
Security Controls: Understanding How They Fail Can Improve your Security

Pin tumbler locks have six basic features: the plug, driver pins, key pins, springs, the shear line, and a housing that holds all the features together.

When the correct key is inserted into one of these locks, it lifts each key pin so that the gap between the key pin and the driver pin above it lines up with the shear line; with no pin straddling that line, the plug is free to rotate and the lock opens. Understanding how the mechanism works, and the controls that make it function, also shows how those controls can be bypassed and what vulnerabilities come with using a given type of lock.

While thieves and those with malicious intent might practice the art form, lockpicking is also a competitive sport for enthusiasts around the world. And it’s practiced by many security practitioners who want to understand how a security device can be compromised, allowing them to be creative about how those vulnerabilities might be addressed by other means.

“I teach IT people to pick locks—not that picking locks is important, but once you understand the rules of a security system, you can apply something else to bypass them,” says Jake Williams, executive director of cyber threat intelligence at SCYTHE and known as @MalwareJake on Twitter.

This is a mind-set that attracts many people to the cybersecurity workforce—the desire to understand how a system, such as a computer network, operates; how it can be compromised; and how it can be better secured.

Typically, this means identifying risks and implementing controls—like those in the pin tumbler lock—to prevent those with malicious intent from gaining unauthorized access. But often, security practitioners and organizations are unable to effectively communicate what those risks are.

For instance, the Ontic 2022 Mid-Year Outlook State of Protective Intelligence Report, a survey of 400 C-suite leaders at U.S. companies, found that departments often assess and investigate similar threats independently of each other, through different lenses and with different priorities. Respondents also lacked a common definition of what a threat was and of the measures in place to reduce it, leading to missed threats that negatively impacted the organization.

Further analysis of respondents' answers revealed that roughly one-quarter of executives (26 percent) said they anticipate missing at least 51 percent of threats by the end of 2022, with another 31 percent estimating they will miss between 26 and 50 percent of threats before those threats cause harm or damage.

And even when practitioners do share a unified view of what the risks are, they don't always implement, or fully understand, the security controls in place to address them. This is a dynamic Williams is familiar with.

“Most of my commercial career has been in investigating incident response,” says Williams, who previously worked for the U.S. government and is a certified Master Network Exploitation Operator, an instructor for the SANS Institute and IANS, and the CTO of BreachQuest. “Consistently, I would go in and say, ‘Here’s what we think is happening. I need this data to confirm it.’ And people would say, ‘You’re wrong—we have a security control that would stop this.’”

And yet, the evidence that Williams analyzed would say otherwise. This often led to charged conversations because there was a misunderstanding about the security control in place and how effective—or not—it was.

Simply because a security control exists “doesn’t mean that you deployed it correctly. It doesn’t mean that an update that was made didn’t change it,” Williams adds. “Way too often, folks I work with deploy controls and assume they’ll work.”

This is a flawed approach, and Williams intends to discuss it and provide guidance on it in his keynote address at GSX 2022. Some of these insights will be based on his experience working at SCYTHE, an adversary emulation platform that enables red, blue, and purple teams to build and emulate real-world adversarial campaigns. Customers can then use the results to validate the risk posture and exposure of their business and employees, and the performance of their security teams and existing security tools.

“We don’t focus as much on indicators of compromise,” Williams tells the GSX Daily. “I have to go a few steps further than that and think about how those indicators come to live on a machine, and then once we have those indicators what steps do we need to take to get them there?”

All of this requires a depth of understanding of what security controls are in place, what behaviors they are meant to address, and what happens if those controls fail.
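The harness below is an added illustration of the validation Williams describes, not code from the article, from SCYTHE, or from Williams. It models a deployed control (an egress filter with first-match rules) and a handful of emulated adversary behaviors with the outcome the control is assumed to produce, then replays them against the ruleset as originally deployed and again after a later change inserted a broad allow rule above the denies. The rules, flows, and the "change ticket" are all constructed for the example; the point is that the control still exists on the second run, yet two of the behaviors it was meant to stop now pass.

```python
"""Control validation: does the egress filter still block what we assume it blocks?

Added example (not from the article or any vendor). Rules and flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches every destination port
    dst: str                 # "internal", "external" or "any"


@dataclass(frozen=True)
class Flow:
    name: str       # label for the emulated adversary behaviour
    proto: str
    dst_port: int
    dst: str


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins, as in most packet filters; fall through to default."""
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        if r.dst not in ("any", flow.dst):
            continue
        return r.action
    return default


# Emulated adversary behaviours and the outcome the control is assumed to produce.
CASES: List[Tuple[Flow, str]] = [
    (Flow("smb-to-internet", "tcp", 445, "external"), "deny"),
    (Flow("rdp-to-internet", "tcp", 3389, "external"), "deny"),
    (Flow("https-to-internet", "tcp", 443, "external"), "allow"),
    (Flow("dns-to-resolver", "udp", 53, "internal"), "allow"),
]

# The control as originally deployed (constructed ruleset).
ORIGINAL_RULES: List[Rule] = [
    Rule("deny", "tcp", 445, "external"),
    Rule("deny", "tcp", 3389, "external"),
    Rule("allow", "tcp", 443, "external"),
    Rule("allow", "udp", 53, "internal"),
]

# The same control after a hypothetical change ticket added "allow all outbound TCP"
# at the top of the chain. Every original rule is still present; none of the denies
# can be reached any more.
UPDATED_RULES: List[Rule] = [Rule("allow", "tcp", None, "external")] + ORIGINAL_RULES


def validate(rules: List[Rule], cases: List[Tuple[Flow, str]] = CASES) -> List[str]:
    """Replay each emulated behaviour; return one line per outcome that differs
    from what the control is assumed to do. An empty list means the assumption held."""
    failures = []
    for flow, expected in cases:
        got = evaluate(rules, flow)
        if got != expected:
            failures.append(f"{flow.name}: expected {expected}, got {got}")
    return failures


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("after update", UPDATED_RULES)):
        failures = validate(rules)
        print(f"{label}: {'control holds' if not failures else failures}")
```

Run stand-alone it reports the original ruleset as holding and lists the two blocked behaviors that now succeed after the update. The same shape (expected outcome per emulated behavior, replayed on a schedule rather than once at deployment) applies to detection rules, EDR policies, and identity controls; the control's existence is never the evidence, the replayed outcome is.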

In his keynote, Williams says he hopes to give an overview of this dynamic and discuss the importance of validating the controls within your own security systems. Knowing how to bypass them might, in turn, enable you to build stronger ones, just as lock-picking locksmiths do.

For more insights from Jake Williams, listen to his keynote address during the GSX general session on Tuesday, 13 September, at 8:30 a.m. ET. A livestream of his remarks will be provided for GSX Digital attendees.

Megan Gates is editor-in-chief of the GSX Daily and senior editor of Security Management. Connect with her at [email protected]. Follow her on Twitter: @mgngates.