User:Blittrell1/sandbox

Security Control Distance
Security Control Distance (SCD), in simple terms, is the distance between a vulnerability and its corresponding compensating control. In a conceptual view of a computer system or security architecture this can be expressed as the number of hops along the path from the compensating control to the vulnerability. Since environments differ from one company to another, the same Security Control Distance may introduce higher risk in some environments than in others. The concept is not designed to be a quantitative evaluation of security effectiveness, but it may be combined with qualitative analysis to derive a quantitative figure for a specific environment.

Although there may be many gradations of Security Control Distance, a useful general breakdown is Zero SCD, Short SCD, Medium SCD and Long SCD.

Zero Security Control Distance:
Zero Security Control Distance simply means that the vulnerability has been fixed; that is, the compensating control was to remove the vulnerability. In the case of a hypothetical ssh-based vulnerability, it may be that ssh was completely removed from the system, or that the ssh service was patched to remove the vulnerability.

Short Security Control Distance:
A Short Security Control Distance may be where a system with a service vulnerability has a compensating control in the form of the host firewall blocking the port used to reach the vulnerability, or where the host is directly connected to a router or firewall that actively blocks access to that port. There is still a risk of the vulnerability being compromised, as a malicious actor may be able to subjugate the host or the directly connected router or firewall. This is less likely, but it is possible, so it would not evaluate to a Zero SCD.

Medium Security Control Distance:
A Medium SCD is where the compensating control is not on, or directly connected to, the vulnerable device. An example is a Demilitarized Zone (DMZ) in which other systems are present alongside the vulnerable one. Due to the distance from the compensating control, typically a firewall of some kind, the likelihood of the vulnerability being exploited increases: the other hosts within the DMZ are inside the protective "shell" of the compensating control and are therefore free to exploit the vulnerability directly.

Example:
Assume a web server and an ssh server are sitting in a DMZ. The ssh server has a vulnerability, but it is only used as a bastion host for accessing the web server from the internal network, so the compensating control is to block all traffic from the Internet to that ssh server. Although the distance from compensating control to vulnerability is only 1 hop, the vulnerability is now exposed to every host in the DMZ; an attacker may therefore be able to subjugate the web server, then pivot and compromise the ssh vulnerability.

Long Security Control Distance:
A Long SCD is one where the compensating control is more than 1 hop away from the vulnerability. This may expose the vulnerable service to exponentially more devices that may be able to take advantage of that vulnerability.

Example:
An internal server on a standard server network may have a vulnerability in the ssh service it runs; most clients are 2 or more hops away, on multiple networks at varying distances from the server. Placing an ACL on a client network would usually equate to a Long SCD, as there are multiple points to traverse between the security control and the vulnerability, and each of these points introduces a vector along which an attack may travel, increasing the likelihood of a successful attack. If the ACL were placed closer to the server, such as on the router directly in front of it, this would protect against the vectors from the client networks but still leave the other servers and services in the Local Area Network able to exploit the vulnerability, lowering the SCD to Medium. Similarly, a host-based firewall would reduce the SCD to Short.
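As an added illustration (not part of the original page), the following Python models a small constructed network as segments, computes the hop distance from a compensating control to the vulnerable service, and lists the hosts that can still reach that service without crossing the control; it then classifies the DMZ bastion scenario and the internal-server scenario described above. All device names and the classification rule are assumptions of this example.

```python
from collections import deque

# Constructed topology for this example: each segment lists the devices that
# talk to each other directly; routers and firewalls sit in several segments.
SEGMENTS = {
    "internet":   {"internet", "edge_fw"},
    "dmz":        {"edge_fw", "web", "ssh_bastion"},
    "server_lan": {"server_router", "ssh_bastion", "app_server", "db_server"},
    "backbone":   {"server_router", "client_router"},
    "client_lan": {"client_router", "client1", "client2"},
}


def adjacency(segments):
    # Undirected graph: devices sharing a segment are one hop apart.
    graph = {}
    for members in segments.values():
        for dev in members:
            graph.setdefault(dev, set()).update(members - {dev})
    return graph


def hops(graph, src, dst, blocked=frozenset()):
    """Shortest hop count from src to dst avoiding blocked devices; None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in graph[node] - blocked - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def exposed_hosts(graph, vulnerable, controls):
    """Devices that can still reach the vulnerable service without crossing a control."""
    return {d for d in graph if d != vulnerable and d not in controls
            and hops(graph, d, vulnerable, frozenset(controls)) is not None}


def security_control_distance(graph, vulnerable, control=None, patched=False):
    """Classify SCD as (class, hops from control, exposed devices); rule is an assumption."""
    if patched:                      # vulnerability removed: nothing left to reach
        return "Zero", 0, set()
    distance = hops(graph, control, vulnerable)
    exposed = exposed_hosts(graph, vulnerable, {control})
    if distance == 0 or (distance == 1 and not exposed):
        kind = "Short"               # host firewall, or directly attached filter with no other neighbours
    elif distance == 1:
        kind = "Medium"              # e.g. perimeter firewall with other DMZ hosts inside its shell
    else:
        kind = "Long"                # control more than one hop away
    return kind, distance, exposed
```

The exposed set is the practical output: it is the list of hosts whose compromise would place an attacker inside the control's shell, which is what the hop count alone does not show.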

Practical Use of SCD:
Defining SCD allows for a qualitative assessment of the varying distances to services within an infrastructure, which in turn allows a quantitative evaluation of SCD to determine the risk level.