Earlier in my career I spent several years working in the physical security sector, working on advanced detection technologies. Since I joined Commtouch, I have been surprised by how many parallels there are between the physical and logical security sectors. Both are founded on ’hardening’ your perimeter to ensure that – hopefully – only invited guests come in, by making it difficult for all but the most highly-motivated intruders to enter. Where you set the level of protection is directly related to the risk and impact of intruders gaining access. For example, locks and possibly even a burglar alarm at your home ensure that your belongings are secure from all but the most well organized thief, but just using those to protect a nuclear power plant is not nearly enough. This post is the first of an occasional series that will discuss lessons learned in the physical security sector and how they could be applied to logical security.
The traditional approach to physical security comes from the military and is “guards, guns, and gatesâ€. The idea is simple, it places obstacles (fences) in the way of intruders and uses guards (with or without guns, according to perceived threat) to control access through fixed entrances (gates), checking entrants to ensure they should be allowed in. Over time complementary technologies have been added to extend the view of the guard beyond what they can see with their own eyes, but always building upon this foundation. So far, so good; when the resource to be protected is static – like a building – and access should be controlled– like a nuclear power plant- this is reasonably effective, if expensive. But what if the resource is not static?
Several years ago I met with the Head of Security for a Federal agency. Their job carried two key responsibilities; the first was ensuring all agency facilities were secure, the second that all senior executives were safe from harm. Because of the work done at the agency, there was risk for all personnel, but for executives it was directly life-threatening. The meeting covered their traditional security approach and discussed why that was not sufficient…
The agency Director travels extensively, accompanied by one of two highly-trained, armed security details. Hotels are specially selected, and wherever the Director stays the detail arrives beforehand and ‘secures’ the area by taking over an entire floor. The security detail uses rooms adjacent to the Director and deploys surveillance technologies to monitor the Director’s room 24/7, as well as accompanying them on all visits. This approach was considered ‘best practice security’, but on one recent occasion it had failed badly.
The Director returned to their hotel room after a day of meetings with sensitive foreign partners to find a briefcase in the middle of the room. The Director opened the bag assuming it contained dispatches only to find items for an unknown person including a large sum of money. The security detail was immediately alerted and followed protocol; first moving the Director to another location, then evacuating the hotel and finally, having bomb-disposal experts from the detail examine the bag.
After examination it was determined that the contents of the bag belonged to another guest in the hotel; when that person checked in they gave the bag to the concierge and asked for it to be taken to their room while they went to dinner. By mistake, the concierge took the elevator to the wrong floor, walked down the hallway, entered the Director’s room, deposited the bag and left. This all happened without anything being seen by members of the security detail, who continuously monitor portable surveillance cameras deployed throughout the hallways and the Director’s room.
As you can imagine the impact of this security breach was extensive. While the bag and its contents were innocuous, it could easily have contained a deadly threat. The previous Head of Security was terminated, the entire security detail was sent for retraining and we began work with the new Head to deploy technologies to ensure this security loophole was permanently closed.
If you’ve stuck with me this far you’re probably saying “so what does this have to do with me, I’m not under threat of assassination?†The important lesson learned here is that threats are not static; they change in nature and methods over time. Because of this, the technology required to adequately protect against those threats also needs to adapt and evolve. While this is true for physical security it is even more so for logical security, where the number and type of threats grows with every day. For example, where signature-based antivirus was once sufficient, sophisticated multi-layered detection capabilities are now essential.
So, when you look at your own logical security approach ask yourself “am I doing enough to deter motivated ‘bad actors’ from accessing my systems?â€. If you are, congratulations. If you aren’t, talk to a security expert – and do it soon. While the impact of a breach may not be as drastic as the example I gave above, the potential damage to your business and reputation could still be significant.