Vulnerability Development mailing list archives
Re: Thinking about Security rules...
From: Harvey Newstrom <mail () HarveyNewstrom com>
Date: Fri, 10 May 2002 21:05:27 -0400
On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:
Just remember this aphorism - Depth without Breadth is useless. We engaged in a series of experiments within the DARPA IA program in which we proved that Defense in Depth is an over-rated concept. Layered defenses can actually be weaker than single defenses because administrators/developers think that another layer is providing the defense they are ignoring. The results of these experiments were recorded in a paper; unfortunately I don't have a cite at this time. Bottom line - we were able to get through layers of defense in depth because we could attack each layer in a different way. This allowed attacks to woogle through to the goal despite multiple layers of defense.
I have seen similar studies long ago relating to alarm monitoring. Items being monitored by multiple people had worse response times than items monitored by a single person! It turned out that people would frequently be lax and assume that someone else was handling it.
I have also seen this scenario in help desk or message queues. Some ringing phones or e-mails would remain unanswered for days because everybody was answering other items and assumed the missed item would be caught by somebody else somewhere.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
Current thread:
- Thinking about Security rules... Rhino Bond (May 08)
- Re: Thinking about Security rules... Peter Kristolaitis (May 08)
- RE: Thinking about Security rules... Sean Convery (May 09)
- Re: Thinking about Security rules... f.harster (May 09)
- Re: Thinking about Security rules... Ray Parks (May 09)
- Re: Thinking about Security rules... f.harster (May 10)
- Re: Thinking about Security rules... Harvey Newstrom (May 10)
- Re: Thinking about Security rules... Geoff Galitz (May 13)
- Re: Thinking about Security rules... Rhino Bond (May 14)
- Re: Thinking about Security rules... Geoff Galitz (May 14)
- Re: Thinking about Security rules... Ray Parks (May 09)
- Re: Thinking about Security rules... Peter Kristolaitis (May 08)
- <Possible follow-ups>
- RE: Thinking about Security rules... Mendoza Bazan, Luis - (Per) (May 14)
- Re: Thinking about Security rules... David Hawley (May 14)