Enforcement of trust relationships is achieved through a variety of security mechanisms appropriate to the organization, project, and business requirements.
13.7.2 Defend
The IA operations cycle phase defend is to oppose or ward off a danger or attack against information, information technology, or other organizational assets. Limitations on resources prevent the defense of 100 percent of assets from 100 percent of threats 100 percent of the time. Intelligent resource allocation provides insight into which defenses are necessary and sufficient. A principle of security is to make the cost of a successful attack high enough to discourage both the attempt and the success of that attack. Defenses establish the cost level of a successful attack. For example, door locks will not deter a motivated attacker; however, they provide a sufficient safeguard against casual attacks (e.g., the merely curious). Additional safeguards like video cameras and security guards increase the defenses. The cost of a successful attack increases when there are safeguards to avoid or overcome. The attack is then not impossible, but it is more difficult. Video cameras also provide evidentiary records, and the possibility of successful prosecution and jail time raises the cost of an attack even more.
The same principle applies in cyber-security. Absence of a firewall allows unrestricted access to all comers. A well-configured firewall prohibits entrance of the casually curious; however, the appropriate tools and knowledge allow entrance by those with the means (money to buy the tools), method (knowledge to use them), and motivation (reason for doing so). Adding a network intrusion detection system (NIDS) creates another safeguard to overcome, thus increasing the cost of a successful attack. Adding a host-based intrusion detection system (HIDS) is another safeguard. Configuring the host system to eliminate unnecessary applications and services, close down unnecessary ports, and use strong passwords for any access adds yet another layer. Defense-in-depth increases the attacker's cost of reaching the objective.
To reiterate, the objective is not to introduce airtight security measures with absolutely no chance of a successful attack. The objective is to introduce the security measures necessary to raise the cost of a successful attack to the point of being prohibitive. This takes us back to the threat space analysis. If the asset is a government installation and the potential attacker has state sponsorship from an unfriendly government, the means, method, and motivation may be high enough that complex defenses are necessary. On the other hand, small businesses that suffer more from incidental fallout than from a focused attack are usually fine with the cyber-equivalent of door locks. A firewall and anti-malware cover most of the incidental threats. A sound backup and recovery plan provides adequate contingency planning for a potential incident. These claims are broad generalizations made to illustrate the point. Any particular organization must evaluate its own environment and prepare accordingly.