Once you’ve determined the risks a given organisation or IT system is likely to face, you can start to deploy appropriate and proportionate controls to mitigate them. However, having all the controls in the world is worthless if they’re not implemented properly.
Take the control depicted in the photo below:
This control is designed to mitigate the risk of unauthorised personnel opening a door and interfering with what’s inside (in this case, it’s a large public building’s gas meter – clearly something worth defending).
Ignoring for one moment the possibility of circumventing the control entirely (by smashing through the door or something), what can we say about how this control has been implemented?
- It’s got a nice chunky padlock. It’ll take me a while to saw through that one, and I’m all fingers-and-thumbs with my lockpicks.
- It’s got a decent bolt, too. Again, I’ll be hacksawing for a good while to get through that.
- There are dome-headed bolts on the right hand side. I won’t be able to remove those easily.
- But there are ordinary cross-headed screws on the left hand side, so I can defeat this control in its entirety with nothing more sophisticated than a screwdriver.
If the control had been implemented differently (with dome-headed bolts on the left hand side too) it would have better achieved its control objectives by forcing an adversary to be better equipped in terms of tools (big boltcutters vs. pocket screwdriver) or skills (lockpicking). In short, fewer adversaries would have been in a position to even try to defeat the control.
Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk