Defense in Depth

B’More Secure

GenCyber Train the Trainer�Camp 2025

Objectives

Participants will:

• Understand cybersecurity requirements and basic design principles
• Practice implementing multiple layers of defense in the Gold Bar Heist activity

​

Cybersecurity Learning Standards:

• 6-8.SEC.ACC Explain the concept of access control and how to limit access to authorized users.
• 9-12.SEC.DATA Formulate a plan to apply security measures to protect data in all three states.
• 6-8.SEC.CTRL Describe defense in depth and how physical access controls work together.

Role Reversal

Back to the gold bar heist: Mary has seen the error of her ways and hired you to help her protect the gold bars.

​

Create a security plan for the gold bars to ensure that no one can steal, damage, or prevent Mary from accessing them. Make sure that you include multiple layers of defenses.

​

​

How much protection is enough?

Defense Testing

Exchange your security plan with another group. Read through their plan and then see if you can come up with a plan to steal their gold bars!

1. Can you find any weaknesses in the security measures they have put in place?
2. Can you think of ways to get through or around the security measures?
3. Write your ideas down as feedback for the other group.

Reinforcing your Defenses

Consider the feedback you just received.

1. Do you now see any weaknesses in your plan that you didn’t see before?
2. Which layers of defense are the strongest?
3. What changes could you make to enhance your security plan?

​

How does the gold bar heist relate to cybersecurity?

Cybersecurity Concepts Hand Model

Confidentiality

Integrity

Availability

Defense

in Depth

Think like

an Adversary

Keep it Simple

Defense in Depth

​

• Multiple security layers / measures to protect / defend assets
• Redundancy will better protect assets
• Strong defense-in-depth strategy

BYOD (Bring Your Own Device) Security

• Different Software
• Different level of updates
• Different security measures or lack of
• Different habits / sites visited outside of work’s firewalls

​

​

Different Elements of a Defense-in-Depth System

1. Physical controls: Examples include key cards to enter a building or scanners to read fingerprints.
2. Network security controls: This is software that authenticates an employee to enter the network and use a device or application.
3. Administrative controls: This authorizes employees, once authenticated, to access only certain applications or parts of the network.
4. Antivirus: This is the tool that stops malicious software from entering the network and spreading.
5. Behavioral analysis: Algorithms and ML can detect anomalies in the behavior of employees and in the applications and devices themselves.”

​

From https://www.fortinet.com/resources/cyberglossary/defense-in-depth

Castle 6 layers

https://adarshds.medium.com/what-is-defense-in-depth-8250baf2c091

https://www.learningtree.ca/blog/defense-in-depth-the-stealth-cybersecurity-essential/

Five Security

Layers

Cyber Career Spotlight

What are your layers of defense?

Return to your list of assets from the previous section. How do you protect those assets?

​

• Pick an asset from your asset inventory
• Consider what security measures you already have in place
• Think like an adversary: how might someone gain access to that asset?
• How could you refine your security plan to prevent that type of attack? Think about adding layers of defense!

Keep It Simple:

Write a student policy on how to make a sure password, but keep it simple!