[Infowarrior] - Gov RFC: Defense-in-Depth a Smart Investment?

Richard Forno rforno at infowarrior.org
Wed Jan 12 07:18:32 CST 2011


(The answer, I'm sure, will be "Yes, we need more 'stuff' to ensure protection.  Can't have too much 'stuff' protecting us." -- rick)

http://cryptome.org/0003/did-cybersec.htm

Defense-in-Depth is a Smart Investment for Cyber Security

There is a strong and often repeated call for research to provide novel cyber security solutions. The rhetoric of this call is to elicit new solutions that are radically different from existing solutions. Continuing research that achieves only incremental improvements is a losing proposition. We are lagging behind and need technological leaps to get, and keep, ahead of adversaries who are themselves rapidly improving attack technology. To answer this call, we must examine the key assumptions that underlie current security architectures. Challenging those assumptions both opens up the possibilities for novel solutions that are rooted in a fundamentally different understanding of the problem and provides an even stronger basis for moving forward on those assumptions that are well-founded. The SCORE Committee is conducting a series of four workshops to begin the assumption buster process. The assumptions that underlie this series are that cyber space is an adversarial domain, that the adversary is tenacious, clever, and capable, and that re-examining cyber security solutions in the context of these assumptions will result in key insights that will lead to the novel solutions we desperately need. To ensure that our discussion has the requisite adversarial flavor, we are inviting researchers who develop solutions of the type under discussion, and researchers who exploit these solutions. The goal is to engage in robust debate of topics generally believed to be true to determine to what extent that claim is warranted. The adversarial nature of these debates is meant to ensure the threat environment is reflected in the discussion in order to elicit innovative research concepts that will have a greater chance of having a sustained positive impact on our cyber security posture.

The first topic to be explored in this series is “Defense-indepth is a Smart Investment.” The workshop on this topic will be held in the Washington DC area on March 22, 2011.

Initially developed by the military for perimeter protection, Defense-in-Depth was adopted by the National Security Agency (NSA) for main-frame computer system protection. The Defense-in-Depth strategy was designed to provide multiple layers of security mechanisms focusing on people, technology, and operations (including physical security) in order to achieve robust information assurance (IA).1 Today’s highly networked computing environments, however, have significantly changed the cyber security calculus, and Defense-in-Depth has struggled to keep pace with change. Over time, it became evident that Defense-in-depth failed to provide information assurance against all but the most elementary threats, in the process putting at risk mission essential functions. The 2009 White House Cyberspace Policy Review called for “changes in technology” to protect cyberspace, and the 2010 DHS DOD MOA sought to “aid in preventing, detecting, mitigating and recovering from the effects of an attack”, suggesting a new dimension for Defense-in-depth along the lifecycle of an attack.

< -- >

http://cryptome.org/0003/did-cybersec.htm


More information about the Infowarrior mailing list