Security Laboratory

Security Laboratory: Defense In Depth Series

Information Centric Approach to Defense-in-Depth

By Stephen Northcutt
Please consider the following quote by Grace Hopper: "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it."[1] As an information security manager, it is critical to understand, and to be able to help others understand, the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know-how, data schema), there is also data such as the increasingly important business record. Is the uniform approach to defense-in-depth appropriate when it comes to information?

Review the following story from NewsBites:

Former DuPont Scientist Pleads Guilty to Stealing Trade Secrets (19 & 16 February 2007) Former DuPont scientist Gary Yonggang Min faces up to 10 years in prison and a fine of up to US $250,000 for stealing trade secrets worth more than US $400 million. Min pleaded guilty in November 2006 to downloading proprietary information from DuPont's computer systems after he had accepted a position at a rival company but before DuPont became aware of his imminent departure. Min's document access activity was 15 times greater than that of the next most frequent user of the electronic library, but the anomaly went unnoticed until after he informed DuPont he was leaving. Most of the information Min accessed was not related to his job function. DuPont alerted authorities when it became aware of Min's activities. Min obtained DuPont documents one month after he left DuPont, storing them on a laptop owned by the rival company. When that company learned of Min's actions, it seized the laptop and turned it over to the FBI. Federal prosecutors unsealed the case last week.[2]

Please note:

  • Anomalous access was not detected until he gave notice
  • Access was still possible after he left the company

At first blush it sounds like an access control problem, and it certainly is; but Min was essentially "shopping," and when you go shopping you are thinking about value: what things cost and what they are worth. DuPont was almost certainly rethinking its information security architecture after the cow got out of the barn. One inexpensive thing that would have helped is a honeytoken: a digital entity such as a fake account, or a document that looks valuable to a competitor but is in fact fake. The idea is to instrument it so that any access alerts the security team. So, as Lance Spitzner observed, its value lies not in its use but in its misuse. While the honeytoken technique would have helped DuPont, an architectural approach to systematically protecting information would have helped a lot more.

When designing defense-in-depth, it helps to consider what the true threat is. Before you read further, remember that defense-in-depth architectures may be layered on top of one another. Everyone implements uniform protection by putting up a firewall and so on. If you decide to create an information centric defense-in-depth layer, it adds little value if it simply protects against the threats you have already selected safeguards for. Odds are you already have safeguards in place for hackers, worms and malware; it may be insider attacks and an aging workforce that you need to factor in when considering information centric defense-in-depth.[3]

Many companies do not know where they are most vulnerable to knowledge loss.[4] If the information is not written down and the baby boomers start leaving the workforce, it may not be possible to continue operations in some segments of the organization. Perhaps one of the most chilling examples of how bad it can get in a technical industry was the drain of space talent from Russia after the fall of the Soviet Union.[5] One potential solution is to employ a knowledge management solution. Knowledge bases are designed to allow people to retrieve and use the knowledge they contain, primarily for training purposes. They are commonly used to capture the explicit knowledge of an organization, including troubleshooting articles, white papers, user manuals and the like. The primary benefit of such a knowledge base is a means of discovering solutions to problems that have known solutions, which can then be re-applied by others who are less experienced in the problem area.[6]

Information centric defense is another way to think about the defense-in-depth concept. Think of concentric rings; at the center of the diagram is your information. The center can, however, be anything you value, or the answer to the question, "What are you trying to protect?" Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application; the application is protected by the security of the host it resides on, and so on. In order to get at your information, an attacker would have to penetrate your network, your host, your application and, finally, your information protection layers.

Information centric defense starts with an awareness of the value of each body of information within an organization. Identify the most valuable information and implement controls to prevent unauthorized employees from accessing it.

A good starting point is:

  1. Identify your organization's intellectual property,
  2. Restrict it to a single segment of the network,
  3. Assign a single group of system administrators to it,
  4. Mark the data, and
  5. Thoroughly check for data of this classification leaving your network.
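Steps 4 and 5 can be made concrete with a small amount of code. The following Python block is an added example, not code from the article: it stamps a classification marker onto a document identified as intellectual property, and then applies an egress check that refuses outbound content carrying that marker or matching patterns associated with high-value information (a patent application number, a data schema, an internal formula identifier). The marker string, the regular expressions and the sample text are all assumptions constructed for this example, not an organization's real tagging scheme.

```python
import re
from dataclasses import dataclass, field

# Classification marker assumed to be stamped onto every document that holds
# identified intellectual property (step 4, "mark the data"). The exact tag is
# an assumption for this example; a real scheme would also live in file metadata.
IP_MARKER = "[[CLASSIFICATION:RESTRICTED-IP]]"

# Content patterns a defender associates with high-value information. These
# regexes are constructed for the example and are not an authoritative list.
HIGH_VALUE_PATTERNS = {
    "patent_application": re.compile(r"\bpatent application no\.?\s*\d{2}/\d{3},\d{3}\b", re.I),
    "data_schema": re.compile(r"\bCREATE TABLE\s+\w+", re.I),
    "formula_id": re.compile(r"\bFORMULA-[A-Z]{2}-\d{4}\b"),
}


def mark_document(text: str) -> str:
    """Stamp the classification marker on the first line (idempotent)."""
    if text.startswith(IP_MARKER):
        return text
    return f"{IP_MARKER}\n{text}"


@dataclass
class EgressVerdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def inspect_egress(payload: str) -> EgressVerdict:
    """Decide whether outbound content may leave the protected network segment.

    Two independent checks: the marker (cheap, catches honest mistakes) and the
    content patterns (catches a document whose marker line was stripped).
    """
    reasons = []
    if IP_MARKER in payload:
        reasons.append("classification marker present")
    for name, pattern in HIGH_VALUE_PATTERNS.items():
        if pattern.search(payload):
            reasons.append(f"pattern match: {name}")
    return EgressVerdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample document and messages.
    report = mark_document("Quarterly report\nFORMULA-PX-0042 improved yield by 3%.")
    print(inspect_egress(report))                                  # blocked: marker + pattern
    print(inspect_egress(report.replace(IP_MARKER + "\n", "")))    # blocked: pattern only
    print(inspect_egress("Lunch at noon?"))                        # allowed
```

The second call in the usage section is the interesting one: someone who removes the marker line still trips the content check, which is why marking alone is not the whole of step 5. Note that an egress check of this kind only sees cleartext, so it has to run where outbound traffic is already decrypted (mail gateway, file-transfer proxy, web proxy with TLS inspection), and a determined insider who encrypts or encodes the data before sending it will not match these patterns; the access-pattern controls in the next list are the complementary layer.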

From an architecture standpoint, consider:

  • Knowledge base software to catalog human-readable information
  • A portal through which information is accessed, so that least privilege and need-to-know can be enforced
  • Egress scanning for keywords and patterns associated with information of high value
  • Anomaly detection for out-of-profile file access (e.g. a salesperson who is leaving the company and starts pulling files of sales leads)
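The honeytoken idea from the DuPont discussion above and the anomaly-detection item in this list both reduce to questions you can ask of a document-library access log. The following Python block is an added example, not code from the article: it parses a constructed access log, raises an alert on any touch of a planted honeytoken document, flags accesses outside the user's role profile (the out-of-profile case in the last bullet), and flags a user whose access volume is many times that of the next most active user (the 15x gap in the Min case that nobody looked at). The log lines, user names, document ids, role profiles and the 5x threshold are all assumptions constructed for this example.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample of an electronic-library access log: user,role,doc_id,category.
# Names, ids and categories are made up for this example.
SAMPLE_LOG = """\
analyst1,chemist,DOC-1001,polymer-research
analyst1,chemist,DOC-1002,polymer-research
analyst1,chemist,DOC-1003,polymer-research
analyst1,chemist,DOC-1004,polymer-research
analyst1,chemist,DOC-1005,polymer-research
analyst1,chemist,DOC-1006,polymer-research
analyst1,chemist,DOC-1007,polymer-research
analyst1,chemist,DOC-1008,polymer-research
analyst1,chemist,DOC-1009,polymer-research
analyst1,chemist,DOC-7777,polymer-research
analyst1,chemist,DOC-3001,leads
analyst1,chemist,DOC-3002,leads
analyst2,chemist,DOC-1001,polymer-research
analyst2,chemist,DOC-1003,polymer-research
rep1,sales,DOC-3001,leads
rep2,sales,DOC-1002,polymer-research
"""

# Planted honeytoken documents: titled to look valuable, never needed for real
# work, so any access is a high-fidelity alert. The id is an assumption.
HONEYTOKENS = {"DOC-7777"}

# Need-to-know profile: which document categories each role legitimately uses.
ROLE_PROFILE = {
    "chemist": {"polymer-research", "safety"},
    "sales": {"leads", "pricing"},
}

# A user whose access count is at least this many times the next most active
# user's is flagged. The Min case showed a 15x gap; 5 is an assumed threshold.
VOLUME_RATIO = 5.0


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    doc_id: str
    category: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the CSV-style log into events, skipping blank lines."""
    return [AccessEvent(*row) for row in csv.reader(io.StringIO(text)) if row]


def honeytoken_alerts(events):
    """Every touch of a planted document is an alert, whatever the user's role."""
    return [(e.user, e.doc_id) for e in events if e.doc_id in HONEYTOKENS]


def out_of_profile(events, profiles=ROLE_PROFILE):
    """Accesses to categories the user's role does not need (unknown role -> everything)."""
    return [(e.user, e.doc_id, e.category) for e in events
            if e.category not in profiles.get(e.role, set())]


def volume_anomalies(events, ratio=VOLUME_RATIO):
    """Users whose access volume dwarfs every peer's; returns {user: multiple}."""
    counts = Counter(e.user for e in events)
    flagged = {}
    for user, n in counts.items():
        baseline = max((c for u, c in counts.items() if u != user), default=0)
        if baseline == 0:
            continue  # a lone user gives no peer baseline to compare against
        if n >= ratio * baseline:
            flagged[user] = n / baseline
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("honeytoken:", honeytoken_alerts(evs))
    print("out of profile:", out_of_profile(evs))
    print("volume:", volume_anomalies(evs))
```

Note that the three checks catch different things. The honeytoken is inside the chemist's own category, so the profile check never fires on it; only the planted-document rule does. The salesperson reading a research document is invisible to the volume check (one access) but is caught by the profile check. The volume check is the one that would have surfaced the Min case months early, and it needs nothing more than a daily count per user against the rest of the population.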