It was the night of the masquerade ball, and the security professionals had left their rooms for a night of carousing and revelry.
I dressed and went to collect my date for the evening, a few levels up in the Royal Pines Resort on Queensland’s Gold Coast. It was AusCERT 2010.
She wore a grin as she opened the door. She had the master room key.
While the others confabbed and gossiped, I considered the possibilities.
Hundreds of empty rooms, and nothing linking me to the key. No one had seen me arrive and the cleaner had left the key many hours earlier.
Obviously, I did nothing, but the irony of a security breach at Australia’s biggest security conference was not lost on me.
It highlights the fallibility of users and is a reminder that humans are often the weakest point in a security system.
You can implement the latest zero-day-detecting, malware-rejecting, access-subjecting platform and it will all go to hell if your staff stick their passwords to the computer.
Or hand their access card to a journalist.
But they can be the strength too. Cryptography god Bruce Schneier once proved this point with the scenario of a real-life gaol break.
He wrote that a prisoner had escaped by tiptoeing around a tripwire system; the tripwire had replaced the guard on sentry duty. So where does the blame lie?
Prisoners, hackers and disgruntled employees are a dynamic threat, and humans, with their powers of observation and critical thought, are a dynamic defence.
The guard could have spotted the prisoner’s escape, while the tripwire had a single defence and a single, constant point of failure.
As one senior security veteran told me over a beer that night, scoffing at the “new kids and their toys”, the chief problem in security has remained the same for decades — educating stupid users.