By Ken Travis
Security experts (such as they are) cite many best practices, industry standards, and vendor recommendations for how we should secure our networks and systems. They are correct, except when they fail to consider the weakest link.
Many years ago, in a land far, far away, I spent a year working as the night IT support for a bank call center. During the quiet hours, I would take a walk on the floor checking on my users. One night I noticed a Post-it note on a day-shift manager's monitor. It looked like a password: random lower- and upper-case characters and numbers. I mentioned this to a user sitting nearby. "Oh, that's because the passwords are so hard to remember," she said. Passwords were changed by force once a month, under the strictest complexity, randomness, and uniqueness restrictions possible, with a minimum length of 12 characters, which made them very difficult to remember. I then started checking other empty cubes. Under the mouse pad, in the drawer: everyone was writing down their passwords.
The next day I talked to the IT manager. To my surprise, he already knew about it and said he couldn't do anything about it. They could enforce the password policy automatically, but they could not stop people from writing passwords down because they did not have the support of management.
This is a perfect example of failing to apply the weakest-link methodology: don't lock and bar the windows when you leave the door wide open. If you can't secure that door, for whatever reason, then a thief will enter that way, and it doesn't matter how well you have secured the window.