Photo Credit: roo pokomon via Compfight cc
Erik Weisz was born in Budapest in 1874. Although he went by many names during his life, you may know him best as Houdini. He came to fame in US Vaudeville and through tours of Europe, where he would escape from increasingly challenging and bizarre situations involving handcuffs, ropes and locks, often at seemingly great personal jeopardy. He was not the first escapologist or the last, but his name is probably the most synonymous with the art form.
There are a couple of analogies I would like to take from this for the world of information security.
The first is related to the image of physical locks and security apparatus. When we see a man such as Houdini, or his modern-day equivalent David Copperfield, tied up and locked into an airtight container, we assume there is no way out. We are led to believe that the situation is effectively hermetically sealed. We know in practice that every time Houdini escaped, there was an obvious backdoor or trick being used to allow him to gain his freedom. Although Houdini would sue anyone who tried to repeat his tricks, we know in general terms that his skillset included technical knowledge, the ability to operate in very small spaces and tight time windows, and finally the use of specialized tools. This sounds awfully like a hacker to me, don’t you think?
In reality, the processes and technology applied by companies to make sure security policy is implemented effectively are akin to the ropes and locks that were used to bind Houdini. If users do not follow processes correctly, or if they allow private information about the setup of the organization to be shared inappropriately, it is the equivalent of hiding a lock pick in Houdini’s mouth before locking him in. Houdini was not a magician; he was an illusionist. I don’t want to burst anyone’s bubble, but there is no platform 9 ¾ with a steam train on it. Harry Houdini exploited zero-day vulnerabilities and used social engineering to gather the information that let him earn a living.
The other analogy I would like to briefly touch on is the way users view corporate InfoSec policy and practice. If we are not careful, we end up with users seeing process and technology as a way of tying the user and the business up in knots so that they cannot move. Implementation of any policy should be intuitive and able to operate freely, without the potential of becoming a straitjacket that chokes day-to-day business or creativity and innovation. Our job as professionals is to ensure that the business sees our worth without seeing us as a restriction of trade.
Finally, it is worth remembering that when he was not performing amazing feats of escapology, Houdini had a spare-time interest in debunking fake Spiritualists (although that may be redundant English IMHO). Some of the best gamekeepers in the field are those who previously sought to poach. The field of ethical hacking is still, if not in its infancy, then barely past the toddler stage. Combining social and technical hacking into an ethical service may be our best approach to proactive control of our environments and intrinsic risk mitigation.