Defense in Depth

Defense in Depth

• A single layer of security to protect your organization's network is just not enough anymore.

• Implementing a multi-layered approach to secure all areas all attack points which enables you to reduce their attack surfaces. 

• Within a Defense in Depth approach, if a single layer fails to protect the organization, there are other layers of security implemented to safeguard the assets.

• Implement and enforce security policies.

• Ensure proper procedures are used.

• Ensure user awareness training is continuous.

• Secure all layers of the OSI model and the TCP/IP protocol suite.

• Implement physical security.

• Implement perimeter security.

• Network segmentation enforcement.

• Screened subnet [previously known as demilitarized zone (DMZ)]

• Implement host-based security.

• Implement application security.

• Implement wired and wireless security.

• Implement Network Access Control (NAC).

• Implement anti-malware protection.

• Implement patch management.

• Implement Data Leakage Protection (DLP).

Firewalls

• Firewalls are used to filter both inbound and outbound traffic.

• They are used to prevent malicious traffic from entering and even leaving your network.

• Firewalls can be installed on host devices such as your computers and mobile devices.

• Firewalls can be implemented on  a network to monitor all network traffic.

• Creates a Demilitarized Zone (DMZ) - Allows strict access to users from the Internet to devices within the DMZ.

Network-Based Firewalls

• Some firewalls are able to operate up to Layer 4 of the OSI model

• Filter traffic based on the source and destination IP addresses and source and destination port numbers.

• These types of firewalls can restrict traffic between networks

Host-based Firewalls

• This type of firewall is installed on the local system.

• Filters traffic entering and learning the local system only.

Stateless Firewall

• This type of firewall does keep track of sessions.

• Looks the 5 Tuples: source and destination IP address, source and destination service port numbers and Protocol.

• Highly rely on the access-control lists rules to filter traffic between networks

Stateful Firewall

• This type of firewall simply takes a look at the sessions between a sender and a destination.

• Content and URL filtering

• Blocks URLs and website addresses. 

Application Layer Firewall

• Can perform inspection of each packet

• Can detect if the traffic is going to YouTube, Microsoft and other websites.

• Can prevent malware or malicious code from passing through the firewall

Firewall Access-Control List (ACL)

• Allow or deny traffic based on the  Tuples

• Source IP, destination IP, Source Port, Destination Port, Protocol 

• At the bottom of all ACLs is an implicit deny rule

• ACLs can be implemented within routers to filter traffic between networks.

IDS and IPS

• Intrusion Detection System (IDS )can only monitor traffic and send an alert only after it detects a threat.

• Intrusion Prevention System (IPS) sits in-line to network and blocks malicious traffic as it is detected.

• Network-based IDS (NIDS) is placed on the network to monitor and detect potential network-based security intrusions.

• Network-based IPS (NIPS) is placed in-line on the network to monitor, detect, and prevent security intrusions in real-time.

• Host-based IDS (HIDS) are installed on a host device to monitor and detect potential network-based security intrusions.

• Host-based IPS (HIPS) are installed on a host device to monitor, detect, and prevent security intrusions in real-time.

Identification Methods

• Signature-based - Look for a perfect match in the traffic.

• Anomaly-based - Build a baseline of what’s “normal”.

• Behavior-based - Observe and report.

• Heuristics - Looks for a specific patterns in the traffic.

Alert types

• False Positive - No threat exists and an alert is triggered

• True Positive - A threat exists and an alert is triggered

• False Negative - Threat exists and no alert is triggered

• True Negative - No threat exist and no alert is sent.

Network Segmentation - Virtual Local Area Network (VLAN)

• A Virtual LAN (VLAN) allows the segmentation of physically connection components on switches to be logically divided. 

• A Virtual Local Area Network (VLAN) creates multiple subnets and smaller broadcast domains. 

• VLANs can scale to entire layer 2 network, however it is stopped by a router.

• VLANs help us segment the network on a per interface basis and isolate traffic.

Application security

• Threat actors looks for vulnerabilities within web applications and attempt to exploit them.

Input validations

• Input validation ensure the data input is validated by the web application to ensure malformed data is not injected.

• Using syntactic validation ensures the input type of validated.

• Using semantic validation ensures the user enters data as it is expected by the system.

• Input validation can help reduce the risk of SQL Injection and other web application attacks.

Blacklisting and Whitelisting

• Whitelisting is used to permit a set of characters which are allowed on a web application.

• Blacklisting is used to banner or deny characters from entering a web application.

Hypertext Transfer Protocol (HTTP) headers

• Using HTTP Headers can be used to upload data/files to a server.

• Used to retrieve data about the backend server and web application.

Code signing

• Vendors uses a digital certificate to help users to verify the software vendor, code integrity and digital signatures.

• Provides trust from the software vendor to the user.

Secure Cookies

• Cookies contains session information about a user when they are visiting a website.

• Sensitive information is stored in a cookie about the user.

• Ensure HTTPS is used to prevent a threat actor from gaining the cookie and its information.

Static code analysis

• Automated process which is used to analyze code to look for vulnerabilities.

• During the analysis process, the code is not actively running in real-time.

• This technique is used to help software developers to detect any issues at the early phases of the Software Development Lifecycle (SDLC).

Manual code review

• This method is a manual process conducted by a human tester.

• Checks each line of the code for any errors.

Dynamic code analysis

• Automated process which is used to analyze code to look for vulnerabilities.

• During the analysis process, the code is actively running in real-time to understand its behavior.

Fuzzing

• This an automated process.

• This is a technique which application developers uses to inject malformed data into the application to determine how the application reacts and handle issues.

Antivirus and Anti-malware

• Security application which is used to detect and mitigate various types of malware.

• Signatures/definitions

• Behavior monitoring

• Heuristics and AI

• Cloud-based submissions

• Sandboxing vs. quarantining

Endpoint Detection and Response (EDR)

• Endpoint threat detection

• Monitoring endpoint behavior

• Real-time monitoring

• Uses Indicators of Compromise (IoC) such as Fireye EDR and Datashield EDR

Data security

• File-level encryption.

• Disk-level encryption.

• Identity and Access Management

  • File permissions

  • Share permissions

Separation of duties

• Organizations implement separation of duties to ensure no one person has all the information of details about a system.

• An employee may be given some details but not all details for a system.

• This leads to Dual Control which ensure 2 persons uses their combination of knowledge to person a critical business function or task.

Honeypot

• The purpose of a honeypot is to trick an attacker into thinking they are attacking a real system on a target network. 

• However, the honeypot is a specialized system that contains various security detection, monitoring, and deflection tools that are used to help cybersecurity professionals better understand the intentions of the attacker.