What’s your organisation’s most glaring cyber vulnerability? Patch management? Third party vendor risk? An incomplete configuration management database? Most of the IT and security leaders I ask this of have an answer ready at hand given how often they’re asked the question by their own executives. The thing is … all of their answers are wrong. Every time. The correct answer (I tease) is “the vulnerability that our team currently doesn’t know exists.”
What I mean by that is that all of us – every organisation, no matter how small – has blind spots. Critically underserved places, processes, and people that are dangerously exposed. We haven’t “hardened” those weak spots because we’re blissfully unaware of their existence. This is a universal truth in cybersecurity … and one that most professionals don’t want to discuss. Why? Because admitting that we have blind spots makes us seem weak and ineffective.
It shouldn’t. Societally, we take for granted that no mortal is omniscient, yet we (as an industry) run our “strategic governance programs” as if we are omniscient and our tools are omnipotent. That level of hubris never ends well, just ask a classics major. Speaking of university studies, I have a true story about this principle that I use when I teach cybersecurity to kids. Feel free to borrow it (embellishing as needed) when talking to your upper management.
My university had a policy that all students were required to live on campus during their first three years of school. Freshmen were sequestered in dormitories reserved exclusively for their ilk, while sophomores and above lived in “upperclassmen housing” … much of which was in poor condition back when I was an undergrad. Students with pull (money cough, cough) monopolized the renovated facilities, leaving the Korean War era dorms for the rest of us.
We lived in two-person rooms that shared a loo with another two-person room to make a “suite.” Having come to the school directly from a 50-man bay on an Army base, I’d thought the arrangement was quite pleasant. Get yourself a good roommate and dorm life wasn’t half bad.
For my junior year, my mate Pete and I were allotted a second-floor room in a three-storey brick structure atop a cliff. Back in the 80s, the dorm was completely clapped out. I’d lived in neglected WW2 barracks that were in better shape. Nonetheless, the old dorm came with a decent amenity: a concrete slab balcony that ran the length of the South side, overlooking the athletic fields at the bottom of the cliff below. Our dorm was located at the midpoint between all the near-campus and far-campus living areas, so friends were constantly passing by.
My first understanding of physical security blind spots came late one Sunday afternoon after a three-day stint of manoeuvres with the corps of cadets. I’d limped back to the dorm covered in filth, barely awake, and aching all over. First things first, I cranked up the stereo to keep myself conscious and threw myself under a hot shower. Trouble was, between the splashing water and the loud music, I couldn’t hear Pete banging the on the front door. He’d misplaced his keys.
While I was towelling off and thinking about scrounging dinner, Pete was next door asking our reclusive suitemate to let him pass through the shared loo back over to our side. I had no idea this was happening; I couldn’t hear their convo through the concrete walls and didn’t hear the loo door swing open because of the stereo. I didn’t know Pete was there in the room with me until he tapped me on the shoulder.
We both learned some important lessons in the violent seconds that followed. First, our room’s security was only as good as the security habits of our suitemate. He could let anyone he liked into our locked room without us knowing, making him a prime candidate for social engineering. Second, I learned to never play music louder than a knock could be heard over if I’m expecting visitors. Third, Pete learned that I am an extremely twitchy person and do not like surprises. Tired as I was, I almost took Pete’s head clean off his shoulders. We’ve been mates for thirty years, and he’s never since tried getting my attention any closer than two metres distance.
We laughed about the mix-up it once the red haze dissipated and my heart got back below 200 bpm. That said, all wasn’t forgiven. We had traditions! I’d need to frighten my mate as good as (or better than) he’d frightened me to even the score. As predicted, Pete didn’t make that easy. He knew all too well what was coming and so made it a habit to always keep the room door and the newly repaired loo door closed and locked whenever he was alone. Points for foresight.
Too stubborn to quit, I hatched a plan that Pete wouldn’t see coming. A few days later, I sent a mutual friend round to start a conversation in the doorway while I climbed the balcony rail and supports on the first floor up to our deck. I slipped silently in through our unsecured balcony door. After that, it was easy to ninja my way up behind Pete and let loose a barbarian’s war cry. Score settled, we had a laugh, Pete changed trousers, and we went out for a pint.
We all learned something from that second episode, too: just because our room was five meters above the foot path (and a good thirty metres up a cliffside) did not mean we were impervious from a balcony side physical attack. Anyone with enough chutzpah could climb the struts and break into any room that left a balcony door or window open. From that point forward, we habitually secured those, too, every time we didn’t want visitors or were leaving the room unoccupied.
In retrospect, our problem had been that we’d been thinking about physical security from far too narrow a perspective: that of access being exclusively a function of the front door. It was only after we’d given one another an awful fright that we reconsidered our threat landscape and how an adversary might exploit our blind spots. We didn’t even think about implementing countermeasures until after the vulnerability was exploited. This is completely normal.
What can we learn from some (almost) harmless undergraduate pranks? Bluntly, that we’re all blind to vulnerabilities that we haven’t yet perceived as such. This is why, I believe, every organisation large enough to afford it should either build in-house or contract an outside penetration tester to run multiple benign attacks on their own infrastructure. Challenge your “red team” to break in, so you can use their successes to re-evaluate your team’s mental model of your threat environment. You’ll almost certainly find vulnerabilities that you never knew existed… vulnerabilities that were obvious to a motivated outsider. You can then mitigate those vulnerabilities before they get exploited by someone with actual malicious intent.