When I was a kid I used to love skipping stones on the water with my Dad. We would do this for hours, and one day I joked with my Dad: what if those ripples became waves and wiped out a city? The mind of a child is a wonderful and strange place. It’s amazing when we look at our actions and how they can impact the world around us in strange ways that we might never have considered. Chaos theory comes to mind when we consider things such as what is commonly referred to as the butterfly effect. This is a phenomenon that describes how a change that occurs in a seemingly innocuous way can have a ripple effect with significant impact elsewhere.
My common tongue-in-cheek response here is the law of unintended consequences. You stub your toe on the bed frame and the stock market crashes. A flippant analogy, but it paints the picture.
I recently heard a story from a co-worker who told me about an experience where he was waiting to board a plane in London. The boarding process was sheer anarchy and people were unclear where they were supposed to be or what was happening. What was normally a cohesive boarding process for this particular airline had descended into madness.
How did this happen? Every time I travel there is always a chance that a flight might be cancelled or delayed. It’s always a possibility. That’s just the nature of it. But, rather than spit venom at the airline staff (which is NEVER advisable), I often wonder what pebble dropped in the pond to ultimately cause this. In my co-worker’s case it all tracked back to a fire at a hotel in a random city in the US.
This caused me to pause. I was immediately struck by the apparently incongruous nature of it. How did a fire at a hotel in the US lead to boarding gate chaos in an airport in the UK? What happened was that a flight crew for this particular airline was staying at a hotel in Random City, Random State when a fire broke out in the hotel. This caused the crew to be up for most of the night, and they were forced to wait outside while the fire crews worked to contain the fire. As a result, they were in no condition to fly the next day.
Their flight was ultimately cancelled. Thus began the knock-on effect. With that plane being taken out of the supply chain, the airline had to scramble to activate other crews to fly in to Random City to collect the plane. This now took two planes out of action and now three crews. The ripples from something as simple as a fire at a hotel.
When we hold this example up to the cold light of an information security practice, the parallels are startling. Take the case in point of a project that is going live in your environment in the next couple of hours. There is a communication error that no one seems to be able to resolve. The firewall admin makes a rule change on the fly and then suddenly everything is working again. Wunderbar!
But wait, what was that change that resolved the issue and allowed the massive project to go live? No one takes a moment to review it. They just slap each other on the back and enjoy the moment. Years later, the fix returns to haunt the company when a data breach takes place affecting the very same application that the team was able to take live years earlier. Peeling back the layers, it becomes clear that the “fix” was the root of the problem. The change, which was not documented or vetted through any sort of process, turns out to have been an allow any-to-any rule. Wide open access.
Worse still, the “temporary” administrative-level account that was created for a contractor was never locked and had an easily guessed password. A multi-factor implementation, as an example, would have helped to mitigate this. Another pebble in the pond.
These are simple examples, but ones that hit home for many security professionals who have suffered through similar horror stories. When we work to secure our environments we need to ensure that the steps we are taking from a tactical approach are not going to cause strategic failures in the future that could well be the next hotel fire.