Blog on SOA - Technologies and Trends

Avi Rosenthal


The Chain is as strong as the weakest link in the chain

The title describes a security principle: the easiest and most likely breach is through the weakest link.

Lessons learned from the few penetration tests I conducted support this principle.

It is true that there is no way to assure absolute security (for a deeper explanation of why, see the web site of the well-known security guru Bruce Schneier).

Any security mechanism can be broken by someone who has the expertise and spends enough resources (including time).

But it is also possible to breach security without expertise, spending few resources and very little time: just exploit the weakest link.

As part of a penetration test, I always looked for simple, unsophisticated ways to penetrate rather than using very sophisticated methods.

Such methods can be used by anyone, unlike the sophisticated ones, which only a limited group of very talented experts can apply.

What is the weakest link?

In my experience it is the human factor.

For example, consider password mechanisms. You may deploy a very sophisticated password pattern, a frequent password change cycle enforced automatically and a reasonable suspension mechanism for inactive users, but if users stick notes with their passwords on their screens (or on other visible objects), these good mechanisms are futile. A worse pattern was demonstrated by an incident I experienced while conducting a penetration test.

Prior to that meeting, I had discovered a user whose authorization went far beyond his role's requirements. In front of the CSO I asked him for his password, just to demonstrate that the unneeded authorization could be misused. Instead of keying in the password, he wrote it on a note and handed it to me. I am quite sure that many employees lacking security awareness training would give their passwords to unauthorized people (a well-known phishing method is sending an e-mail message carrying a bank logo or eBay's PayPal logo and asking the recipient to type their password into a form). If the unauthorized people are, or pretend to be, employees of a respected organization (e.g. a research institute, a market analysis firm, a well-known software brand or a consulting company), then the probability of disclosing information is higher.
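The two paragraphs above describe controls that are worth checking mechanically even though they cannot fix the human factor: a password change cycle, suspension of inactive users, and the over-authorized account found before the meeting (entitlements beyond what the role requires). The following is an added example, not code from the original post; it audits a constructed, hypothetical list of accounts against a hypothetical role-to-entitlement model and the two age thresholds, and reports every deviation so an administrator can act before a penetration tester (or a phisher) finds it.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role model: the entitlements each role legitimately needs.
# Anything an account holds beyond this set is "authorization beyond role".
ROLE_ENTITLEMENTS = {
    "clerk": {"orders.read", "orders.create"},
    "manager": {"orders.read", "orders.create", "orders.approve", "reports.read"},
    "dba": {"db.admin", "db.backup"},
}

# Hypothetical policy thresholds (the post does not state concrete values).
MAX_PASSWORD_AGE_DAYS = 90   # password change cycle
MAX_INACTIVE_DAYS = 60       # inactive accounts should already be suspended


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    password_set: date   # when the current password was last changed
    last_login: date     # last successful authentication
    active: bool = True  # False means the account is already suspended


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def excess_entitlements(acct):
    """Entitlements the account holds that its role does not justify."""
    allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
    return sorted(acct.entitlements - allowed)


def audit(accounts, today):
    """Return one Finding per policy deviation on every active account."""
    findings = []
    for a in accounts:
        if not a.active:
            continue  # already suspended; nothing to enforce
        extra = excess_entitlements(a)
        if extra:
            findings.append(Finding(a.user, "entitlements beyond role", ",".join(extra)))
        pw_age = (today - a.password_set).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(a.user, "password older than policy", f"{pw_age} days"))
        idle = (today - a.last_login).days
        if idle > MAX_INACTIVE_DAYS:
            findings.append(Finding(a.user, "inactive account not suspended", f"{idle} days idle"))
    return findings


# Constructed sample data for the demonstration (not real users).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "clerk", {"orders.read", "orders.create"},
            date(2024, 4, 1), date(2024, 5, 30)),
    # clerk holding approve + db.admin, with a password unchanged since January
    Account("bob", "clerk", {"orders.read", "orders.create", "orders.approve", "db.admin"},
            date(2024, 1, 1), date(2024, 5, 28)),
    # manager who has not logged in for months but is still active
    Account("carol", "manager", {"orders.read", "reports.read"},
            date(2024, 5, 1), date(2024, 2, 1)),
    # stale dba account that was correctly suspended: no finding expected
    Account("dave", "dba", {"db.admin"},
            date(2023, 1, 1), date(2023, 6, 1), active=False),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{f.user:8} {f.issue:32} {f.detail}")
```

Running the block as written reports bob twice (extra entitlements and a 152-day-old password) and carol once (121 days idle without suspension); alice and the already-suspended dave produce nothing. In a real environment the account list would come from a directory export and the role model from the HR or IAM system, which is exactly where the over-authorized user in the story should have been caught.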

For more on the effect of representing a respected organization, read about the classic psychological experiment conducted by Milgram many years ago.

This experiment is depicted in a YouTube video.

How weak is the weakest link?

It is even weaker than I expected. Recently I read eWeek's Brian Prince post titled "You are the weakest link", and found that in a survey of 967 end users (sponsored by IronKey) roughly half of the respondents said that their corporate data security policies are largely ignored by both employees and management. The severity of the policy violations varied.

For example, 61% admitted to copying confidential data and transferring it to a non-corporate device, and more than 20% had turned off security controls such as anti-virus software, desktop firewalls and enterprise device encryption.

My Take

It is clear that the weakest link is human beings. Expensive and complicated security software is not enough.

The question to be asked is: why?

Part of the answer is human nature, but the other part could be reduced or eliminated.

As the survey found, more than half (58%) of the respondents said they felt their companies did not provide adequate training on following the rules, and 46% said the policies were too complex to understand.

The key to good enough security is awareness, awareness and awareness.

An adequate, down-to-earth security policy may also help.


More Stories By Avi Rosenthal

Avi has over 30 years of experience in IT across a wide variety of technology platforms, including application development, technology selection, application and infrastructure strategies, system design, middleware and transaction management technologies, and security.

Positions held include CTO for one of the largest software houses in Israel as well as the CTO position for one of the largest ministries of the Israeli government.