A control or countermeasure is a means to counter threats. Harm occurs when a threat is realized against a vulnerability. To protect against harm, then, we can neutralize the threat, close the vulnerability, or both. The possibility for harm to occur is called risk. We can deal with harm in several ways:
- prevent it, by blocking the attack or closing the vulnerability
- deter it, by making the attack harder but not impossible
- deflect it, by making another target more attractive (or this one less so)
- mitigate it, by making its impact less severe
- detect it, either as it happens or some time after the fact
- recover from its effects
Of course, more than one of these controls can be used simultaneously. So, for example, we might try to prevent intrusions—but if we suspect we cannot prevent all of them, we might also install a detection device to warn of an imminent attack. And we should have in place incident-response procedures to help in the recovery in case an intrusion does succeed.
To consider the controls or countermeasures that attempt to prevent exploiting a computing system's vulnerabilities, we begin by thinking about traditional ways to enhance physical security. In the Middle Ages, castles and fortresses were built to protect the people and valuable property inside. The fortress might have had one or more security characteristics, including
- a strong gate or door to repel invaders
- heavy walls to withstand objects thrown or projected against them
- a surrounding moat to control access
- arrow slits to let archers shoot at approaching enemies
- crenellations to allow inhabitants to lean out from the roof and pour hot or vile liquids on attackers
- a drawbridge to limit access to authorized people
- a portcullis to limit access beyond the drawbridge
- gatekeepers to verify that only authorized people and goods could enter
Similarly, today we use a multipronged approach to protect our homes and offices. We may combine strong locks on the doors with a burglar alarm, reinforced windows, and even a nosy neighbor to keep an eye on our valuables. In each case, we select one or more ways to deter an intruder or attacker, and we base our selection not only on the value of what we protect but also on the effort we think an attacker or intruder will expend to get inside.
Computer security has the same characteristics. We have many controls at our disposal. Some are easier than others to use or implement. Some are cheaper than others to use or implement. And some are more difficult than others for intruders to override. Figure 1-11 illustrates how we use a combination of controls to secure our valuable resources. We use one or more controls, according to what we are protecting, how the cost of protection compares with the risk of loss, and how hard we think intruders will work to get what they want.
Figure 1-11 Effects of Controls
In this section, we present an overview of the controls available to us. In the rest of this book, we examine how to use controls against specific kinds of threats.
We can group controls into three largely independent classes. The following list shows the classes and several examples of each type of control.
Physical controls stop or block an attack by using something tangible, such as
- walls and fences
- (human) guards
- sprinklers and other fire extinguishers
Procedural or administrative controls use a command or agreement that requires or advises people how to act; for example,
- laws, regulations
- policies, procedures, guidelines
- copyrights, patents
- contracts, agreements
Technical controls counter threats with technology (hardware or software), including
- access controls enforced by an operating system or application
- network protocols
- firewalls, intrusion detection systems
- network traffic flow regulators
(Note that the term "logical controls" is also used, but some people use it to mean administrative controls, whereas others use it to mean technical controls. To avoid confusion, we do not use that term.)
As shown in Figure 1-12, you can think in terms of the property to be protected and the kind of threat when you are choosing appropriate types of countermeasures. None of these classes is necessarily better than or preferable to the others; they work in different ways with different kinds of results. And it can be effective to use overlapping controls or defense in depth: more than one control or more than one class of control to achieve protection.
Figure 1-12 Types of Countermeasures