Krebs On Security has a very interesting article on how (unnecessary or badly managed) complexity (in this case, a third party web analytics service providers) led to the hacking of the RSA Security conference web site (rsaconference.com) – see the irony there? One of the top security conference’s web site hacked using methods described in one of the papers being presented there? Low tech phishing emails were used at one of the providers employees to obtain credentials.
Maybe there were lapses at the provider – the human risk factor can’t easily be eliminated. This does, however, bring to light the kinds of risks that organizations are exposed to – due to the additional (and sometimes unnecessary) complexity that gets built into systems. As Krebs says in the article – “targets are only as strong as their weakest link”. How strong is your weakest link?