Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.

Rant: Is It an Effective Control or Not?

This is spurred on by a comment a pen tester made. He was referring to a particular technology and said something to the effect of, "What do you expect? It's 30 year-old technology." I was stunned when the comment was relayed to me. My response was, "An armed guard with an M16 can be an effective control. And the M16 has been around since the 1960s. And that's 40 year-old technology." The point is that the age of a technology or control is not all the most relevant factor. What is relevant is whether or not the control is effective. A similar corollary is it doesn't matter how expensive the control is, it still boils down to whether or not the control is effective.

A good example I can think of is at a military base I once visited. The base had gates with armed security personnel. However, unless there was a reason to suspect a threat (and where this base was located, it wasn't very likely), the weapons were holstered and unloaded. The base had no means of preventing a car from turning onto the road that ran through the middle of the base and driving right by the main gate. So if someone wanted to get onto the base, that gate was not an effective control. Even if the security forces were armed, if someone turned onto the road to the gate, they could build up a good rate of speed before reaching the gate. You can draw the obvious conclusions as to how effective the gate was in that situation. Now, at the time I visited, the world was a kinder, gentler place. Also, as I pointed out, there wasn't likely a threat to the base. The gate was there to ensure the merely curious stayed out and to catch military personnel who might have gone out on the town, imbibed a bit too much, and decided to drive back to the barracks or base housing. Those were bigger risks.

Then there is this:

These "dragon's teeth" were part of the Siegfried Line and were reinforced concrete pyramids that were designed to make driving a tank through a very risky proposition. Low-tech, reasonably inexpensive, and based on older technology, but they were an effective control at that time.

And that's what it really boils down with respect to a control. Does it protect against the threat it was put in place to guard against? If the answer is yes, then it doesn't matter how old it is or how cheap it is. Similarly, if the answer is no, then it doesn't matter how new it is or how much money was spent on it.

 

Comments

Posted by Steve Jones on 5 May 2009

Here, here!

Effectiveness is the measure of something, not it's age or cost. Very nicely said, Brian.

Posted by nwlibrarian on 7 May 2009

This also speaks a little bit of an all too common practice of "throwing money at a problem." In spite of the economic conditions the mindset of, "The most expensive and current gadget is our best solution to the problem" is still in vogue. As if a price tag makes it all legit. Awesome post!

Posted by Mike Brockington on 13 May 2009

To be fair, you don't explain what the control was - if it was encryption of some sort, then it was probably a fair comment, as that always has to be a balance between an algorithm that is cheap enough to be carried out normally, but too difficult to brute force, but as technology improves, both sides of the equation improve.

Posted by K. Brian Kelley on 13 May 2009

Mike, I hear what you're saying, but the example you give has factors which enter into whether or not it's a good control, not just age.

For instance, MD5 hashes are more and more vulnerable because generating collisions is easier and quicker, but not because of a brute force attack. MD5 was designed in 1991. So it's 18 years old. SHA-1 has also been shown to have collisions which can be generated faster than brute force methods would normally allow. And SHA-1 was released in 1995, so we're talking 14 years old. The reason for their vulnerability as hashing functions don't have to do with age and computational power so much as it does with the fact that weaknesses were found in the algorithms.

And that's what I'm getting at. Age shouldn't just be thrown out for something as to whether or not its an effective control. What should be considered is if it protects the asset it currently is assigned to guard and will it continue to do so for the foreseeable future.

Posted by bob.willsie on 13 May 2009

I agree with your thesis, but remember that the Siegfried line was not really an effective control; didn't the Germans simply drive around it?

Sometimes controls are circumvented by better technology (which may or may not be costly), sometimes by thinking and moving laterally.  

The key is the balance of effectiveness versus the cost of the control and the value of the asset.

Posted by K. Brian Kelley on 13 May 2009

Bob,

you are thinking of the Maginot Line. The original Siegfried Line belonged to the Germans and was built during WWI. It was never really tested.

Posted by Andrew Peterson on 13 May 2009

Spot on.  Always base a solution to a problem on the problem, not the tool.  Alas, so many in the technology sector do the opposite.

Posted by rudy komacsar on 13 May 2009

Like Grandpa used to say ...

Locks only keep honest people out !

Posted by TimothyAWiseman on 13 May 2009

Mike, your point is partially correct, but remember there were encryption techniques that are extremely old that still stand quite nicely.  A one time pad is as unbreakable now as it was when developped and no forseeable technology is going to change that.  The only major change in the RSA algorithm for many many years is that the standard key length in use has gone up, but the algorithm itself will likely remain powerful and effective for a very long time.

Posted by Eddie on 13 May 2009

It was WWII, not WWI. The Siegfried line was tested and proved ineffective--didn't we invade Germany? I have seen photos of American engineers destroying the dragon's teeth with explosives so that our tanks could pass through. It only took a small breach to allow that to happen.

Posted by K. Brian Kelley on 13 May 2009

My mistake, with regards to the pic. The original was built during WWI. The picture refers to a tank trap in WWII. However, if American engineers had to use explosives to destroy, then it showed itself as an effective control against tanks. This is why you practice defense in depth. :)

Posted by Carleton on 13 May 2009

My business is controls.  I will agree with most of the author's content.  The point that is missed in the examples given is that the appearance of a control can be a potent deterrent.  For example:

A security guard at a gate with an unloaded weapon may still be an effective deterrent for someone with mal-intent.

Two houses on a street, one has a sign out front indicating an alarm system is present and the other does not have such a sign.  Everything else holding equal, a thief is more likely to hit the house without the warning sign (even though both houses are unsecured).

I am less likely to jump a fence that has a sign indicating it is electric (even though it is juice-less).

I am less likely to steal my company's money that I have custody of if I think someone is reconciling the books (even though they are not).

Appearance of controls doesn't get mileage from your auditors, but they are not totally meritless.  And yes, operationally effective controls are always best.

Leave a Comment

Please register or log in to leave a comment.