Security crosses conventional boundaries
Figure 16.2 Vulnerabilities may exist elsewhere.
degree of separation, is practically impossible — or otherwise prohibitively
expensive.
While scattered information adds to the complexity of the situation,
such scattering is likely a subset of the total information; for example, the
data that resides with your dealer is most probably only the dealer's data
and not the entire corporation's data. Military and intelligence agencies
operate on a similar “need-to-know” principle: if an agent is captured, he
or she cannot compromise the entire operation. At the same time, one
must recognize that even subsets can reveal sufficient structural information
concerning the larger set; for example, by looking at the dealer's
data, one can figure out what information is being captured in the central
databases. Although incomplete, this could be of some value to interested
parties.
How does the size of the organization, or the scale of the operations,
affect security needs? Larger perimeters are more difficult to protect. They
need more resources to protect everything and are likely to give rise to
situations where certain portions are not as well protected as the others
due to resource limitations. Attackers know this well and actively look
for less protected points of entry. This leads to the familiar comment that
the chain is only as strong as its weakest link. So how does one find the
weakest link?
The Weaker Links
Gregory Bateson (1904-1980) was an important social scientist of the
twentieth century and one of the founders of cybernetics. He comments
on this problem in his book entitled Mind and Nature:
“Under tension, a chain will break at its weakest link. That
much is predictable. What is difficult is to identify the weakest
link before it breaks. The generic we can know, but the specific
eludes us. Some chains are designed to break at a certain tension
and at a certain link. But a good chain is homogeneous, and
no prediction is possible. And because we cannot know which
 