with a twist in the tale: instead of being in a foreign city, the woman is in her hometown, which
she knows like the back of her hand. She is a trained karate expert and carries, in her purse, a can
of pepper spray. To add another twist in the tale, let us say it is morning, and the same dark street
is now filled with people. How does the equation change?
For starters, the woman would not be vulnerable anymore, not as vulnerable at least. The
chances that an attacker can really cause damage to her or her belongings are greatly reduced. This
does not mean that the threat would disappear in this case. There is always the threat of someone
stealing her purse or shopping bags and also attacking her, but she isn't vulnerable anymore. Her
vulnerability has greatly reduced because of the said factors. This concept drives home the primal
and most basic concept of risk:
Risk = Threat × Vulnerability
Our understanding of risk is far from complete. We have just been introduced to risk and its
basic constituents. Risk is also made up of some other ingredients like impact. This concept is also
imperative for our understanding of risk. We will also have to explore threats and vulnerabilities
with a magnifying glass and explore in some detail each of these concept areas.
2.2.3 Defense-in-Depth
Defense-in-depth is a military strategy that is also known as deep defense. In the information
security world, defense-in-depth is a metaphor for layered security. The idea behind defense-in-depth
is to prevent attacks from happening by deploying layers of security around critical information
or information assets. Rather than have a single layer of defense—and in pessimistic terms, the
proverbial single point of failure—defense-in-depth relies on the concept that the attack tends to
lose its venom or may be detected by different layers of security as and when the attack is taking
place, so as to be able to mitigate the attack using detective controls. These layers may differ from
implementation to implementation and based on the sensitivity of the information in question as
well. We will explore defense-in-depth with an example. (See Figure 2.2.)
2.2.3.1 Network Security
Firewalls are access control devices that control the traffic to and from the network they are
protecting. A firewall examines network traffic, examines a rule base, which has been configured for
the firewall, and only then allows the traffic to flow inside or outside the network. Firewall rules
to allow and drop network traffic can be configured by the organization's security department or
network administration department. Today's firewalls have intelligence built into the appliances
and also provide additional security functionality, such as content filtering, intrusion detection/
prevention, and virtual private networking capabilities.
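The rule-base lookup described above can be sketched as follows. This is an added example, not code from the book; the rule fields, the first-match ordering, the default drop when no rule matches, and the documentation-range addresses are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "drop"
    direction: str         # "in" (toward the protected network) or "out"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, direction, proto, src, dst, dport):
        return (self.direction == direction
                and self.proto in ("any", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

# Constructed rule base (assumption): order matters, rule 0 is checked first.
RULE_BASE = [
    Rule("drop",  "in",  "any", "198.51.100.0/24", "0.0.0.0/0",       None),
    Rule("allow", "in",  "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443),
    Rule("allow", "out", "tcp", "203.0.113.0/24",  "0.0.0.0/0",       443),
]

def decide(direction, proto, src, dst, dport, rules=RULE_BASE):
    """Return (action, rule_index); rule_index is None for the default drop."""
    for i, rule in enumerate(rules):
        if rule.matches(direction, proto, src, dst, dport):
            return rule.action, i      # first matching rule wins
    return "drop", None                # nothing matched: deny by default

if __name__ == "__main__":
    # Constructed sample packets: (direction, proto, src, dst, dport)
    packets = [
        ("in",  "tcp", "192.0.2.5",    "203.0.113.10", 443),  # permitted web traffic
        ("in",  "tcp", "198.51.100.7", "203.0.113.10", 443),  # blocked source network
        ("in",  "tcp", "192.0.2.5",    "203.0.113.10", 22),   # no rule: default drop
        ("out", "udp", "203.0.113.20", "192.0.2.53",   53),   # no rule: default drop
    ]
    for p in packets:
        print(p, "->", decide(*p))
```

The second sample packet shows why rule order is part of the configuration: it would satisfy the allow rule for port 443, but the earlier drop rule for its source network is matched first.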
An intrusion detection system (IDS) is a device that examines each and every packet coming
into and out of the network and correlates the same against a database of built-in attack types.
An IDS alerts the information security personnel or the concerned authorities in the organization
that an attack might be taking place when it finds network traffic that matches its built-in attack
signatures. An intrusion prevention system (IPS) goes a step further than the IDS. The IPS also
examines the packets and correlates them with a known database of attacks or against what is
considered normal network traffic; when it finds the traffic, however, it not only generates an alert