Defense In Depth
Overview
Defense In Depth. The principle is simple. Assume each layer of your security will be breached. Think about how to delay the attacker, how to increase their costs.
The more you can delay the attacker, the more you have a chance of observing and reacting before its too late.
The more you can shift cost from you (the defender) to the attacker, the more likely it is they will go elsewhere.
Fefense in depth means defending at each stage of a pipeline. From SAST through simple orthogonal security techniques like fail to ban to zero-trust techniques like splitting identity from authorisation.
Articles
Ignoring systems that may be deemed ‘unimportant’ in comparison to your revenue-generating technology stack will leave your organization open to compromise from the Log4Shell vulnerability.
Two hikers see a bear. One bends over to tie shoes. Other says, you can’t out run a bear. First says, just need to outrun you. Pause laughter
A big 5 Canadian bank has a fake multi-factor authentication sytem, allowing anyone to fall back to password. Why? How is this acceptable?
Managed Service Provider Breached. Customer pays out. Who is at fault? Lawsuit to determine. Multi-factor authentication to prevent.
How some public sector entities have great cyber-awareness training, but exempt the elected and senior staff. From Great To Good in one step.
A simple set of controls for a Minimum Viable Secure Product. Open source for us all to use. Implement, ask in RFP, common baseline to follow
Telnet. 40 years old, not fit for purpose. Alive and well in Canada. No amount of mitigation or multi-factor authentication makes it OK.
This article discusses SMS as a second factor for multi-factor authentication in context with the Syniverse hack.
I AM. I HAVE. I KNOW. The trifecta of simple and secure. Why does it improve security so much? Because the factors are not correlated. Use at least 2.