Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 62

Deterrent controls work to dissuade an attacker from initiating or continuing in their efforts to attack your systems, property, information, or people. Their design, deployment, and use should all raise either the perceived costs or risks to an attacker and the actual costs the attacker could face should they choose to persist. Guard dogs off of the leash, free to range around your property (but within a fence line), are an example of a deterrent that offers painful costs to an attacker, while raising the probability of being forcibly detained and subjected to arrest and prosecution as well.

Deterrent controls should provide a variety of capabilities to the security architect by placing barriers (real and perceived) between potential attackers and the systems they defend.

 Visible, tangible barriers, which an attacker can see, sense, or probe, signal that the target is defended.

 This suggests that the barriers are alarmed and monitored, which increases the possibility of an intrusion being detected.

 The barriers suggest to the attacker that greater assets, time, or effort must be expended for their attack to succeed.

 They also suggest that more barriers may be encountered, layer upon layer, should the attacker continue in their attempt.

Note the key concept that to be effective, a deterrent control must be visible, observable, and verifiably present to the prospective intruder. It cannot deter an attacker if the attacker doesn't know that it is there! This directly suggests that you're defending against a known group of attackers and that you have some degree of operational threat intelligence data, which you can use in selecting potentially effective deterrent tactics and techniques.

Simple deterrents can be physical controls, such as fences, locked doors and windows, or landscaping and paving that restricts the movement of vehicles and pedestrians onto a protected property or campus. Exterior lighting, including the use of moving spotlights or floodlights, can also provide a deterrent effect. Most physical controls are passive, in that they do not react to an intrusion attempt; active controls would include guard dogs and security controls, for example.

Physically, the architecture of buildings or workspaces make statements about an organization and the work that is performed there. These statements can also be powerful deterrents to would-be attackers. Think about how many modern embassy compounds (and not just the American ones) around the world have been transformed into little fortresses as they've been blast-hardened, surrounded by impact-resisting barrier walls, and armed military personnel or security guards; entry onto such embassy grounds is restricted and tightly controlled in most cases. High technology companies have also made similar architectural deterrent statements with the ways that they design, build, and operate their physical locations. These are definitely not statements of security through obscurity.

Network systems such as firewalls and intrusion detection and prevention systems can act as powerful deterrents by thwarting an attacker's ability to gain meaningful insight via reconnaissance probes or scans. (It's somewhat unfortunate that the line between NIDS and NIPS as product systems has become quite blurred at this point since both apply filtering rules of varying potency to block or restrict traffic from crossing their point of protection.) Well-trained, highly aware people throughout your organization are also effective deterrents when they smoothly deflect social engineering attack attempts, perhaps by guiding unknown callers through a well-rehearsed script to filter out the innocent prospective customer, client, or job seeker from the whaler-wannabee.