Good advertising stays with you. Few security ads really stick with me, because I know there's typically a large disconnect between what marketing says the product can do and what it really does in a live environment. That said, one ad from a couple of years ago still stands out today. The ad showed the front view of a medieval knight, heavily armored and ready for combat. He appeared very intimidating. The message was "I am impenetrable and ready for battle." When viewed from behind, however, the knight's entire rear was completely exposed, revealing white boxer shorts speckled with little red hearts. There are several ways to interpret this: "Make sure your defense is complete," "Watch your back!", etc. The message I'd like to underscore, however, is "things aren't always as they appear." (And some weaknesses are really embarrassing and painfully obvious!)
I trust you don't have any partially clad knights running through your organization. But you do have safeguards that give the appearance of being "secure." There's visible security, from "guards, guns, and dogs," firewalls, IPS, and AV, to softer items like a well-structured marketing program that promotes privacy and confidentiality to clients and stakeholders. There's also emotional security, the feeling that develops through exposure to security buzzwords and statements like "We have a firewall...", "We passed our audit...", "We value security...", "Customer privacy is our #1 priority..." Security erodes over time, and simply saying security is a priority doesn't make it one. Both the visible and the emotional aspects make you feel good, but as the partially protected knight demonstrates, there's more than meets the eye.
I was once faced with a very secure data center door during a security assessment for a $500M+ retail company. The door boasted a hand geometry reader, PIN access, and proximity card components. Quite nice -- visually. I quickly sized up the door, grabbed my library card ("old faithful") from my wallet, and took a step toward the door. The security manager chuckled and said, "That door's been reviewed by our PCI auditor! It's secure!" Less than three seconds later, I was in the data center. After hearing the F-bomb conjugated seven different ways, the manager sighed and exclaimed, "An alert should have been recorded by the facilities management software." Minutes later, we were explaining to the facilities manager how I had penetrated the most sensitive area in the building using my library card. He checked the system for an alert. Nothing! The system only records when the door's components are used as expected, not when they are bypassed entirely.
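The gap the facilities manager found, a system that logs only the expected path through the reader, is something you can check for yourself if the door has evidence of opening that does not come from the reader. The following Python is an added example, not from the original post or from the facilities software described in it. It assumes a door-contact sensor that reports open/close events independently of the reader, and it uses a log format I constructed for illustration. It flags any door-open event that was not preceded by an access grant on that door within a short window, and treats each grant as good for a single opening, so a second open on one read (tailgating) is also flagged.

```python
"""Correlate door-contact events with reader grants to catch a bypassed door.

Added example; the event format and the presence of a door-contact sensor
are assumptions, not details from the original post.
"""
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, door_id, event, detail).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:02", "DC-01", "ACCESS_GRANTED", "badge=1042"),
    ("2024-05-01T09:00:04", "DC-01", "DOOR_OPENED", ""),      # covered by grant
    ("2024-05-01T09:00:09", "DC-01", "DOOR_CLOSED", ""),
    ("2024-05-01T09:30:15", "DC-01", "DOOR_OPENED", ""),      # no read at all
    ("2024-05-01T09:30:18", "DC-01", "DOOR_CLOSED", ""),
    ("2024-05-01T09:45:00", "DC-01", "ACCESS_GRANTED", "badge=1042"),
    ("2024-05-01T09:45:03", "DC-01", "DOOR_OPENED", ""),      # covered by grant
    ("2024-05-01T09:45:06", "DC-01", "DOOR_OPENED", ""),      # second open, grant used
]

# How long after a grant a door-open is considered explained by it.
GRANT_WINDOW = timedelta(seconds=10)


def find_unexplained_opens(events, window=GRANT_WINDOW):
    """Return (timestamp, door_id, reason) for every DOOR_OPENED event that is
    not explained by one unused ACCESS_GRANTED on the same door within `window`.
    """
    pending_grant = {}  # door_id -> time of an unused grant
    alerts = []
    for ts, door, event, _detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "ACCESS_GRANTED":
            pending_grant[door] = t
        elif event == "DOOR_OPENED":
            granted = pending_grant.pop(door, None)  # a grant covers one opening
            if granted is None:
                alerts.append((ts, door, "door opened with no grant on record"))
            elif t - granted > window:
                alerts.append((ts, door, "door opened long after the last grant"))
    return alerts


if __name__ == "__main__":
    for alert in find_unexplained_opens(SAMPLE_EVENTS):
        print(*alert)
```

Run against the constructed log it reports two alerts: the 09:30:15 open with no read at all, and the 09:45:06 open that reused a grant already consumed three seconds earlier. The point of the design is that the alarm condition comes from a sensor the attacker did not interact with; a system that only records reader activity cannot, by construction, see a door that was opened around the reader.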
Key takeaway: Things aren't always as they appear. Don't trust your emotions or the emotions of others. Search for facts. Once you've found them, schedule another search. Assess, remediate, manage, and educate.