Layered security, sometimes called defense in depth, is a security strategy that involves multiple, overlapping and complementary protections to help ensure the safety and security of critical systems and data. For example, to protect from external threats, you might have layers of security working from the outside in, including external firewalls, intrusion prevention systems, a demilitarized zone, reverse proxies, internal firewalls, system hardening, antivirus software, and host-based intrusion prevention agents. But your security should not stop at that point, nor should it depend only upon technology.
Systems are deployed by people, configured by people, administered by people, updated by people, and used by people. How many times can those people do something wrong? How many ways can someone accidentally forget to do something; decide to put something off until later; configure an option to favor convenience over security? How many times has someone accidentally clicked something, opened something, downloaded something, run something?
People are people, and we are fallible. We make mistakes. We take the easy way out. And if we don’t have good training, an understanding of the reasons behind some rule or procedure, a checklist to follow to ensure nothing gets missed, then we are far more likely to make a mistake that leaves a system open to exploitation.
You can audit your firewalls, run vulnerability assessments against your systems, and tune your IPS until the moon turns blue, but if you are not actively investing in the training and education of your users then you are missing a key component of your layered defense…the people.
It’s critically important to ensure that every single employee who will access a computer system is familiar with and understands not only the acceptable use policy, but also the reasons behind things like “don’t download files” and “run antivirus” and “don’t visit bad websites.” People are notorious for disobeying or ignoring rules if they don’t understand the reasons behind those rules. Sysadmins should be able to do their jobs. Yes, their jobs include securing systems, but you should take a look at your policies to ensure that they are doing what they are meant to do…securing systems, without being so onerous as to be bypassed or so misguided as to make matters worse.
Here’s an example from a colleague. He was working with a customer whose servers are not allowed to access the Internet, ever. If there is a remote system that a server must access, they will permit that through the firewall (after a bunch of paperwork and reviews), but if it is not critical for the function of the application, don’t even bother to ask. This leads to two things that are actually less secure. The first is that no server can connect to an OCSP or CRL publishing endpoint to validate certificates. So any encrypted traffic or signed binaries are just blindly trusted without verifying that the certificate is legitimate. The second is that no sysadmin can download anything to the server, either to install the application or to patch it. Everything has to be downloaded onto another machine, copied to USB, and then physically transferred over. This includes patches and antivirus updates. How likely is it that a server is missing a patch, has out-of-date antivirus definitions, or gets malware from a USB key? Once the server is approved for production it can be patched by the central system and pull antivirus definitions from the central system, but it’s on the network and able to connect to other systems before then. How likely is it that some piece of malware will get on the server pre-production and then try to spread throughout the internal network? I’d say very likely, and this company’s security policies are flawed, as they leave tons of room for the sysadmins to make a mistake.
Train your users, both sysadmins and end users. Ensure that they know the rules, understand the reasons behind the rules, and can get their jobs done without having to bypass the rules. Make your users both the first and the last line of defense, empower them to actively contribute to the defense of your network, and ensure they are working with you to support security, not working against you because that’s the only way they can do their jobs.