Thursday, December 27, 2012

Security Strength Through Diversification

In November, I saw an interesting article on the Wired Danger Room national security blog: Top Pilot: Air Force Should Put Brakes on All-Stealth Arsenal. Stealth technology is obviously a critical asset, and in December they ran another good piece (7 Secret Ways America's Stealth Armada Stays Off the Radar) that explained some of the technical aspects of how stealth works in modern aircraft. I make note of the article not so much because of the aspect that it's getting at - a discussion of the types of aircraft in America's air forces - but rather, to illustrate a broader point about security.

Most folks have a pretty standardized vision of what security entails: guys with guns, concrete or chain link fences, barbed wire, and maybe high security doors. Of course, these can all be important aspects of security. However, security is best when it uses a layered, diverse approach that draws upon multiple disciplines, techniques, and technologies. In network security, this is referred to as defense in depth (a term and concept that's also used by the military). It's similar to the military doctrine of combined arms, which seeks to maximize military effectiveness by using multiple, complementary weapon systems.

In security operations, defense in depth can be achieved by combining what we usually think of - things like guard forces, barriers, and sensors - with other disciplines, like specialized security procedures, red teaming/penetration testing, and overlapping access controls. By overlapping security protocols, procedures, and equipment, the overall risk of security breaches can be mitigated. The likelihood of security failures increases when an organization relies too heavily on one security measure, or attempts to do security on the cheap - for example, relying only on procedures, or providing authorized personnel with credentials without implementing measures to verify those credentials.

The steps for establishing good overall security are the same as the steps for OPSEC:
1. Identify Critical Information/Assets
2. Conduct Threat Analysis
3. Conduct Vulnerability Analysis
4. Assess Risk
5. Apply Countermeasures

A strong risk analysis is critical because it can help to ensure two things:

1. Gaps in security can be identified, addressed, and mitigated, potentially saving the organization from the costs incurred in a security breach. Security breaches can be expensive, both in financial costs and in damage to an organization's reputation or ability to conduct its operations.
2. A level of security commensurate with the threat to the organization can be established. This can also save costs, as it prevents overspending on security measures that are poorly suited to an organization's needs, or which exceed the threat posed by an adversary.

Combining a good risk assessment with defense in depth is the essence of the old adage, "An ounce of prevention equals a pound of cure".
