1 - 1
Information Assurance Foundations - SANS
©2001
1
Security Essentials
Day 2
Threat and the Need for Defense in Depth
Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus
will be on defense in depth. This is a term that was coined by the Department of Defense and is a
crucially important concept in information assurance. The topics that we are going to cover are
shown below.
Security Fundamentals
  Confidentiality, Integrity, Availability
  Threat and risk
Security Policy
  What it is and what it is not
  How to implement an effective policy
Passwords
  Overview of passwords
  LC3
  Crack
Incident Handling
  6 step guide
Information Warfare
  Defensive strategies
  Offensive strategies
Web security
  Web security vulnerabilities
  Web security defenses
These are all components of a defense in depth risk management framework as we will explain in
Internet Security, McAfee Personal Firewall – these range from free to commercial software, and they provide
perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP
so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of
us. What role and responsibility are you willing to accept for defense in depth?
Defense In Depth (2)
[Diagram: concentric rings labelled, from the center outward, Info, Application, Host, Network]
This diagram shows another way to think of the Defense In Depth concept. At the center of the
diagram is your information. However, the center can be anything you value, or the answer to the
question, “What are you trying to protect?” Around that center you build successive layers of
protection. In the diagram, the protection layers are shown as blue rings. In this example, your
information is protected by your application. The application is protected by the security of the host
it resides on, and so on. In order to successfully get your information, an attacker would have to
penetrate through your network, your host, your application, and finally your information protection
layers.
Using a Defense in Depth strategy does not make it impossible to get to your core resources – the
resource at the center of the diagram. For example, your defense layers might be trivial or easy to
compromise. However, a well-thought-out Defense in Depth strategy, utilizing the strongest
protections feasible at each layer, presents a formidable defense against would-be attackers.
Next, we are going to take you on a tour of three famous attacks to see what lessons we can learn
from them. Along the way, we are going to discuss the three key dimensions of protection and
attack. Most of you are already familiar with them. They are: confidentiality, integrity, and
availability. Throughout the Security Essentials program, you will be deploying countermeasures to
protect confidentiality, integrity, and availability; and you may experience attacks against these
attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha -
well, maybe that’s not exactly right.) It might be spoofing by using someone else’s credit card, or
modifying the balance of someone else’s account.
We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock
Principles.”
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
[Diagram: triangle with its three corners labelled Confidentiality, Integrity, Availability]
Keep in mind that the three key dimensions we have been discussing are interrelated. So, an attacker may
exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file.
This breaches the confidentiality of that sensitive information (the password file). Then, in the
privacy of his own computer system, the attacker can use brute force or dictionary-driven password
attacks to crack the passwords. Then, with a stolen password, the attacker can execute an integrity
attack once he gains entrance to the system. He can even use an availability attack as part of the
overall effort to neutralize alarms and defensive systems, so they cannot report his presence. When
this is completed, the attacker can fully access the target system, and all three dimensions
(confidentiality, integrity and availability) are in jeopardy.
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an
embarrassingly large number) of corporate, government, and educational systems that are
compromised and exploited are defeated by these well-known, well-published attacks.
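The phf example above is a good candidate for the kind of check a defender can run over web server logs, since a hardened server should never receive a legitimate request for that legacy CGI program. The following Python script is an added example, not part of the course material: it parses a few constructed Common Log Format lines, flags every request for /cgi-bin/phf, and rates a request the server actually answered (2xx) as a likely confidentiality breach and a refused one as a probe. The log lines, addresses and timestamps are invented for the example.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format) for this example;
# these lines are not from the course material.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:13 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [12/Mar/2001:10:02:07 -0500] "GET /cgi-bin/phf?Qname=test HTTP/1.0" 200 512
10.0.0.5 - - [12/Mar/2001:10:02:30 -0500] "GET /images/logo.gif HTTP/1.0" 200 2211
192.0.2.44 - - [12/Mar/2001:10:02:41 -0500] "GET /CGI-BIN/phf HTTP/1.0" 404 210
198.51.100.9 - - [12/Mar/2001:10:05:02 -0500] "GET /cgi-bin/phf HTTP/1.0" 403 199
"""

# Common Log Format: client ident user [timestamp] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_phf_request(path):
    """True if the request targets the phf CGI script, in any letter case and
    with or without a query string. A server that no longer ships phf should
    never see a legitimate request for it, so any hit is worth a look."""
    base = path.split("?", 1)[0]
    return base.lower().endswith("/cgi-bin/phf")


def find_phf_requests(log_text):
    """Scan log text and report every phf request. A 2xx status means the
    script answered (a likely confidentiality breach); any other status is a
    probe the server refused."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_phf_request(rec["path"]):
            continue
        status = int(rec["status"])
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "path": rec["path"],
            "status": status,
            "severity": "breach-likely" if 200 <= status < 300 else "probe",
        })
    return findings


def requests_by_source(findings):
    """Count phf requests per client address to see who is scanning."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_phf_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]:15} {h["status"]} {h["severity"]:14} {h["path"]}')
    print("requests per source:", dict(requests_by_source(hits)))
```

Run against a real access log, the "breach-likely" entries are the ones to treat as incidents (the password file may already be in the attacker's hands, so the integrity and availability attacks described above are the next thing to look for), while repeated "probe" entries from one address show the reconnaissance that precedes them.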
Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water
damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We
use threat models to describe a given threat and the harm it could do if the system has a
formula to be a likely threat. If your business is the movement of fund transfers over a network, you
would consider attacks on that network link to be a likely threat. These are two examples of business-
based threats.
The second type of threats are those based on validated data. If your web site is repeatedly hacked
through your firewall, you would consider Internet hackers to be a major threat. If your main competitor
always manages to find out key confidential information about your business plans, you would start
considering corporate espionage a threat. These are examples of threats identified because of validated
instances of damage based on those threats. In some ways these may be the most serious, because they
have already happened and are likely to happen again in the future.
The final type of threats are those that are widely known in the security industry. To protect against
them is just good common sense. That is why we put badge readers and guards in buildings, why we use
passwords on our computer systems, and why we keep secret information locked in a safe. We may not
have had attacks against any of these, but it is commonly understood to be foolish not to do so.
Vulnerabilities
• Weaknesses that allow threats to happen
• Must be coupled with a threat to have an impact
• Can be prevented (if you know about them)
The third element of the risk spectrum is the notion of Vulnerabilities. (Remember that the first two
elements are risk and threats.) In security terms, a vulnerability is a weakness in your systems or
processes that allows a threat to occur. However, simply having a vulnerability by itself is not a bad
thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in. Let’s
look at an example.
Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the
If, however, you have a high level of threat potential (a high crime area) and your vulnerability to
that threat is very high (no locks), you have a high risk factor.
Of course, this formula is nice, but keep in mind that, as we stated way up front, there are no
absolutes in security. Thus it is usually impossible to assign numeric values to areas like threats and
vulnerabilities, so this formula should be used as an aid to guide your thinking rather than an absolute
mathematical calculation. When you begin to get into discussions and arguments about risks, threats,
and vulnerabilities (and yes, you will get into arguments about this stuff) you can refer back to this
basic formula to help guide you in your decision making process.
The Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways
by which threats are manifested.
On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are
manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there
people with the capability and inclination to attack - and quite possibly harm - your computer
systems and networks? What is the probability of that happening? The probability is high that any
non-private address will be targeted several times a year. The most common countermeasure for
most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce
the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or
attacks like macro viruses which are able to pass through firewalls about 99% of the time.
So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its
specific vulnerability, the result can easily be system compromise. Again, the most common tactic is
to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s
highly recommended. Even the most open universities or other research environments that require
The Morris Worm
• Availability attack (Denial of Service)
• Common vulnerabilities in fingerd and sendmail allowed rapid replication
• Internet communications effectively lost
If you haven’t read Zen and the Art of the Internet, you probably should. It is available at
http://sunland.gsfc.nasa.gov/info/guide/The_Internet_Worm.html. We’ll do a small reading from that
section:
“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an
experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He
chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered
that the program was replicating and reinfecting machines at a much faster rate than he had anticipated --
there was a bug. Ultimately, many machines at locations around the country either crashed or became
"catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a
solution. Eventually, they sent an anonymous message from Harvard over the network, instructing
programmers how to kill the worm and prevent reinfection. However, because the network route was
clogged, this message did not get through until it was too late. Computers were affected at many sites,
including universities, military sites, and medical research facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a