Vulnerability Development mailing list archives
Re: Thinking about Security rules...
From: Geoff Galitz <galitz () chem berkeley edu>
Date: Mon, 13 May 2002 18:15:20 -0700
On Friday, May 10, 2002, at 06:05 PM, Harvey Newstrom wrote:
On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:

Just remember this aphorism - Depth without Breadth is useless. We engaged in a series of experiments within the DARPA IA program in which we proved that Defense in Depth is an over-rated concept. Layered defenses can actually be weaker than single defenses because administrators/developers think that another layer is providing the defense they are ignoring. The results of these experiments were recorded in a paper, unfortunately I don't have a cite at this time.

Bottom line - we were able to get through layers of defense in depth because we could attack each layer in a different way. This allowed attacks to woogle through to the goal despite multiple layers of defense.

I have seen similar studies long ago relating to alarm monitoring. Items being monitored by multiple people had worse response times than items monitored by a single person! It turned out that people would frequently be lax and assume that someone else was handling it.

I have also seen this scenario in help desk or message queues. Some ringing phones or e-mails would remain unanswered for days because everybody was answering other items and assumed the missed item would be caught by somebody else somewhere.
I would point out that the issues cited above are issues of deployment and internal procedure, which are separate from the network vulnerability issues. Of course, the two are linked, but the lesson to take home is that the right answer will vary between different organizations. The variables include how well the security operation runs, whether it is integrated with the general IT organization, how responsive those teams are in general, whether they have well-functioning and well-known procedures, and so on... One size does not fit all.

-geoff

----------------------------------------------------------------------------------
Geoff Galitz | UC Berkeley | D'oh!
galitz () uclink berkeley edu | http://www.cchem.berkeley.edu/College/unix
http://www.cchem.berkeley.edu/~galitz