6.2. Security Program Elements
💡 First Principle: Technical controls alone aren't enough. Security requires a comprehensive program that combines people, processes, and technology. Think of it like a bank vault: the best lock in the world doesn't help if an employee props the door open, and the best firewall can't stop someone from clicking a phishing link.
Consider this breach scenario: A company invests millions in firewalls, IDS, and endpoint protection. An attacker sends a convincing phishing email to an accountant, who clicks the link and enters credentials on a fake login page. The attacker now holds valid credentials and logs in through the VPN; the firewall permits it, because to the firewall this is legitimate, authenticated traffic. Every technical control was bypassed because the human element failed. With user awareness training the accountant is more likely to recognize and report the email, and with MFA on the VPN the stolen password alone would not be enough to get in.
What happens without defense in depth: An attacker finds a vulnerability in your web application (the firewall already permits web traffic, so it offers no protection here). Without additional controls they have direct access to the database (no segmentation), can extract the data in readable form (no encryption at rest), and you won't know for months (no monitoring). Each missing layer multiplies the damage.
The three control types:
- Administrative: Policies, procedures, training, background checks
- Technical: Firewalls, encryption, ACLs, authentication
- Physical: Locks, cameras, biometric readers, mantraps
Defense in depth: Layer these controls so that if one fails, others still protect you. An attacker who bypasses the firewall should still face authentication. One who steals credentials should still face MFA. One who gets into the building should still find server rooms locked.
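As an added example (not code from the original page), here is what two of those layers look like in practice: a Python login check that first verifies a PBKDF2-hashed password, then an RFC 6238 TOTP code, and writes every decision to an audit trail so a stolen password is both blocked at the MFA layer and visible to monitoring. The account name, password, source IP and log record format are constructed for illustration; the TOTP secret is the RFC 6238 test-vector secret, so the codes it produces can be checked against the RFC.

```python
"""Layered login: password (something you know) + TOTP (something you have),
with every decision appended to an audit trail (the monitoring layer)."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 200_000  # lowered from production values so the example runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the default for common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * i).encode(), code.encode())
               for i in range(-window, window + 1))


# Constructed user record for this example (not a real account).
_SALT, _DIGEST = hash_password("Spring2024!")
USERS = {
    "accountant": {
        "salt": _SALT,
        "digest": _DIGEST,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}
AUDIT_LOG = []  # monitoring layer: every allow/deny decision is recorded here


def authenticate(username, password, otp, unix_time, src_ip):
    """Return 'allowed', 'denied:password' or 'denied:mfa' and log the decision."""
    user = USERS.get(username)
    # Always run the password hash, even for unknown users, so timing does not leak usernames.
    salt, digest = (user["salt"], user["digest"]) if user else (b"\0" * 16, b"\0" * 32)
    pw_ok = verify_password(password, salt, digest)
    if user is None or not pw_ok:
        outcome = "denied:password"
    elif not verify_totp(user["totp_secret"], otp, unix_time):
        outcome = "denied:mfa"  # valid password, but the second layer still holds
    else:
        outcome = "allowed"
    AUDIT_LOG.append({"user": username, "src": src_ip, "time": unix_time, "outcome": outcome})
    return outcome


if __name__ == "__main__":
    # Phished password, no token: stopped at the MFA layer and visible in the log.
    print(authenticate("accountant", "Spring2024!", "000000", 59, "203.0.113.7"))
    print(AUDIT_LOG[-1])
```

The point of the structure is that a phished password alone only gets the attacker past the first check; the TOTP layer still denies the login, and the audit record of a correct password paired with a failed second factor is exactly the signal a monitoring team should alert on.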
| Element | Purpose |
|---|---|
| User awareness | Train users to recognize threats |
| Training | Teach security practices and policies |
| Physical access control | Restrict physical access to equipment |
| Administrative controls | Policies and procedures |
| Technical controls | Firewalls, ACLs, encryption |