Schneier on Security
A blog covering security and security technology.
December 17, 2005
Security is only as strong as the weakest link.
Posted on December 17, 2005 at 10:21 AM
• 21 Comments
I'll remember this the next time my company's CSO says the old "people are our weakest link" line again.
This may also mean that werewolves shop exclusively at Wal-Mart, but the market research on that is unfinished.
"I'll remember this the next time my company's CSO says the old 'people are our weakest link' line again."
Your CSO is right.
Perhaps oW/VAge wanted to address the fact that CSOs often tend to overtrust tools and not hire top-notch people.
As much as I share the same view as you, Bruce, maybe we should take it into account.
Funny comic. I remember when the car "club" came out. It was supposed to lock onto the steering wheel and prevent it from spinning around so you can steer. It was made of the strongest cut proof steel and the lock, if I remember, was one of those expensive lock pick proof types. Most criminals either brought their own steering wheel and replaced the locked one, or cut through the steering wheel and removed the locked "club" intact.
Whew, I managed to actually climb down off my high horse *before* I posted a comment - after I initially read the quote in the first comment and Bruce's reply as...
"The old people are our weakest link" as referring to old people...
'cause I tell you, it was gonna be a real scathing comment.
Actually I was thinking of organisations that either leave copies of IIS running unpatched, or companies that do knee-jerk rollouts of patches and service packs which then cause application compatibility problems, eliminating one vulnerability at the expense of needed functionality.
Or perhaps I wanted to stimulate conversation by being intentionally vague.
And no, the "old people" are not our weakest link, unless they happen to be old CSOs that buy expensive steel chains, while the old facilities manager buys cheap chairs, while the old HR director does their best to turn ordinary people into werewolves. That cartoon is not an accident - it's a team effort. :-)
"'cause I tell you, it was gonna be a real scathing comment."
And some people say that punctuation is unimportant.
"Actually I was thinking of organisations that either leave copies of IIS running unpatched, or companies that do knee-jerk rollouts of patches and service packs which then cause application compatibility problems, eliminating one vulnerability at the expense of needed functionality."
Organisations do none of these things, people do.
The real weakness of the Club was that criminals rapidly learned you could buy a $1.99 can of aerosol chiller from Radio Shack complete with a handy injector nozzle, dump the entire can into the lock (about 30 seconds), give the lock one good smack with a hammer, and it would shear and fall off.
"Security is only as strong as the weakest link" seems to apply well to older security models like perimeter security, however 'defense in depth' would controvert that axiom. In defense in depth I expect layers to fail yet not subvert the overall strength of our security.
A lot of people say you can break a Kryptonite bike lock by freezing and whacking it. However, people who have actually tried it find it just doesn't work (Jobst Brandt for one). I'm highly skeptical that it would work on a Club either.
Club lock - I use one - it adds a second layer of defence to my car... instead of just needing a screwdriver in the ignition, they also need to be tooled up with a saw, freon or a spare steering wheel... so they nick my neighbour's car instead.
For a £5 lock, I think I get a good return... it's not perfect security, it's just raising the bar...
In response to "Can I freeze a Kryptonite lock and break it?", here is the answer from the manufacturer of the Kryptonite lock.
Q: What locks can be broken with freon or any other freezing materials? How long will it take and how much will it take?
A: This is one of the most common misconceptions that there is about how to defeat a Kryptonite lock. We hear many accounts of this type of attack, yet have never spoken to anyone who has first hand knowledge about breaking a Kryptonite lock with a freezing agent. People are perhaps intrigued by this method because it seems like something James Bond would do. However, freon is a highly controlled substance that is harder to get than most illegal drugs. That is not to say that freezing will not break a lock, but it would require a very controlled situation. If you get steel cold enough, it does become very brittle, but it is very difficult to make this happen.
That's true, provided you don't have some method of bypassing all the security in one hit (like downloading a 0-day exploit using HTTPS).
Defence-in-depth is having multiple fences one behind the other. Not much use if you tunnel under all of them.
I guess you could use the reworded version : "Security is only as strong as the weakest link in the longest chain".
I once lost the key to my Kryptonite lock. Took about one minute to cut it off with the ceramic cutting disk attachment on a cordless Dremel-type tool.
Yeah the freezing substance I heard of was liquid nitrogen. Kind of inconvenient to carry around. But you can break clubs with proper leverage.
The best tool is a lock that goes on your brake column. Unlike the steering wheel, the brake column is generally a solid, metal, mechanical linkage for safety and reliability reasons. And even the most drug-addled thief realizes that driving a car without brakes is not a good idea.
I've seen a picture of a car whose owner forgot to unlock the brake pedal (and it was locked to the steering wheel).
So the accelerator worked but not the brakes and the steering :-o
The brake pedal locks don't stop a tow truck though, so it probably won't deter most car theft rings. The device stops the joy rider type of car thief however they might just break into your car and steal the radio and rip out your airbag instead.
I'm gonna give the freon thing a try tomorrow. You see, company cars are hard to come by where I work. I work at night so I've been taking a car from a unit that only works during the day (they got careless and I made a copy of the key!). One of the higher up bosses saw me parking the car one night and laughed, telling me that they know someone is using their car but they don't know who. Well, came to work today and found they put the club on it!! Can't let them think they got the best of me! Going to be funny when they come in to work in the morning and find the club on the floor all broken up! Hope the freon trick works!!!!!
Followed the suggestion of using a Dremel tool with carbide disk on an automobile hitch-pin lock and it came off like gangbusters. Thanks for the suggestion.