Appendix B: Protection Strategies
Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved
Safeguards may be categorized into protection strategies. At a high
level there are essentially three basic strategies: prevention,
detection, and recovery. It is useful to examine safeguards in relation
to their application along an incident event timeline. Table 1
illustrates nine protection strategy types that can be used to describe
a safeguard.
TABLE 1
Protection Strategy Hierarchy

Strategy      Code   Protection Strategy Type
Prevention    A      Avoidance
              T      Transfer
              RT     Reduction of Threat
              RV     Reduction of Vulnerability
Detection     RD     Real-time Detection
              NRD    Non-real-time Detection
Recovery      RI     Reduction of Impact
              RR     Real-time Recovery
              NRR    Non-real-time Recovery
The abbreviations are used as the legend to Figure 3. When
selecting safeguards, the information security professional may be able
to expand the range of available safeguards by envisioning an available
safeguard as each of the nine protection strategies. Generally
speaking, safeguards that operate prior to the event are more effective
and more expensive. Safeguards that operate after the event are less
expensive and less effective. Another application of the diagram is as
a graphical representation of the coverage (by safeguards) of a system
vulnerability. A detailed explanation of each protection strategy
follows:
- 1. Avoidance (A) is where the risk is bypassed. For example,
deciding not to process the data at all (removing it from the system
under review and not processing it on any other IT system), or deciding
that a physical asset will no longer be used or will not be purchased.
- 2. Transfer (T) is where the asset or assets at risk are moved
outside the boundary. For example, a highly sensitive file could be
removed and run on an entirely separate IT system, thus transferring the
risk to that system. Alternatively, the risk itself could be transferred
outside the boundary, for example by insurance.
- 3. Reduction of Threat (RT) safeguards put a 'barrier' between the
threat (which might cause an action or event) and an asset. For
example, an RT safeguard could counter:
- a. accidental threat to a physical asset, such as the prohibiting
of the storage of inflammable material near IT equipment.
- b. accidental threat to a data asset, such as better training of
staff to reduce people error.
- c. deliberate internal threat, such as paying staff more money to
reduce the motivation for willful damage caused by disgruntlement,
strictly enforced personnel disciplinary procedures, or limiting the
non-security functions performed in the security administration role to
those essential to performing that role effectively.
- d. deliberate external threat, such as the removal of existing or
non-installation of dial-up lines, or the use of only private circuits.
- 4. Reduction of Vulnerability (RV) safeguards make it more
difficult for a specific vulnerability to be exploited by a threat.
Examples of RV safeguards could include not installing all assets in the
same physical location (thus reducing the vulnerability to the loss of
all the system assets, say in a major fire), introducing dial-in
protection, or plugging "loopholes" in software. Thus individual RV
safeguards reduce the level of a specific weakness (or weaknesses),
while in combination they will make the system less vulnerable overall.
- 5. Reduction of Impact (RI) safeguards lessen the effect of an
impact on an asset, in particular to lessen the damage to assets.
Examples of an RI safeguard are daily backups of files for later use in
recovery, and the introduction of water sprinklers to combat fire.
- 6. Real-time Detection (RD) safeguards detect the occurrence of an
event as it happens, the conditions that indicate the potential for an
event exists, or evidence that an event has just occurred. Examples of
an RD safeguard include a smoke detector to detect that a fire may be
present, software "sensors" to detect the attempted use of network
services that are not being offered, such as potential intruders
attempting to see if login is enabled. Both real-time and
non-real-time detection strategies are usually coupled with one or more
prevention or recovery strategies. In the case of the smoke detector,
the smoke detector may set off halon to try to prevent the loss (RV),
set off sprinklers to prevent catastrophic loss (RI), or prevent loss of
life by sounding audible alarms (RT), automatically contact the fire
department (RI), or any combination of these. In the software example,
the software sensor may send a message that triggers the system
administrator's beeper (RT), or it may send a message to a special log
maintained on a WORM CD drive to ensure an unmodifiable audit record of
the penetration attempt (NRR).
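The software-sensor case above, as an added example that is not part of the original appendix: an RD check over constructed connection-attempt lines flags use of services the host does not offer, marks attempts that look like a test of whether login is enabled, and couples each hit to an RT action (page the administrator) and an NRR action (append to an audit log). The offered port, the login-service port map and the log format are assumptions; a hash chain stands in for the WORM record, so edits become detectable rather than impossible.

```python
import hashlib
import json

# Constructed sample (not from the page): "time source_ip destination_port" per line.
SAMPLE_ATTEMPTS = """\
10:00:01 192.0.2.10 80
10:00:02 198.51.100.7 23
10:00:02 198.51.100.7 22
10:00:03 198.51.100.7 513
10:00:09 192.0.2.11 80
"""
OFFERED_PORTS = {80}                                    # assumed: only HTTP is offered
LOGIN_PORTS = {22: "ssh", 23: "telnet", 513: "rlogin"}  # login services an intruder tests for

def parse_attempts(text):
    return [{"time": t, "src": s, "port": int(p)}
            for t, s, p in (line.split() for line in text.splitlines())]

def detect(events):
    """RD: flag every attempt on a service this host does not offer, and mark
    the ones that look like a check of whether login is enabled."""
    hits = []
    for ev in events:
        if ev["port"] not in OFFERED_PORTS:
            hits.append(dict(ev, service=LOGIN_PORTS.get(ev["port"], "unknown"),
                             login_probe=ev["port"] in LOGIN_PORTS))
    return hits

def couple_actions(hits):
    """Coupled strategies: RT pages the administrator for login probes; NRR
    appends every hit to a hash-chained audit log (stand-in for the WORM record)."""
    pages, audit, prev = [], [], "0" * 64
    for hit in hits:
        if hit["login_probe"]:
            pages.append(f"page admin: {hit['service']} probe from {hit['src']}")
        record = json.dumps(hit, sort_keys=True)
        digest = hashlib.sha256((prev + record).encode()).hexdigest()
        audit.append({"prev": prev, "record": record, "hash": digest})
        prev = digest
    return pages, audit

def verify_audit(audit):
    """Recompute the chain; an edited, reordered or dropped entry breaks it."""
    prev = "0" * 64
    for entry in audit:
        expected = hashlib.sha256((prev + entry["record"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True
```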
- 7. Real-time Recovery (RR) safeguards are related to the RI
safeguards. Both strategies involve reducing the impact of an event.
The RI strategy reduces damage to assets. The RR strategy reduces the
loss of service caused by the event. Examples are the use of onsite
stock of replacement parts, the use of checkpointing* and warm start to
facilitate a quick return to service following a system failure or
system corruption, or the use of the well-formed transaction, where an
application restores itself to its previous state when a transaction
cannot be completed successfully. It also includes the use of
procedures to correct and validate corrupted or erred data in
real-time.
*Checkpointing is a technique where a system, in
real-time, stores critical application and environment data to allow,
when conditions permit, the system to be restarted without having to
power off the system and reinitialize all variables, a procedure
sometimes known as "cold start." Checkpointing can also be used to
shorten the length of system start-up time following a cold start by
recording certain environment data and reducing the user's burden by
recording the user's configuration data.
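The well-formed transaction and checkpointing described in item 7, as an added example that is not part of the original appendix: the ledger, the two-step transfer and the JSON checkpoint are assumptions. A transfer that fails after its first step restores the prior state, and a warm start resumes from the checkpoint instead of reinitializing from empty state.

```python
import copy
import json


class CheckpointedLedger:
    """Assumed toy application state (account balances), not from the page."""

    def __init__(self, balances=None, completed=0):
        self.balances = dict(balances or {})
        self.completed = completed   # transactions applied since start

    def transfer(self, src, dst, amount):
        """Well-formed transaction: debit then credit. If any step fails, the
        ledger is restored to the state before the transaction began (RR)."""
        before = copy.deepcopy(self.balances)
        try:
            if amount <= 0 or self.balances[src] < amount:
                raise ValueError("invalid amount or insufficient funds")
            self.balances[src] -= amount     # step 1: debit
            self.balances[dst] += amount     # step 2: credit (KeyError if dst is unknown)
            self.completed += 1
            return True
        except (KeyError, ValueError):
            self.balances = before           # the half-applied debit does not survive
            return False

    def checkpoint(self):
        """Record the consistent state; a real system writes this to stable storage."""
        return json.dumps({"balances": self.balances, "completed": self.completed})

    @classmethod
    def warm_start(cls, blob):
        """Restart from the checkpoint rather than a cold start from empty state."""
        saved = json.loads(blob)
        return cls(saved["balances"], saved["completed"])


def demo():
    ledger = CheckpointedLedger({"alice": 100, "bob": 50})
    ok1 = ledger.transfer("alice", "bob", 30)     # completes
    ok2 = ledger.transfer("alice", "carol", 20)   # fails at step 2, rolled back
    restored = CheckpointedLedger.warm_start(ledger.checkpoint())
    return ok1, ok2, dict(ledger.balances), dict(restored.balances), restored.completed
```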
- 8. Non-Real-time Detection (NRD) safeguards discover the
manifestation of a threat which has exploited a vulnerability but not
during the occurrence of the event. Examples of NRD include the
analysis of audit trails, error logs, and traceability journals. Other
examples include EDP audits, cross-facility analysis, and historical
trend analysis.
- 9. Non-Real-time Recovery (NRR) safeguards attempt to return the
system or data to a desired state after a failure or disaster has
occurred. NRR safeguards range from the procedures to recover a user's
deleted file to the ability (Disaster Recovery Plan) to move to a remote
location and successfully conduct operations following a natural
disaster.
- 10. Recording, while a form of the vulnerability reduction
protection strategy, is also an enabling mechanism for the detection and
recovery strategies. The choices made regarding what to record, when,
and how often will dictate the degree of detection and recovery
possible. Examples of recording include electronic data logging,
handwritten operator logs, and video from surveillance cameras.