OSEC

From: Geoff Galitz (galitzchem.berkeley.edu)
Date: Mon May 13 2002 - 20:15:20 CDT

    On Friday, May 10, 2002, at 06:05 PM, Harvey Newstrom wrote:

    >
    > On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:
    >> Just remember this aphorism - Depth without Breadth is useless.
    >> We engaged in a series of experiments within the DARPA IA program in
    >> which we proved that Defense in Depth is an over-rated concept. Layered
    >> defenses can actually be weaker than single defenses because
    >> administrators/developers think that another layer is providing the
    >> defense they are ignoring. The results of these experiments were
    >> recorded in a paper, unfortunately I don't have a cite at this time.
    >> Bottom line - we were able to get through layers of defense in depth
    >> because we could attack each layer in a different way. This allowed
    >> attacks to woogle through to the goal despite multiple layers of
    >> defense.
    >>
    >
    > I have seen similar studies long ago relating to alarm monitoring.
    > Items being monitored by multiple people had worse response times than
    > items monitored by a single person! It turned out that people would
    > frequently be lax and assume that someone else was handling it.
    >
    > I have also seen this scenario in help desk or message queues. Some
    > ringing phones or e-mails would remain unanswered for days because
    > everybody was answering other items and assumed the missed item would
    > be caught by somebody else somewhere.

    I would point out that the issues cited above are issues of
    deployment and internal procedure, which are separate from
    the network vulnerability issues. Of course, the two are linked,
    but the lesson to take home is that the right answer will vary
    between different organizations. The variables include how
    well the security operation runs, whether it is integrated with the
    general IT organization, how responsive those teams are in general,
    whether they have well-functioning and well-known procedures, and
    so on...

    One size does not fit all.

    -geoff

    ----------------------------------------------------------------------------------
    Geoff Galitz |
    UC Berkeley | D'oh!
    galitzuclink.berkeley.edu |
    http://www.cchem.berkeley.edu/College/unix
    http://www.cchem.berkeley.edu/~galitz