# Defence In Depth

# Defence In Depth: What We Practice

We practice what we preach. Zero Trust is part of a complete defence in depth strategy.

## Overview

The principle of [Defence In Depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) is simple: assume each layer of your security will eventually be breached, and design every layer to delay the attacker and raise their costs.

The longer you can delay an attacker, the better your chance of observing and reacting before it's too late.

The more you can shift cost from you (the defender) to the attacker, the more likely it is they will go elsewhere.

Defence in depth means defending at every stage of the pipeline: from [SAST](https://www.agilicus.com/static-application-security-testing-sast-and-nodejs-with-gitlab-ci/) at build time, through simple, orthogonal run-time controls like [fail to ban](https://www.agilicus.com/fail-to-ban/), to [zero-trust](https://zero-trust.ca/) techniques like [splitting identity from authorisation](https://www.agilicus.com/simplify-security-zero-trust-split/).
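As an added illustration of one such orthogonal layer (example code written for this page, not Agilicus's own fail-to-ban implementation), the following replays a constructed authentication log through a sliding-window fail-to-ban policy: a source that racks up too many failures inside the window is banned for a fixed period, anything it sends during the ban is dropped before it reaches the authentication layer, and the ban lifts on its own afterwards. The log format, addresses, thresholds and the `FailToBan` helper are all assumptions made for the example.

```python
"""Fail-to-ban as one defence-in-depth layer.

Count authentication failures per source address over a sliding window and
ban any source that crosses a threshold, so a brute-force run is cut off
after a handful of guesses even if the credential layer behind it is weak.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not captured from a real system). Assumed format:
# "<ISO-8601 timestamp> <FAIL|OK> <source ip> <username>"
SAMPLE_LOG = """\
2024-01-10T09:00:01Z FAIL 203.0.113.7 admin
2024-01-10T09:00:02Z FAIL 203.0.113.7 root
2024-01-10T09:00:03Z FAIL 203.0.113.7 admin
2024-01-10T09:00:04Z FAIL 203.0.113.7 test
2024-01-10T09:00:05Z FAIL 203.0.113.7 admin
2024-01-10T09:00:06Z OK   203.0.113.7 admin
2024-01-10T09:00:10Z FAIL 198.51.100.4 alice
2024-01-10T09:05:00Z FAIL 198.51.100.4 alice
2024-01-10T09:15:00Z FAIL 198.51.100.4 alice
2024-01-10T09:15:01Z OK   198.51.100.4 alice
2024-01-10T09:16:00Z FAIL 203.0.113.7 admin
2024-01-10T09:20:00Z OK   203.0.113.7 admin
"""


class FailToBan:
    """Sliding-window failure counter with timed bans (hypothetical helper)."""

    def __init__(self, max_failures=5, window=timedelta(seconds=60),
                 ban_time=timedelta(minutes=10)):
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> time at which the ban lifts

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        # Ban expired: lift it and forget the old failure history.
        del self.banned_until[ip]
        self.failures.pop(ip, None)
        return False

    def observe(self, ts, status, ip):
        """Return "drop", "ban" or "pass" for one authentication event."""
        if self.is_banned(ip, ts):
            return "drop"        # never reaches the authentication layer
        if status != "FAIL":
            return "pass"        # successes are not counted against the source
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()     # discard failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban_time
            recent.clear()
            return "ban"         # this attempt crossed the threshold
        return "pass"


def parse_line(line):
    ts, status, ip, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), status, ip, user


def run(log_text, **policy):
    """Replay a log through the policy; return per-line decisions and open bans."""
    f2b = FailToBan(**policy)
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, status, ip, _user = parse_line(line)
        decisions.append((ip, status, f2b.observe(ts, status, ip)))
    return decisions, sorted(f2b.banned_until)


if __name__ == "__main__":
    for ip, status, decision in run(SAMPLE_LOG)[0]:
        print(f"{ip:<14} {status:<4} -> {decision}")
```

With the defaults, 203.0.113.7 is banned on its fifth failure within a minute, its next attempt is dropped, and the ban has lapsed by the time it returns a quarter of an hour later; 198.51.100.4 fails three times over fifteen minutes and is never banned, because the failures never fall inside one window. The point of the layer is that it works regardless of how strong the passwords behind it are.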

- [Time To Exploit Approaches Zero](https://www.agilicus.com/time-to-exploit-approaches-zero/)
    
    The time between a vulnerability being detected and being exploited has been declining. The web site https://zerodayclock.com has a great graph. It shows that in 2018 you had 2.5 years from detection to get a fix deployed. This worked its way through your supply chain and you updated. Think of a ‘log4j’ type vulnerability: it's a library inside a component inside a larger component inside a product you buy. The ‘gear lash’ takes a bit of time, but eventually…
- [Agilicus Ready for the Quantum Leap: Securing Today’s Gear from Tomorrow’s Threats](https://www.agilicus.com/agilicus-ready-for-the-quantum-leap-securing-todays-gear-from-tomorrows-threats/)
    
    It’s a tale as old as time: we build a better lock, and someone, somewhere, starts building a better lock-pick. In the digital world, we’re on the cusp of a monumental leap in lock-picking technology: quantum computing. The cryptographic locks we rely on for everything from banking to binge-watching are in danger of becoming as effective as a screen door on a submarine. But fear not, because the future of digital security is already taking shape, and it’s called Post-Quantum…
- [Apache Tomcat: Stealthy Risk Vector](https://www.agilicus.com/apache-tomcat-stealthy-risk-vector/)
    
    Apache Tomcat. It is an everywhere middleware. And, quelle surprise, the time from disclosure to use is a day. Like log4j it will be with us for some time, so, time for some defence in depth.
- [It’s Been 0-Days Since The Last Municipal Cyber Security Attack](https://www.agilicus.com/its-been-0-days-since-the-last-municipal-cyber-security-attack/)
    
    Asymmetric warfare: big governments attack little governments. Attackers need to be right once; defenders need to be right 24x7x365. Municipalities continue to be a target.
- [FTC To GoDaddy: Heal Thyself](https://www.agilicus.com/ftc-to-godaddy-heal-thyself/)
    
    The FTC orders GoDaddy to improve its security, marking an expansion in the supply-chain hardening tactics of government regulators.
- [Krooked Kriminals Krack Krispy Kreme](https://www.agilicus.com/krooked-kriminals-krack-krispy-kreme/)
    
    Krispy Kreme is materially impacted by a cyber security issue and files an SEC 8-K disclosure.
- [Windows Update Breaks VPN, Good Riddance #zerotrust](https://www.agilicus.com/windows-update-breaks-vpn-good-riddance-zerotrust/)
    
    Microsoft Windows Update breaks VPN for Windows 10 and 11. Third-party VPNs have known exploited vulnerabilities. Let's talk about VPN alternatives!
- [Industrial Supply Chain Matryoshka Risk](https://www.agilicus.com/industrial-supply-chain-matryoshka-risk/)
    
    Last week's hyper-critical NGFW vulnerability is this week's embedded operational technology challenge, due to nested risk and the supply chain.
- [Quis custodiet ipsos custodes: When Good Firewalls Go Bad](https://www.agilicus.com/quis-custodiet-ipsos-custodes-when-good-firewalls-go-bad/)
    
    Recently Palo Alto announced a 10.0 CVE in the GlobalProtect feature of their PAN-OS firewall. "Unauthenticated attacker [can] execute arbitrary code with root privileges on the firewall". Well, that is not good. But, how "not good" is it? It's terrifyingly bad ungood in fact.
- [Three Strategies To Help: Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits](https://www.agilicus.com/three-strategies-to-help-cisco-asa-anyconnect-and-webvpn-added-to-cisa-known-exploits/)
    
    Cisco ASA AnyConnect and WebVPN added to CISA Known Exploits. Do you have one running on autopilot in your plant somewhere? Maybe between the IT and OT network? Maybe running the DMZ?
- [Ground Hog Day: Fortinet VPN Edition](https://www.agilicus.com/ground-hog-day-fortinet-vpn-edition/)
    
    Another day, another VPN letting the world in to snoop around and fondle your crown jewels: Fortinet edition.
- [Dutch Defence Detail Dastardly Dirty Deed](https://www.agilicus.com/dutch-defence-detail-dastardly-dirty-deed/)
    
    The Netherlands Ministry of Defence just published the cliff-hanger document TLP:CLEAR MIVD AIVD Advisory COATHANGER regarding a remote access attack on their Fortinet FortiGate VPN by "a state-sponsored actor from the People’s Republic of China". CVE-2022-42475 was the weakness. One thing that is unusual about the report is the direct attribution: this is rare.
- [Howto: Open Source Intelligence and your Digital Footprint](https://www.agilicus.com/howto-open-source-intelligence-and-your-digital-footprint/)
    
    Let me show you a very simple means of Open Source Intelligence (OSINT) on yourself. If I can do this, anyone can do this, and if anyone can do this, someone bad can do this.
- [Off-Grid Agricultural Cyber Physical Systems](https://www.agilicus.com/off-grid-agricultural-cyber-physical-systems/)
    
    The "John Deere Business Model" of taking something traditional and making it a subscription. Starlink and its complex remote-access needs due to CGNAT. And cybersecurity, notably Cyber Physical Systems with the scary downside of being able to move and cause damage.
- [Hard Industrial Cybersecurity is hardly secure, nuclear waste edition](https://www.agilicus.com/hard-industrial-cybersecurity-is-hardly-secure-nuclear-waste-edition/)
    
    One thing all industrial control installations have in common: they straddle the complexity of modern information technology and the dangers of operational technology, with its inherent control of things which can go bump and boom.
- [Avoid Exploitation of Unitronics PLCs used in Public Water Systems](https://www.agilicus.com/avoid-exploitation-of-unitronics-plcs-used-in-public-water-systems/)
    
    Exploitation of Unitronics PLCs used in Public Water Systems for political purposes. Recommendations.
- [Attainable Municipal Zero Trust](https://www.agilicus.com/attainable-municipal-zero-trust/)
    
    Attainable Municipal Zero Trust: key insights from recent Zero Trust implementations by municipalities. Why, how, what ROI, lead use cases.
- [CISA Cyber Scan Water](https://www.agilicus.com/cisa-cyber-scan-water/)
    
    CISA has announced a free (as in beer) service to scan water systems for vulnerabilities. Agilicus has used this scan for a year, receiving weekly reports.
- [Terminator Becomes National Standard](https://www.agilicus.com/terminator-becomes-national-standard/)
    
    I'll be back. Iconic line foreshadows the rise of cyber-physical systems. The Terminator trifecta: physical machines, artificial intelligence, cyber-security gone awry.
- [Another Day, Another Exploit – Protecting Against the ProxyNotShell Exchange Server Zero-Day Vulnerability](https://www.agilicus.com/protecting-against-proxynotshell-zero-day/)
    
    Learn how zero trust protects against the new Microsoft Exchange Server zero-day exploit affecting Outlook Web Access (OWA), ProxyNotShell. With Agilicus, you’ll block lateral traversal and prevent unauthorised traffic from arriving at your resources while ensuring they are still accessible to legitimate users.
- [Well Timed or Coincidental, Cue the Phishing Attacks as 2.5M Students Affected by Data Breach](https://www.agilicus.com/phishing-students-loan-breach/)
    
    Days after the announcement of student loan forgiveness in the United States, 2.5 million student borrowers had their personal information exposed in a data breach and are at an increased risk of being targeted in a phishing attack.
- [Protecting Against the OWASP Top 10 Web Application Vulnerabilities](https://www.agilicus.com/protecting-against-the-owasp-top-10/)
    
    The OWASP Top 10 is a standard awareness document that outlines the most critical web application security risks and vulnerabilities. Learn how Agilicus AnyX is designed to eliminate an attacker's visibility into the potential OWASP Top 10 web application vulnerabilities.
- [570 News Agilicus Interview](https://www.agilicus.com/570-news-agilicus-interview/)
    
    Interviewed on 570 News Tech Spotlight. Listen to the interview here; I talk through some of the simple risks and how we help. And a bear joke.
- [Chewy Centre Protected By A Sponge](https://www.agilicus.com/chewy-centre-protected-by-a-sponge/)
    
    The M&M is not a good network design: chewy centre, hard shell. Recent Cisco router vulnerabilities discussed for defence in depth.
- [Log4Shell – Not Even the Smart Thermostat is Safe](https://www.agilicus.com/log4shell-not-even-the-smart-thermostat-is-safe/)
    
    Ignoring systems that may be deemed 'unimportant' in comparison to your revenue-generating technology stack will leave your organisation open to compromise from the Log4Shell vulnerability.
- [A Little Consequences Go A Long Way: Return Of The Bear Joke](https://www.agilicus.com/a-little-consequences-go-a-long-way-return-of-the-bear-joke/)
    
    Two hikers see a bear. One bends over to tie his shoes. The other says, you can't outrun a bear. The first says, I just need to outrun you. Pause for laughter.
- [Fake It Till You Make It: Canadian Bank Multi-Factor Authentication Edition](https://www.agilicus.com/fake-it-till-you-make-it-canadian-bank-multi-factor-authentication-edition/)
    
    A big 5 Canadian bank has a fake multi-factor authentication system, allowing anyone to fall back to a password. Why? How is this acceptable?
- [The Economic Cost Of Not Having Multi-Factor: MSP Lawsuit Edition](https://www.agilicus.com/the-economic-cost-of-not-having-multi-factor-msp-lawsuit-edition/)
    
    Managed Service Provider breached. Customer pays out. Who is at fault? A lawsuit will determine. Multi-factor authentication would have prevented it.
- [Cyber-Security For Thee But Not For Me](https://www.agilicus.com/public-sector-cyber-security-survey/)
    
    How some public sector entities have great cyber-awareness training, but exempt the elected officials and senior staff. From great to good in one step.
- [Minimum Viable Secure Product](https://www.agilicus.com/minimum-viable-secure-product/)
    
    A simple set of controls for a Minimum Viable Secure Product. Open source for us all to use. Implement it, ask for it in RFPs, a common baseline to follow.