Learning Library

← Back to Library

Defense-in-Depth Cybersecurity Fundamentals

17m • Unknown Channel • security • tutorial • beginner • Watch on YouTube ↗

Key Points

The series introduces cybersecurity architecture by first covering fundamental principles that should underpin every security effort and then exploring specific domains for identifying vulnerabilities and implementing best practices.
It is based on a 400‑level enterprise security architecture course taught by an adjunct professor at NC State University, offering informal video instruction without homework or exams.
One core principle emphasized is “defense in depth,” which uses multiple, layered security controls—like walls, moats, and drawbridges in a castle analogy—to avoid reliance on a single mechanism.
A modern application of defense in depth includes adding multifactor authentication for user verification and deploying mobile/device management tools to enforce security policies across workstations, networks, and servers.
The presenter promises to reveal a critical security practice to avoid (“one that you never should do”) later in the series.

Sections

Full Transcript

# Defense-in-Depth Cybersecurity Fundamentals **Source:** [https://www.youtube.com/watch?v=jq_LZ1RFPfU](https://www.youtube.com/watch?v=jq_LZ1RFPfU) **Duration:** 00:17:30 ## Summary - The series introduces cybersecurity architecture by first covering fundamental principles that should underpin every security effort and then exploring specific domains for identifying vulnerabilities and implementing best practices. - It is based on a 400‑level enterprise security architecture course taught by an adjunct professor at NC State University, offering informal video instruction without homework or exams. - One core principle emphasized is “defense in depth,” which uses multiple, layered security controls—like walls, moats, and drawbridges in a castle analogy—to avoid reliance on a single mechanism. - A modern application of defense in depth includes adding multifactor authentication for user verification and deploying mobile/device management tools to enforce security policies across workstations, networks, and servers. - The presenter promises to reveal a critical security practice to avoid (“one that you never should do”) later in the series. ## Sections - [00:00:00](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=0s) **Intro to Cybersecurity Architecture Series** - An adjunct professor introduces a video series on cybersecurity architecture, outlining fundamental principles—including defense‑in‑depth—and previewing the course’s focus on identifying vulnerabilities and best‑practice defenses. - [00:03:08](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=188s) **Layered Security and Least Privilege** - The speaker outlines a defense‑in‑depth strategy—using EDR, firewalls, vulnerability testing, encryption, and strict access controls—to eliminate single points of failure while emphasizing the principle of least privilege for limiting user rights. - [00:06:13](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=373s) **Preventing Privilege Creep and Default Password Risks** - The speaker urges replacing default passwords and implementing regular access recertifications to avoid privilege creep and uphold the principle of least privilege. - [00:09:20](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=560s) **Separation of Duties & Security by Design** - The speaker stresses that requesters cannot also be approvers to prevent collusion and advocates embedding security from the initial design phase throughout the development lifecycle rather than adding it later. - [00:12:28](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=748s) **Overcomplicated Security Fuels Workarounds** - When security measures are made more difficult than the desired behavior—such as excessively complex password rules—legitimate users tend to bypass them, highlighting the need for security that is both effective and simple. - [00:15:32](https://www.youtube.com/watch?v=jq_LZ1RFPfU&t=932s) **Avoid Proprietary Black-Box Crypto** - The speaker warns against secret encryption schemes, insisting that only publicly vetted algorithms with secret keys (glass‑box security) provide true protection. ## Full Transcript

0:00With the rise of cyberattacks and data breaches, 0:02it's never been more important to make sure that your organization is protected against hackers. 0:08This series is about cybersecurity architecture, and we're going to talk about two different areas. 0:14Fundamentals, where we're going to go through and discover what some of the principles of cybersecurity are 0:20that need to be applied to everything that you do. 0:23And then the second part is on various cybersecurity domains. 0:27Here we're going to explore how to identify vulnerabilities, implement best practices, 0:33and defend against a wide range of cyber threats through an all encompassing cybersecurity architecture. 0:40By the way, I'm an adjunct professor at NC State University. And there I teach a 400 level course on enterprise security architecture. 0:49This video series is based upon that course. 0:53The bad news is you won't get college credit for watching these videos. 0:57The good news is no homework and no exams. 1:00So yay. 1:02All right, let's get started with cybersecurity fundamentals. 1:06All right, we want to start with five security principles that you absolutely should do and one that you never should do. 1:13So stay tuned to the end to find out what that one is. 1:15The first one we're going to talk about is this notion of "defense in depth". 1:19Defense in depth is trying to create an obstacle course, a difficulty for the bad guy. 1:24So if we take a look at an old security model, the castle. 1:28Well, the castle was designed with thick, tall walls to keep the good guys on the inside, the bad guys on the outside. 1:35And it worked pretty well until you realized the good guys sometimes needed to come out. 1:39And therefore, we needed to put a door on this thing. 1:42Well, the door then became a vulnerability. 1:45And so we we would try to reinforce it. 1:47And then maybe put a moat around the whole thing, because that made it even harder. 1:53And then the door with a drawbridge. 1:55So now we've got a moat, which is harder to cross. 1:59We've got the thick, tall walls. 2:01And maybe we even had in an angry dog here on this side. 2:04Something to give a system of security mechanisms, 2:08because defense in depth is all about not relying on any single security mechanism to keep the system safe. 2:15Now, let's move and transition into a modern security example. 2:19Here, we've got a user who is on a workstation who's going to go across a network to get to a web server, 2:25which is going to hit an app server, which is ultimately going to hit a database. 2:29Now, what would we do for defense in depth in this example? 2:33Well, one thing I might do here is I might add multifactor authentication (MFA). 2:38That is a system where I make sure that this user is who they are because I'm asking them for something they have, 2:44something they are, something they know--some combination of those kinds of things. 2:48Now, how about over here? 2:50I might do if it's a mobile device or an endpoint of some sort--mobile device management (MDM), endpoint device management software 2:57that makes sure that the security policy that we have set for the organization is in fact followed 3:03on this device-- it's got the right patches, it's got a password that's of sufficient length and things like that. 3:09We might also add something like an EDR, which is sort of a next generation antivirus. 3:14An endpoint detection and response capability to make sure that this platform is secure. 3:19Then from a network standpoint, well, I'm going to add in firewalls to keep the web server secure from the outside 3:26and also allow only traffic that I choose to allow to get back to these more sensitive zones. 3:33And then for the app server and the web server, I might do some testing, 3:37some vulnerability testing on those, so that I make sure that those systems are not vulnerable to attack. 3:44And then ultimately, I'm going to take the data back here and I'm going to encrypt it. 3:48Lock it up, put access controls around it. 3:51So you can see what I've done here, is there's no single security mechanism that is protecting this thing. 3:57If any one of these fails, the rest of the system still works. 4:01And that's the idea that we're after here. 4:03So if you think about it this way: we've got no single point of failure. 4:08We're trying to avoid single points of failure. 4:11And we want a system that ultimately, if it fails, it fails safe. 4:15That's what we're trying to get. 4:16And that's what the old model and the new model of security were designed to do. 4:21The second principle we're going to review is the "principle of least privilege". 4:25Principle of least privilege basically says I'm only going to give access rights to people that need that-- 4:31that are authorized and needed in order to do their job and can justify it, and for only as long as they need that access right. 4:39For instance, in this example, I've got three users. 4:42This guy does not really have a business need, so we don't give it to him. 4:47The other guys get the access right. 4:48They can prove their need. 4:50And the other thing is, even for these guys, the clock is ticking. 4:53I'm not going to give them this access right in perpetuity, forever. 4:57We're going to constantly be going back and making sure that they still need that capability. 5:03If they don't, we're going to remove it from them as well. 5:06Now, another notion in the principle of least privilege is hardening a system. 5:10Let's say we've got a web server like this and the web server out of the box-- 5:14default configuration--is that it runs a HTTP, of course, because we need that in order to do web traffic. 5:20But let's say it also turns on an FTP service 5:23and SSH service so that I can log in remotely. 5:27Well, there's some things that I might look at and say, "Okay, do I really need this FTP server?" 5:32If it turns out I'm not going to use it, I should remove that service entirely. 5:37In the SSH, if I'm not planning to use it, remove it entirely. 5:41Because every single one of these services is potentially expanding our attack surface and making us more vulnerable. 5:49Another example of hardening is to remove all of the unnecessary IDs 5:54that are on the system and change the names of the IDs that we do keep from their default. 5:59So, for instance, if the administrator ID on this system--out of the box as it's configured--is admin, let's change that. 6:07Let's make it something more specific. 6:10And I'll name it after me, or give it some other name. 6:13Change all the default passwords. 6:15We don't want this thing in just a vanilla configuration because the bad guys will know what that is and they'll know how to break in. 6:22Now another example is this idea of privilege creep. 6:25Let me illustrate that. 6:27Let's say there's two people that work for the company, and each one of these are access rights that they have. 6:32So this guy is able to do these things. 6:34He can do the same things because they perform essentially the same role. 6:38Now, this guy gets a promotion and a new job and new responsibilities. 6:43Well, he goes to the administrator and says, "Okay, now I'm doing my new job. 6:46I need you to add to my capabilities. 6:49And these are the things I need." The administrator gives him those and then also says, "You know what? 6:55Just in case, I think you're going to probably need this. 6:58Let me give you that as well. 6:59That way you won't have to come back and ask again." 7:02Or, come back and bother me, is what he really means. 7:05The problem with this is, just-in-case is just the opposite of principle of least privilege. 7:10In fact, what we should be doing is running an annual recertification campaign. 7:16At least annual. 7:17Some organizations do it more frequently than that. 7:20And in re-cert, I go back and look at all of my users and all of their access rights and make sure they still have a justified need. 7:26So this person is still doing the same job, still needs all of that. 7:29Great, they keep it. 7:31This guy, though, no longer needs this capability because his new job doesn't require it. 7:35So we're taking it away. 7:37And this thing that he got just in case, we're taking that away, too. 7:41So what we're trying to do with the principle of least privilege is to give only the access rights you need for as long as you need them. 7:48Hardened systems. 7:49We're going to eliminate privilege creep, and we're going to eliminate the just-in-case principle. 7:56Our third principle to keep in mind with cybersecurity is this notion of separation of duties. 8:02That is, we won't have any single point of control. 8:07In fact, what we're trying to do is force collusion by two bad actors-- or more than two bad actors --in order to compromise the system. 8:15But no single person can create the compromise. 8:19So, an example, in the physical world, would be if I had two people here and I've got a door with two locks on it. 8:26And this guy has a key to this lock and this guy has a key to this lock. 8:32And what it is, is now, if he uses his key to open the door, he still can't open the door. 8:38He can't open the door alone. 8:40But the two of them together, cooperating, can in fact, open the door. 8:45So there's no single point of control. 8:47Therefore, we have a separation of duties. 8:51Now, taking a look at another example here, let's say in an IT case, here's a requester. 8:56And this user wants access to this database. 8:59So he's going to ask for that. 9:01He's going to send in his request. 9:02But then there's an approver who's going to have to take action on it and say yes or no based upon whether we think they should have it or not. 9:09Then if they get the approval, then they're given the action that they want. 9:14Whatever it is, the funds transfer, the access to the database, the package delivered, whatever it happens to be. 9:21But notice the point here. 9:22This person, the requester, is not the same as the approver. 9:27They cannot be the same person. 9:29Because if it was, if I could request and approve my own request, then there is no separation of duties. 9:35So again, what we're trying to do with this is create a necessary case for collusion, 9:40which is hard to do because it's hard for lots of people to work together and keep a good secret. 9:45And what we're trying to avoid is this single point of control. 9:51The fourth security principle that we're going to talk about is secure by design. 9:56In other words, it shouldn't be an afterthought that we put security in. 10:00Think of it this way: If you were designing a building in an earthquake zone, you want to make this building able to stand the pressure. 10:07So, you don't go build the building, and then after it's all done, go back and say, "Now let's make it earthquake-proof". 10:14No, you want to do that from start-to-finish, all the way from design through completion. 10:20So let's take a look at an IT example. 10:22So when we have a project, we will tend to start off with requirements stage. 10:27We'll go then into design, we will code the thing, 10:31then we'll install whatever it is that we've written, then we'll test it out and then we'll promote it to production. 10:38And then, in theory, we should feed that loop back and continue the continuous development process that way. 10:45Well, what we don't want to do, is what too many people do in these cases, 10:49and they wait until really about this phase to do security--once it's already out there. 10:55Security can't just be a bolt-on that you do at the end. 10:59In fact, it needs to be something that we're doing throughout, pervasively. 11:03We look at the security aspects of the requirements. 11:06We build security into the design. 11:08We are thinking about secure coding principles all along the path. 11:13When we install, we do it on a secure system. 11:16We're testing and and guarding that test data. 11:19And then in production, obviously, we keep testing. 11:21So security is something we do throughout, but it doesn't begin here. 11:26It begins in these phases. 11:28That's what we're really looking for here. 11:30Now, if you think about another example, let's say: Whose job is security? 11:35Well, it's really everyone here. 11:36We have a designer, an administrator and a user. 11:39So really, all of them are responsible for security in one way or another. 11:44But who does the job begin with? 11:47Well, it begins with this guy right here. 11:49We need to make sure that he is designing security in. 11:53In other words, what we're trying to do is make security start to finish. 11:57And we want "secure by design", means it's secure out of the box. 12:02That's the way we'd like it to be. 12:03Now, sometimes we're going to have to do some configuration changes to make it more secure. 12:07But this is the goal that we're trying to shoot for--secure by design, secure out of the box. 12:15Our fifth security principle is the "K.I.S.S. principle". 12:18It stands for "Keep It Simple, Stupid". 12:21In other words, we don't want to make it harder than necessary because that will make it easier for the bad guys and harder for the good guys. 12:29To give you an example: we're trying to create some level of complexity so that it's not easy for the bad guy to get in. 12:35But a lot of times the security department will create this complex maze of things that the good guys essentially have to go through. 12:42And what happens in that case is, I start in here, okay, I log in. 12:47Now, I have to traverse and eventually I'm like, "Oh, I'm at a dead end". 12:53Okay, maybe let's try this again. 12:54You know what? 12:55It's too much trouble to do what the security department has asked me to do. 13:00I'm just going to subvert this, and I'm going to end up doing it that way, which is, of course, not what we're after. 13:06So the lesson here is, if we make it harder to do the right thing than it is to do the wrong thing, people are going to do the wrong thing. 13:14So we need to be able to make the system secure, but also as simple as possible. 13:18So keep it simple, stupid. 13:20Here's an example of how we do this in security departments, for real. 13:24We'll come up with password rules. 13:26So we'll say this is your password and it equals this. 13:31And it's this because we created a complex set of rules that say you have to start with an uppercase, 13:36then you follow with a lowercase, then you need a special character, then you need to throw in some numbers, 13:42and then you have to have some mixture of upper and lower case and special characters and all this kind of stuff. And it has to be really long. 13:48And by the way, we need lots of these. 13:50You're going to have a different one on every system, and I'm going to make you change it on a frequent basis. 13:55That's this-- that's what the user sees --is a complex maze, and they're going to find a way to do this. 14:02And what they're going to do is find one password and write it down 14:05and set all their systems equal to the same thing, which is again, not what we were after. 14:10So what we want to do is understand complexity is the enemy of security. 14:17So we want to make the system just complex enough to keep the bad guys out, 14:21but not so complex that it's hard for the good guys to do what they need to do. 14:25For instance, you might have noticed, well, what about Defense in Depth, which I talked about up here? 14:30There might be some conflict in that because there we're trying to set 14:33a system of security mechanisms in place to put an obstacle course for the bad guy. 14:38We want that obstacle course to be for the bad guy, not for the good guy. 14:44All right, now we've gone over five security principles that you should always observe. 14:49And now the big reveal, the security principle you should never observe, and that is security by obscurity. 14:55That is, relying on some sort of secret knowledge in order to make the system safe. 15:01It turns out that secrecy and security are not the same thing. 15:06In fact, what we want is a system that is open and observable. 15:10And this guy called Kerckhoff came up with what's now known as Kerckhoff's Principle, which basically describes that. 15:17He was specifically talking about a crypto system. 15:20And he said basically, a crypto system should be secure if you know every single thing about it except for the key. 15:27In other words, the key is the only secret in the whole system. 15:30Now, why would this be an issue? 15:32Well, it turns out a lot of people and you should whenever you hear this, you should run and not walk, 15:38but run away when you hear somebody say, "I've invented a crypto system that's proprietary and it will take your clear text, 15:45you feed it into my algorithm along with a key, and then it will produce from clear text to ciphertext". 15:53Okay, great. 15:54The problem is this is a black box. 15:57I can't see how it's working. 15:59And if the individual says it's unbreakable, I've been hacking at it for weeks, months, years. 16:06All that means is the inventor couldn't find a way to break it. 16:10But that's not the same thing as the whole world, given access, would, in fact, break this. 16:15And, in fact, given time, they will. 16:17Even if it is a black box. 16:19History has shown that to be the case. 16:21So what we want is not black box security, we want glass box security. 16:27So in this case, what we have is the clear text, goes into a crypto algorithm, which we understand, it's been published. 16:35In fact, if you look at the good crypto algorithms that we rely on today, it's things like, AES, the Advanced Encryption Standard and RSA. 16:45These are algorithms that everyone that wants to know how they work can look it up and see. 16:51And the secrecy, therefore, the security doesn't come from some secret knowledge of how this thing works. 16:57It's able to produce ciphertext from clear text without having to keep this part secret. 17:04The only secret is the key. 17:06And that's what we want. 17:07We do the same kind of things when we talk about secure operating systems or secure applications or things like that. 17:16As long as the security is based on secrecy, it's not really something that we can rely on. 17:22Thanks for watching! 17:23Before you leave, don't forget to hit subscribe. That way you won't miss the next installment of the cybersecurity architecture series.