Computer Security: How Layered Defense & Defense in Depth Protect the US Against Cyber Threats


Who can argue that medieval castles were not the best type of defense network in Europe? Surely an army caught in the open plains without cavalry was doomed. The more layers of defense you have protecting an asset, the harder the conquest of that asset. Ancient castles were usually on a huge hill, like Edinburgh Castle. They had only one approach. They had a moat. They had redoubts (hills and troughs). They had an outer wall, an inner wall, and cannons on the inner wall. They had hot boiling oil with flames. They had anti-siege machine metal arrows. The challenge of breaching the castle was so huge that very few would even consider it. Not every army is as lucky as the Greeks with the Trojan Horse. More often the attacker is thwarted by the layers of defense. The defender has the advantage. Scotland has still never been conquered by outside forces, including the Vikings. Our own DOD (Department of Defense) has not learned this lesson very well, and yet they are the proponents of layered defenses and defense in depth.

Home security is layered. You have a fence, video cameras, covered windows, barred doors, double locks, internal security system and motion detectors, a dog, a safe deposit box, a hidden safe, and as a last resort, a shotgun waiting for the unauthorized intruder. These are layers of defense and the would-be criminal may well become disinterested at any one of the levels of defense. This is also an example of defense in depth.

Computer security is based on both layered security and defense in depth. While it’s possible to degrade a network's run-time performance with too many layers of software defense, the more layers of security you add, the more secure your network. The ISO model is a layered communications model and offers security by its very layered architecture. All 7 layers drill down to the bits and bytes that make a message unique. Security engineers can hide information through encryption. The perimeter of a network can have intrusion detectors outside or inside the firewall. Security software can use a honeypot to lure unsuspecting cyber criminals into the safety of an online trap. Administrators can use security policies on our servers to keep out the bad guys. Software and hardware engineers can also play bad guy and do their own penetration testing and vulnerability analysis while at the same time keeping system patches up to date. System administrators need to grant least privilege to guard against insider threats, trusting no one with full system administrator privileges. This is an example of a layered security model.

It was James Martin who said computer security is like an onion. We peel back each layer and find another. Martin’s 7 layers of computer security were political, environmental, procedural, hardware, firmware, software, and password. Martin has written more books on computers than most anyone in the industry, so he can be relied upon to have given us educated information. The DOD has used James Martin’s books in classes at the DOD Computer Institute. As security engineers and system administrators, we need to remember that, as the gatekeepers, we need to ensure the layers have significant integrity.

The Pentagon would like us to think we must be offensive to win the war on terror. I posit that it takes a defensive posture, because we are thousands of miles removed by two oceans from an invading force - even more formidable than Scotland’s harsh North Sea. Now missile defense, or Star Wars, is a reality. The ICBM is no longer a threat to America. Cyber threats are one of the remaining significant attack vectors. Just as America’s Ben Franklin shared the American invention of electricity with the French in exchange for the French fleet support at Yorktown, I believe that modern diplomats should be quick to negotiate in areas affecting our layered defense, such as oil reserves. Layers of defense keep us on our toes for building a strong trade economy.

Economic policy has led us to many new defensive inventions like SSL and PayPal. We have secured the banks of America better than Fort Knox. Need we remember that we can dig for more gold deposits inside America? America has vast natural resources that increase her wealth. This gold and silver are used in microchip technology built right here. Adam Smith could not have been more correct in assuming a nation depends on the wealth of its trade agreements. These are like economic security to our layered defense. We grow more food for the world than any other nation. We have the means to help every country in the world with our crop surplus. I believe foreign countries still send their young technology experts to America to be trained. How can we not build upon this stature in the international community? This is political security. The layers of defense teach us to be vigilant about national security and afford us the chance to be generous to our allies. So next time you mention a layered defense, remember that it is the cornerstone of protecting our great democracy.