Security Presumptive

>> Friday, 15 May 2015

We have the auditors currently visiting the office.  They don't mix with anyone at all, from what I can see, apart from the one man that is the 'go between'.  They work out of a meeting room not very far away from my desk.

I feel it necessary to say before I tell you why I'm telling you about this that I work in a very secure building.  It is surrounded by high wire fences,  cameras and sound detectors.  A secure site within an already secure site.  It's safe to say it is secure!  There are very few people that can get in and generally we all know each other fairly well,  if not intimately then at least by sight or on "you left your card in the coffee machine" terms.

To get to my internal office door you have to go through 3 sets of secure doors requiring a personal level of access and also past the glass window of the 24 hours manned security office.  It's safe to say by the time you get to my office door you have passed security.  There is nothing in my office of merit or value to be secured!  There used to be something behind the door to secure.  That thing is now many, many miles away.  Any security left on my office door is there because a jobsworth didn't take it away with 'the thing'.

So back to my auditor non-interactive-'friend'.  Everyday, many times a day she opens my office door with her secure access.  My office doors are double doors.  The right hand door is next to the security point.  The left hand door is not (this is relevant!).

Some office incumbents noticed many moons ago that no one uses the left hand door.  People push the right hand door, it is locked, they then try their secure access method and if it says 'come on in' they then open the door.  An office incumbent took the bolt off the left hand door.  So now the office incumbents walk through the left hand door.  It can be done backwards whilst balancing a laptop and a hot cup of tea without the need to swing the body part attached to a pass at a reader or punch anything into a keypad with your nose.  Others use their pass and come through the locked right hand door.

 So back to my auditor non-interactive-'friend':  everyday, many times a day, she opens the right hand door with her secure access. Today I watched her use her secure access and then open the left hand door.  She has been there at least 2 weeks so this is progress but she still hasn't thought to just push the door first.

There is another door that leads to a meeting room with a key card reader on it.  (Again, there is nothing of merit or value behind this door, even the furniture behind it wouldn't sell at a car boot!) The door lock does not work, men with hammers are aware of this and on a regular basis they come to it, bang their hammers, scratch their heads and leave again.  The key card reader beeps when you do stuff to it with your access and its light turns green if it likes you.

For 2 weeks I have watched my non-interactive-auditor-'friend' use her secure access to go through the door, never once doubting that it is locked.  Although bizarrely there is no handle on the door the other side and she must just push the door to get out!!!

So my point is:  just because something asks you for a password you shouldn't assume that it is secure.  Does it care what that password is?  What happens if you try to get in without the password?  The appearance of secure does not mean it is.  You might have userids, roles, profiles, passwords, key readers, whatever,  but what if, as I found recently, one table has clear text passwords in that could (note the past tense here - sorted) be read by a multitude of people?! Or what if people that are fed up with dealing with security on a daily basis can undo a bolt and no one is alerted?!

I am desperate to tell my non-interactive-auditor-'friend' to just walk through the door but I'm also now totally wrapped up in watching to see how many weeks it takes her to twig.

I am also torn about what this tells me about her approach to looking at security.  Life for many would be jolly easy if our non-interactive-auditor-'friend' just puts a lovely large green tick on a box to say that she tried the security and it all worked fine and moves onto her next job. But whilst I think/hope/know the baskets of eggs I am responsible for are safe from the foxes, I would really like her to find any security holes in anything because there are lots of people out there that are constantly pushing at the left hand door to see if it opens all on its own and I want to bolt it solid before they even try.


Mwa 15 May 2015 at 15:10  

Ha! I think I tried the left hand door with Captcha. I got fed up trying to work out the silly words and numbers one day, and now I just ignore it. It goes 'prove you are a person', and I think 'no', and then I just click 'Post' but it doesn't complain! Kinda proves some of your points.

Mwa 15 May 2015 at 15:10  

Oh and by the way, I'm now convinced you are either M or Moneypenny.

KV_Guiding_DBA 16 May 2015 at 00:56  

Oh no, I don't do anything special! I think most IT sites will be secure. There is value in both the general infrastructure and the data they hold. But most modern buildings are pretty well (or seem to give the impression of being) secured these days, don't you think.

  © Blogger template Simple n' Sweet by 2009

Back to TOP