Defense in Depth

You have already learned a little about the layered approach to security called defense in depth. The concept of defense in depth originated from the military and was seen as a way to delay rather than prevent an attack. As an information security tactic, it is based on the concept of layering more than one control to protect assets. These controls can be physical, administrative, or technical in design. We have looked at a variety of physical controls in this chapter, such as locks, doors, fences, gates, and barriers. Administrative controls include policies and procedures for (among other things) how you recruit, hire, manage, and fire employees. During employment, administrative controls such as least privilege, separation of duties, and rotation of duties are a few of the items that must be enforced. When employees leave or are fired, their access needs to be revoked, accounts blocked, property returned, and passwords changed. Technical controls are another piece of defense in depth and can include items such as encryption, firewalls, and IDSs.

For the physical facility, a security professional should strive for a minimum of three layers of physical defense. The first line of defense is the building perimeter. Barriers placed here should delay and deter attacks. Items at this layer include fences, gates, and bollards. These defenses should not reduce visibility of CCTV and/or guards. Items such as shrubs should be 18 to 24 inches away from all entry points, and hedges should be cut 6 inches below the level of all windows.

The second layer of defense is the building exterior: roof, walls, floor, doors, and ceiling. Windows are a weak point here. Any opening 18 feet or less above the ground should be considered a potential point of easy access and should be secured if it is greater than 96 square inches.

The third layer of physical defense is the interior controls: locks, safes, containers, cabinets, interior lighting. It can even include policies and procedures that cover what controls are placed on computers, laptops, equipment, and storage media. This third layer of defense is important when you consider items such as the data center or any servers kept onsite. A well-placed data center should not be above the second floor of a facility because a fire might make it inaccessible. Likewise, you wouldn’t want the data center located in the basement because it could be subject to flooding. A well-placed data center should have limited accessibility—typically no more than two doors. Keep these items in mind because they will help you secure the facility.

CHAPTER 4 ASSESSMENT

  1. Physical security is less important than logical security.

    A. True

    B. False

  2. ________ is a common physical control that can be used as both a detective and a reactive tool.

    A. A fence

    B. An alarm

    C. CCTV

    D. A lock

  3. For a fence to deter a determined intruder, it should be at least ____ feet tall.

    A. 4

    B. 5

    C. 8

    D. 10

  4. A(n) ________ is used to prevent cars from ramming a building.

  5. Although both guards and dogs are good for physical security, which of the following more commonly applies to dogs?

    A. Liability

    B. Discernment

    C. Dual role

    D. Multifunction

  6. What grade of lock would be appropriate to protect a critical business asset?

    A. Grade 4

    B. Grade 2

    C. Grade 1

    D. Grade 3

  7. ________ defines the camera’s effectiveness in viewing objects from a horizontal and vertical view.

    A. Granularity

    B. Ability to zoom

    C. Field of view

    D. Focal length

  8. In the field of IT security, the concept of defense in depth is layering more than one control on another.

    A. True

    B. False

  9. ________ is an intrusion detection system used exclusively in conjunction with fences.

    A. Infrared wave pattern

    B. Motion detector

    C. RFID

    D. PIDAS

  10. A type II error is also known as what?

    A. False rejection rate

    B. Failure rate

    C. Crossover error rate

    D. False acceptance rate

  11. Which type of biometric system is frequently found on laptops?

    A. Retina

    B. Fingerprint

    C. Iris

    D. Voice recognition

  12. What do lock pick sets typically contain, at a minimum?

    A. Tension wrenches and drivers

    B. A pick

    C. A pick and a driver

    D. A pick and a tension wrench

  13. During an assessment, you discovered that the target company was using a fax machine. Which of the following is the least important?

    A. The phone number is publicly available.

    B. The fax machine is in an open, unsecured area.

    C. Faxes frequently sit in the printer tray.

    D. The fax machine uses a ribbon.
