Driven by the continued noise about the RSA and Comodo breaches, we have spent a lot of time stating the obvious this week. But then I remember that what is obvious to us may not be to everyone else. And even if it is obvious to you, sometimes you need a reminder because you are probably too busy fighting fires and answering questions from senior management (like “Don’t I take dumps in a Comodo?”) to remember the obvious stuff.
So, once again, it is time to don the Captain Obvious suit and talk about layered security models. Rich reminded everyone about Crisis Communications yesterday and earlier this week; Adrian ranted about people fail trumping process fail regarding development every day of the week. Now it’s my turn. If you only have one line of defense, such as strong authentication (either two-factor or even a digital certificate) – you are doing it wrong.
Yes, we still need layers in our security models. You cannot assume that any specific control will be effective, so you need a variety of controls to ensure critical information is adequately protected. That’s the underlying concept of the vaults idea balloon I have been working on. Depending on the sensitivity of the information, you layer additional controls until it’s sufficiently difficult to compromise that information. Note that I said sufficiently hard – Captain Obvious reminds us that everything can be broken.
When you are building your threat models, you don’t assume your user is trusted, even after they authenticate, right? Remember, a device can be compromised after authenticating just as easily as before. Or someone could be holding a gun to your user’s head, which makes most folks pretty well willing to provide access to anything the attacker wants. That’s another reason the RSA and Comodo breaches should be business as usual. Factor in that you now have a bit less trust in the authentication layer. How does that change what you do?
This is why we also advocate monitoring everything, looking for not normal, and being able to react faster and better to any situation. Yes, your controls will fail. Even when you layer them. So constantly checking for out-of-the-ordinary behavior may give you early warning that something has been pwned.
In a post earlier this week, Rob Graham linked to a South Park clip where Captain Hindsight points out that BP’s critical error was not having a backup valve for the backup valve for the regular valve. Of course. And you know that in your shop Captain Hindsight will make an appearance when you get compromised. That’s part of the job, but you can make sure you are doing all you can to reduce the likelihood that one control failure will provide open access. That means don’t outside without your layers on.
Photo Credit: “Captain Obvious” originally uploaded by Gareth Jones