Using defense-in-depth to prevent self-inflicted cybersecurity wounds

May 02, 2017


This past week, I encountered an all-too-common situation — a user gets a targeted phishing attempt. Despite a strong training program, the user opens the attachment and gets infected with ransomware.

For many organizations, this would have resulted in a disaster. Ransomware would have encrypted files on any servers, and the organization would have been forced to either restore the files from a backup, assuming they had them, or to hold their nose and pay a ransom. 

The news was better, however, for the organization I mentioned above.

Fortunately, the premise of their security planning was that someone would eventually shoot them in the foot. With a security plan that assumed this, they had a depth of layered controls to help. While their anti-virus software did not prevent the infection, it did recognize and send an alert about it, after the fact. In the meantime, their web filtering appliances and their DNS service provider, recognizing the call from the infected PC to a command and control server to get an encryption key, blocked access. Since the ransomware client never got the key, it did not encrypt any files. The blocking of command and control access provided the extra time needed to get the PC pulled out of service and repaired. 

The organization referenced above had a happy ending. For every such happy ending, though, I suspect that there are hundreds that end badly. Since these often happen in small organizations, or those that attempt to keep such matters quiet, we often don’t hear about them, but they do exist. It is these sorts of attacks that resulted in an estimated $209 million ransomware payout in the first three months of 2016, according to Forbes.

There is no end in sight for these attacks, because bad actors are working hard to make the process easier. These efforts have resulted in a new class of malware — Ransomware as a Service (RaaS), a turn-key approach for those who wish to extort people, but don’t have the technical chops to pull off an attack. The hackers do the coding, and make the software available, either for a purchase price or a percentage of any ransoms paid. As such, new hackers can join the fray with little risk.

If you are placing your hopes in law enforcement to stop the trend, or to help you out when you’re hit, you probably should go ahead and buy some bitcoins. It is not that law enforcement does not want to help. Quite the contrary, they are working hard to combat the trend. But because there are so many bad actors participating, and because they are often in countries where we can’t get to them, law enforcement is almost helpless.

If the above situation gives you a sense of hopelessness, don’t despair quite yet. As with the aforementioned organization, you, too, can plan for the worst — and adopt the layered-defenses approach that we in the industry call defense-in-depth.

A defense-in-depth strategy assumes that something will go wrong with your basic security precautions. This can be the result of user error, a really smart hacker, or just Murphy’s Law in full force. To address the problem, you assume in advance that something will break, and you plan for additional controls to make up for that failure.

This approach is hard for many organizations to accept, because they hate to spend money multiple times to solve the same problem. The fallacy of this thinking is that, outside of the realm of information security, we implement defense-in-depth all the time. Consider, for example, a warehouse that invests in a sprinkler system to extinguish fires. Even if they have purchased the best possible sprinkler system, they will still pay for an alarm system to notify the fire department of the emergency — just in case. If you think about it, you probably have many such precautions already in place. Why should cybersecurity be different?

When planning your defense-in-depth strategy, think about the different categories or layers of protection you need: 


This is the front line of defense from outside attacks against your network. Using a firewall to prevent unwanted traffic from entering or leaving your network is the key to a strong perimeter defense.

The good news is that many organizations have such a firewall. The bad news is that they are often mismanaged. It is critical to only allow traffic in and out of the firewall that is essential for the operation of the organization. Everything else should be blocked. All too many organizations install a firewall, turn it on, and think they are protected out of the box. This is a false sense of security. 
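The mismanaged-firewall problem described above is easy to check for mechanically. The following is an added example, not code from the article or from any firewall vendor: a small linter for a constructed, simplified rule format of the form `action proto src -> dst:port  # justification`. It flags the things the text calls out: allow rules that are not restricted to essential traffic, a missing explicit default deny, rules with no recorded reason, and rules left in place after the deny (which can never match). The rule syntax, the sample policy, and the addresses are all constructed for this example.

```python
"""Audit a simplified firewall policy for common mismanagement.

Added example (not from the article). The rule format is constructed:
    action proto src -> dst:port   # justification
where action is allow|deny, proto is tcp|udp|any, src/dst are 'any' or an
IPv4 address/network, and port is a number or 'any'.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp|any)\s+(\S+)\s*->\s*(\S+):(\d+|any)\s*(?:#\s*(.*))?$"
)

# Constructed edge policy with the mistakes the article warns about.
SAMPLE_POLICY = """\
# constructed edge policy for the example
allow tcp any -> 203.0.113.10:443   # public web server
allow tcp 198.51.100.0/24 -> 203.0.113.20:22   # vendor jump host, ticket 4711
allow tcp any -> any:any            # "temporary" rule added during an outage
allow udp 10.0.0.0/8 -> 203.0.113.53:53
deny any any -> any:any             # default deny
allow tcp any -> 203.0.113.10:80    # old HTTP rule, unreachable
"""


@dataclass
class Rule:
    lineno: int
    action: str
    proto: str
    src: str
    dst: str
    port: str
    note: str


def parse_policy(text: str) -> list[Rule]:
    """Parse the constructed rule format; blank lines and '#' comments are skipped."""
    rules: list[Rule] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unparseable rule: {line}")
        action, proto, src, dst, port, note = m.groups()
        for addr in (src, dst):
            if addr != "any":
                ipaddress.ip_network(addr, strict=False)  # raises on bad syntax
        rules.append(Rule(n, action, proto, src, dst, port, (note or "").strip()))
    return rules


def is_catch_all_deny(r: Rule) -> bool:
    """True for the explicit 'deny everything' rule a policy should end with."""
    return (r.action == "deny" and r.proto == "any" and r.src == "any"
            and r.dst == "any" and r.port == "any")


def audit(rules: list[Rule]) -> list[tuple[str, int, str]]:
    """Return (severity, line number, message) findings; line 0 = whole policy."""
    findings: list[tuple[str, int, str]] = []
    if not any(is_catch_all_deny(r) for r in rules):
        findings.append(("HIGH", 0, "no explicit default-deny rule; unmatched traffic falls through"))
    deny_seen = False
    for r in rules:
        if deny_seen:
            findings.append(("MEDIUM", r.lineno, "rule is shadowed by the catch-all deny above it"))
            continue
        if is_catch_all_deny(r):
            deny_seen = True
            continue
        if r.action == "allow":
            if r.src == "any" and r.dst == "any":
                findings.append(("HIGH", r.lineno, "allow from any to any defeats the perimeter"))
            elif r.port == "any":
                findings.append(("HIGH", r.lineno, "allow on every port; restrict to the service needed"))
            if not r.note:
                findings.append(("LOW", r.lineno, "no justification recorded; cannot tell if still essential"))
    return findings


if __name__ == "__main__":
    for severity, lineno, msg in audit(parse_policy(SAMPLE_POLICY)):
        print(f"[{severity}] line {lineno}: {msg}")
```

Run against the sample policy, the audit reports the any-to-any allow on line 4, the unjustified rule on line 5, and the unreachable rule on line 7; a policy with no catch-all deny at all produces a policy-level finding instead. Real firewalls have far richer rule semantics, so this is a model of the review a practitioner should do, not a replacement for the vendor's own policy analysis.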


This layer should include intrusion prevention, web filtering, and similar systems. These devices monitor for, and filter out, unusual traffic that is missed at other layers. Web filtering prevents users from aiming a gun at your feet by visiting sites that are known to be infected.

This layer is also a good place to employ a technique called a honeypot, which acts as bait to detect a hacker who has penetrated your perimeter defenses, and is moving laterally through your network. Finally, a good log consolidation system, such as Splunk, can correlate information from various system logs, and generate alerts for suspicious activities. 
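The incident at the top of the article (anti-virus alerting after the fact while the DNS service and web filter blocked the command-and-control call) and the log consolidation point made here are two halves of the same idea: no single layer was decisive, but the events together were. The following is an added example, not code from the article or from Splunk or any other product, showing the kind of correlation such a system performs. It reads constructed log lines from an endpoint anti-virus console, a DNS resolver, a web filter and a honeypot listener, groups suspicious events for the same workstation within a short window, and raises an alert when the weighted evidence crosses a threshold. The log format, hostnames, domains, weights and window are all constructed for this example.

```python
"""Correlate alerts from several defense layers by workstation.

Added example (not from the article or any product). The line format is
constructed: '<ISO timestamp> <layer> key=value key=value ...', where
'host' names the workstation the event concerns.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines from four layers, in arrival order.
SAMPLE_LOGS = """\
2017-04-27T09:14:02 av host=WS-114 event=detected name=Ransom.Generic action=quarantine_failed
2017-04-27T09:14:05 dns host=WS-114 query=key-server.example.invalid verdict=blocked category=c2
2017-04-27T09:14:06 web host=WS-114 url=http://key-server.example.invalid/gen verdict=blocked
2017-04-27T09:20:00 dns host=WS-207 query=updates.example.invalid verdict=allowed category=software
2017-04-27T10:02:11 honeypot host=WS-114 src=10.0.5.114 dst_port=445 event=connection
2017-04-27T11:30:00 av host=WS-301 event=detected name=PUA.Toolbar action=cleaned
"""

# Evidence weight per layer (constructed): a blocked C2 lookup or a touch on
# the honeypot is stronger evidence than a lone anti-virus detection.
LAYER_WEIGHT = {"av": 2, "dns": 3, "web": 2, "honeypot": 4}
WINDOW = timedelta(minutes=15)
ALERT_THRESHOLD = 4  # e.g. av+web, dns+av, or a honeypot hit on its own

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


@dataclass
class Event:
    ts: datetime
    layer: str
    host: str
    fields: dict[str, str]


def parse_line(line: str) -> Event | None:
    """Parse one log line; return None for malformed or unknown-layer lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_text, layer, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    if "host" not in fields or layer not in LAYER_WEIGHT:
        return None
    return Event(datetime.fromisoformat(ts_text), layer, fields["host"], fields)


def is_suspicious(ev: Event) -> bool:
    """Count only events that indicate a problem, not routine allowed traffic."""
    if ev.layer == "av":
        return ev.fields.get("event") == "detected"
    if ev.layer in ("dns", "web"):
        return ev.fields.get("verdict") == "blocked"
    if ev.layer == "honeypot":
        return True  # nothing legitimate should ever connect to the bait host
    return False


def correlate(log_text: str) -> list[dict]:
    """Group suspicious events per host into time windows and score each group."""
    per_host: dict[str, list[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_suspicious(ev):
            per_host[ev.host].append(ev)

    alerts: list[dict] = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e.ts)
        group: list[Event] = []
        # A trailing None flushes the last open window.
        for ev in events + [None]:
            if ev is not None and (not group or ev.ts - group[0].ts <= WINDOW):
                group.append(ev)
                continue
            layers = sorted({e.layer for e in group})
            score = sum(LAYER_WEIGHT[layer] for layer in layers)
            if score >= ALERT_THRESHOLD:
                alerts.append({"host": host, "layers": layers, "score": score,
                               "first_seen": group[0].ts.isoformat()})
            group = [ev] if ev is not None else []
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['host']}: layers={a['layers']} score={a['score']} "
              f"first_seen={a['first_seen']}")
```

On the sample data, WS-114 produces two alerts: the anti-virus, DNS and web-filter events within seconds of each other at 09:14, and the later honeypot connection on its own. WS-207's allowed lookup and WS-301's single cleaned detection stay below the threshold. The weights and window are the tuning knobs; the design point is that each layer reports to one place, so an event a single product would have logged and forgotten becomes an actionable alert.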


This is the layer that resides on your users’ workstations. It is the first line of protection against malware, user downloads, malicious web sites, etc. It is important to use products that can be managed centrally and will report malware back to a console so that alerts can be issued. It also helps to have an endpoint product that can communicate with other layers of your defense strategy, such as McAfee or Cisco AMP.

Don’t forget your mobile devices connecting to your network, because they have many problems of their own. Include a good mobile device management system, such as VMware’s AirWatch.

Bottom line — your employees will ultimately shoot you in the foot, either accidentally or intentionally. You can’t do anything to stop that. You can and should, however, deploy defense-in-depth strategies to protect from such events.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
