Richard Parry, one of the best risk managers who used to work at JP Morgan Chase, said once about a security solution: “…it’s like placing a turnstile in the middle of the desert.”
What does this mean in risk management?
Let’s go back to the bicycle example again to see what could go wrong with that security solution. Remember, every risk management solution has three layers:
Logical, Implementation and Process/Procedure.
I could use a very good lock to protect my bicycle, made of the most hardened steel. I can lock the chain very well around the pole I chose. I can take the key with me and not leave it hanging on my bicycle for “convenience”.
What could go wrong with my solution?
As the pole is placed in the ground, say into a concrete surface – it could sit very snugly in the hole into which it is inserted. When I try to move the pole sideways and shake it, it “seems” sturdy and unmovable. However, I could completely miss the fact that this pole can easily be pulled upwards and taken out of the ground… rendering my solution useless.
This would count as placing a turnstile in the middle of the desert. Why? I expect all the users and attackers to follow the same path I tested, and get stuck in my turnstile. I expect them to make themselves known when they arrive, and follow my “scripted” path.
However, crooks do not try to enter through the turnstile you set – they try to enter the way that provides them the goods, in this case the bicycle.
When we port this example to the Internet, we can ask users when they log in to select a VERY hard password. Say, 20 characters, with upper/lower case letters, some numerical and special characters. However, if we also have a path called “Forgot Your Password?” and in that path all we ask for is the last four digits of their social security number… then we are allowing the solution to become a turnstile in the middle of the desert – as crooks will simply go around it.
This leaves our good customers with the pain of remembering the long password, and the inconvenience that it comes with – yet not with the security it connotes.
Another example is to allow a user to call into your call center and, by analyzing their Caller ID (ANI number), assume it is the customer. If the crook can fool the ANI system and “spoof” the number of the user, they have effectively circumvented your 20-character password policy.
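The password-reset and call-center examples above share one lesson: an account is only as strong as the weakest path that reaches it. The following is an added example (not from the original post) that models each authentication path by the number of guesses an attacker needs, treats a spoofable check such as Caller ID as zero strength, and flags every recovery path weaker than the primary login; the path names, the 94-symbol printable alphabet and the guess spaces are assumptions chosen to match the post's numbers.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthPath:
    """One way to get into the account (login, reset flow, phone channel)."""
    name: str
    guess_space: int        # possibilities an attacker must search to pass this path
    spoofable: bool = False  # True when the check can be faked outright (e.g. Caller ID)

    def bits(self) -> float:
        """Effective strength in bits; a spoofable check contributes nothing."""
        if self.spoofable or self.guess_space <= 1:
            return 0.0
        return math.log2(self.guess_space)


def password_space(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of a fixed length over a given alphabet."""
    return alphabet_size ** length


def weakest_path(paths: list[AuthPath]) -> AuthPath:
    """The path a crook will actually use: the one with the least strength."""
    return min(paths, key=lambda p: p.bits())


def effective_bits(paths: list[AuthPath]) -> float:
    """Real protection of the account: the minimum across all paths."""
    return weakest_path(paths).bits()


def audit(paths: list[AuthPath], primary: str) -> list[str]:
    """Names of every alternate path weaker than the primary login ("turnstiles")."""
    primary_bits = next(p for p in paths if p.name == primary).bits()
    return [p.name for p in paths if p.name != primary and p.bits() < primary_bits]


# Constructed sample matching the post: 20-char password, 4-digit SSN reset, ANI check.
PATHS = [
    AuthPath("login", password_space(20, 94)),              # upper/lower/digits/specials
    AuthPath("forgot-password", 10 ** 4),                   # last four digits of SSN
    AuthPath("call-center-ani", 1, spoofable=True),         # Caller ID can be spoofed
]

if __name__ == "__main__":
    for p in PATHS:
        print(f"{p.name:16s} {p.bits():7.1f} bits")
    print("weakest path:", weakest_path(PATHS).name, "->", effective_bits(PATHS), "bits")
    print("paths weaker than login:", audit(PATHS, "login"))
```

Running it shows the 131-bit login reduced to 0 bits of real protection by the spoofable phone channel, and the 13-bit reset flow flagged alongside it.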
Another example is how some prisoners hide in laundry baskets and sneak out of prison. If they went through the gates, doors, man-traps and other hardware and processes – they would be accounted for. By hiding in the laundry, they effectively turn the prison security solution into a turnstile in the middle of the desert.
Read more in Chapter 5