“a system is as secure as the weakest link”

That is correct, but that is also what security in depth is trying to combat, in part. If you have a chain and one link is broken, the whole chain breaks (attacker wins). But if you have a series of chains overlapping each other and providing support when one chain is broken by a weak link, that is security in depth. An attacker has to break through several layers in order to penetrate properly implemented defense in depth.

Defense in depth helps to:
a) cover for inevitable deficiencies in various security layers (protocols, systems, devices, software, web apps…)
b) cover for human mistake
c) attempt to anticipate unexpected attacks from skilled, creative attackers
d) raises the bar for attacker knowledge; an attacker may have a few key skills, but proper defense in depth may mean the attacker can only break through a couple security measures, but can’t quite own everything else. Hopefully it takes enough time that they get found out or holes are closed.
e) mitigates successful attacks

Some of your attacks are successful and scary because defense in depth is not being properly practiced. Then again, it is hard to defend in depth when we’re not even sure where the next attack will come from. User George runs a personal firewall, router/firewall on the network, AV, changes passwords…and then you pop him with a bad script that asks his credentials from a web page? That’s simply a chink in the armor, a hole in the defense in depth.

But if my web server has a vulnerable web app and you pop into it, but my web server runs jailed, did you own my system? Not yet, perhaps. That’s defense in depth.

Now, I think you can form some points on two things:
1) Defense in depth adds complexity. Man, does it! But until perfect security comes around (and I posit that it never will, especially as long as humans are involved), the added complexity needs to be weighed against the defense gained.

2) Defense in depth isn’t being practiced in large scale because it isn’t economical. This might be an interesting research idea to poll large scale IT security teams and see if they utilize defense in depth concepts.

I suspect most large companies do a combination…a sort of partial defense in depth strategy that still has plenty of holes and weaknesses. But does that make is useless and broken? That’s an interesting question…

An additional attack on the concept might come from how defense in depth masks the holes in each layer. If you have a mesh of chains all holding your organization’s security in place, if one breaks, you might not notice the break because nothing came crashing down. This is a danger with defense in depth, and could be a point against the concept.

I don’t mean to pounce on this one issue, but I think it takes away from your recent excellent posts and revelations.

Just like attacks make our networks stronger, proper discussion and challenges make our ideas and goals stronger. :) Keep up the good work, pdp and others at gnucitizen.