Defense in Depth: Preventing Cyber Attacks and Data Loss

In OATI’s recent blog, “Understanding Your Attack Surface Area,” we focused on the attack surface area and what we can do to minimize the surface area for attack. To build on that blog post, we’ll explain the mechanisms we can put in place to protect the areas we know will remain exposed. This approach is called “defense in depth.”
Defense in depth is the strategy of having several layers of protection so that if an attack breaks through one barrier it will be stopped at the next. One way to think of this is like an onion. Your data resides in the center and is protected by layers of controls derived from several sources.

Policies, procedures, and awareness make up the first layer. This includes anything from acceptable use policies, which define employee use of information systems, to complex work instructions that define how technology professionals securely implement systems. However, having all these measures in place means little unless you develop a comprehensive auditing system to ensure the controls are being followed. User awareness is all about developing a sense of security in your employees. The more you involve your employees in the cyber security process, the more engaged they will become, and eventually they will become a key line of defense.

The next level of defense is physical security. Traditional components include gates and fences, card readers, biometric sensors, and alarm and surveillance systems. It’s critical to protect your buildings and data centers not only from people, but also from the environmental dangers relevant to your region.

A simple thing to do is to securely dispose of both paper and electronic media. This might not be considered physical security, but what good are gates and fences if we’re just throwing USB sticks and hard drives into the trash? Remember, just because a device appears broken doesn’t mean it doesn’t contain confidential information.

Now, we’ll get into some of the more technical controls. To protect the perimeter of your network, common technologies include advanced threat protection, next-generation firewalls, and intrusion prevention systems. This is a critical layer, as it’s basically your front door to the Internet.

The next layer is our internal network, which consists of both wired and wireless networks. Wired networks can use port-based security features to require authentication or limit the number of devices that can communicate over a switch port. Wireless networks that provide access to company resources should be secured with strong authentication mechanisms. Internal networks should also be segmented by firewalls.

Our next layer of defense focuses on the host. Host-based firewalls and intrusion detection systems can prevent unwanted access and alert you to potential security threats that have reached the host. Antivirus and antimalware agents should also be deployed for additional protection from these types of threats.

The final layer of protection lies in your applications. During the development process, applications can be strengthened by following secure coding standards, using secure authentication methods, and performing application penetration testing.

As for the data itself, encryption can be used to prevent prying eyes from seeing your data. But perhaps the most important layer of protection is to have multiple backups of your critical data, which should be spread across sites when possible. If you don’t have multiple sites with secure interconnections, you should consider storing offsite backups.

This was just a quick glance at how to practice defense in depth. OATI suggests applying these practices to protect your information and data. Check back for more blog posts on ways to keep your business secure. If you have any questions or would like more information, please contact