Security by Design : the 3 Main Principles
Principle n°1: Minimise the attack surface

The attack surface represents all the entry and communication points that an information system exposes to the outside. It can relate to software (OS, libraries, read/write access), to the network (open ports, active IP addresses, network flows, protocols in use), to people (phishing, social engineering) or to physical intrusion (such as entering the building). An information system with a wide attack surface is more vulnerable to attacks, because filtering and control measures are more complex to set up and to organise. Once all entry points on the attack surface have been identified, advanced monitoring and protection tools need to be implemented. For very exposed systems, it is advised to perform regular security analyses. Amongst the possible ways to reduce an operating system's attack surface, hardening is a well-known but too rarely applied principle. It involves analysing the components that are not used, or little used, on the system, and closing the corresponding services and ports so as to limit the possibilities of remote interaction with the system. This principle has been applied in the design of our APT detection probes.
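The hardening review described above starts from an inventory of what the host actually exposes. The following script is an added example (not code from the original page or from the probe vendor): it parses listening-socket lines in the format printed by `ss -H -tlnp`, compares them with an allowlist of services that are meant to be reachable from the network, and reports everything else. The socket lines, the allowlist (port 22 for sshd, port 80 for nginx) and the process names are constructed sample data; loopback-bound listeners are reported separately because they do not enlarge the remote attack surface.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `ss -H -tlnp` prints on a host (not output from any real system).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1200,fd=5))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1500,fd=6))
LISTEN 0 50 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1700,fd=6))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=600,fd=4))
"""

# Hypothetical allowlist: port -> process that is *meant* to be reachable from the network.
ALLOWED_EXPOSURE = {22: "sshd", 80: "nginx"}

# Addresses that only accept connections from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One `ss` line: state, recv-q, send-q, local addr:port, peer addr:port, users:(("proc",...))
_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        return self.address in LOOPBACK


def parse_ss(text: str) -> list:
    """Turn `ss -H -tlnp` style output into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            listeners.append(Listener(match["addr"], int(match["port"]), match["proc"]))
    return listeners


def audit_exposure(listeners, allowed) -> dict:
    """Classify each listener as approved network exposure, local-only, or unexpected.

    A port is approved only when both the port *and* the process match the allowlist,
    so a different binary squatting on an allowed port is still reported.
    """
    report = {"approved": [], "local_only": [], "unexpected": []}
    for listener in listeners:
        if listener.loopback_only:
            report["local_only"].append(listener)
        elif allowed.get(listener.port) == listener.process:
            report["approved"].append(listener)
        else:
            report["unexpected"].append(listener)
    return report


if __name__ == "__main__":
    report = audit_exposure(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED_EXPOSURE)
    for category, found in report.items():
        print(f"{category}:")
        for listener in found:
            print(f"  {listener.address}:{listener.port}  ({listener.process})")
```

On a real host the input would come from `ss -H -tlnp` (UDP sockets need a second pass with `-u`); every entry in the "unexpected" bucket is a candidate for stopping the service, binding it to loopback, or adding it to the allowlist with a documented reason.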
Principle n°2: Least privilege

According to the French Cybersecurity Agency (ANSSI), this principle specifies that an administrator only has access to the administration zones for which he has an operational need, with no technical possibility of accessing another zone. In the specific case of the highest-privilege rights on the directory, only the information system administrator can access them. This principle is inseparable from security by design. A clear distribution of the allocated tasks, roles and rights ensures that the environment is partitioned. Once the least-privilege principle is implemented, it is more difficult to compromise a subsection of the environment because its attack surface is significantly reduced, and even if a subsection is compromised, the attack will only have limited consequences. Applying this principle from the design stage goes hand in hand with the idea of role partitioning:
- Operator: alert consultation, IOC research, forensics.
- System administrator: role creation, rights management, probe and appliance setup.
- Local administrator: alert and system log consultation, feedback activation/disabling.
- Auditor: alert consultation, probe log consultation.
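The role partition above can be checked mechanically. The following is an added example (not code from the original page or from the probe product): it transcribes the four roles and their duties into a permission matrix, implements a default-deny authorisation check, and verifies the partitioning property that only the system administrator role may create roles or manage rights. The role and action identifiers (`operator`, `Action.MANAGE_RIGHTS`, and so on) are names chosen for this example, not identifiers from any real product.

```python
from enum import Enum


class Action(Enum):
    VIEW_ALERTS = "consult alerts"
    SEARCH_IOC = "research IOCs"
    FORENSICS = "run forensics"
    CREATE_ROLES = "create roles"
    MANAGE_RIGHTS = "manage rights"
    SETUP_PROBES = "set up probes and appliances"
    VIEW_SYSTEM_LOGS = "consult system logs"
    TOGGLE_FEEDBACK = "enable/disable feedback"
    VIEW_PROBE_LOGS = "consult probe logs"


# Role -> permitted actions, transcribed from the role partition in the text.
ROLE_PERMISSIONS = {
    "operator": {Action.VIEW_ALERTS, Action.SEARCH_IOC, Action.FORENSICS},
    "system_administrator": {Action.CREATE_ROLES, Action.MANAGE_RIGHTS, Action.SETUP_PROBES},
    "local_administrator": {Action.VIEW_ALERTS, Action.VIEW_SYSTEM_LOGS, Action.TOGGLE_FEEDBACK},
    "auditor": {Action.VIEW_ALERTS, Action.VIEW_PROBE_LOGS},
}

# Actions that change who may do what; the partition only holds if a single role owns them.
ADMINISTRATIVE_ACTIONS = {Action.CREATE_ROLES, Action.MANAGE_RIGHTS}


def authorize(roles, action, permissions=ROLE_PERMISSIONS) -> bool:
    """Default deny: allowed only if one of the caller's roles explicitly grants the action.

    Unknown roles raise instead of silently granting nothing, so a typo in a role
    assignment is caught at the first access rather than hidden as a denial.
    """
    unknown = set(roles) - set(permissions)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    return any(action in permissions[role] for role in roles)


def roles_granting(action, permissions=ROLE_PERMISSIONS) -> list:
    """Which roles can perform a given action (useful when reviewing who can reach what)."""
    return sorted(role for role, perms in permissions.items() if action in perms)


def check_separation(permissions=ROLE_PERMISSIONS, admin_role="system_administrator") -> list:
    """Return a violation message for every non-admin role that holds an administrative action.

    An empty list means the matrix respects the partition: rights management is
    confined to the one role that is supposed to hold it.
    """
    violations = []
    for role, perms in permissions.items():
        leaked = perms & ADMINISTRATIVE_ACTIONS
        if role != admin_role and leaked:
            names = ", ".join(sorted(a.value for a in leaked))
            violations.append(f"{role} holds administrative action(s): {names}")
    return violations


if __name__ == "__main__":
    print("operator may search IOCs:", authorize(["operator"], Action.SEARCH_IOC))
    print("operator may manage rights:", authorize(["operator"], Action.MANAGE_RIGHTS))
    print("roles that see alerts:", roles_granting(Action.VIEW_ALERTS))
    print("separation violations:", check_separation() or "none")
```

Running `check_separation` against the permission matrix as part of a deployment or configuration test makes an accidental rights grant (for instance giving the operator role rights management "temporarily") fail the build instead of surviving unnoticed.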
Principle n°3: Defence in depth

The expression "defence in depth" comes from a military technique whose purpose is to delay the enemy. Defence in depth consists in combining several security techniques in order to reduce the risk when one component is compromised or defective. Rather than relying on a single element for security, threats must be opposed and countered with coordinated but independent lines of defence. Like a gate, each line of defence must be monitored, protected and covered by a reaction plan in case of incident. To set up this defence in depth, we recommend the following steps:
- Determine the security goals in order to build a defence in depth strategy,
- Design the organisation and general architecture of the system in order to define the control and evaluation points,
- Draw up the defence policy,
- Qualify the system against the defence in depth criteria,
- Evaluate the defence, permanently and periodically, against attack methods and feedback (control and audit).
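The "independent lines of defence" idea from the paragraph above can be made measurable. The following is an added example (not code from the original page): three small controls, a network filter, authentication and input validation, are modelled as independent gates that are all evaluated (never short-circuited, so each gate can be monitored), and two helpers answer the questions a defence-in-depth review asks: how many layers would stop a given hostile request, and which hostile requests are stopped by only one layer, that is, where a single compromised or defective control lets them through. The trusted network range, tokens, path pattern and sample requests are constructed for the example.

```python
import ipaddress
import re

# Constructed trust boundaries for the example (not from any real deployment).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
VALID_TOKENS = {"tok-operator-1", "tok-auditor-2"}
SAFE_PATH = re.compile(r"^/api/[a-z0-9/_-]+$")


def network_filter(req) -> bool:
    """Outer gate: only sources inside the internal networks may reach the service."""
    source = ipaddress.ip_address(req["source_ip"])
    return any(source in net for net in INTERNAL_NETWORKS)


def authentication(req) -> bool:
    """Middle gate: the caller must present a known token."""
    return req.get("token") in VALID_TOKENS


def input_validation(req) -> bool:
    """Inner gate: the requested path must match the strict allowlist pattern."""
    return SAFE_PATH.match(req["path"]) is not None


# Independent defence lines, outermost first.
LAYERS = [
    ("network filter", network_filter),
    ("authentication", authentication),
    ("input validation", input_validation),
]


def evaluate(req, layers=LAYERS, failed=frozenset()):
    """Run every layer and return (allowed, names_of_layers_that_blocked).

    Layers named in `failed` simulate a compromised or defective control that
    lets everything through, which is exactly the situation defence in depth
    is meant to survive.
    """
    blocking = [name for name, check in layers if name not in failed and not check(req)]
    return (not blocking, blocking)


def depth(req, layers=LAYERS) -> int:
    """Number of independent layers that would each stop this request on their own."""
    return len(evaluate(req, layers)[1])


def single_points_of_failure(requests, layers=LAYERS) -> dict:
    """Requests stopped by exactly one layer, mapped to that layer.

    Every entry is a place where the failure of one control turns into a breach;
    the review should add a second, independent control or accept the risk explicitly.
    """
    spof = {}
    for req_id, req in requests.items():
        _, blocking = evaluate(req, layers)
        if len(blocking) == 1:
            spof[req_id] = blocking[0]
    return spof


# Constructed sample traffic: one legitimate request and three that should be refused.
SAMPLE_REQUESTS = {
    "legit": {"source_ip": "10.0.0.5", "token": "tok-operator-1", "path": "/api/alerts"},
    "external_valid_token": {"source_ip": "203.0.113.7", "token": "tok-operator-1", "path": "/api/alerts"},
    "external_no_token_bad_path": {"source_ip": "203.0.113.7", "token": "", "path": "/api/alerts;x"},
    "insider_bad_path": {"source_ip": "10.0.0.5", "token": "tok-operator-1", "path": "/api/alerts?x"},
}


if __name__ == "__main__":
    for req_id, req in SAMPLE_REQUESTS.items():
        allowed, blocking = evaluate(req)
        print(f"{req_id}: allowed={allowed} depth={len(blocking)} blocked_by={blocking}")
    print("single points of failure:", single_points_of_failure(SAMPLE_REQUESTS))
```

Evaluating all gates rather than stopping at the first refusal costs a little work per request, but it is what makes each line "monitored": a request that the network filter should have dropped yet still reaches authentication is itself a signal that the outer control has failed, and that signal is what the reaction plan for that gate is built on.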