We just returned from our annual vacation on Cape Cod. It’s always been an ideal place to relax and recharge.
This year was no exception, thanks in no small part to seven days of picture-perfect weather.
But it wasn’t entirely stress free. That’s because on the very first day, my right flip-flop broke.
I know, I know, this is not a 911-level emergency. But you can’t walk on the hot sand in bare feet, and you can’t get very far with a broken flip-flop.
Fortunately, I had packed two pairs.
But then, on day two, the left flip-flop of the second pair broke!
I’m no statistician, but from a probability standpoint, this would seem to be the footwear equivalent of being struck by lightning one day and being eaten by a tiger the next.
I briefly considered wearing two unmatched flip-flops for the week, but this certainly wasn’t ideal. So I took my wife Rachel’s suggestion to heart and went to the general store in town to see if I could find an appropriate pair.
“Appropriate,” because as a man with size-13 feet, I’ve learned from experience that I can’t just walk into a store and expect to find much to choose from.
But the Brewster General Store surprised me. In a big bin of flip-flops, there sat a pair with a little “13” sticker on it. Not only that, they turned out to be one of the best pairs I’ve ever owned, and all for a whopping nine dollars.
All in all, a happy ending. But only because when my first choice was compromised, I had a few additional options to choose from.
What’s your Defense-in-Depth strategy?
“Defense-in-Depth” refers to the cybersecurity strategy of having complementary controls in place to help protect your systems in the event of failure or compromise of one of those controls.
In the case of a broken flip-flop, that may mean having a second pair and a well-stocked general store nearby.
In the case of your organizational assets, and while I acknowledge that this is a bit more complicated, the concept is the same: setting up complementary controls prior to a breach, outage, or failure.
Unfortunately, many organizations fail to view their cybersecurity in this layered way.
For example, often, when we meet with new clients, they say things like, “We have encryption,” or, “We have Multi-Factor Authentication.”
Awesome. But those are “single flip-flop” safeguards. In our experience, anytime a company has fixated on a single control as a means of protection, there is a rat’s nest of poorly implemented — or nonexistent — secondary controls in place.
Are the encryption keys protected? Do you have a formal process for removing former contractors or employees from your systems when they leave? Are you sharing passwords among employees?
To be truly protected, you need many controls, working together, so that a single failure does not have catastrophic results. In other words, you need Defense-in-Depth.
Banks use Defense-in-Depth – Think like a Bank!
Consider the example of a bank intent on protecting its cash. Sure, they have a vault with a big steel door.
But they also have cameras, alarms, door locks, and armed guards. These are complementary controls, put in place so that if one fails — a power outage, a compromised employee, etc. — the others are there to ensure ongoing security.
Your web hosting (for example) should likewise be secured with the intention of defending against what could go wrong. Such as…
- The initial configuration is done well.
- The servers are patched regularly.
- Identity and Access Management is actively managed.
- Staff are properly on-boarded and off-boarded.
- Multi-Factor Authentication is properly implemented.
- The database has restricted access.
- The application is tested by an expert for security vulnerabilities (AKA, a “pen test”).
Know What You Don’t Know
One of the most challenging aspects of Defense-in-Depth implementation is uncovering potential risks that may not be immediately obvious. Companies tend to focus on what they are doing, all the while ignoring the hundreds of things that they are not.
Overall, there tends to be a lack of imagination when thinking about security programs.
A good starting point in addressing this is to look at existing cybersecurity standards (CIS or NIST), and/or standards that may already exist in your industry, such as HIPAA in healthcare. Industry standards will give you a sense of what makes up a good cybersecurity program.
Am I Ever Sufficiently Covered?
We hear this question all the time. It’s a little bit like asking, “Am I ever healthy enough?” Strictly speaking, in both health and cybersecurity, the answer is probably no.
But as a practical matter, it comes down to risk reduction — weighing the cost (time, money, resources) against the value of the asset(s) in question.
A large financial institution with billions of dollars at stake is going to need a higher level of controls than a bakery that is simply trying to protect its customer list and order information (and, okay, those delicious cookie recipes).
Whatever the specifics, Defense-in-Depth encourages us to consider implementing multiple layers of control, to help ensure the ongoing security of our most valuable assets.
Speaking of which, I should probably see if I can pick up another pair of flip-flops on the way home. When it comes to beachwear, you can’t be too careful.