Election Security Spotlight – Defense in Depth (DiD)

What it is:

Defense in Depth (DiD) refers to an information security approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity, and availability of the network and the data within. While no individual mitigation can stop all cyber threats, together they provide mitigations against a wide variety of threats while incorporating redundancy in the event one mechanism fails. When successful, this approach significantly bolsters network security against many attack vectors. An effective DiD strategy may include these (and other) security best practices, tools, and policies.

  • Firewalls are software or hardware appliances that control network traffic through access or deny policies or rules. These rules include black or whitelisting IP addresses, MAC addresses, and ports. There are also application-specific firewalls, such as Web Application Firewalls (WAF) and secure email gateways that focus on detecting malicious activity directed at a particular application.
  • Intrusion Prevention or Detection Systems (IDS/IPS) – an IDS sends an alert when malicious network traffic is detected (e.g., Albert Network Monitoring), whereas an IPS attempts to prevent and alert on identified malicious activity on the network or a user’s workstation. These solutions base recognition of attacks on signatures of known malicious network activity.
  • Endpoint Detection and Response (EDR) software or agents reside on the client system (e.g. a user’s laptop or mobile phone) and provide antivirus protection, alert, detection, analysis, threat triage, and threat intelligence capabilities. These solutions run on rulesets (i.e. signatures or firewall rules) or heuristics (i.e. detection of anomalous or malicious behaviors).
  • Network Segmentation is the practice of splitting a network into multiple sub-networks designed around business needs. For example, this often includes having sub-networks for executives, finance, operations, and human resources. Depending on the level of security required, these networks may not be able to communicate directly. Segmentation is often accomplished through the use of network switches or firewall rules.
  • The Principle of Least Privilege requires policy and technical controls to only assign users, systems, and processes access to resources (networks, systems, and files) that are absolutely necessary to perform their assigned function.
  • Strong Passwords are a critical authentication mechanism in information security. Modern password guidance involves using multifactor authentication for any account of value, using a phrase with multiple words, and not reusing passwords.
  • Patch Management is the process of applying updates to an operating system, software, hardware, or plugin. Often, these patches address identified vulnerabilities that could allow CTAs unauthorized access to information systems or networks.

Why does it matter:

There is no silver bullet in cybersecurity, however, a DiD strategy ensures network security is redundant, preventing any single point of failure. DiD strategy significantly increases the time and complexity required to successfully compromise a network, which further drains the resources of engaged cyber threat actors and increases the chances that an active attack is identified and mitigated before completion.
A DiD approach is routinely practiced in physical security when trying to protect valuable equipment or other material assets. For example, election offices often have a chain of custody logs, security cameras, and locks within the physical elections environment to protect elections equipment and associated infrastructure. In the banking world, security cameras, ballistic glass, and vaults are used to protect assets and personnel.

What you can do:

Implementing DiD can be a resource-intensive undertaking. As such, election offices should follow a risk-based approach to evaluate existing network environments and ensure key sensitive assets are protected using this security strategy and the security best practices, tools, and policies described above.

Center for Internet Security (CIS) and EI-ISAC resources are designed with DiD concepts in mind. Election offices are encouraged to work with their information technology staff to implement the best practices found in the CIS Handbook for Elections Infrastructure SecurityGuide for Ensuring Security in Election Technology Procurements, and Security Best Practices for Non-Voting Election Technology. Additionally, election offices are encouraged to enroll in the EI-ISAC indicator sharing program and review the recent EI-ISAC Blog Post “I Joined the EI-ISAC® – Now What?” This will ensure election offices ingest the most up-to-date indicators into their security devices and leverage other actionable EI-ISAC services as they develop their DiD strategy.