Security Awareness For Dummies - Ira Winkler - Page 59
Countermeasures
In the risk formula (see the earlier section “The risk formula”), countermeasures are what you do or implement to mitigate threats or vulnerabilities. Most organizations cannot mitigate threats, however. Unless you’re a nation-state, you cannot stop terrorists, for example, from existing. You cannot stop a criminal from being a criminal. You cannot stop a hurricane from striking Florida.
Though you cannot address a threat, you can address the vulnerabilities that threats exploit. With a hurricane, for example, you might choose to locate facilities outside of hurricane zones. If you know that facilities might lose power from a wide variety of threats, you can address the vulnerability of nonresilient power sources by installing backup generators.
The primary purpose of countermeasures is specifically to mitigate vulnerabilities.
As with vulnerabilities, I divide countermeasures into the following categories — these categories correspond to the implementation type of the countermeasure, not the vulnerability it addresses:
Technical countermeasure: Mitigates vulnerabilities by using technical tools. A software tool used to fix a technical flaw is a technical countermeasure. Multifactor authentication is a technical countermeasure that can mitigate an operational weakness of poor security awareness as demonstrated by users who don’t know not to divulge their passwords. Awareness messages embedded in screen savers are also technical countermeasures.
Physical countermeasure: Uses physical tools, such as reminder signs, to mitigate vulnerabilities.
Personnel countermeasure: Involves tools that address the human resources (HR) process, such as incorporating a security awareness presentation into new hire orientation.
Operational countermeasure: Addresses how work is performed, which may also include identifying the relevant governance. An example is a procedure for properly identifying callers who ask for protected information.