The InfoSec Blog

Doubts about “Defense in Depth”

Posted by Anton Aylward

 So to have great (subjective) protection your layered protection and controls have to be "bubbled" as opposed to linear (to slow down or impede a  direct attack).

I have doubts about "defence in depth" analogies with the military that many people in InfoSec use.

Read what they are really talking about in those military examples: its "ablation": that means burning up resources, like land (the traditional defence the Russian Empire used) or manpower (the northern states used in the US civil war) and resources (the USA in WW2).  They try to slow down a direct and linear attack, hopefully to a standstill.

As the Blitzkrieg showed in dealing with the Maginot Line, if you "go around it" the defence isn't a lot of use.

Through the ages of war and politics and empire-hood and nation-hood and tribalism we've seen many threats and attacks and subversions used.

The reality is that many InfoSec defences are more like umbrellas, the assume that the attack in coming from a particular direction in a particular form.  What's needed is more like an all-enclosing "bubble" rather than something linear with the 'defence in depth' model.  But that gets back to the problem of the perimeter.

Many wifi enabled devices are really "spies inside the defensive perimeter".

There was a scare a while ago that various networking equipment was made by companies or fabricators in places that were or might be inimical or economic competitors and as such have subversive code hidden in them.  No doubt this will come around again when journalists have nothing better to write about or the State Department need to wave a big stick and scare the public -- its form of showing that "its doing something".

But how can we tell? The reality is that "security specialists" are finding errors - never mind deliberately malicious code - in all manner of devices: pacemakers, insulin pumps, automobile throttle controllers. Will they find "errors" that allow subversion in mainstream IT deceives like home wifi routers (aka the next generation of spambots), home PC software (that's a no-brainer isn't it!) never mind commercial databases.

I dedicate this to the memory of Ken Thompson