From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Fri May 10 2002 - 21:05:27 EDT
On Thursday, May 9, 2002, at 03:47 pm, Ray Parks wrote:
> Just remember this aphorism - Depth without Breadth is useless.
> We engaged in a series of experiments within the DARPA IA program in
> which we proved that Defense in Depth is an over-rated concept. Layered
> defenses can actually be weaker than single defenses because
> administrators/developers think that another layer is providing the
> defense they are ignoring. The results of these experiments were
> recorded in a paper, unfortunately I don't have a cite at this time.
> Bottom line - we were able to get through layers of defense in depth
> because we could attack each layer in a different way. This allowed
> attacks to woogle through to the goal despite multiple layers of
> defense.
>
I have seen similar studies long ago relating to alarm monitoring.
Items being monitored by multiple people had worse response times than
items monitored by a single person! It turned out that people would
frequently be lax and assume that someone else was handling it.

I have also seen this scenario in help desk or message queues. Some
ringing phones or e-mails would remain unanswered for days because
everybody was answering other items and assumed the missed item would be
caught by somebody else somewhere.
--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:28:08 EDT