Selecting countermeasures

A look at how to choose security countermeasures.

As new vulnerabilities are discovered in your environment, you must evaluate, select and install countermeasures or safeguards to maintain security. Your organizational security policy should define the criteria by which you select countermeasures. Below are several examples of criteria that can be used to establish a selection gauntlet for your organization.

A countermeasure should provide a security solution for an identified problem. While obvious, this is a key element in selecting safeguards. It is quite common to get caught up in the fad of new security solutions, such as IDS, firewalls, honey pots, etc. You should only select and deploy those solutions that address problems you are experiencing.

A countermeasure should be cost effective. As a minimal rule, the countermeasure's yearly cost to acquire, install, test and maintain should be less than the yearly value of the assets it protects. Otherwise, it is counter-productive to deploy it. If it costs more to protect something than it is worth, then don't protect it. In many cases there are alternate countermeasure options with a lower yearly cost. Choose the most cost effective solution for your environment.

A countermeasure should be sufficient for the need. Deploying countermeasures that provide little to no significant improvement in security is a waste. While not all countermeasures provide complete risk elimination, some are better suited to providing improved security than others. Select those countermeasures that provide the most protection for the least cost.

A countermeasure's security should not depend on its secrecy. Security through obscurity is a false hope. A countermeasure should provide the same level of security whether it is seen or unseen, known or unknown. While controls should operate invisibly to users -- in other words not interfere with their ability to perform work tasks -- that invisibility does not provide security.

A countermeasure should be testable and provide verifiable improvements in security. If you are unable to validate that a countermeasure is applied or that it improves security, it is worthless.

A countermeasure must provide consistent and uniform protection. If the protection it provides varies over time or per user, it is not a suitable solution.

A countermeasure should be independent (as much as possible) from other countermeasures or safeguards. The fewer dependencies, the more reliable its service will be.

A countermeasure should require little human intervention after its initial installation and configuration. Otherwise, the greater the level of supervision, management, oversight or administration, the less cost effective and efficient the solution becomes.
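The selection gauntlet described above can be written down as a repeatable check that records why each candidate was rejected. The following is an added example, not part of the original article; the product names, costs, risk-reduction estimates and the two thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    name: str
    problem: str           # problem the product claims to solve
    costs: tuple           # yearly (acquire, install, test, maintain)
    risk_reduction: float  # assumed 0..1 estimate of protection gained
    verifiable: bool       # can deployment and improvement be tested?
    admin_hours: float     # yearly human intervention after setup

    @property
    def yearly_cost(self):
        return sum(self.costs)

def failed_criteria(c, problems, asset_value, min_reduction=0.25, max_hours=100):
    """Return the criteria a candidate fails; an empty list means it passes."""
    checks = [
        (c.problem in problems, "does not address an identified problem"),
        (c.yearly_cost < asset_value, "costs more per year than the assets are worth"),
        (c.risk_reduction >= min_reduction, "insufficient improvement"),
        (c.verifiable, "not testable"),
        (c.admin_hours <= max_hours, "too much human intervention"),
    ]
    return [reason for ok, reason in checks if not ok]

def select(candidates, problems, asset_value):
    """Split candidates into ranked survivors and rejections with reasons."""
    passed, rejected = [], {}
    for c in candidates:
        reasons = failed_criteria(c, problems, asset_value)
        if reasons:
            rejected[c.name] = reasons
        else:
            passed.append(c)
    # Most protection for the least cost first.
    passed.sort(key=lambda c: c.risk_reduction / max(c.yearly_cost, 1), reverse=True)
    return passed, rejected

# Constructed sample data (hypothetical products and figures).
PROBLEMS = {"malware on file server"}
ASSET_VALUE = 50_000  # yearly value of the protected assets
CANDIDATES = [
    Candidate("Gateway AV", "malware on file server", (4000, 1000, 500, 2500), 0.6, True, 40),
    Candidate("Host AV", "malware on file server", (2000, 500, 500, 1000), 0.5, True, 60),
    Candidate("Honeypot", "unknown intruders", (3000, 1000, 500, 1500), 0.3, True, 80),
    Candidate("Managed sandbox", "malware on file server", (40000, 5000, 2000, 8000), 0.9, True, 20),
    Candidate("Manual log review", "malware on file server", (0, 0, 0, 1000), 0.1, False, 500),
]
```

Calling `select(CANDIDATES, PROBLEMS, ASSET_VALUE)` returns the survivors ordered by protection per unit of yearly cost, plus a dictionary of rejected candidates and the criteria each one failed.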

About the author
James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in November 2002
