tasks and nothing more)

A more proper way to do cost benefit analysis, that will give you more usable results is:

Risk ID: 3402
Risk Description: Users accessing data, that while within their confidentiality level is beyond the scope of their role.
Current Exposure Factor: 3/5 (x out of 5 is a simple way to homogenize risks, safeguards and costs)
Target EF: 1/5

Solution: Implementing a "Need to Know" policy
Safeguard: Role Based Access Controls
Cost to implement: (little + high = average?) 3/5
Benefit: 3402 Final EF = 1/5, 3079 Final EF = 2/5, 3067 Final EF = 2/5, etc etc

Now you have something qualified and usable... and later you can "easily" quantify this data.

This way you have tiers of risks... and each general safeguard leaves more specific risks that can be addressed in the next tier. Managers can than quickly look and see how much it's gonna cost and what still needs to be mitigated.

Next, there is no such thing as free. Never, ever, ever, ever, ever. A lot of people seem to be confused on this fact.

"Linux is free!" Except of course that a Linux admin will cost you about $10k per year more than an NT admin will. This is assuming right off the bat the company is held to no other regulations or anything like that.

"Bastille is free!"
- Cost to install.
- Cost to configure.
- Cost to document.
- Cost support.
----- More experienced admin
----- Potentially different requirements for in-house developments
- ?
- ?

Suddenly when comparing a Bastille Linux web server to something like HYDRA (which costs about $35,000 per box) the prices look comparable. In fact for most security relevant installations HYDRA will end up cheaper... using such a system to qualify costs and risks, plus dismissing the myth of free anything makes such comparisons very simple and efficient.

All in all I think your document is a good start for such a thing, make the data a little more homogenous and it will be of excellent user to many here.

cheers,

catch

[hogfly]

Cost benefit ratio is what the end result will be. I probably should have taken it out of there. All of what you say is very true. It is indeed just a start. A directive was passed down from the top to get the "easy wins" so I've crafted this simple document laying out the basics.
A risk assessment, which will truly involve qualifiying and quantifying items will come once they(the bosses) understand that they have a problem and that perhaps only a few of the items in this list are truly being done.