Archive

Posts Tagged ‘Oxymoron’

Security by Encryption

February 18, 2011 2 comments

In The Security Oxymoron, I wrote about the possibility of an individual introducing security measures that seem inheriently reasonably but, when analysed, offer no additional security and at times even an increase in an organisation’s vulnerability.

An example is often more useful than a mere concept. The overall story is fictional, but I promise that the individual parts have been observed over the course of many years. It starts with the Datafile, a file whose existence was essential to the smooth running of the company, and were it to end up in an outsider’s hands the result could be catastrophic.

To ensure that the Datafile was stored as securely as possible, the following security mechanism was put into place:

  1. The Datafile was stored in a folder on the local network, accessible to all individuals in the company.  No ACLs were placed on the file, as the security enhancements that followed were deemed to be sufficient.
  2. The data in the file was securely encrypted (AES) with a passphrase, using a third party tool freely available on the Internet. The only access to the data would then be through this tool.
  3. For security, the chosen passphrase was around 20 characters, consisting of numbers and mixed-case letters. The downside of this was that the passphrase was meaningless and thus unmemorable for any individual in the company.
  4. To work around this, the password had been printed out onto strips of paper (little larger than the passphrase itself, printed at 14pt), and distributed to people’s desks by hand.
  5. An office move meant that the majority of employees lost their strips of paper. Nobody noticed.
  6. Because of the security in place, it was decided that no monitoring was required to ensure that the file was not, for example, copied onto a USB stick and taken to off-site where the same third party tool could be download and the easily-lost passphrase used to decrypt it with.

The suggestion that all encryption be dropped as counter-productive, and the file kept as plaintext secured with ACLs, was deemed ‘too risky’.

Categories: Security Tags: , ,

The Password Spreadsheet

February 16, 2011 Leave a comment

Is a company’s efficiency worth the loss of its security?

Companies exist, for the most part, to make money. The more efficiently a company can run, the more money it has the potential to make. It is management’s responsibility to lead this efficiency, and to decide how this efficiency can be achieved. Often it is through simple streamlining of existing processes, but occasionally decisions are made that can lead to compromises in other areas.

One such compromise is the Password Spreadsheet, common to a large number of companies. Safe enough in small companies, which are driven by trust and talent, but a danger in large ones.

The reasoning behind the spreadsheet’s existence is simple enough, and is generally caused by the strength of the security that exists within the systems that the company is responsible for. The MD of a client has phoned to complain about an issue with their system and needs it investigating immediately; unfortunately, the person taking the call has no access. This is flagged as an issue, and (as with all problems in large companies) heads upwards throught the management chain with all the speed that a zombie attack lacks.

Eventually, it arrives at someone who realises that this might be a wider problem; after all, the company has a number of different client systems that different people might need access to in the future. Security takes second place behind ensuring that the business is kept as efficient as possible, as the decision is made that all user accounts for all systems should be stored in one location for everyone to access.

Next time the call comes through, the company may be able to react slightly faster. But the cost of that ability is security; not of the company’s own systems, but of those that are entrusted to it.

Categories: Security Tags: , , ,

The Security Oxymoron

February 14, 2011 4 comments

Many years ago, Bruce Schneier coined the term ‘security theater’ to describe situations in which an impression of security was being given without any additional security actually being given. His examples often center around airports and the steps they make passengers – their customers – go through despite the complete lack of evidence that any improvement in the security is being offered.

I’m no Schneier (no beard for starters), but am hereby coining a new term: Security Oxymoron. It describes security measures so convoluted that they end up reducing security instead of enhancing it.

For consistency, the individual who designs such a process should hereafter be referred to as the Security Moron.

Categories: Security Tags: ,