Vulnerability Development mailing list archives

Re: Thinking about Security rules...


From: Harvey Newstrom <mail () HarveyNewstrom com>
Date: Fri, 10 May 2002 21:05:27 -0400


On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:
  Just remember this aphorism - Depth without Breadth is useless.
  We engaged in a series of experiments within the DARPA IA program in
which we proved that Defense in Depth is an over-rated concept.  Layered
defenses can actually be weaker than single defenses because
administrators/developers think that another layer is providing the defense
they are ignoring.  The results of these experiments were recorded in a
paper, unfortunately I don't have a cite at this time.
  Bottom line - we were able to get through layers of defense in depth
because we could attack each layer in a different way.  This allowed
attacks to woogle through to the goal despite multiple layers of defense.


I have seen similar studies long ago relating to alarm monitoring. Items being monitored by multiple people had worse response times than items monitored by a single person! It turned out that people would frequently be lax and assume that someone else was handling it.

I have also seen this scenario in help desk or message queues. Some ringing phones or e-mails would remain unanswered for days because everybody was answering other items and assumed the missed item would be caught by somebody else somewhere.

--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant <www.Newstaff.com>
