Security is a complex and connected web. Though there are many different categories within the all-encompassing field of security, there are still certain lessons that translate across the disciplines. Physical security can largely be seen as a manifestation of the ethereal elements of cyber security. Both the digital and the physical worlds of security rely on the same basic principles. Though they may require different tools and skills to be truly understood, there are several lessons lock pickers can teach you about cyber security.
1. Code of Conduct
The first things that lock pickers learn are the two rules of lock picking (sometimes known as the two rules of locksport). The first is, “Do not pick a lock that you do not own, or have not been given permission to pick by the owner.” This is the ethics of lock picking. It is a reminder of the difference between curiosity and legality. Because of the laws that regulate the possession of lock picks in most states, moral lock pickers must always remember the scrutiny their interest places them under. The same rule applies to cyber security professionals. You need to always act in accordance with the laws.
The second rule of lock picking is less straightforward. It states, “Never pick a lock that is in use.” A lock picker needs to realize that they are trying to undermine the security of the lock they are working on. When you seek to defy the essential nature of a device, there’s always the danger that it will break. A professional locksmith will need to pick locks that are in use, but this rule exists as a reminder of the danger of overcoming security.
Ethical hackers know that unnecessarily testing network security can jeopardize a network, corrupt files, cause companies to suffer downtime, etc. There is always an inherent risk to testing security. The implications of what you are doing must always be honored.
2. Interest is Power
Lock pickers are always finding new ways to open locks. This means that companies are always making products to fix new vulnerabilities. The end result is a field of study that is always in a state of flux. This makes it necessary for lock pickers to stay up-to-date with their knowledge and skills. If you are not on the ground floor of understanding a new device, you are behind the times. If you do not learn the newest bypass for a lock, the next evolution will confound you further. In order to combat the constantly shifting tide, a lock picker must be interested in their work.
Interest makes learning easier, and it also leads to more learning. But without interest, there is nothing to keep a lock picker hooked on learning the necessary information to stay relevant. Electronics and software security change at a blistering pace, and without the investment of being interested, it is too easy to fall behind. But with lock picking, even a break from practice can lead your talents to atrophy.
Lock picking is a perishable skill, which means you lose your ability by doing nothing. A lock picker knows that losing interest does not just mean falling behind; it means losing what you had. The more interested you are, the safer your skills are.
3. Everything Can Be Opened
The nature of a lock is to open. It is also to close, but never forever. A lock that lets the right people in is a lock. A lock that lets no one in is broken. Lock pickers understand this is the essential flaw built into all security. It is not meant to keep everyone out – it is meant to let the right people in. All you need to do is get the lock to open for you even though it shouldn’t. But a lock does not necessarily need to open the way it was intended to. A picker knows it will open, so it can be opened. There is no such thing as perfect security.
This is the lesson that keeps lock pickers on the path to self-improvement, but it can also lead to frustration. You are no longer able to say “it can’t be done” because the reality is that you cannot do it or no one can do it yet. Cyber security experts have to learn that anything they build or try to bypass is flawed from the beginning.
Every lock has a key – how that key works tells you everything you need to know about how to refine your bypass.
4. Think Like Every Enemy
There are many ways to pick a lock. You can rake it, pick each component individually, use comb picks, bump keys, and the list goes on. At the end of the day, if you really need to get in, you can try cutting the lock or hitting it with a hammer. The point is that the most complex method of entry is not always the way to get in. As a lock picker, you try and see what will work. When you are picking a lock you know nothing about, you start by testing it like a beginner. Can you move your pick around in the keyway with consistent tension? Then you start to experiment with more precise attacks.
Plenty of people tell you to think like a person trying to compromise your system, but few tell you to think like every person trying to compromise your system. This prevents you from getting lost in your own head. Thinking like the criminal who watched a few YouTube tutorials grounds you and will help you anticipate a real threat. Someone may just get lucky, so part of your job is knowing how lucky they would need to get.
Part of being an expert is being able to think like a person at any level of knowledge in your expertise. This is your edge. You can attack a lock like every enemy, so it is important for cyber security professionals to understand the mind of a black hat hacker.
5. Be Patient
Picking a lock requires a tremendous amount of focus and patience. Working too recklessly can lead to broken tools and even broken locks. But in the best case, impatience will just make the process of picking the lock take much longer. When you are in a rush, there are things you miss. And the more patient you are, the less you miss.
A lock communicates very subtle messages to the picker. This is called feedback. Subtle clicks and movements of the internal mechanisms give away secrets hidden in the device. Patience gives the awareness you need to observe these signals.
You can be someone who works fast, but you should never be someone who rushes their work. With regard to cyber security, looking for flaws is made all the more difficult by giving in to a time crunch, and that is a common source of failure. The time frame is not the issue – it is the mental attitude that matters. You should never rush when you are in a hurry. As a lock picker without patience, you are relying on luck. It forces you to come to terms with the fact that things are going to take as long as they need to. Even if you have to use six different methods to open a lock, you must use all of them calmly.
Be smart with your time but understand that losing your cool is the easiest way to lose the battle.
There are many lessons that the different security disciplines can learn from one another. How lock pickers look at their moral obligation gives a deeper understanding of what it means to find security exploits. It provides understanding of the inherent flaws in your field, the ability and responsibility to think like anyone who is trying to undermine your system, and the patience to do it all with a clear mind. With those insights, you can become a more well-rounded security professional.
About the Author: Ralph Goodman is a professional writer and the resident expert on locks and security over at the Lock Blog. The Lock Blog is a great resource to learn about keys, locks and safety. They offer tips, advice and how-to’s for consumers, locksmiths, and security professionals.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.