Is DiD Really the Way?
It’s a pretty well known fact that an attacker with sufficient means and motive has the potential to bypass every security measure you put in place. As a countermeasure to this belief, people often propose Defense in Depth (DiD), believing that by implementing layers of security controls at various logical and physical tiers within an organization, they can reduce security risk. Unfortunately, that’s not necessarily true.
Sorry to be the bearer of bad news, but DiD can actually make the job of an attacker far easier than it otherwise would be, depending on how it is implemented. Here’s why: as the complexity of the data that is processed increases, it becomes easier for an attacker to introduce an exploitable vulnerability. Therefore, when an attacker is culling the potential target list, they will focus on the applications that process the most complex data. Anti-virus applications are a pretty good fit.
There are companies that implement as many anti-virus products in as many places as their budgets will allow because they think this strategy will keep them safe. They’ve got anti-virus software on workstations, email gateways, proxy servers, network attached storage, mobile devices, messaging, gateways, FTP and HTTP traffic analyzers, and soon enough, they’ll have it on any other technology that stores or transmits files. This strategy gives the attacker a path into each of these systems and allows them to bypass each segmentation layer that may exist within the network. This strategy also makes end users feel invincible, and often leads them to participate in more risky online behavior. When a false sense of security is established, a user may use the same machine to perform risky online behaviors that they use to perform financial transactions, putting sensitive personal or corporate data at risk.
So, what security measures will work without providing additional opportunities to attackers?
Patching the underlying error within the code is the easiest way to keep a vulnerability from being exploited. This process increases security without increasing the amount of code an attacker can interact with. While it is the most straightforward solution, many organizations fail to quickly patch vulnerabilities because of time constraints, management issues or because the patch causes a mission critical application to fail.
Virtualization can provide a computing platform where dangerous operations can be performed and relatively little effort expended to revert the virtual machine to the exact state it was before dangerous actions were performed. The biggest danger with virtualization is that attackers can leverage vulnerabilities to move between the virtual machine and the host machine. As long as the virtual machine software is kept up-to-date with the latest patches, then an attacker would have to use a zero day exploit.
Another effective strategy is to remove infrequently used features from software packages. In general this approach is not commonly employed because software developers feel the need to maintain backwards compatibility, a tendency that is driven by end users who want to be able to access and manipulate historical documents. Here’s a workaround: include a separate program that updates documents produced by outdated versions of a program to the newest version. This enables the backwards compatibility that some end-users desire while keeping the main program lean with regard to rarely used features.
The bottom line is that DiD increases the attack surface available to an attacker and can lead to assumptions that further increase risk to an organization. When implementing a security strategy, it is always preferable to limit the amount of code that processes potentially malicious data.