LRQA Nettitude Blog

Is Defence In Depth Dead?

Posted by Matthew Gough on Nov 5, 2012 2:37:54 PM

“Networks are no longer safe if a company takes the egg-shell approach of simply using perimeter-centric hardware devices, anti-virus and anti-malware software and other approaches to keep intruders out” - William Boni, VP and CISO T-Mobile USA – Jan 2012.

I am a great believer that good security comes from a multi-layer approach. You don't lock your front gate and leave all the doors open, right? So why should IT security differ? This article looks at an interesting list of the "Top 20" critical security controls published recently by the Centre for the Protection of National Infrastructure (CPNI). CPNI was formed from the merger of the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC), formerly part of MI5, the UK's security service, and has responsibility for providing information assurance guidance for the UK's national infrastructure.

Here is the list:

1. Inventory of Authorised and Unauthorised Devices
2. Secure Configurations (Hardware & Software)
3. Secure configurations for hardware and software on laptops, workstations, and servers
4. Continual Vulnerability Assessment
5. Malware Defences
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Training
10. Secure configurations for network devices such as firewalls, routers, and switches
11. Limit network ports, protocols and services
12. Controlled use of Admin privileges
13. Boundary Defence
14. Maintenance and Monitoring
15. Need to know permissions
16. Account monitoring and control
17. Data Loss Prevention
18. Incident Response
19. Secure network engineering
20. Penetration Testing

Being in security for the past 4 years, I have audited and tested the security defences of 100+ organisations and I can honestly say I have never seen any one organisation conducting satisfactory controls in all these areas, if any at all. Therefore, I suggest any organisation review this list and either use it as a basis for their IT security policy (if they have one) or conduct a simple audit of their systems against this list. If you have gone as far as classifying the information that flows in and out of your organisation, you may want to apply this list per classification.

My particular favourites are training and penetration tests. This may be because I have conducted many social engineering and penetration tests, but these really stand out for me. Penetration testing is a key indicator that the other 19 controls are working, and any tests that do not include elements of social engineering really are not true tests of the threats faced by organisations today. Just look at RSA...
