Appendix B: Protection Strategies

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Safeguards may be categorized into protection strategies. At a high level there are essentially three basic strategies: prevention, detection, and recovery. It is useful to examine safeguards in relation to their application along an incident event timeline. Table 1 illustrates nine protection strategy types that can be used to describe a safeguard.

TABLE 1
Protection Strategy Hierarchy

Prevention          A         Avoidance
                    T         Transfer
                    RT        Reduction of Threat
                    RV        Reduction of Vulnerability


Detection           RD        Real-time Detection
                    NRD       Non-real time detection


Recovery            RI        Reduction of Impact
                    RR        Real-time Recovery
                    NRR       Non real-time Recovery

The abbreviations are used as the legend to Figure 3. When selecting safeguards, the information security professional may be able to expand the range of available safeguards by envisioning an available safeguard as each of the nine protection strategies. Generally speaking, safeguards that operate prior to the event are more effective and more expensive. Safeguards that operate after the event are less expensive and less effective. Another application of the diagram is as a graphical representation of the coverage (by safeguards) of a system vulnerability. A detailed explanation of each protection strategy follows:

• 1. Avoidance (A) is where the risk is bypassed. For example, taking a decision to no longer, or not to, process data; i.e., remove it from the system under review and not process it by any other IT system, or a physical asset is no longer to be used or is not to be purchased.
• 2. Transfer (T) is where the asset or assets at risk is/are transferred outside the boundary. For example, a highly sensitive file could be removed and run on an entirely separate IT system, thus transferring the risk to the other system. Alternatively, the risk could be transferred outside the boundary, say by Insurance.
• 3. Reduction of Threat (RT) safeguards put a 'barrier', between the threat (which might cause an action or event) and an asset. For example, an RT safeguard could counter:
  • a. accidental threat to a physical asset, such as the prohibiting of the storage of inflammable material near IT equipment.
  • b. accidental threat to a data asset, such as better training of staff to reduce people error.
  • c. deliberate internal threat, such as paying staff more money to reduce the motivation for willful damage caused by disgruntlement, or strictly enforced personnel disciplinary procedures, or ensuring that non-security functions to be performed in the security administration role are limited to those essential to performing that role effectively.
  • d. deliberate external threat, such as the removal of existing or non-installation of dial-up lines, or the use of only private circuits.
• 4. Reduction of Vulnerability (RV) safeguards make it more difficult for a specific vulnerability to be exploited by a threat. Examples of RV safeguards could include not installing all assets in the same physical location (thus reducing the vulnerability to the loss of all the system assets, say in a major fire), introducing dial- in protection, or plugging "loopholes" in software. Thus individual RV safeguards reduce the level of a specific weakness (or weaknesses), while in combination they will make the system less vulnerable overall.
• 5. Reduction of Impact (RI) safeguards lessen the effect of an impact on an asset, in particular to lessen the damage to assets. Examples of an RI safeguard are daily backups of files for later use in recovery, and the introduction of water sprinklers to combat fire.
• 6. Real-time Detection (RD) safeguards detect the occurrence of an event as it happens, the conditions that indicate the potential for an event exists, or evidence that an event has just occurred. Examples of an RD safeguard include a smoke detector to detect that a fire may be present, software "sensors" to detect the attempted use of network services that are not being offered, such as potential intruders attempting to see if login is enabled. Both real-time and non-real- time detection strategies are usually coupled with one or more prevention or recovery strategies. In the case of the smoke detector, the smoke detector may set off halon to try to prevent the loss (RV), set off sprinklers to prevent catastrophic loss (RI), or prevent loss of life by sounding audible alarms (RT), automatically contact the fire department (RI),or any combination of these. In the software example, the software sensor may send a message that triggers the system administrator's beeper (RT), or it may send a message to a special log maintained on a WORM CD drive to ensure an unmodifiable audit record of the penetration attempt (NRR).
• 7. Real-time Recovery (RR) safeguards are related to the RI safeguards. Both strategies involve reducing the impact of an event. The RI strategy reduces damage to assets. The RR strategy reduces the loss of service caused by the event. Examples are the use of onsite stock of replacement parts, the use of checkpointing* and warm start to facilitate a quick return to service following a system failure or system corruption, or the use of the well-formed transaction, where an application restores itself to its previous state when a transaction cannot be completed successfully. It also includes the use of procedures to correct and validate corrupted or erred data in real- time.

  *Checkpointing is a technique where a system, in real-time, stores critical application and environment data to allow, when conditions permit, the system to be restarted without having to power off the system and reinitialize all variables, a procedure sometimes known as "cold start." Checkpointing can also be used to shorten the length of system start-up time following a cold start by recording certain environment data and reducing the user's burden by recording the user's configuration data.

• 8. Non-Real-time Detection (NRD) safeguards discover the manifestation of a threat which has exploited a vulnerability but not during the occurrence of the event. Examples of NRD include the analysis of audit trails, error logs, and traceability journals. Other examples include EDP audits, cross-facility analysis, and historical trend analysis.
• 9. Non-Real-time Recovery (NRR) safeguards attempt to return the system or data to a desired state after a failure or disaster has occurred. NRR safeguards range from the procedures to recover a user's deleted file to the ability (Disaster Recovery Plan) to move to a remote location and successfully conduct operations following a natural disaster.
• 10. Recording, while a form of the vulnerability reduction protection strategy, is also an enabling mechanism for the detection and recovery strategies. The choices made regarding what to record, when, and how often will dictate the degree of detection and recovery possible. Examples of recording include electronic data logging, handwritten operator logs, and video from surveillance cameras.