You CAN Stop Stupid. Ira Winkler


work with law enforcement, your abilities to stop a threat from existing are negligible.

      You should plan to implement countermeasures to mitigate what is within your control. So while you might not be able to prevent a hurricane, you can choose to locate resources outside of hurricane zones. You can create backup systems and files. You can have backup power sources in case of power outages.

      Also consider that when you mitigate a vulnerability, you mitigate the opportunity for a threat to exploit that vulnerability. For example, if a user has a bad password, the password can be exploited by any threat, from nation-states to nosy co-workers. However, if you implement multifactor authentication, it helps prevent nation-states and other attackers from exploiting the bad password.

      For these reasons, you want to prioritize countermeasures that mitigate vulnerabilities that are most likely to be exploited and result in loss. This is a critical theme in Part III of this book.

       Protection, Detection, and Reaction

      Different studies indicate that up to 80% of investment in countermeasures goes into protection. This unfortunately results in massive success for perpetrators who are able to get through the initial protection measures. It is sometimes more feasible to focus on detecting malicious activity rather than putting effort into prevention, because prevention is too costly. For example, if you are trying to secure a public network, any people with malicious intent are already allowed on the network. Likewise, even well-meaning users might violate policies. For that reason, it might be more effective to look for potentially harmful activities and, where appropriate, reduce the users' capabilities.

       Accept, Avoid, Mitigate, Transfer

      When you consider countermeasures, you must consider that the goal of countermeasures is not always to stop an attack. There is a widely accepted risk management paradigm known as accept, avoid, mitigate, and transfer.

      Accepting risk implies that you acknowledge the risk exists but consciously choose not to take further action on the risk. This is appropriate, for example, when a risk involves an inconsequential loss or has a low probability of occurring.

      Avoiding risk implies that as opposed to directly addressing the risk, you find a way to make it a moot issue. For example, a company might decide that it is not worth doing business within a specific region.

      Mitigating risk means that you implement specific countermeasures to address a risk.

      Transferring risk implies that you will not mitigate the risk directly, but you acknowledge it occurs and choose to transfer liability. This is the primary purpose of insurance, where you choose to be financially compensated, if a loss is realized, as opposed to proactively stopping the loss.

      As you examine a potential risk, you need to consider how you want to manage that risk. There are many factors that are unique to your organization, and you must determine which method of addressing risk is best for your circumstances.

      TIME'S ROLE IN COUNTERMEASURES

      It is critical to understand the importance of time in a security program. When author Ira Winkler worked at the NSA, he learned that any encryption algorithm will inevitably be cracked. Given sufficient time and resources, an attacker can eventually crack an algorithm. However, you can endeavor to use encryption that is strong enough to prevent the code from being cracked for as long as the data is valuable.

      For example, a commander in battle has to give tactical commands to troops in the field. Knowledge of the individual commands becomes worthless at the end of the battle in most cases. In this case, very low-grade encryption can be used. However, if you consider a military communications satellite that may be in orbit for a decade, you need to employ encryption that will not likely be cracked for much more than a decade. You cannot just upgrade the encryption hardware. The encryption does not just have to be strong enough to withstand current attacks but to withstand anticipated improvements in technology and the changing attacks that will occur over that time period.

      Similarly, when you consider a physical safe that contains valuables, the security can potentially be compromised. A safe is intended to be heavy so that it isn't easy to physically remove. The removal of the safe will take time, and the expectation is that by the time the safe can be removed, police or other responders will arrive to stop the theft. Likewise, if someone intends to crack the safe, the time it takes to crack the safe should be long enough for responders to arrive.
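A worked version of the time argument, added here and not taken from the book: it models a key search whose rate doubles at a fixed interval (a constructed stand-in for the "anticipated improvements in technology" mentioned above) and asks whether a given key size outlasts the data's useful life, with the safe-and-responders analogy as a second function. All rates, intervals and lifetimes are assumed sample values.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_brute_force_years(security_bits: int, keys_per_second: float,
                               doubling_years: float) -> float:
    """Years until an exhaustive key search is expected to succeed.

    The attacker's search rate starts at keys_per_second and doubles every
    doubling_years (assumed growth model). Work done after t years is
        W(t) = r0 * S * (D / ln 2) * (2**(t/D) - 1)
    with S = seconds per year and D = doubling interval. On average half the
    keyspace, 2**(bits-1), must be searched; solve W(t) = 2**(bits-1) for t.
    """
    target = 2.0 ** (security_bits - 1)
    rate_per_year = keys_per_second * SECONDS_PER_YEAR
    ratio = target * math.log(2) / (rate_per_year * doubling_years) + 1.0
    return doubling_years * math.log2(ratio)


def holds_for_lifetime(security_bits: int, keys_per_second: float,
                       doubling_years: float, data_lifetime_years: float) -> bool:
    """True if the key is expected to survive for as long as the data matters."""
    years = expected_brute_force_years(security_bits, keys_per_second, doubling_years)
    return years >= data_lifetime_years


def minimum_bits_for_lifetime(data_lifetime_years: float, keys_per_second: float,
                              doubling_years: float) -> int:
    """Smallest key size (searched from 40 to 512 bits) that meets the lifetime."""
    for bits in range(40, 513):
        if holds_for_lifetime(bits, keys_per_second, doubling_years, data_lifetime_years):
            return bits
    raise ValueError("no key size up to 512 bits meets the requested lifetime")


def safe_adequate(minutes_to_defeat: float, detection_delay_minutes: float,
                  response_minutes: float) -> bool:
    """Physical analogue: a safe is adequate if defeating or removing it takes
    longer than the alarm's detection delay plus responder arrival time."""
    return minutes_to_defeat > detection_delay_minutes + response_minutes


if __name__ == "__main__":
    # Constructed sample attacker: 10^12 keys/second today, capability doubling every 1.5 years.
    for bits in (56, 80, 128):
        print(bits, "bits ->", round(expected_brute_force_years(bits, 1e12, 1.5), 3), "years")
    print("10-year data needs at least", minimum_bits_for_lifetime(10, 1e12, 1.5), "bits")
```

With the sample attacker, a 56-bit key falls within hours, while a 128-bit key is expected to hold for roughly 90 years under the doubling assumption; the same search needs only 74 bits for data that is worthless after 10 years.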

       Types of Countermeasures

      As with vulnerabilities, we address four basic types of countermeasures: physical, operational, personnel, and technical. It is important to note that you do not need to mitigate a vulnerability with a countermeasure of the same type. Also, you may choose to mitigate a vulnerability with countermeasures from multiple categories.

      You should likewise look for diverse sets of countermeasures to mitigate vulnerabilities. Know that no single type of countermeasure is perfect. However, when combined effectively, they should ideally stop UIL from actually being realized. The following sections further examine physical, operational, personnel, and technical countermeasures.

       Physical Countermeasures

      Physical countermeasures are those that implement some tangible security control to prevent a loss through physical means. Some common physical countermeasures are access controls, such as gates, locks, filing cabinets, and so on. They include physically securing unattended materials or workstations when you are away from the area. They also include getting someone to take custody of valuable materials.

      Guards and surveillance cameras are physical countermeasures. Surveillance is a form of detection, while guards provide a combination of protection, detection, and reaction, depending upon their assignment and deployment. It is also important to consider that known detection is an indirect form of protection. For example, when criminals know that a house or office has an alarm system, which is a form of detection, they might choose to avoid the facility and choose a different target.

      When considering physical countermeasures for UIL, keep in mind that countermeasures may be put in place to prevent error. For example, covers on power switches prevent accidental pressing of the off buttons. Guards inspecting outgoing materials can detect when users accidentally take things out of the facility. It may also prevent
