Fantasy security

Got any pointless ‘security’ policies, procedures or features you want to get off your chest?
Here are some of my current ‘insecurity-masquerading-as-security’ things.

First a simple example from joinery.
Its standard to fit a lock to a hardwood external door about half way up. Some bright spark realised that many doors get kicked in so some people began fitting knee high locks as ‘additional security’. Sadly they got it completely wrong – the best place for an additional lock on an external hardwood door is 3/4 height. That way the door just flexes when kicked and absorbs much of the energy. Putting the lock at knee height transfers the force straight to the jamb often causing it to split. Overall knee height locks make it easier to force an entry not harder – fantasy security.

Next an office mangement example – clear desk policy.
If you need to keep paper off the desks at night for security reasons then you have security problems that are too big to be solved by simply locking paperwork in a drawer. If non trusted people have access to your offices then the paperwork is the least of your worries. For example inserting a hardware key logger on a keyboard cable is simple and unobtrusive. Clear desks are fantasy security.

A hardware example.
One UK financial institution had a significant confidential data loss via a USB pen drive. Now some spotty dweeb has decreed that all USB drives should be disabled to ‘improve data security’. Of course people can still email large files of sensitive data to external email addresses, or maybe upload via FTP to a web server. A better solution would be to work harder to minimise the sensitivity of the data people need, for example by substituting codes for names, addresses and card details. Now people who need access to these files are either sending them over an open internet connection, or storing them for longer than before – fantasy security.

And of course a couple of spreadsheet examples (Excel specific)
Workbook open passwords – these encrypt the actual spreadsheet, making it hard to impossible to recover from file corruption. Microsoft don’t see this as a security feature, they would prefer we rely on the rich permissions based security model of NTFS, and I would agree with them.
Worksheet protection – I’ve ranted about this before, but as it stops people from tracing precedents etc it prevents them from fully understanding the sheet contents. How does being unable to confirm logic improve information security? Spreadsheets are not secure (and I’m glad about that), worksheet protection does not make them more secure. But it may lead to misplaced trust. To me its total fantasy security.

I was going to go on about some flight (fantasy) security stuff, but I’ll save that for another day.

What security fantasies are bothering you at the moment?

cheers

Simon
 

Advertisements

2 Responses to “Fantasy security”

  1. MikeC Says:

    Not spreadsheet-related, but one that I see a lot of.

    I’m a keen martial artist, having studied for some 20 years. I keep seeing people offering “Self-Defence” classes that last a couple of hours to a day, and apparently teach someone “all they need to know” to look after themselves in a real-life situation.

    I can’t accurately describe how misleading this is whilst using polite language.

    I’ve seen a large number of people who’ve attended one of these, got themselves into some trouble, and then found out that what they were taught in that session 2 years previously (that they haven’t practiced since!) doesn’t actually do them any good when it comes to it. So, now, they want to learn properly.

    The “fantasy” part of this is that a lot of people who attend these courses leave with the illusion that they are able to defend themselves should they ever need to without needing to do anything else. The reality, of course, is very, very different.

  2. Marcus Says:

    Not long after 9/11, at one bank, senior executives revoked access to the floor on which they worked which (until that time) I had access to. Their logic failed me – were they protecting themselves or their data? Their data, which they saw on their screens was in fact 20 kms away on secure file servers. A few appropriate work requests would gain electronic access to large portions of their data. If they were protecting themselves, could you please explain how the ‘lolly man’ (you know the guy who comes around selling chocolates and sweets) got access to their floor every Friday afternoon. Access cards are useless when you can blatantly ‘shadow’ some one on to a floor. I might get questioned 1 in 20 entries.

    Another I mentioned a few threads ago. I ran a DOS batch file to get an audit of all the Access databases and Excel spreadsheets on a server. DOS wrote the list to a text file. Most of these files I could ‘not’ get access to via Windows Explorer. So much for network security. If a DOS batch file can detect files Windows wont grant me access to – will it also allow me to copy them?

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: