It is a "best practices" strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy recommends a balance between the protection capability and cost, performance, and operational considerations." [National Security Agency]
Fahey (2004) graduated from the SANS GSEC course and uses their systematic approach to addressing risk through defense in depth. The SANS approach promulgates an efficient and cost effective methodology for improving security. The organization for which he works already had a number of policies, each designed to address a multi-layered approach to IT security such as operations security, physical security and contingency and disaster recovery. Furthermore external security personnel routinely came to the organization to perform security audits. He was concerned that one area which had not been addressed was:
"a systematic procedure designed to protect against electronic attacks from hackers. This was due in part to the false sense of security which comes from being behind a firewall and partly from a lack of experience in the information security field." (Fahey, 2004, p3)
In putting together a Defense in Depth security policy one must consider the characteristics of one's adversary, the motivation behind an attack and the class of attack. An adversary may be anyone from a competitor to a hacker. They may be motivated by theft of intellectual property, denial of service or simply pride in bringing down a target. Classes of attack include passive or active monitoring of communications, identity theft or close-in attacks. Besides deliberate attacks there may also be inadvertent attacks on the system, such as fire, flood, power outages - and most frequently - user error.
Information Assurance is achieved when information and information systems are protected against such attacks through the application of security services such as:
Availability, Integrity, Authentication, Confidentiality, and Non-Repudiation. The application of these services should be based on the Protect, Detect, and React paradigm. This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these attacks. No system is perfectly secure, and it has been argued that no system needs to be. To achieve Information Assurance focus must be balanced on three elements: People, Technology and Operations.
"Security goals have their own contradictions because confidentiality, integrity, privacy, accountability, and recovery often conflict fundamentally. For example, accountability requires a strong audit trail and end-user authentication, which conflicts with privacy needs for user anonymity." (Sandhu 2004, page 3)
Fahey's methodology for evaluating risk used the confidentiality, integrity, and availability (CIA) approach which emphasizes the importance to the organization of a particular information asset. This approach focuses budget managers on the real threats to reputation and therefore the business' ability to survive against its competitors.
Fahey focuses on 3 security risks in his article: passwords, policies and patches. Fahey's risk assessment relies heavily on SANS assessment of the top 20 risks for networks in 2003/4. This brings to light the