Vulnerability Development mailing list archives

Re: Thinking about Security rules...


From: "Ray Parks" <rcparks () sandia gov>
Date: Thu, 09 May 2002 13:47:35 -0600



"f.harster" wrote:

Rhino Bond wrote:
...

Any thoughts on this?  Anyone seen a white paper on
such a set of rules?

David,

Actually, this reminds me of the "Defense-in-Depth" concept applied to
network/system security, but I may be wrong ;)
Have a look at this one in the meantime:
http://rr.sans.org/start/primer.php

  Just remember this aphorism - Depth without Breadth is useless.
  We engaged in a series of experiments within the DARPA IA program in
which we proved that Defense in Depth is an over-rated concept.  Layered
defenses can actually be weaker than single defenses because
administrators/developers think that another layer is providing the defense
they are ignoring.  The results of these experiments were recorded in a
paper; unfortunately, I don't have a cite at this time.
  Bottom line - we were able to get through layers of defense in depth
because we could attack each layer in a different way.  This allowed
attacks to woogle through to the goal despite multiple layers of defense.

-- 
Ray Parks
rcparks () sandia gov
V:505-844-4024
F:505-844-9641
P:800-690-5288
