Classifying Countermeasures

After a company has identified its assets and considered the risk to each asset from a threat against a vulnerability, the company can then decide to implement countermeasures to reduce the risk of a successful attack. Common control methods used to implement countermeasures include the following:

Administrative: These consist of written policies, procedures, guidelines, and standards. An example would be a written acceptable use policy (AUP), agreed to by each user on the network. Another example is a change control process that needs to be followed when making changes to the network. Administrative controls could involve items such as background checks for users, as well.

Physical: Physical controls are exactly what they sound like: physical security for the network servers, equipment, and infrastructure. An example is providing a locked door between users and the wiring closet on any floor (where the switches and other gear exist). Another example of a physical control is a redundant system (for instance, an uninterruptible power supply).

Logical: Logical controls include passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on. Logical controls are often referred to as technical controls.

Not all controls are created equal, and not all controls have the same purpose. Working together, however, the controls should enable you to prevent, detect, correct, and recover, all while acting as a deterrent to a threat.
