The Importance of Keeping Security Controls Up to Date
Today I am visiting the DMV for the second time in my quest to exchange my out-of-state license for a Texas driver's license. Like many others, I didn't have all the required documentation with me during the first visit. Part of Texas' licensing process is to verify the applicant's SSN. Acceptable documents included a Social Security card and various others, such as a W-2, a pay stub, and other documents or ID cards with the SSN displayed.
The IRS document I provided during my first visit wasn't accepted. I pointed out to the person helping me that most of the other listed documents and ID cards no longer show Social Security Numbers due to identity theft concerns – my current and former employers didn't list SSNs on their employee documents, and the only option would be the actual Social Security Card.
So, I am returning today with a decades-old card that is easily replicated. After investigating Nigerian fraud organizations for a few years, I saw how anyone with a color printer, some heavy linen paper, and an X-Acto knife could easily duplicate a Social Security card.
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks. Every control put in place can be quantified in the level of risk it decreases and the amount of "friction," or inconvenience experienced by users when they encounter the control. With the insistence that the actual Social Security card is provided to conduct transactions, this control created a great deal of friction while lowering the risk of identity theft only slightly. This requirement would have been more effective years ago, before the widespread use of high-quality color printers.
Industrial Control Systems can become increasingly vulnerable to cyber threats during their life span.
Security controls could fall into one of the following categories:
Physical controls: doors, locks, security cameras
Procedure controls: incident response processes, management oversight, security awareness and training, background checks for personnel who handle critical systems
Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls
Legal and regulatory controls: policies & standards
Security controls can also be classified according to the time that they act, relative to a security incident:
Before the event: preventative controls are intended to stop an incident from occurring (for example, locking out unauthorized users)
During the event: detective controls are intended to identify and characterize an incident in progress (for example, sounding the intruder alarm and alerting the appropriate personnel, such as system administrators, security guards, or law enforcement)
After the event: corrective controls are intended to limit the extent of damage caused by an incident (for example, restoring a system to normal working status as fast as possible)
Types of security controls that can easily fall out of date
ActiveX controls - ActiveX was a popular technology several years ago, making it possible for websites to provide certain types of content, such as videos and games, and allowing users to interact with certain types of elements in the browser, such as toolbars. Unfortunately, too many ActiveX controls exposed unsafe functionality.
Account passwords - Changing passwords only on a rotational schedule, or allowing simple passwords, exposes accounts to easy compromise. Complex passphrases are a step in the right direction, but Multi-Factor Authentication (MFA) should be used to protect access to sensitive data. Implementing MFA is one of the most cost-effective security controls available against an ever-increasing cyber threat.
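As an added example (not code from the original post), the following Python login flow enforces the two controls this paragraph recommends: a length-based passphrase policy in place of rotation, and a TOTP second factor (RFC 6238) built only from the standard library. The 14-character minimum, the PBKDF2 work factor, and the five-entry weak-password list are assumptions chosen for the demonstration; the `enroll` and `login` functions are hypothetical helpers, not an API of any product.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed, illustrative list of weak passwords the policy rejects;
# a real deployment would screen against a much larger breached-password set.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ROUNDS = 100_000   # assumed work factor for the password hash
TOTP_STEP = 30            # RFC 6238 default time step in seconds


def passphrase_ok(pw: str, min_len: int = 14) -> tuple:
    """Return (accepted, reason). Favors length over character-class rules."""
    if pw.lower() in WEAK_PASSWORDS:
        return False, "appears in the weak-password list"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def enroll(pw: str, totp_secret: bytes = None) -> dict:
    """Apply the passphrase policy, hash the password, and issue a TOTP secret."""
    accepted, reason = passphrase_ok(pw)
    if not accepted:
        raise ValueError(f"passphrase rejected: {reason}")
    salt, digest = hash_password(pw)
    return {"salt": salt, "digest": digest,
            "totp_secret": totp_secret or secrets.token_bytes(20)}


def login(record: dict, pw: str, code: str, now: int) -> str:
    """Both factors must pass; a stolen or guessed password alone is not enough."""
    if not check_password(pw, record["salt"], record["digest"]):
        return "denied: password"
    if not verify_totp(record["totp_secret"], code, now):
        return "denied: second factor"
    return "granted"


if __name__ == "__main__":
    import time
    rec = enroll("correct horse battery staple")
    now = int(time.time())
    print(login(rec, "correct horse battery staple", totp(rec["totp_secret"], now), now))
```

The one-step drift window and the constant-time comparisons are the parts worth copying: the window keeps legitimate users from being locked out by a slightly skewed authenticator clock, and `hmac.compare_digest` keeps response timing from leaking how much of a password hash or code matched. Checking the password first and returning early is only safe here because both failures are reported to the caller as denials; a production service would apply the same rate limiting to both branches.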
Obsolete software - Software needs to be continually updated and patched to reduce security vulnerabilities. But what happens when software continues to be used after the manufacturer discontinues support and patches and updates are no longer available? Transitioning to newer software may provide operational gains while increasing resilience.
Obsolete products - Most consumers transition to new products every few years. Industrial Control Systems are often kept in service for decades, and organizations must ensure that compensating controls are put in place to safeguard their infrastructure.
Even if your client organization has developed the most comprehensive set of security controls, those controls are effective only as long as the environment stays static. As soon as a change happens within the environment (which will inevitably happen), the organization will need to reevaluate its controls. When the organization rolls out a new process, technology, or operating procedure (such as allowing employees to work from home due to COVID-19), it needs to assess whether the inherent risk that the business faces has increased and update its internal controls accordingly. Personnel who are Certified Information Security Auditors (CISA), Certified Protection Professionals (CPP, through the American Society for Industrial Security (ASIS)), or certified Physical Security Professionals (PSP, through ASIS) can carry out this endeavor.
A sustainable compliance program is needed to monitor new risks, test and document controls, and guide remediation efforts to mitigate risks effectively and on an ongoing basis.