The Importance of Keeping Security Controls Up to Date
Today I am visiting the DMV for the second time in my quest to exchange my out-of-state license for a Texas driver's license. Like many others, I didn't have all the required documentation with me during the first visit. Part of Texas' licensing process is to verify the applicant's SSN. Acceptable documents included a Social Security Card and various other documents such as a W-2, a pay stub, or a variety of other documents and ID cards with the SSN displayed.
The IRS document I provided during my first visit wasn't accepted. I pointed out to the person helping me that most of the other listed documents and ID cards no longer show Social Security Numbers due to identity theft concerns – my current and former employers didn't list SSNs on their employee documents, and the only option would be the actual Social Security Card.
So I am returning today with a decades-old card that is easily replicated. After investigating Nigerian fraud organizations for a few years, I saw how anyone with a color printer, some heavy linen paper, and an X-Acto knife could easily duplicate a Social Security card.
Security controls are safeguards or countermeasures that avoid, detect, counteract, or minimize security risks. Every control put in place can be quantified by two measures: how much it decreases risk, and how much "friction," or inconvenience, users experience when they encounter it. By insisting that the actual Social Security card be presented to conduct transactions, this control creates a great deal of friction while lowering the risk of identity theft only slightly. The requirement would have been far more effective years ago, before high-quality color printers became commonplace.
Security controls fall into one of the following categories:
- Physical controls: doors, locks, security cameras
- Procedural controls: incident response processes, management oversight, security awareness and training, background checks for personnel who handle critical systems
- Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls
- Legal and regulatory controls: policies & standards
Controls can also be classified by when they act relative to an incident:
- Before the event: preventative controls are intended to stop an incident from occurring (an example is locking out unauthorized users)
- During the event: detective controls are intended to identify and characterize an incident in progress (an example is sounding the intruder alarm and alerting the appropriate personnel, such as system administrators, security guards, or law enforcement)
- After the event: corrective controls are intended to limit the extent of damage caused by an incident (such as restoring a system to normal working status as fast as possible)
Types of security controls that can easily fall out of date
ActiveX controls - ActiveX was a popular technology several years ago, making it possible for websites to provide certain types of content, such as videos and games, and allowing users to interact with certain types of elements in the browser, such as toolbars. Unfortunately, too many ActiveX controls exposed unsafe functionality.
Account passwords - Relying only on rotating passwords on a schedule, or allowing simple passwords, exposes accounts to easy compromise. Complex passphrases are a step in the right direction, but Multi-Factor Authentication (MFA) should be used to protect access to sensitive data. Implementing MFA is one of the most cost-effective security controls in the face of ever-increasing cyber threats.
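As an added illustration of the MFA control mentioned above (example code written for this post's topic, not code from the post or any particular product), here is a minimal time-based one-time-password (TOTP) verifier following RFC 6238 with the usual defaults assumed (HMAC-SHA1, 30-second step, 6 digits). The two details worth noticing on the verifying side are the small drift window, which keeps friction low when clocks are slightly off, and the `last_counter` check, which refuses to accept a code a second time while it is still inside that window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length most authenticator apps use


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: Optional[int] = None,
                window: int = 1, last_counter: int = -1) -> Tuple[bool, int]:
    """Return (accepted, counter_used).

    Accepts the code for the current 30-second step and +/- `window` neighbouring
    steps to tolerate clock drift, but never a counter at or below `last_counter`,
    so a code that was already used cannot be accepted again while it is still
    inside the drift window. The comparison is constant-time.
    """
    secret = base64.b32decode(secret_b32.upper(), casefold=True)
    now = int(time.time()) if unix_time is None else unix_time
    current = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0 or counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    ok, used = verify_totp(demo_secret, "287082", unix_time=59)
    print("first use accepted:", ok, "counter:", used)
    print("replay accepted:", verify_totp(demo_secret, "287082", unix_time=59, last_counter=used)[0])
```

In a real deployment the secret and the last accepted counter are stored per user, and `verify_totp` runs only after the password check has passed.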
Obsolete software - Software needs to be continually updated and patched to reduce security vulnerabilities. But what happens when software stays in use after the manufacturer discontinues support and patches and updates are no longer available? Transitioning to newer software may provide operational gains while increasing resilience.
Obsolete products - Most consumers move to new products every few years. Industrial Control Systems, by contrast, are often kept in service for decades, so organizations must ensure that compensating controls are put in place to safeguard their infrastructure.
Even if your client organization has developed the most comprehensive set of security controls, those controls are effective only as long as the environment stays static. As soon as change happens within the environment (which will inevitably happen), the controls need to be reevaluated. When the organization rolls out a new process, technology, or operating procedure (such as allowing employees to work from home due to COVID-19), it needs to assess whether the inherent risk its business faces has increased and update its internal controls accordingly. Personnel who are Certified Information Security Auditors (CISA), Certified Protection Professionals (CPP, through the American Society for Industrial Security (ASIS)), or certified Physical Security Professionals (PSP, through ASIS) can carry out this work.
To mitigate risk effectively on an ongoing basis, a sustainable compliance program is needed to monitor new risks, test and document controls, and guide remediation efforts.