Countermeasure Selection and Implementation

admin | 2024-02-16 00:04:01 | 8 views | 4,515 characters | reading time 15 min 3 s

Selecting a countermeasure, safeguard, or control (short for security control) within the realm of risk management relies heavily on the cost/benefit analysis results. However, you should consider several other factors when assessing the value or pertinence of a security control:

  • The cost of the countermeasure should be less than the value of the asset.
  • The cost of the countermeasure should be less than the benefit of the countermeasure.
  • The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
  • The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because they are available, are advertised, or sound appealing.)
  • The benefit of the countermeasure should not be dependent on its secrecy. Any viable countermeasure can withstand public disclosure and scrutiny and thus maintain protection even when known.
  • The benefit of the countermeasure should be testable and verifiable.
  • The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
  • The countermeasure should have few or no dependencies to reduce cascade failures.
  • The countermeasure should require minimal human intervention after initial deployment and configuration.
  • The countermeasure should be tamper proof.
  • The countermeasure should have overrides accessible to privileged operators only.
  • The countermeasure should provide fail-safe and/or fail-secure options.

Keep in mind that security should be designed to support and enable business tasks and functions. Thus, countermeasures and safeguards need to be evaluated in the context of a business process. If there is no clear business case for a safeguard, it is probably not an effective security option.

Security controls, countermeasures, and safeguards can be implemented administratively, logically/technically, or physically. These three categories of security mechanisms should be implemented in a conceptual layered defense-in-depth manner in order to provide maximum benefit (Figure 2.4). This idea is based on the concept that policies (part of administrative controls) drive all aspects of security and thus form the initial protection layer around assets. Next, logical and technical controls provide protection against logical attacks and exploits. Then, the physical controls provide protection against real-world physical attacks against the facility and devices.

[Figure 2.4: Countermeasure Selection and Implementation (layered defense in depth: administrative, logical/technical, and physical controls)]

Administrative

The category of administrative controls is the policies and procedures defined by an organization’s security policy and other regulations or requirements. They are sometimes referred to as management controls, managerial controls, or procedural controls. These controls focus on personnel oversight and business practices. Examples of administrative controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, reports and reviews, work supervision, personnel controls, and testing.

Technical or Logical

The category of technical controls or logical controls involves the hardware or software mechanisms used to manage access and provide protection for IT resources and systems. Examples of logical or technical controls include authentication methods (such as passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.

Physical

Physical controls are security mechanisms focused on providing protection to the facility and real-world objects. Examples of physical controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, access control vestibules, and alarms.

Originally published on the WeChat public account 网络安全等保测评: Countermeasure Selection and Implementation

Published by admin on 2024-02-16 00:04:01. When reposting, keep the link to this article (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/2164145.html
