Security Laboratory

Security Laboratory: Defense In Depth Series

Vector Oriented Defense in Depth

By Stephen Northcutt
"You shall not pass!" cried Gandalf, standing on a narrow rock bridge facing the Balrog in the mines of Moria.[1] Gandalf's resolve was unshakable. The actor portrayed the moment extremely well, showing fear and dread yet unwavering determination as he proclaimed "You shall not pass!"[2] And, through the magic of movie making, the scene leaves those of us in the information security management community with a fantastic word picture of vector oriented defense in depth. The Balrog is some monster threat, and the fractured fellowship of the ring behind Gandalf is vulnerable to that threat. If the Balrog gets to the party, they are mincemeat. The vector to get to them is the rock bridge, and that is OK, because one of the most powerful wizards on the planet is standing on that bridge saying, "Tain't gonna happen." The threat could not pass through the vector to reach the vulnerability, so they all lived happily ever after, and goodnight.

When we design a defense-in-depth architecture, we can make use of the same approach: identify the vector the threat must cross to reach the vulnerability, and put the control there.

Consider the following true scenario: Thumb Drive Missing from TSA Command Center in Portland Holds Employee Data (25 October 2006)
A thumb drive has been reported missing from the Transportation Security Administration's (TSA) command center at Portland (OR) International Airport. Mike Irwin, federal security director at PDX, says it is likely the drive was inadvertently swept into the trash. When the drive was backed up one month ago, it held names, Social Security numbers (SSNs) and other personal data of all current employees and 400 former employees.[3]

The threat is that the information will fall into the wrong hands. The vulnerability is that the USB drive is easily misplaced or stolen and carries no protection of its own, but what is the vector? The USB port. If we can say to the USB drive "You shall not pass," the data cannot be copied onto the drive and therefore cannot be lost that way. How do we do that? The simplest and most effective solution is to fill the USB port with epoxy putty[4]; however, some people are averse to that, so you might instead choose to disable USB storage devices through the registry.[5]

The increasing popularity of USB memory sticks, also known as flash or thumb drives, has presented its own set of security concerns. People can use the devices to walk out with significant chunks of sensitive data. The drives can also store and run applications directly; this feature can be exploited to place malware on a machine or to steal passwords and software product keys within seconds of insertion. Some of these drives are self-activating, launching their payload as soon as they are plugged in, which highlights the need for organizations to disable Windows AutoRun.[6]

Now we know what you are thinking: "I can't disable the USB drives; the users would kill me." To be sure, in many organizations USB drives have become an inalienable right; you can have them when you pry them from the users' cold dead fingers. However, vector oriented defense-in-depth is one architectural approach and should be used in conjunction with the others. Another approach is information centric: we survey our information and identify where the most valuable information lives. While we might never pour epoxy into all of our USB ports, we might choose to disable the USB ports on the servers that hold the most valuable information.

To employ vector oriented defense-in-depth:

  • Identify the assets you want to protect
  • Rack and stack the assets and work with the most valuable one first
  • Brainstorm as many ways as possible that a threat could get to the asset; each is a vector
  • Figure out how to place controls on those vectors so the threat cannot cross them to reach the vulnerability
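As a worked instance of the procedure above, applied to the USB scenario (asset: the servers holding employee data; vector: the USB port; control: the registry), here is an added PowerShell example. It is not code from the original article or from SANS; it audits the state of the USB mass-storage driver and the AutoRun policy on a Windows host, blocks the port, and scopes that lockdown to a ranked list of high-value servers. The registry paths and value names are the standard Windows ones; the function names, the -Mode parameter and the server names are this example's own assumptions.

```powershell
# Added example, not code from the original article. Run from an elevated
# PowerShell session. Registry paths are the standard Windows locations;
# function names, -Mode and the server names are this example's own.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-UsbVectorState {
    # USBSTOR\Start: 3 = driver loads on demand (thumb drives mount),
    # 4 = driver disabled (a USB mass-storage device is never mounted).
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    # NoDriveTypeAutoRun is a bitmask of drive types denied AutoRun; 0xFF = all.
    $autorun = (Get-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UsbStorageAllowed = ($start -ne 4)
        AutoRunDisabled   = ($autorun -eq 0xFF)
    }
}

function Set-UsbStorage {
    # "Block" is the registry equivalent of the epoxy; "Allow" restores the default.
    param([Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Mode)
    $value = if ($Mode -eq 'Block') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
}

function Disable-AutoRun {
    # The Policies\Explorer key may not exist on a host that has never had policy applied.
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Information-centric scoping: only the hosts that hold the most valuable data
# get the port blocked. Placeholder names; replace with your ranked asset list.
$HighValueServers = @('HR-DB-01', 'PAYROLL-02')

function Invoke-UsbLockdown {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # The script block executes on each remote host over WinRM, so the registry
    # work is repeated inline rather than calling the local functions above.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $usb = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        $k   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Set-ItemProperty -Path $usb -Name Start -Value 4 -Type DWord
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        Set-ItemProperty -Path $k -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        # Return the resulting state so the caller can verify the control landed.
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            UsbStart     = (Get-ItemProperty -Path $usb -Name Start).Start
            AutoRunMask  = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun).NoDriveTypeAutoRun
        }
    }
}

# Local usage (uncomment to apply to this host):
# Get-UsbVectorState            # audit before
# Set-UsbStorage -Mode Block
# Disable-AutoRun
# Get-UsbVectorState            # audit after: UsbStorageAllowed False, AutoRunDisabled True
# Scoped usage against the ranked asset list:
# Invoke-UsbLockdown -ComputerName $HighValueServers | Format-Table
```

Two caveats a practitioner should keep in mind. Setting USBSTOR\Start to 4 only stops the mass-storage driver from loading: a drive that is already mounted stays mounted until it is unplugged, and phones connecting as media (MTP) devices use a different driver and are not covered. Second, any local administrator can flip the value back, so on domain-joined hosts the same setting is better enforced through Group Policy; the epoxy remains the one control a local admin cannot undo from the keyboard. Later Windows versions stopped honoring autorun.inf on removable (non-optical) media by default, but NoDriveTypeAutoRun = 0xFF is still the documented way to turn AutoRun off for every drive type.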