consider a military communications satellite that may be in orbit for a decade, you need to employ encryption that will not likely be cracked for much more than a decade. You cannot just upgrade the encryption hardware. The encryption does not just have to be strong enough to withstand current attacks but to withstand anticipated improvements in technology and the changing attacks that will occur over that time period.
Similarly, when you consider a physical safe that contains valuables, the security can potentially be compromised. A safe is intended to be heavy so that it isn't easy to physically remove. The removal of the safe will take time, and the expectation is that by the time the safe can be removed, police or other responders will arrive to stop the theft. Likewise, if someone intends to crack the safe, the time it takes to crack the safe should be long enough for responders to arrive.
Types of Countermeasures
As with vulnerabilities, we address four basic types of countermeasures: physical, operational, personnel, and technical. It is important to note that you do not need to mitigate a vulnerability with a countermeasure of the same type. Also, you may choose to mitigate a vulnerability with countermeasures from multiple categories.
For example, the case of Edward Snowden demonstrates personnel vulnerabilities. Several types of countermeasures could have helped in this case. Better personnel countermeasures could have identified and addressed the problem. However, technical countermeasures, such as multifactor authentication and better network security controls, as well as operational controls, such as Snowden's co-workers having better awareness about not giving out their passwords to others, would have combined to stop Snowden's theft.
You should likewise look for diverse sets of countermeasures to mitigate vulnerabilities. Know that no single type of countermeasure is perfect. However, when combined effectively, they should ideally stop UIL from actually being realized. The following sections further examine physical, operational, personnel, and technical countermeasures.
Physical Countermeasures
Physical countermeasures are those that implement some tangible security control to prevent a loss through physical means. Some common physical countermeasures are access controls, such as gates, locks, filing cabinets, and so on. They include physically securing unattended materials or workstations when you are away from the area. They also include getting someone to take custody of valuable materials.
Guards and surveillance cameras are physical countermeasures. Surveillance is a form of detection, while guards provide a combination of protection, detection, and reaction, depending upon their assignment and deployment. It is also important to consider that known detection is an indirect form of protection. For example, when criminals know that a house or office has an alarm system, which is a form of detection, they might choose to avoid the facility and choose a different target.
When considering physical countermeasures for UIL, keep in mind that countermeasures may be put in place to prevent error. For example, covers on power switches prevent accidental pressing of the off buttons. Guards inspecting outgoing materials can detect when users accidentally take things out of the facility; the same inspection may also prevent a malicious act. Again, it is key to understand that physical countermeasures can simultaneously mitigate malicious and malignant threats.
Operational Countermeasures
Operational countermeasures are procedures designed to perform work properly and mitigate loss. For example, procedures on how to safely handle sensitive materials or perform work safely are operational countermeasures. Likewise, audit procedures to detect and mitigate loss and deviations from expectations are operational countermeasures.
Ideally, operational countermeasures that deal with security are embedded in business processes so that security concerns are integral to the organization. Security awareness programs are operational countermeasures, especially when they inform people on how to perform their functions properly. There are also practices that can be put in place to authenticate and verify the identity of individuals and their need to have access to information, facilities, or other resources. This extends to website interactions and requesting critical services to include reset of passwords and access to sensitive information.
Operational countermeasures also include legal agreements and enforcement. For example, nondisclosure agreements are a common form of protection that should be used whenever exchanging sensitive information with potential business partners.
Insurance is also a critical operational countermeasure. It is inevitable that there will be a loss, and insurance provides for a way to potentially mitigate losses.
Personnel Countermeasures
Personnel countermeasures are those that deal with the hiring, managing, and firing of people. We specifically say “people” and not “employees” because this applies to everyone, including customers, business partners, and any and all users. Anyone with access to your facilities and information needs to be considered a potential threat and should be subject to these countermeasures.
Applying requirements to people who pay you and whom you technically serve is a sensitive matter, but you still have to limit their access to only the functions they require. You may also need to audit those customers and potentially pursue penalties against them. Such is the case where Cambridge Analytica violated Facebook's policies to use Facebook users' information by misrepresenting to users the scope and use of the information collected.
When you hire or otherwise bring someone into your organization, countermeasures include background checks and a consistent process to have people sign the appropriate agreements and to make them aware of their responsibilities. Regarding background checks, this should ideally include criminal and financial checks, as well as confirmation of stated employment and educational histories. When possible, this would also include talking to past employers to ensure there were no concerns. This again is where Snowden's background check failed.
Countermeasures for personnel can vary depending on the nature of your organization. In high-security environments, this may include periodic updates of background and criminal records checks. There should be tracking of incidents to ensure that there are not patterns of concerning behaviors. There should also be periodic training and reinforcement of employee responsibilities. In major financial organizations, it is common practice to force employees to take a two-week vacation. During that vacation, there are teams in place to go through all business functions, financial transactions, records, and so on, to ensure there are no concerning behaviors or actions.
During separation, there should be established processes for people's departure. This should include review of information access, equipment in their possession, and any other concerns. When possible, there should be a review of activities to see whether the person in question took any information with them. There should also be a reinforcement of any obligations to include protection of sensitive information.
It is critical to involve the IT department to ensure that the individual's access is proactively limited, as feasible, and that their accounts are deactivated as soon as possible. We have investigated incidents where a salesperson still had access to his former company's proposal system. The salesperson would download proposals from his former company and then create a proposal from his new company that was more competitive. This is unfortunately not an uncommon circumstance.
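The separation check described above, as an added example that is not from the book: it reconciles a constructed HR separation feed against a constructed directory export and flags accounts that remain enabled, or were still being used, after the person's departure date. The field names and the one-day grace period are assumptions.

```python
"""Flag accounts that outlived their owner's separation (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    groups: Tuple[str, ...]


# Constructed HR feed: username -> separation date.
SEPARATIONS: Dict[str, date] = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 2, 15),
}

# Constructed directory export. "jdoe" left sales but is still enabled and
# still logging in to the proposal system weeks after separation.
DIRECTORY: List[Account] = [
    Account("jdoe", True, date(2024, 3, 20), ("sales", "proposal-system")),
    Account("asmith", False, date(2024, 2, 10), ("finance",)),
    Account("bwong", True, date(2024, 3, 21), ("engineering",)),
]


def find_stale_access(directory: List[Account], separations: Dict[str, date],
                      grace_days: int = 1) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for separated people whose access survived.

    grace_days is how long after the separation date a login is still tolerated
    (e.g. for exit processing); anything later is reported.
    """
    findings: List[Tuple[str, str]] = []
    for acct in directory:
        separated_on = separations.get(acct.username)
        if separated_on is None:
            continue  # current staff; nothing to reconcile
        deadline = separated_on + timedelta(days=grace_days)
        if acct.enabled:
            findings.append((acct.username, f"account still enabled after separation on {separated_on}"))
        if acct.last_login is not None and acct.last_login > deadline:
            findings.append((acct.username, f"login on {acct.last_login} after separation on {separated_on}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_stale_access(DIRECTORY, SEPARATIONS):
        print(f"{user}: {reason}")
```

Run this against a real HR feed and directory export on a schedule; the interesting result is an empty list, and any finding is a ticket for IT.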
Enforcement also must be consistent. You can't punish one employee for mishandling information and not punish another employee for the same infraction. Inconsistent enforcement exposes your organization to claims of bias, confuses your users about which policies they're truly expected to follow, and emboldens people who are inclined to commit violations.
Technical Countermeasures
Technical countermeasures