Validating Your Security Controls: How and Why it Matters
Hackers backed by the Chinese military breached consumer credit reporting agency Equifax in 2017, carrying out what was then known as the largest theft of personally identifiable information (PII) ever committed by state-sponsored actors.
The hackers were able to obtain addresses, birth dates, Social Security numbers, and other data on approximately 145 million Americans, as well as individuals from Canada and the United Kingdom. A subsequent investigation by the Federal Trade Commission (FTC) revealed that Equifax had failed to secure the PII stored on its network, which made it easier for the hackers to gain access to its systems.
One of the reasons the hackers were able to get so much data off Equifax’s network was a “failure in security controls,” said Jake Williams, director of cyber threat intelligence at SCYTHE, in his keynote address at GSX 2022.
“They had security controls in place. They broke down on process…and that killed their technology,” Williams explained, adding that Equifax’s systems were not configured properly due to a process failure that did not renew its certificates.
And that process failure, followed by the data breach, led to Equifax settling with the FTC for $575 million—potentially up to $700 million—along with compensating consumers who bought credit or identity monitoring services from Equifax or other third parties because of the incident. The FBI also issued indictments, charging four Chinese military-backed hackers in connection with the attack.
While the Equifax breach was a unique incident with high-stakes players, the lack of security control validation is an all-too-common issue. Williams walked attendees through why security controls matter, the importance of validating security control efficacy, and guidance on how to initiate this process within your own organization.
Why Security Controls Matter
At its most basic level, a security control is a safeguard or countermeasure designed to meet a defined set of security requirements to protect the confidentiality, integrity, and availability of an asset, according to the National Institute of Standards and Technology (NIST).
In the physical realm, these security controls are easy to spot. They’re the locks on exterior doors and the badge system in place at GSX 2022. They’re put into place to limit access to a facility and authenticate that the individuals inside are meant to be there.
These security controls also exist in the cyber realm. They could be password requirements for logins, firewalls, limits on the number of administrative accounts, or system monitoring to alert analysts to an issue. Or they could be a cybersecurity control, like a unique password requirement, to manage physical security devices that are connected to a network, such as an access control system.
But sometimes the reasons for implementing cybersecurity controls are not as clear as they are in the physical realm. And sometimes they're initiated to meet compliance or contractual requirements, instead of to achieve a defined security goal, Williams explained.
Why Validation of Controls is Important
While walking the exhibit hall on Monday, Williams said he came across a demonstration video of a crew of approximately 10 people conducting a forced entry test on a door, taking turns attempting to break it down with a sledgehammer. Despite whacking away, they were not able to breach the door.
“We were looking at real world testing to make sure the device—in this case the door—operates as intended,” Williams said.
This same process is required when validating that cybersecurity controls are deployed and work as they were designed to. This means that once a control is developed and implemented, it needs to be tested—just like that door—to ensure it’s working properly, such as blocking network traffic from certain countries or alerting an analyst to unusual activity.
Some organizations might have this skillset in-house, but others will need to contract someone with the ability to break cybersecurity controls, such as cyber professionals or ethical hackers. This may require additional resources because these abilities are in high demand, Williams said.
And while validating that the security control itself works as intended is important, ensuring that the human response process is working is more critical.
“If you don’t have an AI system to automatically identify what’s going on in your cameras, you’re dependent on the people monitoring the CCTV to say, ‘Oh, that’s bad,’” Williams added. “But that’s not where it stops. They not only have to see it, they have to respond.”
Once a security control is in place, working properly, and backed by a response process, organizations should continue to maintain it, even if they’re not receiving regular alerts that someone is attempting to breach that control.
“You’d never pull out a sprinkler system from your environment just because you hadn’t had a fire this year,” Williams said, adding that the same is true for cybersecurity controls. “We should not be talking about pulling out the last line of defense.”
Implementing this Process
To confirm—or initiate—the validation of security controls at your organization, Williams recommended meeting with your cybersecurity team to talk about the controls they have in place, how they are validating them, and ensure that the response is a holistic one.
If security controls aren’t in place, explore measures to implement them based on the security outcome you’re attempting to achieve. Then, put them in place, communicate with your colleagues what the controls are and when they will be tested, and validate that they work. If the control is not deployed as designed, Williams said it should be fixed and then retested to ensure that the process is working.
Additionally, Williams recommended reviewing the MITRE ATT&CK matrix—a taxonomy of how cyber threat actors carry out certain activities—and using tools like Caldera or Atomic Red Team to conduct better security control validation. He also suggested reading The Hacker Playbook to better understand the mindset of the adversary.
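The validation loop Williams describes (test the control, check that it did what it was designed to do, confirm a human responded, fix and retest anything that was not deployed as designed) can be written down as a small harness. The following is an added example, not code from Williams, SCYTHE, or any of the tools named above. It models two of the controls mentioned in the article, a firewall rule meant to block traffic from certain countries and a monitoring rule meant to alert an analyst on unusual activity, and exercises each with constructed test input. The firewall rules, log format, IP addresses, country code `XX`, and analyst names are all constructed; the ATT&CK technique IDs T1190 and T1110 are real identifiers used only as labels on the tests.

```python
"""Minimal security-control validation harness (added example, not the
article's or SCYTHE's code). All rules, log lines and names are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# --- Control 1: geo-blocking firewall (simulated policy engine) ----------

@dataclass
class Firewall:
    # Each rule is (source country code or "*" for any, action). First match wins.
    rules: List[Tuple[str, str]] = field(default_factory=list)

    def decide(self, src_country: str) -> str:
        """Return 'allow' or 'deny' for traffic from src_country."""
        for country, action in self.rules:
            if country in ("*", src_country):
                return action
        return "allow"  # no rule matched: default allow, a common misconfiguration

# --- Control 2: failed-login alerting (simulated detection rule) ----------

def failed_login_alerts(log_lines: List[str], threshold: int = 5) -> List[str]:
    """One alert per source IP with at least `threshold` failed logins.

    Constructed log format: '<ts> sshd: Failed password for <user> from <ip>'
    """
    counts: Dict[str, int] = {}
    for line in log_lines:
        if "Failed password" in line:
            ip = line.rsplit(" from ", 1)[1].strip()
            counts[ip] = counts.get(ip, 0) + 1
    return [f"brute-force suspected from {ip} ({n} failures)"
            for ip, n in counts.items() if n >= threshold]

# --- Validation harness ----------------------------------------------------

@dataclass
class ValidationResult:
    control: str
    technique: str      # ATT&CK technique the test emulates (label only)
    expected: object    # outcome the control was designed to produce
    observed: object    # outcome the test actually produced
    responded: bool     # did a human acknowledge the alert or outcome?

    @property
    def passed(self) -> bool:
        # The technology must do what it was designed to do AND the human
        # response process must fire; either failure alone fails the control.
        return self.expected == self.observed and self.responded

def validate(control: str, technique: str, expected: object,
             test: Callable[[], object], acknowledged_by: str = "") -> ValidationResult:
    """Run one test against a control and record whether anyone responded."""
    return ValidationResult(control, technique, expected, test(),
                            responded=bool(acknowledged_by))

def run_validation() -> Dict[str, bool]:
    """Exercise both controls, including the fix-and-retest loop.

    Returns {scenario name: passed}.
    """
    results: Dict[str, bool] = {}

    # Firewall as found: the deny rule for country XX was never deployed
    # (a process failure), so only the default allow rule exists.
    fw = Firewall(rules=[("*", "allow")])
    r1 = validate("geo-block", "T1190", expected="deny",
                  test=lambda: fw.decide("XX"), acknowledged_by="analyst-1")
    results["geo-block (as found)"] = r1.passed

    # Fix: insert the missing deny rule ahead of the default allow, then retest.
    fw.rules.insert(0, ("XX", "deny"))
    r2 = validate("geo-block", "T1190", expected="deny",
                  test=lambda: fw.decide("XX"), acknowledged_by="analyst-1")
    results["geo-block (after fix)"] = r2.passed

    # Detection rule: constructed auth log with six failures from one IP.
    log = [f"2024-01-01T00:00:{i:02d} sshd: Failed password for admin from 198.51.100.7"
           for i in range(6)]
    log.append("2024-01-01T00:01:00 sshd: Accepted password for bob from 192.0.2.10")
    alerts = failed_login_alerts(log)

    # The rule alerted, but nobody acknowledged it: the control still fails.
    r3 = validate("failed-login alert", "T1110", expected=1,
                  test=lambda: len(alerts), acknowledged_by="")
    results["login alert (no response)"] = r3.passed

    # Same alert with an analyst acknowledging it: the control passes.
    r4 = validate("failed-login alert", "T1110", expected=1,
                  test=lambda: len(alerts), acknowledged_by="analyst-2")
    results["login alert (with response)"] = r4.passed
    return results

if __name__ == "__main__":
    for scenario, ok in run_validation().items():
        print(f"{'PASS' if ok else 'FAIL'}  {scenario}")
```

The point of the `responded` field is Williams' CCTV observation: a control that fires but that nobody acts on is scored as a failure, so the harness records the human step alongside the technical outcome. Running the script prints two FAIL lines (the geo-block as found, and the alert with no response) followed by the two PASS lines after the fix and after acknowledgement.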
“Think about those forced entry tests—where someone would hand you a sledgehammer to beat on the door,” Williams said. “People that know where to beat on that door can break it down faster. These books teach that methodology.”
Megan Gates is editor-in-chief of the GSX Daily, which is published by Security Management. Connect with her at [email protected]. Follow her on Twitter: @mgngates.