Your System Is Only As Secure As The Operators

This article - with the usual mix of decent-to-good factual reportage and mind-numbingly stupid speculation and conclusions we've come to expect from Wired - reminds us that no matter how good your system is, one guy with credit card debt on the night shift can ruin your entire day.

That's not to say that the possibility of hacking access control and surveillance systems shouldn't be considered, of course, but... Occam's Razor, people, especially when the bad guys seem to be fortuitously positioned to take advantage of a massive systems failure. Come on.


The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The dog will be there to keep the man from touching the equipment.
~ Warren G. Bennis, as cited in Mark Fisher (1991), The Millionaire's Book of Quotations, p. 151

Ari's title for this post is fitting.

Why aren't there cameras on all of the operator touch-points of the system, both mechanical and computer? Are the operator audit trails really sufficient? Most, but not all, lack important detail.

I'm continually amazed when I review systems, to see a lack of audit trail controls, lack of two-person controls, and so on. Often the design process is weak, likely scenarios aren't designed for or tested for, and the system starts off with significant vulnerabilities.

In one of the article photos you can see a web-cam on the touch-screen. Is that for GoToMeeting video use, chatting with your friends on breaks, or does the system record who is at the console when operator actions are taken?

The same photo also shows the computer CPU box on the desktop right next to the monitor, keyboard and mouse. I'll bet the USB ports aren't locked down. Forget about the fact that you could unlock doors and cells and then walk away with the control console!

Although I've only been involved in a few after-the-fact investigations for jail/prison incidents, each time the supposed "glitch" was operator intentional subterfuge. In one situation, a computer savvy police officer would manually delete transactions from the access control system's database, to erase records of access to the evidence locker. Evidence and drugs were disappearing with no apparent cause. Video (at that time) was on VCR tapes, which were doctored and had no chain of custody or truly secure physical storage.

I'm definitely not saying all systems are highly vulnerable, but I am saying that not all systems are sufficiently secure.

The first "computer glitch" should have triggered a serious system examination and a correction of system and process vulnerabilities.

Back in the DOS access control system days, it was common for security officers in office buildings or parking lots to reboot the access control software computer (under the desk of the reception or security counter) to run game software on the midnight shift. Mysteriously, alarms were not being received by the computer during the middle of the night shift! These situations were easily found and documented by logging boot-ups and installing TSR software that would take periodic screen shots.

In the days of Windows 3.1 when DDE (Dynamic Data Exchange) was all the rage for access control software, it was fun to use DDE Spy to capture and then play back the "unlock door" commands, and demo for the vendor sales people that it was possible to unlock doors without their Windows software running, or even installed!

But there are often operator-level and process-level vulnerabilities with system deployments, and I rarely see these addressed.

Any system is only as secure and trustworthy as the people who configure and operate it.
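The comment above asks whether operator audit trails are "really sufficient" and then describes an officer deleting transactions from the access control database to hide visits to the evidence locker. The following is an added example, not code from the original post or from any access control vendor, of the kind of control that makes such a deletion detectable: a hash-chained audit trail in which every record carries a sequence number and a keyed digest of its predecessor, so removing or altering a stored transaction breaks the chain on review. The record fields, door names, officer labels and the HMAC key are all constructed for illustration.

```python
"""Tamper-evident audit trail for an access-control console (added example).

Each appended record is chained to the previous one with an HMAC over the
previous digest, the sequence number and the event, so deleting or editing a
stored transaction is visible to a later verification pass. All names and the
key below are constructed for this illustration.
"""
import hashlib
import hmac
import json

# Constructed key. In a real deployment it would live on the audit server,
# not on the console host that operators can reach.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # digest value that the first record chains to


def record_digest(prev_digest: str, seq: int, event: dict) -> str:
    """Keyed digest over the canonical JSON of (prev, seq, event)."""
    payload = json.dumps({"prev": prev_digest, "seq": seq, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_record(log: list, event: dict) -> dict:
    """Append an event, chaining it to the last record (or to GENESIS)."""
    prev = log[-1]["digest"] if log else GENESIS
    seq = log[-1]["seq"] + 1 if log else 1
    rec = {"seq": seq, "event": event, "prev": prev,
           "digest": record_digest(prev, seq, event)}
    log.append(rec)
    return rec


def verify_chain(log: list) -> list:
    """Return a list of findings; an empty list means the chain is intact."""
    findings = []
    expected_prev = GENESIS
    expected_seq = 1
    for rec in log:
        if rec["seq"] != expected_seq:
            findings.append(f"sequence gap: expected {expected_seq}, found {rec['seq']}")
        if rec["prev"] != expected_prev:
            findings.append(f"record {rec['seq']}: prev digest does not match predecessor")
        if record_digest(rec["prev"], rec["seq"], rec["event"]) != rec["digest"]:
            findings.append(f"record {rec['seq']}: digest mismatch (record altered)")
        expected_prev = rec["digest"]
        expected_seq = rec["seq"] + 1
    return findings


def verify_with_anchor(log: list, anchor_seq: int, anchor_digest: str) -> list:
    """Chain check plus a comparison against a digest copied earlier to a
    separate system. This catches truncation of the tail, which the chain
    check alone cannot see."""
    findings = verify_chain(log)
    anchored = next((r for r in log if r["seq"] == anchor_seq), None)
    if anchored is None:
        findings.append(f"anchored record {anchor_seq} missing (log truncated)")
    elif anchored["digest"] != anchor_digest:
        findings.append(f"anchored record {anchor_seq} does not match external copy")
    return findings


def build_sample_log() -> list:
    """Constructed sample: three door events from one console session."""
    log = []
    append_record(log, {"op": "officer_a", "action": "unlock", "door": "evidence-locker"})
    append_record(log, {"op": "officer_a", "action": "lock", "door": "evidence-locker"})
    append_record(log, {"op": "officer_b", "action": "unlock", "door": "sally-port"})
    return log


def delete_record(log: list, seq: int) -> list:
    """Simulate the anecdote: one transaction removed from the stored log."""
    return [r for r in log if r["seq"] != seq]


if __name__ == "__main__":
    intact = build_sample_log()
    print("intact log:", verify_chain(intact) or "no findings")
    print("after deleting seq 1:", verify_chain(delete_record(intact, 1)))
```

The chain check reports two findings for a deleted interior record (a sequence gap and a predecessor mismatch) and one for an edited record (digest mismatch). Removing the most recent record leaves a chain that still verifies, which is why `verify_with_anchor` compares the log against a digest periodically written to a system the console operator cannot reach; without that external anchor, a tail deletion is exactly the kind of "glitch" the comment describes.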