Mike Wills - The Official (ISC)2 SSCP CBK Reference
Deterrent controls should provide a variety of capabilities to the security architect by placing barriers (real and perceived) between potential attackers and the systems they defend.
Visible, tangible barriers, which an attacker can see, sense, or probe, signal that the target is defended.
This suggests that the barriers are alarmed and monitored, which increases the possibility of an intrusion being detected.
The barriers suggest to the attacker that greater assets, time, or effort must be expended for their attack to succeed.
They also suggest that more barriers may be encountered, layer upon layer, should the attacker continue in their attempt.
Note the key concept that to be effective, a deterrent control must be visible, observable, and verifiably present to the prospective intruder. It cannot deter an attacker if the attacker doesn't know that it is there! This directly suggests that you're defending against a known group of attackers and that you have some degree of operational threat intelligence data, which you can use in selecting potentially effective deterrent tactics and techniques.
Simple deterrents can be physical controls, such as fences, locked doors and windows, or landscaping and paving that restricts the movement of vehicles and pedestrians onto a protected property or campus. Exterior lighting, including the use of moving spotlights or floodlights, can also provide a deterrent effect. Most physical controls are passive, in that they do not react to an intrusion attempt; active controls would include guard dogs and security controls, for example.
Physically, the architecture of buildings or workspaces makes statements about an organization and the work that is performed there. These statements can also be powerful deterrents to would-be attackers. Think about how many modern embassy compounds (and not just the American ones) around the world have been transformed into little fortresses as they've been blast-hardened, surrounded by impact-resisting barrier walls, and armed military personnel or security guards; entry onto such embassy grounds is restricted and tightly controlled in most cases. High technology companies have also made similar architectural deterrent statements with the ways that they design, build, and operate their physical locations. These are definitely not statements of security through obscurity.
Network systems such as firewalls and intrusion detection and prevention systems can act as powerful deterrents by thwarting an attacker's ability to gain meaningful insight via reconnaissance probes or scans. (It's somewhat unfortunate that the line between NIDS and NIPS as product systems has become quite blurred at this point since both apply filtering rules of varying potency to block or restrict traffic from crossing their point of protection.) Well-trained, highly aware people throughout your organization are also effective deterrents when they smoothly deflect social engineering attack attempts, perhaps by guiding unknown callers through a well-rehearsed script to filter out the innocent prospective customer, client, or job seeker from the whaler-wannabee.
Preventative Controls
Preventative (or prevention) controls provide two forms of protection to keep your systems from harm by reducing the probability of an occurrence of a risk or, when it starts to occur, by containing it in such a way as to limit the spread of its disruption or damage. Securely locked doors and windows prevent an intruder from unlawfully entering your home, unless they want to elevate their risk by breaking through the locks, the windows, or the doors in question. The design of interior walls, doors, and utility spaces restricts the speed with which fire can spread from room to room, while reducing or blocking the spread of smoke and heat. This suggests that security architects should use prevention (like deterrence) in layers.
Prevention can be active or passive, as with deterrence; the same types of controls used for physical, passive deterrence also bring some prevention with them.
Host-based or network-based firewalls, intrusion detection and prevention systems, and of course identity management and access control systems are the main components of a solid prevention architecture. Layer upon layer, they detect attempts to cross a threat boundary's controlled access points; they test that access attempt against varying sets of criteria and in some cases issue challenges requesting further credentials from the requesting subject. Since all of these systems can and should generate both accounting log information for successfully authenticated attempts, and alerts or alarms for failures, they are deterrent, prevention, and detection systems all at the same time.
Detective Controls
Detective (or detection) controls look for any out-of-limits conditions, such as signatures associated with an intrusion attempt, and then take two fundamental and important actions. First, the detection controls notify operations personnel or higher-level supervisory systems that a problem exists; this is absolutely critical if you are to have any command and control over your systems or any ability to manage an effective response to incidents as and when they occur. Second, the detection controls can (if desired) signal an attacker that you've noticed what they're doing, which leads them to believe you'll be responding to their attack. This may deter them from continuing their efforts.
All intrusion or incident detection systems are subject to error rates. Getting the crossover point set so that your risk of harm or loss due to false acceptance errors is balanced by your ongoing costs of investigating and resolving false rejections (and their concomitant “sky is falling” feeling) is a never-ending process. In fact, the smarter these controls get—and the more that they employ machine learning and predictive analytic capabilities—the more time you'll have to invest in understanding their behavior and tuning it to fit your constantly changing threat landscape and the dynamic nature of your routine business activities.
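The crossover tuning described above can be worked through in code. This is an added example, not taken from the book: it sweeps an alert threshold over scored events, finds the point where the false acceptance and false rejection rates meet, and then finds the threshold that minimises total cost when the two errors are priced differently. The event scores and cost figures are constructed, and it assumes "false acceptance" means an attack scoring below the alert threshold and "false rejection" means a benign event scoring at or above it.

```python
# Constructed sample: (anomaly_score, is_attack) pairs standing in for
# events scored by a detection control. Not real telemetry.
EVENTS = [
    (0.05, False), (0.10, False), (0.15, False), (0.22, False), (0.30, False),
    (0.35, False), (0.41, False), (0.48, False), (0.55, False), (0.62, False),
    (0.38, True), (0.52, True), (0.60, True), (0.70, True),
    (0.78, True), (0.85, True), (0.90, True), (0.95, True),
]


def error_rates(events, threshold):
    """Return (FAR, FRR) when events scoring >= threshold raise an alert.

    FAR: share of attacks scoring below the threshold (accepted as normal).
    FRR: share of benign events scoring at or above it (flagged as hostile).
    """
    attacks = [s for s, is_attack in events if is_attack]
    benign = [s for s, is_attack in events if not is_attack]
    far = sum(s < threshold for s in attacks) / len(attacks)
    frr = sum(s >= threshold for s in benign) / len(benign)
    return far, frr


def sweep(events, steps=100):
    """Evaluate thresholds 0.00..1.00; return [(threshold, far, frr), ...]."""
    return [(i / steps, *error_rates(events, i / steps)) for i in range(steps + 1)]


def crossover(events):
    """Lowest threshold at which FAR and FRR are closest to equal."""
    return min(sweep(events), key=lambda row: (abs(row[1] - row[2]), row[0]))


def cheapest(events, cost_missed_attack, cost_false_alarm):
    """Lowest threshold minimising missed-attack cost plus false-alarm cost."""
    n_attacks = sum(1 for _, is_attack in events if is_attack)
    n_benign = len(events) - n_attacks

    def cost(row):
        _, far, frr = row
        return far * n_attacks * cost_missed_attack + frr * n_benign * cost_false_alarm

    return min(sweep(events), key=lambda row: (cost(row), row[0]))


if __name__ == "__main__":
    print("crossover:", crossover(EVENTS))
    print("cost-weighted (50:1):", cheapest(EVENTS, 50, 1))
```

On this sample the rates cross at a threshold of 0.53, but pricing a missed attack at 50 times a false alarm pulls the preferred threshold down to 0.36, which is why the balance has to be revisited whenever the threat landscape or the cost of investigation changes.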
Physical detection systems can include motion detectors, motion switches on doors and windows, and continuity circuits embedded or built into walls, fences, and other landscaping features. Many such systems can support change detection as well, which can highlight suspicious portions of the systems they surveil to human security monitors for analysis and possible action. Physical systems such as power conditioning, air and environmental conditioning systems, and other aspects of your data center or network operations facilities should be primary sources of alarms that indicate a potential disruption, possibly due to an intrusion, is underway.
Don't forget the end-user element! A cadre of properly motivated and trained end users, who can spot something that's not quite right and who appreciate that management wants to hear about it sooner rather than later, can often stymie an attack before it gets too far.
Corrective Controls
Corrective controls provide for the containment, isolation, or restoration of services that have been disrupted for any reason. Uninterruptible power supplies (UPSs) are a good example of this: They isolate or buffer your IT and communications systems from external commercial electrical power providers and in doing so can correct for temporary undervoltage, overvoltage, spikes, noise, or other problems with power before those problems pop circuit breakers or damage equipment. Power problems, incidentally, can also cause equipment to operate in degraded ways that are oftentimes hard to diagnose. Consumer and small business-grade routers, switches, and servers, for example, are prone to odd and intermittent outages for this reason, and the simple expedient of putting them onto an inexpensive battery backup power conditioner or UPS can save hours of fruitless troubleshooting.