1 - 1
Information Assurance Foundations - SANS
©2001
1
Security Essentials
Day 2
Threat and the Need for
Defense in Depth
Welcome. As we begin day 2, or the second major set of courses in Security Essentials, the focus
will be on defense in depth. This is a term that was coined by the Department of Defense and is a
crucially important concept in information assurance. The topics that we are going to cover are
shown below.
Security Fundamentals
Confidentiality, Integrity, Availability
Threat and risk
Security Policy
What it is and what it is not
How to implement an effective policy
Passwords
Overview of passwords
LC3
Crack
Incident Handling
6 step guide
Information Warfare
Defensive strategies
Offensive strategies
Web security
Web security vulnerabilities
Web security defenses
These are all components of a defense in depth risk management framework as we will explain in
our next slide titled, “Defense in Depth.”
Defense in Depth
We have covered: perimeter defense, vulnerability
scanning, host and network intrusion detection,
honeypots/honeynets and risk assessment; is there
more?
Now, we add security policy, password strength and
assessment, incident handling, information warfare and
web security.
Are we there yet? Sorry, not yet. The slide shows that while we have covered a lot of important topics, we
still have a ways to go! The concept behind defense in depth is simple. The picture we have painted so far is
that a good security architecture, one that can withstand the threat, has many aspects and dimensions. We need
to be certain that if one countermeasure fails, there are more behind it. If they all fail, we need to be ready
to detect that something has occurred, clean up the mess expeditiously and completely, and then tune our
defenses to keep it from happening to us again.
One of the most effective attacks that penetrates standard perimeters is malicious code. These are things like
viruses and Trojan software. They come in as attachments to email messages and on those floppies we bring
in from home (even though we aren’t supposed to), and the CD-ROMs we bring home from DEFCON. These
can do a lot of damage. Most people have heard of BackOrifice and NetBus but there are a score of other
Trojans. The best defense is keeping your anti-virus software up-to-date, and scanning at the firewall, server,
and desktop level. It isn’t particularly expensive or hard, but it takes discipline.
I find systems all the time that don’t even record when successful and unsuccessful logons and logoffs occur.
That's just basic, sensible auditing and they don't turn it on. If there is ever a problem, how will we run it to
ground? You may or may not be in a position where you can affect whether these things are done at your
organizational level, but you can often take the responsibility for your office, shop, division, or desktop. There
are even host-level products that do this for you: TCP Wrappers (host-based access control for Unix network
services rather than a packet filter, but the same idea) and personal firewalls such as BlackICE Defender, ZoneAlarm,
Norton Internet Security and McAfee Personal Firewall. They range from free to commercial, and they provide
perimeter protection at the host level. I use a personal firewall on my home systems when I connect to my ISP
so that I can stop the simple attacks that many of my friends have experienced. The threat is targeting each of
us. What role and responsibility are you willing to accept for defense in depth?
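To make the auditing point concrete, here is an added example (not from the course) of what logon and logoff records let you do after the fact: rebuild who was on the host at a given time, and spot the trail a password-guessing attacker leaves behind, several failures from one source immediately followed by a success. The record format and the log lines are constructed for illustration, not any real product's format; a practitioner would adapt the parser to Windows Security log events or Unix auth logs. With auditing off, none of this can be reconstructed.

```python
"""
Added example: reconstructing activity from logon/logoff audit records.
The "timestamp event user source" format and the records below are
constructed for this illustration and are not any real product's log.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_AUDIT = """\
2001-06-14T02:11:03 LOGON_FAIL admin  198.51.100.23
2001-06-14T02:11:09 LOGON_FAIL admin  198.51.100.23
2001-06-14T02:11:15 LOGON_FAIL admin  198.51.100.23
2001-06-14T02:11:21 LOGON_OK   admin  198.51.100.23
2001-06-14T02:40:00 LOGOFF     admin  198.51.100.23
2001-06-14T08:02:44 LOGON_OK   jsmith 10.1.4.17
2001-06-14T08:03:10 LOGON_FAIL rkim   10.1.4.30
2001-06-14T08:03:25 LOGON_OK   rkim   10.1.4.30
2001-06-14T17:15:02 LOGOFF     jsmith 10.1.4.17
"""


def parse_audit(text):
    """Return (time, event, user, source) tuples sorted by time.
    Blank or malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, event, user, source = parts
        records.append((datetime.fromisoformat(ts), event, user, source))
    records.sort()
    return records


def sessions(records):
    """Pair each LOGON_OK with the next LOGOFF for the same user/source.
    A session still open at the end of the log gets end=None."""
    open_sessions = {}
    out = []
    for ts, event, user, source in records:
        key = (user, source)
        if event == "LOGON_OK":
            open_sessions[key] = ts
        elif event == "LOGOFF" and key in open_sessions:
            out.append((user, source, open_sessions.pop(key), ts))
    for (user, source), start in open_sessions.items():
        out.append((user, source, start, None))
    return out


def who_was_logged_on(records, at):
    """Users with a session covering the datetime `at`."""
    return sorted({user for user, _src, start, end in sessions(records)
                   if start <= at and (end is None or at < end)})


def guessing_then_success(records, threshold=3, window_seconds=300):
    """Flag (user, source, failures, time) where at least `threshold`
    LOGON_FAILs within `window_seconds` precede a LOGON_OK: the classic
    signature of a guessed password."""
    fails = defaultdict(list)
    hits = []
    for ts, event, user, source in records:
        key = (user, source)
        if event == "LOGON_FAIL":
            fails[key].append(ts)
        elif event == "LOGON_OK":
            recent = [t for t in fails[key]
                      if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold:
                hits.append((user, source, len(recent), ts))
            fails[key].clear()  # a success ends the guessing sequence
    return hits


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for hit in guessing_then_success(recs):
        print("possible guessed password:", hit)
    print("logged on at 09:00:",
          who_was_logged_on(recs, datetime.fromisoformat("2001-06-14T09:00:00")))
```

Both questions the instructor asks ("how will we run it to ground?") are answered only because both successful and failed logons were recorded: the three failures are what make the 02:11:21 admin logon suspicious, and the session pairing is what tells you who was present when the damage was done.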
Defense In Depth (2)
[Diagram: concentric rings, from the center outward: Info, Application, Host, Network]
This diagram shows another way to think of the Defense In Depth concept. At the center of the
diagram is your information. However, the center can be anything you value, or the answer to the
question, “What are you trying to protect?” Around that center you build successive layers of
protection. In the diagram, the protection layers are shown as blue rings. In this example, your
information is protected by your application. The application is protected by the security of the host
it resides on, and so on. In order to successfully get your information, an attacker would have to
penetrate through your network, your host, your application, and finally your information protection
layers.
Using a Defense in Depth strategy does not make it impossible to get to your core resources – the
resource at the center of the diagram. For example, your defense layers might be trivial or easy to
compromise. However, a well-thought-out Defense in Depth strategy, using the strongest protections
feasible at each layer, presents a formidable defense against would-be attackers.
Next, we are going to take you on a tour of three famous attacks to see what lessons we can learn
from them. Along the way, we are going to discuss the three key dimensions of protection and
attack. Most of you are already familiar with them. They are: confidentiality, integrity, and
availability. Throughout the Security Essentials program, you will be deploying countermeasures to
protect confidentiality, integrity, and availability; and you may experience attacks against these
dimensions. We can think of these as the “primary colors” of information assurance. By mixing and
matching these -- and we do mix and match, because they are interrelated -- we are able to develop
either a very strong attack, or develop a strong defense. On our next slide, titled “Agenda,” let’s take
a look at the material we are about to explore.
Agenda
• Principles of attack and defense
• Risk and threats
• Three famous attacks
• Introduction to vulnerabilities
• Basic countermeasures
• Summary
This slide shows the main topics we are going to cover. We will discuss the threats that are arrayed
against our computer systems. To focus that discussion, we will be concerned with some of the more
famous attacks that have occurred. Now, information assurance can get really complex, but these
kinds of problems decompose nicely. As we work our way through the material, we are going to be
pointing out aspects of confidentiality, integrity, and availability, in both the attacks and also the
defenses we discuss. So if you are new to security, or if you just want a quick review, the way I
think about these things is – a credit card.
Have you ever had a credit card not be accepted? Three different times in a row, when I was buying
tires at a local store in my town, my credit card did not clear. All three times, the bank said their
computers were down. Well, that is an availability attack. Well, it certainly felt like an attack to
me! I live in a small town and a lot of people know me – and so to have my card rejected was very
embarrassing. Confidentiality makes sure that no one but you knows your credit card number. An
example of a confidentiality defense is the way that “padlock” on the bottom of your Internet
browser closes (for Netscape) or appears (with Internet Explorer) when you are executing a secure
transaction -- the bit stream is encrypted to foil casual eavesdroppers. An example of an integrity
attack would be telling someone they lie so much, their own mother doesn’t believe them! (Ha ha -
well, maybe that’s not exactly right.) More precisely, it is any unauthorized change to the data: charging
a purchase to someone else’s credit card number, or modifying the balance of someone else’s account.
We will continue to explore these fundamental principles on our next slide titled, “Three Bedrock
Principles.”
Three Bedrock Principles
• Confidentiality
• Integrity
• Availability
[Diagram: the three principles drawn as a triangle, Confidentiality at the top, Integrity and Availability at the base]
Keep in mind that the principles we have been discussing are interrelated. An attacker may exploit an
unintended function on a web server, the cgi-bin program “phf”, to list the password file. That breaches the
confidentiality of sensitive information (the password file). Then, in the privacy of his own computer
system, the attacker can run brute-force or dictionary-driven password attacks against the password hashes
(the hashes are not decrypted; candidate passwords are hashed and compared until one matches). With a
cracked password, the attacker can log on and execute an integrity attack. He can even use an availability
attack as part of the overall effort to neutralize alarms and defensive systems, so they can’t report his
presence. When this is completed, the attacker fully controls the target system, and all three dimensions
(confidentiality, integrity and availability) are compromised.
Now, I chose a very simple, well-known attack for a reason. A large number (in fact, an
embarrassingly large number) of corporate, government, and educational systems that are
compromised and exploited are defeated by these well-known, well-published attacks.
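The phf chain above, as an added example that is not part of the SANS course material: a cut-down Python model of why phf was exploitable (its shell-escaping routine missed the newline character, so a `%0a` in the query ended the intended `ph` command and started the attacker's own), a hardened replacement that allowlists the input and never goes through a shell, and a detector for phf probes in web server access logs. The exact `ph` command line and the sample log lines are constructed for illustration; nothing here executes a command, the functions only build or validate one.

```python
"""
Added example: the phf CGI flaw, a hardened form, and log detection.
The command shape and log lines are constructed for illustration.
"""
import re

# Metacharacters that phf's escape routine backslash-escaped.
# Note what is missing: "\n".  That omission is the vulnerability.
_ESCAPED = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd_phf(s):
    """Faithful to the flaw: escapes most metacharacters but not newline."""
    return "".join("\\" + c if c in _ESCAPED else c for c in s)


def build_ph_command_vulnerable(alias):
    """The command line phf handed to popen(3) (assumed argument shape).
    Everything after the first newline becomes a second shell command."""
    return "/usr/local/bin/ph -m alias=" + escape_shell_cmd_phf(alias)


def injected_commands(cmdline):
    """Every line after the first is a command the author never intended."""
    return cmdline.split("\n")[1:]


_ALIAS_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_ph_argv_hardened(alias):
    """Hardened form: allowlist the input, then build an argv list for
    subprocess.run(argv, shell=False).  No shell, so no metacharacter matters,
    and the allowlist rejects newline and everything else unexpected."""
    if not _ALIAS_RE.fullmatch(alias):
        raise ValueError("rejected alias: %r" % alias)
    return ["/usr/local/bin/ph", "-m", "alias=" + alias]


# --- detection over access-log lines (constructed, Common Log Format) -------
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2001:13:55:36 -0400] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.7 - - [10/Oct/2001:13:56:01 -0400] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1024',
    '10.0.0.9 - - [10/Oct/2001:13:57:14 -0400] "GET /cgi-bin/phf?Qalias=jsmith HTTP/1.0" 200 312',
]

_REQUEST_RE = re.compile(r'"[A-Z]+ ([^" ]+)')


def is_phf_probe(logline):
    """Flag requests to phf that carry an encoded newline, i.e. the injection.
    A plain phf lookup without %0a is left alone to keep false positives down."""
    m = _REQUEST_RE.search(logline)
    if not m:
        return False
    path = m.group(1).lower()
    return "/cgi-bin/phf" in path and "%0a" in path


def phf_probes(lines):
    return [line for line in lines if is_phf_probe(line)]


if __name__ == "__main__":
    cmd = build_ph_command_vulnerable("x\n/bin/cat /etc/passwd")
    print("attacker-supplied command(s):", injected_commands(cmd))
    print("hardened argv:", build_ph_argv_hardened("jsmith"))
    for line in phf_probes(SAMPLE_LOG):
        print("phf probe:", line)
```

The detector is deliberately narrow (phf plus `%0a`), which is what you want in a 2001-era web log: it catches the password-file grab without flagging every legitimate phonebook lookup. The hardened builder shows the general lesson behind the specific bug: validate against an allowlist and pass arguments as a vector, rather than trying to enumerate every character a shell might treat specially.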
Now, not all the bad things that happen to computer systems are attacks per se. There are fires, water
damage, mechanical breakdowns, and plain old user error. But all of these are called threats. We
use threat models to describe a given threat and the harm it could do if the system has a
vulnerability as we will see on our next slide titled, “Threats.”
Threats
• Activity that represents possible danger
• Can come in different forms & from
different sources
• You can’t protect against all threats
• Protect against the ones that are most
likely or most worrisome based on:
– Business goals
– Validated data
– Industry best practice
In security discussions you will hear a lot about threats. Threats, in an information security sense, are
any activity that represent possible danger to your information. Danger can be thought of as anything
that would negatively affect the confidentiality, integrity, or availability of your systems or services.
Thus, if risk is the potential for loss or harm, threats can be thought of as the agents of risk.
Threats can come in many different forms and from many different sources. There are physical threats,
like fires, floods, terrorist activities, and random acts of violence. And there are electronic threats like
hackers, vandals, and viruses. Your particular set of threats will depend heavily on your situation – what
business you are in, who your partners and enemies are, how valuable your information is, how it is
stored, maintained and secured, who has access to it, and a host of other factors.
The point is there are too many variables to ever possibly protect against all the possible threats to your
information. To do so would cost too much money, take too much time, and too much effort. So, you
will need to pick and choose what threats you will protect against. You will start by identifying those
threats that are most likely to occur or most worrisome to your organization.
The way to do this is by identifying three primary areas of threat. The first is based on your business
goals. If your business is heavily dependent on a patented formula you would consider theft of that
formula to be a likely threat. If your business is the movement of fund transfers over a network, you
would consider attacks on that network link to be a likely threat. These are two examples of business-
based threats.
The second type of threats are those based on validated data. If your web site is repeatedly hacked
through your firewall, you would consider Internet hackers to be a major threat. If your main competitor
always manages to find out key confidential information about your business plans, you would start
considering corporate espionage a threat. These are examples of threats identified because of validated
instances of damage based on those threats. In some ways these may be the most serious, because they
have already happened and are likely to happen again in the future.
The final type of threats are those that are widely known in the security industry. To protect against
them is just good common sense. That is why we put badge readers and guards in buildings, why we use
passwords on our computer systems, and why we keep secret information locked in a safe. We may not
have had attacks against any of these, but it is commonly understood to be foolish not to do so.
Vulnerabilities
• Weaknesses that allow threats to happen
• Must be coupled with a threat to have an impact
• Can be prevented (if you know about them)
The third element of the risk spectrum is the notion of Vulnerabilities. (Remember that the first two
elements are risk and threats.) In security terms, a vulnerability is a weakness in your systems or
processes that allows a threat to occur. However, simply having a vulnerability by itself is not a bad
thing. It is only when the vulnerability is coupled with a threat that the danger starts to set in. Let’s
look at an example.
Suppose you like to leave the doors and windows to your house unlocked at night. If you live in the
middle of the woods, far away from anyone else, this may not be a bad thing. There really aren’t
many people that wander around and, if you’re high enough on the hill, you’ll be able to see them
coming long before they present a danger. So, in this case, the vulnerability of having no locks is
there, but there really isn’t any threat to take advantage of that vulnerability.
Now suppose you move to a big city full of crime. In fact, this city has the highest burglary rate of
any city in the country. If you continue your practice of leaving the doors and windows unlocked,
you have exactly the same vulnerability as you had before. However, in the city the threat is that
much higher. Thus, your overall danger and risk is much greater.
Vulnerabilities can be reduced or even prevented, provided, of course, that you know about them.
The problem is that many vulnerabilities lay hidden, undiscovered until somebody finds out about
them. Unfortunately, the “somebody” is usually a bad guy. The bad guys always seem to find out
about vulnerabilities long before the good guys.
Relating Risk, Threat and
Vulnerability
Risk = Threat x Vulnerability
OK, we’ve spent the last few slides talking about risks, threats, and vulnerabilities. The three
concepts are extremely interrelated. Their relationship can be found in this simple formula:
Risk = Threat x Vulnerability
This formula shows that risk is directly related to the level of threat and vulnerability you, your
systems, or your networks face. Here’s how the formula works:
If you have a very high threat, but a very low vulnerability to that threat, your resulting risk will be
very low. In the example we used before, if you live in a high crime neighborhood (thus, high threat)
but you keep your doors and windows locked (so you have a low vulnerability), your overall risk is
very low.
If you have a high vulnerability to a threat (by keeping your doors and windows unlocked), but the
threat itself is minor (by living in the woods), once again you have a very low risk factor.
If, however, you have a high level of threat potential (a high crime area) and your vulnerability to
that threat is very high (no locks), you have a high risk factor.
Of course, this formula is nice, but keep in mind that, as we stated way up front, there are no
absolutes in security. Thus it is usually impossible to assign numeric values to areas like threats and
vulnerabilities, so this formula should be used as an aid to guide your thinking rather than an absolute
mathematical calculation. When you begin to get into discussions and arguments about risks, threats,
and vulnerabilities (and yes, you will get into arguments about this stuff) you can refer back to this
basic formula to help guide you in your decision making process.
The Threat Model
• Threat
• Vulnerability
• Compromise
Vulnerabilities are the gateways
by which threats are manifested.
On the bottom of your slide, it says that “vulnerabilities are the gateways by which threats are
manifested”. So, for a threat model to have any meaning at all, there has to be a threat. Are there
people with the capability and inclination to attack - and quite possibly harm - your computer
systems and networks? What is the probability of that happening? The probability is high that any
publicly routable address will be targeted several times a year. The most common countermeasure for
most organizations is to deploy firewalls or other perimeter devices. These work quite well to reduce
the volume of attacks that originate from the Internet, but they don’t protect systems from insiders, or
from attacks like macro viruses, which ride inside the email and documents the firewall is configured to
allow and so pass through it almost every time.
So there is a threat, and there are certainly vulnerabilities, and when a threat is able to connect to its
specific vulnerability, the result can easily be system compromise. Again, the most common tactic is
to protect systems with perimeter devices such as firewalls. It’s cost-effective, it’s practical, and it’s
highly recommended. Even the most open universities or other research environments that require
themselves to be very open should be able to do some perimeter defense, even if they can only do it
at the department or building level, or even if they can only do it at the host level.
In the past few slides, we have been discussing theory that provides a framework to understand and
use tools like the ones we discussed in risk management – the big picture. Now we want to move
away from theory a bit into some historical applications of confidentiality, integrity, and availability.
Our next slide is titled, “Four Lessons From History.”
Four Lessons From History
• Morris worm – Availability – 1988
• Melissa – Availability – 1999
• W32.SirCam worm – Confidentiality – 2001
• Code Red II – Integrity – 2001
Hopefully, we can learn enough from history to avoid having to repeat it. The attacks we are going to discuss,
perhaps the most famous information security defense failures, are the Morris worm, Melissa, SirCam, and
Code Red II. They span from 1988 to 2001. We don’t have time
in this course to explore each of these in great detail, but you should be familiar with each of these as
a security professional. As homework, please try an internet search for these attacks and read a bit
more. There are information security lessons that we ought to be able to learn from these well-
known attacks. In each case, there was a computer system vulnerability, and it was exploited.
In each of the cases, there was an absence of defense in depth. In fact, in the case of most systems
affected by the Morris worm, and the Code Red attack, the exploit did not have to penetrate any
defensive perimeters. So, that’s “defense in shallow!”
As we go through each of the attacks, try to look out for the three primary security dimensions:
confidentiality, integrity, and availability. Consider how the defenses for each failed, or did not exist
in the first place. The vulnerability is listed in every case; so please note how the threat was able to
exploit the vulnerability to compromise or affect the target system(s).
The Morris Worm
• Availability attack (Denial of Service)
• Common vulnerabilities in fingerd and sendmail allowed rapid replication
• Internet communications effectively lost
If you haven’t read Zen and the Art of the Internet, you probably should. It is available at
We’ll do a small reading from that
section:
“On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an
experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. He
chose to release it from MIT, to disguise the fact that the worm came from Cornell. Morris soon discovered
that the program was replicating and reinfecting machines at a much faster rate than he had anticipated --
there was a bug. Ultimately, many machines at locations around the country either crashed or became
"catatonic." When Morris realized what was happening, he contacted a friend at Harvard to discuss a
solution. Eventually, they sent an anonymous message from Harvard over the network, instructing
programmers how to kill the worm and prevent reinfection. However, because the network route was
clogged, this message did not get through until it was too late. Computers were affected at many sites,
including universities, military sites, and medical research facilities. The estimated cost of dealing with the
worm at each installation ranged from $200 to more than $53,000.
The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a
system and waits for other systems to connect to it and give it email, and a hole in the finger daemon
fingerd, which serves finger requests. People at the University of California at Berkeley and MIT had
copies of the program and were actively disassembling it (returning the program back into its source form)
to try to figure out how it worked.
Teams of programmers worked non-stop to come up with at least a temporary fix, to prevent the continued
spread of the worm. After about twelve hours, the team at Berkeley came up with steps that would help
retard the speed of the worm. Another method was also discovered at Purdue and widely published. The
information didn't get out as quickly as it could have, however, since so many sites had completely
disconnected themselves from the Internet.”
Additional information on the Morris worm can be found at
Morris Worm –
Defense in Depth
• Threat
– No perimeter defense (directly accessible from the Internet)
– Multiple services on same system
– Unpatched systems
• DiD
– Separation of services
– Apply patches
Morris released the worm as an experiment, but it illustrated the problem with unpatched systems. Every host
that exposed both fingerd and sendmail’s debug mode directly to the Internet offered the worm two independent
ways in. Had finger been running on a separate system from the mail system, and had the exposed services been
patched, each host would have presented a smaller attack surface and the Internet would have been more resilient
against the attack.