From The Secure Arc Wiki


The purpose of a Countermeasure is to protect the Information Assets. This can be as simple as putting a Web Server (an Infrastructure Asset) behind a firewall to reduce the likelihood that a potential vulnerability can be reached and exploited from outside the segment. Doing this doesn't eliminate the Threat: the server is still exposed to administrative staff and to other, possibly compromised, Infrastructure Assets within the same network segment.

Similarly, a network intrusion detection tool, such as Snort, can be configured to detect Threats and to trigger another Countermeasure that decreases the Impact of an attack after it has begun, such as blacklisting the source IP address of the attack. Note that this second control is corrective rather than preventative: it limits damage once the attack has started, and it is only as good as the detection behind it, since an automatic block applied to a misidentified source becomes an outage of its own.
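The chain described above (a detective control that triggers a corrective one), as an added example that is not part of the original wiki page and does not use Snort's own rule language: a small Python detector reads web-server access-log lines, counts 404 responses per source address, and, once a source passes a threshold, emits firewall drop rules for it. The log lines, the threshold, the rule format and the allowlist are all constructed for the example.

```python
"""Detective control feeding a corrective control.

Added illustration, not code from the Secure Arc Wiki or from the Snort
project: a log-based scanner detector whose output is a list of block rules.
Sample log lines, threshold and allowlist are constructed for the example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable

# Common log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 162
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one host probing for common admin paths, one normal user,
# and one malformed line that a robust detector must skip rather than crash on.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin.php HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.4 - - [10/Oct/2023:13:55:39 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /.git/config HTTP/1.1" 404 162
this line is not a valid log entry
"""


def parse_line(line: str) -> tuple[str, str, int] | None:
    """Return (ip, path, status) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def detect_scanners(lines: Iterable[str], threshold: int = 4) -> dict[str, int]:
    """Detective control: count 404 responses per source IP and return the
    sources at or above the threshold, with their counts."""
    misses: dict[str, int] = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input is skipped, not fatal
        ip, _path, status = parsed
        if status == 404:
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


def corrective_rules(offenders: dict[str, int],
                     allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Corrective control: produce firewall drop rules for offenders.

    The allowlist guards against the failure mode noted above: an automatic
    block must never be applied to administrative or monitoring hosts."""
    rules = []
    for ip in sorted(offenders):
        if ip in allowlist:
            continue
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
    return rules


def respond(log_text: str, threshold: int = 4,
            allowlist: frozenset[str] = frozenset()) -> list[str]:
    """Run detection over a log and return the corrective rules to apply."""
    offenders = detect_scanners(log_text.splitlines(), threshold)
    return corrective_rules(offenders, allowlist)


if __name__ == "__main__":
    for rule in respond(SAMPLE_LOG):
        print(rule)
```

The threshold and the 404 heuristic are deliberately crude; the point is the separation between the detective step (which only observes) and the corrective step (which changes state and therefore needs its own safety check, here the allowlist).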

Part of the assessment of any vulnerability includes its Remediation Level (a CVSS temporal metric). In the case of a software bug in an off-the-shelf middleware product there may be either a Workaround or an Official Fix. An Official Fix removes the Vulnerability itself; a Workaround only reduces exposure to it until a fix is available. Applying a fix seems like a no-brainer, but for various reasons patching servers is not always a simple or cost-effective solution. Without an appropriate patch management process in place, upgrading a production server can be a long and costly endeavour. In other cases, there may simply be no fix available.

Security Controls

There are four categories of Security Controls that can be applied as Countermeasures:

  1. Preventative Controls
  2. Corrective Controls
  3. Detective Controls
  4. Deterrent Controls

To quickly put these into context and provide some examples, the following paragraph is taken from the Official (ISC)2® Guide to the CISSP®-ISSEP® CBK®:

Unauthorized access can be prevented with locks, smartcards, passcodes, biometrics and mantraps. Intruders can be deterred with fences and contraband checks (metal detectors or x-ray). Detection of unauthorized access can be performed with CCTV, motion detectors or infrared sensors.


Although they are also required, at present we are not detailing Recovery and Compensating controls in relation to the asset Vulnerabilities and their assessments.


While each category of Security Control above has a different goal and addresses a different part of the CVSS assessment of the target Vulnerability, they all have the cost assessment in common.

To keep things as simple as possible, we deal with only three variables when considering the cost of a Security Control:

  1. Time
  2. Operational Expenses (OPEX)
  3. Capital Expenses (CAPEX)

In large corporations the first one, Time, is often the most 'costly' irrespective of the dollar values associated with the CAPEX and OPEX assessments, particularly when launch deadlines are drawing near. Time should be expressed as the number of hours, days or months it will take to deliver the control, in whatever unit of measurement is appropriate for the project or system.

OPEX needs to take into account how much the Security Control will cost to implement and maintain, typically over the next 5 to 7 years. This includes any ongoing support costs paid to a vendor.

CAPEX is simply the upfront cost of the software and/or hardware.

To arrive at the OPEX implementation cost, take the Time and multiply it by the hourly rate and the number of personnel required to deliver the control. For the ongoing cost, estimate how much time per week or month must be dedicated to maintaining it and, again, multiply that by the rate and number of personnel required to maintain it, over the support horizon.

How these are actually broken up will depend entirely on the project, the company and where the Security Controls come from. If everything is vendor supplied and implemented, it may all be one contract and all be treated as CAPEX. If the whole thing is outsourced to something like Google's Security Services, then everything, including ongoing maintenance, may be classified as OPEX.
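The Time / OPEX / CAPEX model above, applied to a choice between candidate countermeasures for an unpatched web server, as an added example that is not part of the original wiki page. It implements the formulas given above (implementation OPEX = Time x rate x people; ongoing OPEX = maintenance hours per month x rate x people over the support horizon, plus vendor support; CAPEX = upfront spend) and goes one step further by ranking the candidates with Time as the dominant constraint, so that a control that cannot be delivered before the launch deadline is ranked last however cheap it is. Every control name, hourly rate, effort figure, price and deadline is invented for the illustration.

```python
"""Time / OPEX / CAPEX cost comparison of candidate Security Controls.

Added illustration, not code from the Secure Arc Wiki. All figures below are
constructed: the three candidate controls, the $100/hour rate, the 5-year
horizon and the 10-working-day deadline are assumptions for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityControl:
    name: str
    category: str                    # Preventative / Corrective / Detective / Deterrent
    delivery_hours: float            # Time: elapsed working hours to deliver
    people_to_deliver: int
    maintenance_hours_per_month: float
    people_to_maintain: int
    capex: float                     # upfront hardware and/or software spend
    vendor_support_per_year: float = 0.0   # ongoing vendor support (part of OPEX)

    def implementation_opex(self, hourly_rate: float) -> float:
        """Time x rate x number of personnel required to deliver it."""
        return self.delivery_hours * hourly_rate * self.people_to_deliver

    def ongoing_opex(self, hourly_rate: float, years: int) -> float:
        """Monthly maintenance effort x rate x people, over the horizon, plus vendor support."""
        staff = self.maintenance_hours_per_month * hourly_rate * self.people_to_maintain * 12 * years
        return staff + self.vendor_support_per_year * years

    def total_cost(self, hourly_rate: float, years: int) -> float:
        return self.capex + self.implementation_opex(hourly_rate) + self.ongoing_opex(hourly_rate, years)

    def calendar_days(self, hours_per_day: float = 8.0) -> float:
        """Time expressed in working days (assumes an 8-hour working day)."""
        return self.delivery_hours / hours_per_day


def rank_controls(controls, hourly_rate: float, years: int, deadline_days: float):
    """Return (control, total_cost, meets_deadline) tuples, cheapest first, with
    controls that miss the deadline ranked after all that meet it: Time dominates."""
    rows = [(c, c.total_cost(hourly_rate, years), c.calendar_days() <= deadline_days)
            for c in controls]
    return sorted(rows, key=lambda row: (not row[2], row[1]))


# Constructed candidates for an unpatched web server (figures are invented).
CANDIDATES = [
    SecurityControl("Apply vendor patch (Official Fix)", "Preventative",
                    delivery_hours=120, people_to_deliver=2,
                    maintenance_hours_per_month=4, people_to_maintain=1, capex=0.0),
    SecurityControl("Firewall in front of web tier", "Preventative",
                    delivery_hours=40, people_to_deliver=1,
                    maintenance_hours_per_month=8, people_to_maintain=1,
                    capex=15000.0, vendor_support_per_year=3000.0),
    SecurityControl("Network IDS with automatic source blocking", "Detective",
                    delivery_hours=80, people_to_deliver=1,
                    maintenance_hours_per_month=16, people_to_maintain=1, capex=5000.0),
]

HOURLY_RATE = 100.0     # assumed blended rate
HORIZON_YEARS = 5       # lower end of the 5 to 7 year range used above
DEADLINE_DAYS = 10      # assumed working days until launch


if __name__ == "__main__":
    for control, cost, on_time in rank_controls(CANDIDATES, HOURLY_RATE, HORIZON_YEARS, DEADLINE_DAYS):
        print(f"{control.name:45s} {control.category:12s} "
              f"{control.calendar_days():5.1f} days  ${cost:>10,.0f}  "
              f"{'on time' if on_time else 'MISSES DEADLINE'}")
```

With these constructed figures the patch is by far the cheapest option over five years ($48,000 against $82,000 for the firewall and $109,000 for the IDS) yet ranks last, because at 15 working days it cannot be delivered before the assumed 10-day deadline. That is the situation the text describes: Time outweighing the dollar figures when a launch is near, which is also why the workaround-class controls are usually deployed first and the Official Fix follows.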

