4

While looking at this question, one of the comments made me think. In the comment, the user asserted that "one must invest a lock that cost $40, the insurance company just want to make sure that it gives enough deterrent so that thief will switch to next easier target".

In the scenario of a bicycle, the lock is an immediately visible deterrent. I could be oversimplifying, but I don't see that being completely comparable in the realm of IT security.

Granted, asking for a name and password will stop most people from just trying to get to other accounts. With how most attacks are automated, does showing you require upper/lower/number/special characters deter more people?

I'm thinking that hitting any sort of roadblock will stop some minor attackers coming in just to look around. However, if someone is more intent on getting into your system, at what point do all of our security practices start to deter the attackers? At a certain point, does having tons of security become more of a "challenge factor" to beat?

schroeder
krillgar
    2FA would be one "visible" deterrent. If an attacker sees someone has 2FA enabled, odds are they'll move on to another victim. Even better would be a company that requires 2FA for all authentication. IIRC Google does this internally. – Steve Sether Jul 24 '18 at 18:56
  • 2
    I'd also add a "bug bounty program" is visible security (though also potentially just marketing). I don't know if it's effective, but it's certainly something that's disclosed publicly, and the existence of it might add to deterrence. (i.e. the easy bugs might have already been found) – Steve Sether Jul 24 '18 at 18:59
  • 1
    Locking an account when a user keys in a wrong password for X amount of time is a deterrent for both humans and bots. Even for a targeted attack, some deterrents are always better than no deterrent, to buy the organisation some time. – mootmoot Jul 30 '18 at 15:31
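The lockout idea in the last comment above, worked through as an added example (this is not code from the question or from any answer): a per-account failed-login counter with a sliding window and a lockout timer, replayed over a constructed attempt log. The class and function names (`LockoutPolicy`, `replay`) and the thresholds (5 failures, 15-minute window, 15-minute lockout) are assumptions; what it shows is how much time such a control actually buys, measured as the attacker's maximum guess rate against one account.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Per-account lockout: after `max_failures` failed logins inside
    `window_seconds`, the account is locked for `lockout_seconds`.
    Timestamps are passed in explicitly so the logic is testable offline."""
    max_failures: int = 5          # assumed threshold
    window_seconds: int = 900      # assumed sliding window (15 min)
    lockout_seconds: int = 900     # assumed lockout duration (15 min)
    _failures: dict = field(default_factory=lambda: defaultdict(list))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        # Keep only failures that fall inside the sliding window.
        recent = [t for t in self._failures[user] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []
            return True
        return False

    def record_success(self, user):
        """A correct password clears both the counter and any lockout."""
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

    def max_guesses_per_hour(self):
        """Worst case for the defender: the attacker burns all allowed failures
        instantly, then must wait out the lockout before the next batch."""
        return self.max_failures * 3600 / self.lockout_seconds


def replay(policy, attempts):
    """Replay (user, timestamp, password_correct) tuples against the policy.
    Returns (checked, blocked): how many attempts reached the password check
    and how many were refused outright because the account was locked."""
    checked = blocked = 0
    for user, ts, ok in attempts:
        if policy.is_locked(user, ts):
            blocked += 1
            continue
        checked += 1
        if ok:
            policy.record_success(user)
        else:
            policy.record_failure(user, ts)
    return checked, blocked


# Constructed sample: eight wrong guesses one second apart, then the real
# user logs in correctly well after the lockout has expired.
SAMPLE_ATTEMPTS = [("alice", t, False) for t in range(8)] + [("alice", 1000, True)]

if __name__ == "__main__":
    policy = LockoutPolicy()
    print(replay(policy, SAMPLE_ATTEMPTS))          # (6, 3): guesses 6-8 never reach the check
    print(policy.max_guesses_per_hour())            # 20.0 guesses/hour against one account
```

The counter is keyed on the account, so it slows a brute-force of one account (20 guesses an hour here) but does nothing against an attacker trying one password across many accounts, and it hands anyone who knows a username an easy way to lock the legitimate owner out. In practice it is paired with per-source rate limiting and alerting on the lockout events themselves, which turns the deterrent into a detective control as well.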

3 Answers

5

There are a number of different control types; to name a few, there are Deterrent, Preventative, Detective, Corrective, and Compensating controls. The idea is that each type of control specializes in providing a different type of security.

In the case of your padlock, that would fall under a deterrent control, since it is something intended to be noticeable and keep people away. Other examples would be a sign that warns people of a guard dog, visible security cameras, etc. Basically anything that can delay or deter an attack.

Preventative controls are in place to stop something from happening, so again the lock would fall into this category as well.

The best practice is to layer security across many different control types (and vendors) to mitigate the chances of an attack being successful. However, there is no such thing as risk elimination; you can only reduce risks to an acceptable level as much as possible.

The main point is that the security should cause an attacker more trouble than the data inside is worth, i.e. not worth the effort. Although I'm sure that there are probably people out there that would enjoy a challenge purely for the sake of it rather than for the potential data that they could get to.

In the case of IT Security, placing warning signs on login to say that a user will be prosecuted would be classed as a deterrent.

If you saw two bikes, one with a big and heavy lock, and one with a small old-looking lock, and you wanted to steal a bike, which one would you choose?

Further Explanation

To explain this further we can break Deterrence controls into sub-categories:

  1. Technical
  2. Physical
  3. Administrative

I'll explain each one individually below.

Technical

Technical controls that would deter a would-be attacker are quite limited, given that the purpose of all deterrent controls is simply to try and stop someone from attempting to attack. For technical controls we can use warning signs on login pages, a proxy server that redirects to warn users a certain site is restricted, etc. It doesn't go any further than this though.

Physical

Physical controls are anything that would make it look difficult to attack. Things like a high fence, visible cameras, floodlights, etc. would all be classed as physical deterrence controls. Signs that state that areas are off limits would be another.

Administrative

Administrative controls contain policies, guidelines and standards. For example, a strict security policy that states severe consequences for violation would fall under this category. Training for awareness would also be an example here.

In summary, anything that makes a target look more difficult without actually implementing anything to stop them is classed as a deterrence control. There is usually some overlap, especially with preventative controls, because things like a locked door or a high fence can fall under both categories.

If you want some further reading on the other types of access controls here is a short blog from a CISSP study guide that explains them quite well: http://cisspstudy.blogspot.com/2007/05/types-of-access-control.html

Connor J
  • 1,464
  • 8
  • 11
  • Thanks for the definition of the different types of security. The point of having the warning on the login screen. I completely agree with the two bikes. However, what I was intending on asking was at any point does any IT security aside from that warning sign constitute "deterrent" controls? If I was not clear with that in my question, please let me know so I can clarify. – krillgar Jul 24 '18 at 16:48
  • @krillgar so just to clarify then, when you say IT security - do you mean purely technical precautions that only exist on the computer? Or do you mean anything that would affect security in an IT environment? Just want to be able to answer your question as best I can! – Connor J Jul 25 '18 at 11:30
  • I'm thinking technical stuff, but if you have other pieces, please! – krillgar Jul 25 '18 at 11:32
  • "warning signs on login to say that a user will be prosecuted" would just tell whoever running the site is stupid/incompetent, because it suggests the site is relying on legislation as part of its defence which is a hopeless idea. Good luck prosecuting the thousands of automated vulnerability scanners or kids across the world trying to break into your infrastructure. – André Borie Jul 26 '18 at 08:52
  • @krillgar updated to answer your question a bit better! – Connor J Jul 26 '18 at 09:57
  • 1
    @AndréBorie The answer is targeted at what a deterrent technical security control is, in reality it's not going to stop someone, that would fall under the other categories, which is outside the scope of this answer. – Connor J Jul 26 '18 at 10:00
4

1: I don't see [deterrent methods] being completely comparable in the realm of IT security

They are definitely used. Some of them are implied, some are not. You can often find security posters around office buildings with pictures of guys in hoods and advice on locking your computer when you walk away. (This is a deterrent for the employees). Obviously launching an internal Phishing scheme will get you fired (implied).

And you will often see websites touting their security solutions as a way of broadcasting that they are more difficult to breach than some other site, and also to make customers feel more secure. Internal datacenters often have warning signs on them, as do employee-only areas and critical infrastructure: "warning high voltage" on the door to the NERC CIP certified electrical demarc that you would have to really try hard to get electrocuted in.

But does it work? Well...

2: If someone is more intent on getting into your system, at what point do all of our security practices start to deter the attackers?

In my experience, at no point. Locking the door on your car doesn't stop a professional car thief: they expect that. Motivated hackers will use warnings etc. as guides, as information leakage, as a clue to where to start and where the crown jewels are hidden. If someone has decided to engage in illegal activity, a warning that something is illegal and has consequences is meaningless.

3: Does showing you require upper/lower/number/special characters deter more people?

Also no, in my experience. It actually helps identify the hash masks to use. So if a site says they require an 8 character password with a number and a symbol, I know that probably 50% or more are in the format [Name][date][symbol] and are 8 characters. That is not good to broadcast, and I can build my attacks based on it. Saying nothing means I might start at 6 characters and then work up to 7 and 8, etc.

schroeder
bashCypher
  • 1
    Thanks! That was pretty much what I was thinking as well. As I read your answer, I was also thinking about [the LifeLock guy broadcasting his SSN as proof of their security](https://www.wired.com/2010/05/lifelock-identity-theft/). While not a deterrent, it's bragging of how good their security is, which could be making the strength of their system "more visible". As I alluded to in my question, we all know how well that worked for that guy. – krillgar Jul 24 '18 at 18:16
  • I agree too that this could be flagged as Opinion Based. If that does, I think I have a good way to reword it. – krillgar Jul 24 '18 at 18:18
  • 2
    @krillgar Yes, agreed on LifeLock example. My company refuses to let our security vendors say we have them for any reason (it would be good for their marketing). We don't want to help out the bad guys. – bashCypher Jul 24 '18 at 18:21
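The information-leakage point in the answer above (point 3), quantified as an added example that is not part of the answer or its comments: counting by inclusion-exclusion how many candidate passwords remain once a site publishes "exactly 8 characters, at least one digit and one symbol", compared with saying nothing and leaving 6 to 8 characters of any kind open. Character-class sizes assume the 95 printable ASCII characters (26 lower, 26 upper, 10 digits, 33 symbols); the function names are assumptions, and the brute-force check on a toy alphabet is there so a reader can verify the counting formula rather than trust it.

```python
from itertools import combinations, product

# Assumed character classes: the 95 printable ASCII characters.
PRINTABLE = 95
DIGITS, SYMBOLS = 10, 33


def keyspace_any(min_len, max_len, alphabet=PRINTABLE):
    """Candidates when nothing is disclosed: every string of min_len..max_len."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def keyspace_requiring(length, required, alphabet=PRINTABLE):
    """Strings of exactly `length` over an alphabet of size `alphabet` that
    contain at least one character from each class in `required` (given as
    class sizes). Inclusion-exclusion: subtract strings missing one class,
    add back strings missing two, and so on."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(excluded)) ** length
    return total


def brute_force_count(length, classes):
    """Exhaustive cross-check of keyspace_requiring on a toy alphabet.
    `classes` is a tuple of disjoint strings, one per required class."""
    alphabet = "".join(classes)
    return sum(
        1 for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in classes)
    )


def disclosure_ratio(length=8, required=(DIGITS, SYMBOLS), undisclosed=(6, 8)):
    """How many times smaller the candidate set becomes once the policy
    (fixed length plus required classes) is published, relative to an
    undisclosed policy that could allow any 6- to 8-character string."""
    return keyspace_any(*undisclosed) / keyspace_requiring(length, required)


if __name__ == "__main__":
    # Toy alphabet "ab1!" with three classes: a hand count gives 3! * 2 = 12.
    print(keyspace_requiring(3, (2, 1, 1), alphabet=4), brute_force_count(3, ("ab", "1", "!")))
    print(f"{keyspace_requiring(8, (DIGITS, SYMBOLS)):.3e} candidates under the published policy")
    print(f"{keyspace_any(6, 8):.3e} candidates when nothing is disclosed")
    print(f"ratio {disclosure_ratio():.2f}")
```

Under these assumptions the published composition rule removes a little under half of the 6-to-8-character space (the ratio comes out around 1.8), so most of what such a banner gives away is the exact length rather than the class requirement. The larger leak the answer describes, users converging on one predictable structure like [Name][date][symbol], is a property of how people satisfy the rule, not of the rule itself, and is the reason the answer treats the announcement as information leakage rather than deterrence.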
1

Visible deterrence only works if someone actually sees it.

A lot of attacks these days are automated and won't care about your deterrence. The remainder are either script kiddies - about whom you don't have to worry if you have any halfway reasonable security - or targeted attacks, which are unlikely to be deterred either, as they are typically skilled enough to see your deterrence simply as a challenge, one more hurdle to overcome.

IT Security works as a great deterrent in one other area: Compliance.

Many laws, courts, liability questions, stakeholders, etc. etc. require that you "do something" about IT Security. None of them have any objective measurement of what "effective", to use just one favorite term, actually means. In many cases, there are bundles of reasons why something visible needs to be done about security, and why it might even be preferable over an invisible, but more effective, measure.

Tom