Any effective enterprise IT security program has to be founded on certain core principles. These security principles have been tried-and-tested over decades. They include defense-in-depth, least privileged access, separation of roles, and secure failure. One of the most important foundational principles of IT security is securing the weakest link.
An organization’s IT security infrastructure is not a monolith. It comprises multiple parts that must work in concert to minimize the likelihood of an organization’s defenses getting breached. These different parts have differing degrees of complexity as well as varying levels of vulnerability. You can see these different parts as a chain that is “only as strong as its weakest link.”
The allure of the weakest link
To better understand the weakest link principle, let’s look at a hypothetical scenario. Imagine you have been tasked with moving a valuable art collection from a dilapidated remote warehouse to a highly secured bank vault in the middle of the city. You contract an armored transportation service to transport the items.
Now, assume there is a criminal out there who has just caught wind of this impending move and intends to steal the art collection. At the heart of their strategy will be determining where and when would be the best place to attack. In this case, they probably do not fancy their chances against the bank vault or the armored transportation service.
The remote warehouse is likely to be their best shot. It is the weakest link.
Cybercriminals have finite resources
Hackers do not have infinite resources and time at their disposal. They want to direct their energies toward areas where they are likely to enjoy the easiest and fastest yield on their efforts. The attacker will make a beeline for the path of least resistance. They will attack the security controls that appear the weakest and not those that look strongest.
It is the same rationale whether it is a solo teen hacker hunkered down in a basement or a sophisticated state-sponsored hacking group. They will be looking to identify the weakest link and try to penetrate the organization’s defenses from that point.
No one will deliberately spend their time and money trying to penetrate a heavily fortified part of your IT infrastructure when there is a much easier way in. Only when they fail to succeed at breaking through the weakest link will they explore more challenging options.
Weakest link is not necessarily the one with the biggest payoff
The prioritization of the weakest link occurs even when such a link holds less promising returns than the highly secured elements of your organization’s security infrastructure.
Think about it. A bank holds far more cash than your local convenience store. Robbing a bank would definitely be more lucrative financially. However, it is just too difficult for the average robber to penetrate a bank’s sophisticated security compared to the weaker protections of a convenience store. The convenience store is a much easier target to attack and successfully get away from.
Humans are not always the single or only weakest link
Human actors such as end-users, tech support staff, or infrastructure administrators are usually considered the weakest link from a security standpoint. And there is merit to this argument. Nevertheless, whereas humans are vulnerable due to their unpredictable decision-making as well as susceptibility to social engineering, the weakest link could also be a security function or feature.
Example 1: Data encrypted in transit vs. data at rest
Data encrypted during transmission with the more advanced cryptographic algorithms could require years to decipher. Therefore, hackers will devote their energies to attacking the information before it leaves or after it arrives at the server since it will require less sophisticated hacking techniques. Perhaps there is a buffer overflow flaw they can exploit.
Even for systems that rely on the weakest form of encryption, an attacker can identify much easier alternative paths to accessing the data. While it is possible for them to launch a successful crypto attack, the need for cryptography knowledge as well as large computational capacity is an impediment. In this context, the length of cryptographic keys is actually not that important since there will almost certainly be a more obvious yet valuable target.
Example 2: Firewall versus the applications visible through it
In keeping with the principle of the weakest link, hackers do not usually attack firewalls despite them being the primary external-facing application of an organization’s network. That is unless there exists a well-known vulnerability in the firewall itself that has not been remedied.
Instead, they’ll expend their energies on the applications that are visible through the firewall as these are often easier targets. The firewall is a security application, so it will have more robust safeguards than the average enterprise application. Also, it is the applications themselves that hold the sensitive data they are searching for.
Identifying the weakest link and mitigating risks
So how do you identify your IT security design’s weakest link? You need to perform a comprehensive risk analysis. From this, you should see which risks are easiest to exploit. But identifying the weakest link is not enough. With extensive risk data, you can rank risks by severity and focus on mitigating the most serious risks first instead of those that are easiest to deal with.
Security resources should be allocated dependent on risk severity. And given that resources are not infinite, addressing all risks is not possible. There must be an endpoint, and this is determined by gauging what the parameters of acceptable risk are. What qualifies as acceptable risk will vary from one organization to the next.
Addressing the weakest link is fundamental
If you are going to have a secure design for your IT infrastructure, then identifying and defending your weakest link is essential. Addressing the weakest link means you avoid a strategy similar to erecting a gate and expecting an attacker to run straight for it while there are no walls around the gate to limit their access.
With a focus on the weakest link, you expend your time and energy on the risks that matter most. Only after you have secured your weak points can you have some reasonable comfort your systems are protected from attack.
Featured image: Shutterstock