Using Controls, Safeguards, and Countermeasures

Chapter 7 provided information on risk and explained that risk is the probability of a threat exploiting a vulnerability, and Chapter 8 presented information on performing vulnerability assessments to detect vulnerabilities. Both chapters mentioned that risk is mitigated by implementing controls. This chapter digs into the details of controls.

The terms controls, safeguards, and countermeasures are often used interchangeably. In essence, they are means, methods, actions, techniques, processes, procedures, or devices that reduce the vulnerability of a system or the possibility of a threat exploiting a vulnerability in a system. In this chapter, I’ve used the term controls, but the terms safeguards or countermeasures could just as easily be used.

Figure 9-1 shows the two ways that controls are used. They can either reduce vulnerabilities to reduce losses from a risk or attempt to neutralize a threat to reduce losses from a risk. For example, AV software protects against malware. When AV software is installed and kept up to date on a system, the system is less vulnerable to malware attacks. The AV software also helps to neutralize the threat of malware.


Figure 9-1 Controls reduce vulnerabilities, resulting in reduced losses

Controls can be either technical or nontechnical. Technical controls use technical means to reduce risk and are merged with hardware, software, and firmware either to reduce vulnerabilities or reduce the impact of threats. Nontechnical controls are management and operational controls and include items such as written security policies, physical security controls, operational procedures, and personnel training.

For example, an intrusion prevention system (IPS), covered in Chapter 8, is a technical control that attempts to detect and block attacks. User training is a nontechnical control that educates users and encourages them to avoid risky behavior such as clicking a link within a phishing e-mail.


EXAM TIP Controls and countermeasures can be either technical or nontechnical. Technical controls use technical means within computer systems to reduce risk. Nontechnical controls include user training and written documents such as security policies.


Figure 9-2 shows the overall steps in a control implementation plan, along with the output from each of the steps. These steps are derived from National Institute of Standards and Technology (NIST) SP 800-30, Risk Management Guide for Information Technology Systems. The steps are as follows:


Figure 9-2 Controls reduce vulnerabilities, resulting in reduced losses

1. Step 1: Prioritize actions. This priority is based on the results of a risk assessment as described in Chapter 7. The likelihood determination is combined with an impact analysis to arrive at the overall risk determination. The output of this step is a list of risks with an action ranking for each. High-level risks should be addressed first.

2. Step 2: Evaluate recommended controls. The risk assessment also recommends controls, and in this step the recommended controls are evaluated for feasibility and effectiveness. Some controls may be effective but not feasible because of compatibility or user acceptance. For example, armed guards and full-sized cages used as mantraps are effective access controls, but may present an inappropriate negative image for a business office. The output of this step is a list of feasible controls that can be further evaluated.

3. Step 3: Conduct cost/benefit analysis (CBA). A CBA attempts to determine whether the cost of the control is justified by sufficiently lowering losses associated with specific risks. The CBA determines the cost of implementing the controls and the cost associated with losses if the control is not implemented. Chapter 7 presented both quantitative analysis and qualitative analysis methods. A quantitative analysis produces monetary figures that can be used directly in a CBA. This step identifies the costs and benefits associated with implementing, or not implementing, a control. The CBA is performed for each control in the list of feasible controls.

4. Step 4: Select the control. Management uses the available data to select the controls determined to be the most cost-effective for reducing risks to the organization. This step creates a list of selected controls.

5. Step 5: Assign responsibility. Once the controls are selected, appropriate individuals, departments, or divisions within the organization are assigned the responsibility of implementing the control. This step matches each selected control with a party responsible for implementing it.

6. Step 6: Develop an implementation plan. The responsible party creates an action plan for implementing the control. Depending on what the control is, the action plan can be quite extensive or very simple.

7. Step 7: Implement controls. In the last step, the action plan is followed and the control is implemented. In most situations, the risk will be reduced, but not eliminated. This step identifies the risk that remains (the residual risk) after implementing the control.

When evaluating any control, it’s important to evaluate both its expected effectiveness in mitigating a risk and its cost. Further, the cost of the control is more than just the initial cost. Controls have several costs that should be considered, such as initial cost, implementation cost, and compatibility costs.

The initial cost is the cost of the product. It could be a one-time purchase price or could entail monthly or annual recurring costs. For example, antimalware software has both an initial cost and a subscription cost to update definitions regularly.

Technical controls often incur costs to implement them. They may need to be tested for compatibility, consuming labor costs; they may require a vendor to install them initially; or they may require the staff to get training before they can be installed.

Compatibility costs are the costs associated with the usability of a system after a control is implemented. Although security often requires a balance with usability, it’s easy for security professionals to get overzealous and implement controls without considering the impact on usability. If the control affects productivity, it can impact the mission of the organization.


EXAM TIP If the cost of the control is significantly lower than the losses without the control, the cost of the control is justified. If the cost of the control is significantly higher than the losses without the control, the cost may not be justified. When the costs and savings are about the same, a return on investment (ROI) analysis is needed to determine whether the cost is justified.
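The seven implementation-plan steps and the cost discussion above can be carried through on a small set of constructed figures. The following Python is an added worked example, not code from the chapter or from NIST SP 800-30: it ranks risks (Step 1), drops infeasible controls (Step 2), performs a CBA per control using the initial, recurring, implementation, and compatibility cost components (Step 3), selects controls (Step 4), and reports residual risk (Step 7). The qualitative likelihood and impact weights, the three-year amortization of one-time costs, the 25 percent "about the same" band used to apply the exam tip, and every dollar figure are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumed qualitative scales (not from the chapter): weights used to rank risks in Step 1.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str      # "low" | "medium" | "high"
    impact: str          # "low" | "medium" | "high"
    annual_loss: float   # expected annual loss with no control (quantitative assessment figure)

    @property
    def score(self) -> float:
        """Step 1: likelihood determination combined with impact analysis."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                   # name of the risk this control mitigates
    effectiveness: float        # fraction of the expected loss the control removes (0..1)
    feasible: bool              # Step 2 result: compatibility / user-acceptance check
    initial_cost: float         # purchase price (one-time)
    annual_cost: float          # recurring subscription or licensing cost
    implementation_cost: float  # testing, vendor install, staff training (one-time)
    compatibility_cost: float   # annual productivity loss caused by the control
    lifetime_years: int = 3     # assumed period over which one-time costs are spread

    def annualized_cost(self) -> float:
        one_time = (self.initial_cost + self.implementation_cost) / self.lifetime_years
        return one_time + self.annual_cost + self.compatibility_cost


def prioritize(risks):
    """Step 1: list risks with the highest-ranked risk first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def evaluate_recommended(controls):
    """Step 2: keep only the controls that passed the feasibility check."""
    return [c for c in controls if c.feasible]


def verdict(cost: float, benefit: float, band: float = 0.25) -> str:
    """Exam-tip rule: cost clearly below avoided losses is justified, clearly above is not,
    and roughly equal (within the assumed band) needs an ROI analysis."""
    if cost < benefit * (1 - band):
        return "justified"
    if cost > benefit * (1 + band):
        return "not justified"
    return "roi analysis needed"


def cost_benefit(control: Control, risk: Risk):
    """Step 3: (annual loss avoided, annualized control cost, verdict)."""
    benefit = risk.annual_loss * control.effectiveness
    cost = control.annualized_cost()
    return benefit, cost, verdict(cost, benefit)


def select_controls(risks, controls):
    """Step 4: per risk, choose the justified feasible control with the largest net annual benefit."""
    by_name = {r.name: r for r in risks}
    chosen = {}
    for c in evaluate_recommended(controls):
        benefit, cost, v = cost_benefit(c, by_name[c.risk])
        if v != "justified":
            continue
        net = benefit - cost
        if c.risk not in chosen or net > chosen[c.risk][1]:
            chosen[c.risk] = (c, net)
    return {risk_name: pair[0] for risk_name, pair in chosen.items()}


def residual_risk(risk: Risk, control) -> float:
    """Step 7: expected annual loss that remains after the selected control is in place."""
    if control is None:
        return risk.annual_loss
    return risk.annual_loss * (1 - control.effectiveness)


# Constructed sample data for the illustration.
RISKS = [
    Risk("lost laptop", "medium", "medium", 15_000),
    Risk("malware infection", "high", "high", 120_000),
    Risk("tailgating into server room", "medium", "high", 40_000),
]
CONTROLS = [
    Control("antimalware with subscription", "malware infection", 0.8, True, 10_000, 6_000, 4_000, 1_000),
    Control("armed guards and mantrap", "tailgating into server room", 0.95, False, 60_000, 90_000, 5_000, 8_000),
    Control("badge reader with door alarm", "tailgating into server room", 0.7, True, 9_000, 500, 3_000, 500),
    Control("full-disk encryption", "lost laptop", 0.9, True, 0, 2_000, 6_000, 9_000),
    Control("DLP appliance", "lost laptop", 0.5, True, 30_000, 8_000, 5_000, 3_000),
]


def plan(risks=RISKS, controls=CONTROLS):
    """Run Steps 1-4 and 7 and return {risk name: (selected control name or None, residual loss)}."""
    selected = select_controls(risks, controls)
    return {r.name: (selected[r.name].name if r.name in selected else None,
                     residual_risk(r, selected.get(r.name)))
            for r in prioritize(risks)}


if __name__ == "__main__":
    for risk_name, (control_name, residual) in plan().items():
        print(f"{risk_name}: control={control_name}, residual annual loss={residual:,.0f}")
```

In the sample run the malware and tailgating risks each get a justified control, the armed-guard option is dropped at Step 2 for the user-acceptance reason the chapter gives, full-disk encryption lands in the "about the same" band and so is held for an ROI analysis rather than selected, and the DLP appliance is rejected because its annualized cost exceeds the loss it would avoid; the laptop risk therefore carries its full expected loss as residual risk.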

