Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Understanding your security controls

Tuesday, April 5, 2016 - 08:37

Jisc often receives requests from customers asking to help assess the effectiveness of a security control (firewalls being the most common). Security controls can rarely be assessed in isolation since doing so requires an understanding of the risks that led to the control being selected. This causes obvious problems for measuring effectiveness if controls are implemented for “best practice” rather than identified needs.

Denial of service attacks provide a good example of how these issues need to be considered holistically. Not only does ‘denial of service’ cover a wide range of events designed to exploit a wide range of different vulnerabilities, but the resources that they are aimed at can be protected in different ways by different organisations.

Volumetric attacks overwhelm a network through the amount of traffic alone. Since networks tend to serve a population of users with a (relatively) fixed location, relocating the attacked service to somewhere safe isn’t a viable option. Malicious traffic needs to be filtered from the network without interrupting legitimate traffic if normal operation is to be maintained.

The controls to do this may be prohibitively expensive for an organisation. Instead, a degraded form of limited network connectivity to a set of destinations (for example, selected SaaS providers) may be acceptable if it can be provided at a much lower cost than filtering of traffic. This could be achieved by engineering dedicated bandwidth for those destinations.

It may also be the case that the attack is aimed at a service provided by the organisation, and that just this service needs to be protected, not a network. Unlike an Ethernet cable, the service doesn’t need to be in a particular location, making it easy to distribute. This distribution can both reduce the volumes of attack traffic that need to be filtered and transfer the risk to an organisation specialising in protecting services from attack.

Judging the effectiveness of a control requires understanding the different aspects of the risks involved, the nature and value of the asset that’s being protected, and the costs and protection that a particular control can provide. Understanding the effectiveness of your controls then becomes another step in your journey to building sustainable and affordable security.