Defense in Depth: An Impractical Strategy For a Cyber World
By Prescott E. Small
Copyright 2011, Prescott E. Small
Smashwords Edition
This eBook is licensed for your personal enjoyment only. This eBook may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each recipient. If you’re reading this book and did not purchase it, or it was not purchased for your use only, then please visit Smashwords.com and purchase your own copy. Thank you for respecting the hard work of this author.
Businesses and Information Technology Security Professionals have spent a tremendous amount of time, money and resources deploying a Defense in Depth approach to Information Technology Security. Yet successful attacks against RSA, HBGary, Booz Allen Hamilton, the United States Military, and many others show that Defense in Depth, as practiced, is unsustainable, and the same examples show that the enemy cannot be eliminated permanently. A closer look at how Defense in Depth evolved and how it was made to fit within Information Technology is important to help better understand the trends seen today. Knowing that Defense in Depth, as practiced, actually renders the organization more vulnerable is vital to understanding that there must be a shift in attitudes and thinking to address the risks faced in a more effective manner. Based on the examples in this paper, a change is proposed in the current security and risk management models: from the Defense in Depth model to Sustained Cyber-Siege Defense. The implications of this are significant, in that there have to be transitions in thinking, as well as in how People, Process and Technology are implemented, to better defend against a never-ending siege by a limitless number and variety of attackers that cannot be eliminated. The suggestions proposed are not a drastic change in operations so much as a change in how defenses are aligned, how vendor collaboration is achieved by applying market pressure, and how information is shared openly with other organizations as well as with federal and state agencies. By more accurately describing the problems, corporations and IT Security Professionals will be better equipped to address the challenges they face together.
Defense in Depth was developed to defend kinetic, or real-world, military and strategic assets by creating layers of defense that compel the attacker to expend a large amount of resources while straining supply lines. The tactical goal is to delay the enemy and render the attack unsustainable. This strategy leaves the attacker vulnerable to counter-attack. The defender is then able to counter-attack the enemy and eliminate the threat.
In the kinetic world, the Loss of Strength Gradient (LSG) is a key indicator of the effectiveness of Defense in Depth. The LSG shows that the further the attacker is from the target of aggression, the less strength can be brought to bear. (Wikipedia, 1962) The evidence has shown that geographic distance is irrelevant to Cyber-Defense. Attackers can be on the opposite side of the planet and be as effective as someone sitting in the parking lot. In fact, the evidence shows that the opposite of the LSG is true for attackers residing outside the borders of the United States: many attackers are immune to a response by law enforcement because of the restrictions of international borders and because laws to stop such activity are not enforced or do not even exist.
Defense in Depth, in its original concept, works for kinetic-world defense. The problem with Defense in Depth in the world of Cyber-Defense is that it is unsustainable. Practitioners of Information Technology Security exercise a component of Defense in Depth called a “Layered Defense”. What Defense in Depth is and what security practitioners do are not the same, because Layered Defense is only one component of the Defense in Depth strategy. While the Defense in Depth strategy requires this element, having Layered Defenses alone does not fulfill the requirements of Defense in Depth as a whole.
What is practiced in the civilian sector cannot be called Defense in Depth, because the civilian sector can never fulfill the original intent of the strategy: to counter-attack and destroy the enemy.
First, a counter-attack would not be legal. Second, the ethics of a counter-attack would be questionable at best. Third, at a minimum, counter-attacking would not be cost effective or practical for those practicing Cyber-Defense with their existing challenges and strained resources. A counter-attack from the public sector would not have a return on investment, would likely result in escalation of the attack, and would increase costs with little to no measurable benefit for the effort. For evidence of this opinion one need only look at the reactions from groups like Anonymous and their attacks against HBGary or PayPal. There is no profit in provocation. (Associated Press, 2011; Goodin, 2011; Lennon, 2011; McMillan, 2011)
To be fair, it should be pointed out that the Defense in Depth concept has been co-opted by many different industries and no longer resembles the original strategy for the kinetic world of the military. While this paper is focused on the application of Defense in Depth in Information Security, there are many other applications that demonstrate the dilution of the original concept.
Some additional adaptations of Defense in Depth include the following:
• Fire Prevention – “…requires the deployment of fire alarms, extinguishers, evacuation plans, mobile rescue and fire-fighting equipment” (The Australian, 2011)
• Nuclear Energy – “denotes the practice of having multiple, redundant, and independent layers of safety systems for the single, critical point of failure: the reactor core.” (Wikipedia, 2011)
• Engineering – “…emphasizes redundancy – a system that keeps working when a component fails – over attempts to design components that will not fail in the first place.” (Wikipedia, 2011)
• Online Gaming – In Xbox Live Battlefield 2 “The objective of the defense in depth is to defeat the attacker by attrition, trading ground for kill/tickets.” (Phalanx, 2011)