Defence in Depth (DiD)

Javid Chizari

7/19/2022, 1 min read

Defense-in-depth is a cybersecurity strategy that layers multiple, independent defenses so that no single safeguard is relied upon. If one layer of defense fails, the others are still in place to block the attack. The architecture of DiD consists of:

  • Administrative Controls (Policies & Procedures)

  • Technical Controls (Hardware, Software, and Networks)

  • Physical Controls

Assuming that we are the systems security analyst for an organization and want to deploy a new server, here is my checklist:

  • Ensuring the physical safeguards are in place, following security policies and protocols.

  • Using NGFW (Next Generation Firewall) as the first line of defense. This device could include IDS/IPS, application-level monitoring and control, and WAFs.

  • Check the supply chain of the hardware used for the server.

  • Review and confirm the integrity of the components of the server.

  • Ensuring that IT technicians follow the security policies and hardening procedures for an out-of-the-box server, including changing all default settings.

  • Ensuring that all the updates and patches have been installed.

  • Appropriate anti-malware installed and properly configured.

  • Unnecessary ports are disabled.

  • Overseeing the testing process of the server in a DMZ or screened subnet, as per security policies and protocols.

  • Reviewing that the Active Directory, security policy, and logging/monitoring requirements have been met.

  • Ensuring remote access policies have been enforced.

  • DNS protection.

  • VPN and multi-factor authentication.

  • The server has been added to the inventory record, and its baseline configuration is well documented.

  • The server’s data is protected at rest and in transit, and redundancy has been set up based on the organization’s policies and protocols.

  • Ensuring all the updates and patches are current.

  • Installation of perimeter defenses such as IDS, IPS, and firewalls.
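Two items on the checklist, disabling unnecessary ports and documenting the baseline configuration, can be checked against each other once the server is running. The script below is an added example (not part of the original post) that compares a documented baseline with the observed listening sockets and installed packages and reports every deviation; the baseline record, the `ss -Hltn`-style output, and the package list are all constructed sample data.

```python
"""Baseline drift check for a newly deployed server (added example)."""
import re

# Constructed baseline record, as it might appear in the inventory/baseline document.
BASELINE = {
    "hostname": "web-01",
    # (bind address, port) pairs that are expected to listen
    "allowed_listeners": {("0.0.0.0", 22), ("0.0.0.0", 443)},
    # package names are hypothetical examples of required hardening tooling
    "required_packages": {"unattended-upgrades", "auditd", "clamav"},
}

# Constructed sample output in the shape of `ss -Hltn` (header-less, listening, TCP, numeric).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

# Constructed list of installed packages, as a package manager would report it.
INSTALLED = {"auditd", "clamav", "openssh-server"}

# State, recv-q, send-q, then local address:port; greedy \S+ keeps IPv6 brackets intact.
SS_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_text):
    """Return the set of (address, port) pairs currently listening."""
    listeners = set()
    for line in ss_text.splitlines():
        m = SS_RE.match(line)
        if m:
            listeners.add((m.group(1), int(m.group(2))))
    return listeners


def audit(baseline, ss_text, installed):
    """Compare observed state with the documented baseline; return a list of findings."""
    findings = []
    observed = parse_listeners(ss_text)
    for addr, port in sorted(observed - baseline["allowed_listeners"]):
        exposure = "loopback only" if addr.startswith("127.") else "externally reachable"
        findings.append(f"unexpected listener {addr}:{port} ({exposure})")
    for addr, port in sorted(baseline["allowed_listeners"] - observed):
        findings.append(f"expected listener {addr}:{port} not running")
    for pkg in sorted(baseline["required_packages"] - installed):
        findings.append(f"required package missing: {pkg}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, SS_OUTPUT, INSTALLED):
        print(finding)
```

An empty findings list means the host matches its documented baseline; anything else is either a baseline to update or a deviation to remediate.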

Additional endpoint-related advice:

  • Installation of a preset OS image using a workstation installer or snapshots, to keep endpoints uniform across the organization.

  • Endpoint protection and installation of the latest version of the corporate licensed anti-malware.