From: Harvey Newstrom (mail HarveyNewstrom.com)
Date: Fri May 10 2002 - 20:05:27 CDT
On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:
> Just remember this aphorism - Depth without Breadth is useless.
> We engaged in a series of experiments within the DARPA IA program in
> which we proved that Defense in Depth is an over-rated concept. Layered
> defenses can actually be weaker than single defenses because
> administrators/developers think that another layer is providing the
> defense they are ignoring. The results of these experiments were recorded in a
> paper, unfortunately I don't have a cite at this time.
> Bottom line - we were able to get through layers of defense in depth
> because we could attack each layer in a different way. This allowed
> attacks to woogle through to the goal despite multiple layers of
> defense.
>
I have seen similar studies long ago relating to alarm monitoring.
Items being monitored by multiple people had worse response times than
items monitored by a single person! It turned out that people would
frequently be lax and assume that someone else was handling it.
I have also seen this scenario in help desk or message queues. Some
ringing phones or e-mails would remain unanswered for days because
everybody was answering other items and assumed the missed item would be
caught by somebody else somewhere.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>