Read some concepts lately that I wanted to remind myself about, and don’t really want to bother figuring out where I first saw them.
Time-to-penetrate. Locks are rated by how long they take to fall to an expert. How long will your network/security last? To drive-by scripts/kids/worms? To experts?
Increasing attacker’s costs. I read about border security between the US and Mexico and how border authorities want to make it more expensive for drug cartels to get drugs over the border. Not stop it, but make it more difficult/expensive. If you rightly believe in the inevitability of insecurity, then you really want to keep the bar raised as far as possible (this is an argument that can formulate a defense to ‘security through obscurity,’ in moderation).
Interesting…I’ve read something similar to “time-to-penetrate” with regards to safe construction…at one point, I think I heard that copper plates were added between the steel plates to disperse the heat from a torch, so that it took longer for that method to succeed.
I’ve also thought over the years about incorporating ideas in defense from my military training, but after seeing some of the infrastructures I’ve encountered, there really seems to be no concept of defense, let alone defense-in-depth, at all. Of course, my view of this is jaundiced, in a way, b/c I usually only get to work with folks who’ve been compromised in some way…