Read the book You CAN Stop Stupid - Ira Winkler - Page 57

Countermeasures

When you look at the risk equation in Figure 4.1, you can see that countermeasures can be used to mitigate threats and vulnerabilities. However, you must consider that mitigating threats is frequently not possible or realistic. For example, you are not going to prevent hurricanes. Hurricanes will always exist. You are not going to prevent a nation-state from existing, unless you are likewise a nation-state and willing to invest significant resources. The average organization is not going to prevent outside criminals from making attacks. Even if you work with law enforcement, your abilities to stop a threat from existing are negligible.

You should plan to implement countermeasures to mitigate what is within your control. So while you might not be able to prevent a hurricane, you can choose to locate resources outside of hurricane zones. You can create backup systems and files. You can have backup power sources in case of power outages.

Also consider that when you mitigate a vulnerability, you mitigate the opportunity for a threat to exploit that vulnerability. For example, if a user has a bad password, the password can be exploited by any threat, from nation-states to nosy co-workers. However, if you implement multifactor authentication, it helps prevent nation-states and other attackers from exploiting the bad password.

For these reasons, you want to prioritize countermeasures that mitigate vulnerabilities that are most likely to be exploited and result in loss. This is a critical theme in Part III of this book.
