A look at Security Theater and how it applies to modern security philosophy. This was presented at the Oklahoma Information Warfare Summit #9, October 5, 2016.
9. Your Security Theater
• Get in their head
• Never stop learning
• If something works… DO IT!
Editor's Notes
The term Security Theater is often credited as being coined by Bruce Schneier to describe the Transportation Security Administration (TSA) and its practices. Through the years we have generalized it, but for the most part it is still based on the same principles. Essentially, these are practices that make people feel good about their situation through several processes. And I use "processes" because that is what they end up being. We give people the feeling that they are safe when flying by putting them through an overly bureaucratic process. People in essence feel secure because there are all these people doing things! And bonus… they are all doing the same kinds of things. If I fly from Stillwater I will go through the same process as someone who flies out of Atlanta. This sameness makes us feel secure. It is familiar… Unfortunately, the formulaic mode we have come to expect does very little for actual security. If every TSA agent is taught to look for zebras, we just dye its hair black and suddenly it is safe…
This approach costs us lots of money, and in the end we are getting very little for it. Many reports over the summer indicated that failure rates as high as 95% were found in testing. This testing was not even doing anything like dyeing zebras; it was taking zebras through the checkpoints. So, from a classical cost-benefit analysis, we are getting a really bad return on investment.
We put our faith in systems that feel good. We trust doors and gates to keep out the bad guys, who may not even think about the device. I will often go just to the side of a gate and look to see the quality of the fence. Often it is not very good. When I teach escape and evasion I tell people who might find themselves locked in a typical office room to simply break through the wall. Sheetrock is easier to go through than a wooden or metal door…
We often spend large amounts of money on the latest greatest locks. Again, the lock is only as good as the system that surrounds it, but even when all else is good, even the best physical locks have been picked by someone. What we end up creating is keyrings with tons of keys to be carted around.
Key pad or key cards? Better, right? High tech is always better… Unfortunately, at security conference after conference we hear talks from people who have been able to quickly and easily bypass these systems.
Another thing we do to feel more secure is hire security guards. We go to banks, and if they are of any size at all there is the guard. Some places I visit also have them in grocery stores, drug stores, etc. Are they effective? They are wearing a uniform, therefore they must be professionals…
Poll Title: When required to change passwords <=90 days what do you do?
https://www.polleverywhere.com/multiple_choice_polls/MFPnYcXT1l1Ssba
Text CRAIGBUCHANAN717 to 37607 once to join, then A,B,C,D, or E
PCI requires:
• 7 characters
• Numbers and letters
• Not the same as previous passwords
• No 2 passwords the same in the system for new passwords
• Require change after a temporary password
• Lock after 6 attempts
• Lock after 15 minutes idle
• Cryptographic encryption in transit
Best Practice recommendation (i.e. you will get gigged, but you will not necessarily lose your ability to process):
• Change every 90 days
http://pcipolicyportal.com/blog/pci-compliance-password-requirements-best-practices-know/
CJIS:
• 8 characters
• Not in a dictionary nor a proper name
• Not = User ID
• Expires within 90 days
• Not identical to the previous 10
• Not transmitted without encryption
• Not displayed when entered
https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center
Probably the #1 thing we as system admins do to make security less secure in the name of FEELING more secure is set these stupid password policies. Sure, getting people away from using dictionary words, their legal name, their nickname, their user ID, etc. is a good idea, but requiring needlessly long and complicated passwords that change every 90 or, worse yet, 30 days is just bad security. We are making the password too hard for the person to remember without spending time memorizing it (and we are giving them less than 90 days here). The reasoning seems to be that if passwords are obtained, the bad guys only have so long to use them.
Research has shown us this is the wrong approach. In probably the best-run research into this subject, the University of North Carolina at Chapel Hill studied the password histories from their university (Zhang, Y., Monrose, F., Reiter, M., 2010). (https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf) What they found was that about 50% of the people would resort to making some kind of pattern to remember their passwords: adding a number at one end or the other, changing a letter, etc. This allowed the researchers to create algorithms that were pretty successful at breaking passwords over successive changes once they had broken any one password. Other researchers have found that another common approach is that users will write it down. Considering the poor state of physical security, what this means is that anyone we let into our “secure” spaces has a treasure trove of passwords. Many pen testers will tell you this is easier and quicker than trying to brute force encrypted passwords. Lastly, others will simply change their passwords enough times to get around the history counter.
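As an added example (not from the talk or the cited paper), here is the kind of history check a defender could put in a password-change handler: it rejects a new password that is only a cosmetic transform of a previous one, which is exactly the pattern the UNC study found attackers can predict. The transform rules (strip the varied prefix/suffix, small edit distance, reversal) and the thresholds are my own assumptions, not anything the page or the paper prescribes.

```python
import re

# Assumption: the parts users most often vary are case and a leading/trailing
# run of digits or symbols ("Summer2016" -> "Summer2017", "Summer2016!").
_EDGE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def _core(pw: str) -> str:
    """Lower-case the password and strip leading/trailing digits and symbols."""
    return _EDGE.sub("", pw).lower()


def _edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _is_trivial_transform(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is a predictable tweak of `old` rather than a fresh secret."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return True                      # same password, case change only
    old_core = _core(old)
    if old_core and old_core == _core(new):
        return True                      # same word, different number/symbol tail
    if _edit_distance(old_l, new_l) <= max_edits:
        return True                      # one or two characters changed/added
    if new_l == old_l[::-1]:
        return True                      # reversed
    return False


def check_new_password(new: str, history: list[str], min_len: int = 8) -> list[str]:
    """Return the list of reasons to reject `new`; an empty list means accept."""
    reasons = []
    if len(new) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    for old in history:
        if _is_trivial_transform(old, new):
            reasons.append("trivial transform of a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample history, not real credentials.
    print(check_new_password("Summer2017", ["Summer2016"]))
    print(check_new_password("correct horse battery", ["Summer2016", "Password1"]))
```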
We are also seeing an increase in the use of biometrics. Almost all phones now have some kind of fingerprint reader and/or facial recognition system. These systems give people a false sense of security, as I am sure most of us know. At these and other similar conferences over the last couple of years there is almost always at least one person giving a presentation on how to defeat these with very simple hacks (pictures of the person in question, photocopies! of someone's fingerprint, etc.).
Now that we have poked fun at the problem, what is the solution? We need to reexamine how we look at security. We have been paying lip service to security for so long that we need to step back and look at what experience and the social sciences tell us about what people really do.
When I was in the infantry I was taught how to guard facilities as part of our core training. We were taught by the book but were then told that we need to use our intuition. Over the years working with security companies, private security contractors, and law enforcement, I can attest that this is in fact the best first defense. Empower the humans in your system to question the motives of those they encounter. We have seen that social engineering is the easiest way to defeat a lock, so make social engineering part of your training! Teach employees at all levels that it is OK to not be customer-service oriented if they get uneasy about a person. We cannot be afraid to profile. It makes no sense to be afraid to ask questions of someone who is statistically likely to be a criminal and give the third degree to someone who is not.
Access control needs to reach a balance between ease of use and security. Giving every employee 30 keys to do their job might not make the most sense. If you have to have many zones, look at technological solutions and manage them correctly. Management needs to be brought into the loop so they can see the real cost-benefit of purchasing the correct setup for their organization and then making sure that it gets used. A state-of-the-art access control system is worthless if all the doors get propped open because it is not set up correctly and is too frustrating for employees.
Similarly, if money is spent on the correct camera system for a given location it will be far more effective. Finding the technology that provides the correct level of coverage can greatly reduce overall manpower. This is one of those areas where good money spent up front can save on labor costs and downtime frustrations.
On the computer side of the equation we need to reevaluate whether what we are doing is for feeling or for effect. Again, policies need to take a realistic view of what people are likely to do in regard to them. We have to stop forcing employees to do things that to them make little or no sense, because they will not put forth the effort. We as policy makers should have written policies that we can then pick apart and decide what works and what does not. Get rid of the bad and keep the good. AND if you have any power over it at all, start with passwords. If there is no breach or other indication that passwords have been compromised, don’t make people change them. Once we are not changing passwords at impractically short intervals, we can then require stronger passwords.
For those things that need extra security, move to two- or three-factor authentication with systems that are easy for employees to do right. My overriding philosophy when it comes to policies is: make it easiest for employees to do the right thing.
The next phase of this process is the one that almost nobody thinks of, and that is training. Even when we decide to train, we run up against the realities of the cost of training. These costs are not insubstantial when you consider the costs of trainers, facilities, missed work, disruption in process… Where you make back your money is in making your entire workforce security officers. Once they know the reasons why they are required to do the things for security they are doing, they are going to be (on average) more likely to follow through.
The last piece is probably the hardest. You have to empower your employees to do what you need them to do. People need to know that when they question a vendor, customer, or fellow employee that management is not going to come down on them. They need to know that making a mistake will not get them fired, but instead will be a learning experience.
Now let us bring this full circle. While it is fun to poke at security that does not actually secure things, we have to ask ourselves why it is done in the first place… Well, because in some cases it does work, and in others it makes people feel better… On the latter, that might not be a bad thing.
We as an enterprise need to get better at being in others' heads (both our enemies' and our employees'). We need to learn from other security experts, psychologists, social scientists, and even magicians what works. I would submit that just because something is not providing true security is not a reason not to do it. The goal of terrorists is to disrupt our sense of security, and for the vast majority of people (i.e. those not in the security industry) security theater does just that: it makes people feel more secure. Israel has been engaging in security theater for years to great success. It is all in how you apply it. I will leave you with a few …
Fake cameras. When I upgrade a facility from analog to digital I will often keep the old big analog cameras in place. If I auction them off I will not get much in return, and because on average they are big, they are noticeable. If people see a camera, they are more likely to change their behavior. (This is a form of the Hawthorne effect.) This change is normally for the better, as people being watched tend to do things that they think will leave a positive impression. It can also be that some will delay or even stop an illegal act if they believe it will be observed by an outside party.
Bonus tip… Even posters with eyes that watch an area make people less likely to engage in negative behaviors…
Signs. Reminding people that they are being recorded has also been shown to reduce criminal activity. In my own case, I had a series of buildings that were being broken into on nearly a weekly basis. I put up signs indicating that things were being recorded, and the break-ins stopped, even in places where no actual cameras were installed.
Uniforms. It is amazing what the simple presence of uniforms can do. Studies have shown that employees who wear a uniform act more professionally, and also that people who see an official-looking uniform are less likely to engage in negative behavior. In Israel, where you see uniforms everywhere, these individuals are often the first to be attacked. This does, however, give others the chance to avoid lethal injuries.
The bad guys are always probing, exploring, and learning. We as defenders have to do the same thing. This is an active battle, but more akin to Go than Chess. The battle is as much about having a large breadth of knowledge and improvisation as it is about strategy. Even if you are not certified, consider those things that give CPEs and do them. Teaching college or vo-tech security classes can also help, as the new students can keep you on your toes.
And lastly, I want to say that you should seek out those things that work and do more of them. This may seem like common sense, but there can be monumental pressure, especially from sales people and consultants, to change for the sake of “staying nimble”. This is the same fallacy that gave us changing passwords, so hold steady. If you have a system that is keeping you safe and your employees productive, stick with it, and focus your efforts on detection of threats.
Question/Answer by John Langdon
http://www.anopticalillusion.com/2014/09/questionanswer-by-john-langdon/#respond