Protecting Firewalls with Brick Walls
They say "an armed society is a polite society". Generally, because people in such areas know that committing a crime might see them on the wrong end of a gun-barrel. In Australia, the relative scarcity of personal weapons is such that your average home burglar isn't particularly worried about getting shot. On the other hand, they are often concerned about the risk of a cricket-bat being delicately applied to their head or simply being sat upon by an angry homeowner until the cops arrive. Commercial Offices are a completely different story however. In fact, criminals can very easily talk their way out of most situations.
Alert Staff Member: Who are you and what are you doing here?
Intruder: Err.. Is this 260 King Street?
Staff Member: No. You're in the wrong place. Can I see some ID?
Intruder: Oh sorry, I'm in the wrong place. No worries, I'll go.
Can you imagine the staff member detaining the intruder? Of course not, and the crims know it. The odds of getting caught in an office are slim. The odds of being arrested and charged, even more so. Staff who would never let a stranger into their home, will happily ignore them in the workplace. Meanwhile, the pickings in offices are immense - laptops, mobile phones, wallets, car-keys, house keys and that's before you even consider the enormous possible value of information assets - client databases, corporate plans, documents and information.
In our experience, it is (ironically) larger offices, with far higher security budgets that are attacked. All the access control and identification systems in the world, are worthless if intruders can simply tailgate an employee into a protected area. Generally, other staff will make the natural (and very wrong) assumption that a person 'must be okay' because they are in the secure area. In other words, these sites are like a chocolate egg - with a hard exterior shell, but a soft, chewy centre.
Information Security and Physical Security
Modern security practices are in many cases, based on principles of defence which are hundreds or thousands of years old. A few hundred years ago, castles and the jewels they contained, were protected by large walls, a moat, drawbridge and guards. Today's corporate assets (jewels) are protected by firewalls (castle walls and moats) , access control systems (drawbridges) and intrusion detection systems (guards). The only significant difference in defending against modern, online criminals is there's no replacement for boiling oil which is nearly as satisfying (or effective).
Similarly, the practices used by attackers - deception, fraud, theft and intrusion, are not substantially different. Today's "phishing" scammer is yesterday's Three-card Monte dealer. Historic similarities are also why certain types of malicious software are known as a "Trojan Horse", referring to the incident described in Greek mythology.
Having said that, the 'phone phreakers' and 'hackers' (in the good sense) of yesterday are some of today's finest IT security practitioners, with an intimate understanding of technology and weaknesses inherent to it.
However, Information Security Professionals are often not versed in the principles of defence, warfare or from a related military/law-enforcement background. This is often because of the pool from which they are recruited. Many former police and military know little of computers and their security. Conversely, IT Security experts frequently do not understand specific physical security issues. How many IT gurus, who could fit out the inside of a datacentre and configure all its servers blindfold, know how thick the glass which surrounds it should be?
The Talentless Hack
Several years ago, as part of a routine security review, I was bet that I couldn't defeat a new firewall which had been installed at a client's premises. The client had assumed I would be sitting in our lab, trying various exploits and technical attacks over the network as had been the case for previous exercises. I knew the amazing level of technical skill the company possessed and didn't bother. Instead I simply followed an employee into the premises and another into the server room, unplugging the firewall, carrying it out and placing it on my client's desk. Bet won.
Did I mention staff held the door open for me as I carried their equipment out of the server room?
The exercise illustrated a key point to the organisation. What's the point of having the world's best configured firewall, if a smack-addict can walk in off the street and steal it? Admittedly I was in a better suit.
My company has been engaged on numerous occasions to test the security of medium to large organisations. On nearly all assignments, we were able to bypass extensive (and expensive) security systems and very readily gain access using the age-old techniques of charlatans, con-men, criminals and other tricksters. A nice suit, confident attitude, a convincing story (and from time to time, Jedi Mind Tricks) is usually more than enough. Intruders tend to be very confident when they know they can easily escape.
Such easy bypass of security protocols generally came as no surprise to our clients, who often expected their staff to be the 'weak link'. This was good, as they didn't have any false sense of security. However, we would then turn the result these exercises into valuable training tools. All the posters in the world warning of "stranger danger" and imploring staff to "close the door" and prevent tailgaters, aren't nearly as effective as a single hidden video, showing someone being followed into a secure area. For added effect, video of our intruder 'borrowing' someone's security pass and then using it to swipe laptops and handbags, has even more impact. The aim is never to embarrass - it is usually the failure of a whole system, not an individual - and we tend to be pretty light hearted and humorous about it. However, the impact is enormous. After reviewing what happened and discussing how it could have been avoided, the results are absolutely stunning. In most cases, the improvement in staff awareness takes place literally overnight. It is of course important to repeat the exercise periodically to combat staff turnover and forgetfulness.
Understand something: Staff want to feel safe at work. Not only do employers need to have security in place to meet their Duty-of-Care to employees, they can use staff desire for security to protect corporate assets as well. In general, staff want to protect their employer as well. If a business suffers loss, that can affect jobs. There is no reason why security should remain the responsibility of the 'security manager' or the 'security guard'. Security is ultimately the responsibility of every member of an organisation. I say this notwithstanding reality-disconnected security licensing authorities who may take a different view.
However it is no good concentrating primarily on either IT Security, or physical security, rather than looking at both, as part of your broader organisational security objectives. Ignore one, to your peril.
IT Professionals are (finally) becoming more aware of the requirement to patch servers, harden systems and monitor network traffic. However they also need to concentrate on more boring matters such as walls, doors, windows and who's coming through each.
Remember though, that while the weapons and techniques of criminals may have changed, the fundamental principles of security have not. Even though you may not fully understand all there is to know about IT Security - viruses, online intrusion, cyber snooping or Physical Security - walls, doors, alarms, guns and so forth, doesn't mean you cannot work at addressing these issues. Remember, you don't need to understand the workings of an internal combustion engine in order to drive a car well. Although it helps.
What is most important, is to carefully identify all issues which are relevant, and ensure these issues are being duly addressed. If not by yourself, than a qualified person. If you're not sure, you should get someone to help you out. You do not want to find out after an intrusion, that you had it wrong.
Originally published in the Sep/Oct 2008 issue of Security Solutions Magazine.
Calamity is one of the first Australian security companies intimately familiar with both Physical Security and information/IT Security. We invite you to look around our website and find out more about our complementary security service offerings.