In February 2015 various news outlets reported that millions of encryption keys were stolen from Dutch computer chip producer Gemalto during breaches in 2010 by both the NSA and GCHQ. In March 2015, sources reported that Dutch computer chip producer ASML was hacked, probably by hackers in service of the Chinese government. Government espionage is a current and growing threat to both government and multinational organizations. The Netherlands is an attractive target because of its high-tech industry and its role in the European Union, the United Nations and the NATO.
Traditional information security is focused on preventing attacks by building large Chinese walls around their digital assets. However, the hacks on both Gemalto and ASML show that companies need to do more than building a digital wall around their valuable information assets. High-tech companies, universities and governmental agencies alike have to ramp up their cyber defenses to protect their information assets against these kinds of advanced persistent threats (APT). Advanced persistent threats are covert and continuous attacks, often orchestrated by foreign governments. Since APTs are usually funded by large budgets, they are very difficult to prevent. However, companies should strive to counter attackers by making it as hard (and unprofitable) as possible to get to the most valuable information assets. This means information security should consist of multiple layers, comparable with the rings of an onion. The most valuable assets are in the center, protected by a multitude of layers.
Layered defense implements security mechanisms at multiple layers in the organization.
This approach of stacking or layering security mechanisms is called layered defense. Originally conceived as a military strategy to delay the advance of an attacker by exhausting its resources, the term is used today for the concept of stacking different security mechanisms. Layered defense typically involves a combination of preventative, detective, reactive and recovery security mechanisms at different levels within the organization. When one mechanism fails, other mechanisms are in place to detect, prevent or counter an attack.
The image above shows this information security strategy. The purpose of the outer layer is to ensure proper security policies and procedures are in place. All subsequent layers follow the policies set in the outer layer. Every layer adds more depth and more concreteness to the security mechanisms, from physical security mechanisms to prevent unauthorized access to buildings or server rooms to the separation of network segments to the encryption of data. By layering different preventative, detective, reactive and recovery mechanisms, attacks that successfully defeat a security mechanism on one layer are countered by security mechanisms on the other layers.
Cyber-attacks are difficult (if not impossible) to stop completely. The former director of the NSA even said that almost every US company has been hacked at one time or another. This means a paradigm shift is taking place. Instead of focusing on preventing cyber-attacks, companies should accept the fact that they cannot stop every attack. Rather, their focus should shift towards making it as hard and as unprofitable as possible for an attacker to get to critical systems and valuable information assets. A layered defense can help companies achieve this goal. By layering security mechanisms that counter a wide range of risks to information security, the chance of unauthorized access to critical information assets is reduced greatly.