You are the weakest link – goodbye!

Once you’ve determined the risks a given organisation or IT system is likely to face, you can start to deploy appropriate and proportionate controls to mitigate them. However, having all the controls in the world is worthless if they’re not implemented properly.

Take the control depicted in the photo below:

This control is designed to mitigate the risk of unauthorised personnel opening a door and interfering with what’s inside (in this case, it’s a large public building’s gas meter – clearly something worth defending).

Ignoring for one moment the possibility of circumventing the control entirely (by smashing through the door or something), what can we say about how this control has been implemented?

  • It’s got a nice chunky padlock. It’ll take me a while to saw through that one, and I’m all fingers-and-thumbs with my lockpicks.
  • It’s got a decent bolt, too. Again, I’ll be hacksawing for a good while to get through that.
  • There are dome-headed bolts on the right-hand side. I won’t be able to remove those easily.
  • But there are ordinary cross-headed screws on the left-hand side, so I can defeat this control in its entirety with nothing more sophisticated than a screwdriver.

If the control had been implemented differently (with dome-headed bolts on the left-hand side too), it would have better achieved its control objectives by forcing an adversary to be better equipped in terms of tools (big boltcutters vs. a pocket screwdriver) or skills (lockpicking). In short, fewer adversaries would have been in a position to even try to defeat the control.

As it is, I’ll be keeping a keen eye out for Handy Manny and Felipe. You never know when cartoon characters will go rogue and perpetrate some heinous crime…


Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)dataline.co.uk
