8/6/2019 Physical Security, Security Theater, & Snake Oil
1/16
Physical Security, Security Theater, and Snake Oil
Roger G. Johnston, Ph.D., CPP
Vulnerability Assessment Team, Argonne National Laboratory
http://www.ne.anl.gov/capabilities/vat
http://www.youtube.com/watch?v=frBBGJqkz9E
The greatest of faults, I should say,
is to be conscious of none.
-- Thomas Carlyle (1795-1881)
Physical Security: Scarcely a Field at All
- Not easy to get a degree in it from a major 4-year research university.
- Not widely attracting young people, the best & the brightest.
- Few peer-reviewed, scholarly journals or R&D conferences.
- Lots of Snake Oil & Security Theater.
- Shortage of models, fundamental principles, metrics, rigor, R&D, standards, guidelines, critical thinking, & creativity.
- Often dominated by bureaucrats, committees, groupthink, linear/concrete/wishful thinkers, cognitive dissonance.
Problem: Lack of Research-Based Security Practice
The Journal of Physical Security
http://jps.anl.gov
A free, online, peer-reviewed R&D journal
Definition
Security Theater: sham or ceremonial security; measures that ostensibly protect people or assets but that actually do little or nothing to counter adversaries.
Security Theater
1. The best way to spot it is with an effective, thorough VA.
2. The next best is to look for the characteristic attributes:
- Sense of urgency
- A very difficult security problem
- Involves fad and/or pet technology
- Questions, concerns, & dissent are not welcome or tolerated
- The magic security device, measure, or program has lots of feel-good aspects to it
- Strong emotion, overconfidence, arrogance, ego, and/or pride related to the security
- Conflicts of interest
- No well-defined adversary
- No well-defined use protocol
- No effective VAs; no devil's advocate
- The technical people involved are mostly engineers
- Intense desire to save the world leads to wishful thinking
- People who know little about security or the technology are in charge
Origins of the Term "Snake Oil"
Ancient World: medicines made from snakes are believed to have curative powers.
1880: John Greer's snake oil cure-all.
1893: Clark Stanley (The Rattlesnake King) sells his Snake Oil Liniment at the World's Columbian Exhibition in Chicago. A big hit. Turned out to contain no snake extract, but rather mineral oil, camphor, turpentine, beef fat, and chile powder.
Today: A product is called "snake oil" if it is fake, shoddy, or severely over-hyped.
Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks
- Many more legs to attack.
- Users don't understand the device.
- The Titanic Effect: high-tech arrogance.
- Still must be physically coupled to the real world.
- Still depend on the loyalty & effectiveness of users/personnel.
- The increased standoff distance decreases the user's attention to detail.
- The high-tech features often fail to address the critical vulnerability issues.
- Developers & users have the wrong expertise and focus on the wrong issues.
Blunder: Thinking Engineers Understand Security
Engineers (including packaging engineers)...
- ...work in solution space, not problem space
- ...make things work but aren't trained or mentally inclined to figure out how to make things break
- ...view Nature or economics as the adversary, not the bad guys
- ...tend to think technologies fail randomly, not by deliberate, intelligent, malicious intent
- ...are not typically predisposed to think like bad guys
- ...focus on user friendliness, not making things difficult for the bad guys
- ...like to add lots of extra features that open up new attack vectors
- ...want products to be simple to maintain, repair, and diagnose, which can make them easy to attack
What Can We Do Better?
- More skeptical, critical, and imaginative thinking. Avoid confusing Threats with Vulnerabilities, & Inventory with Security.
- Bribe people! (to test them, but more importantly to let it be known that an attempted bribe might be a test)
- Stop using layered security (security in depth) as a cop-out.
Cynic's Dictionary
layered security: We're desperately hoping that multiple layers of lousy security will somehow magically add up to good security.
What Do We Need To Do Better?
- Be proactive about the Insider Threat, including mitigating disgruntlement and educating employees about social engineering.
- Less prevention, more mitigation & resilience!
- Posters with eyes. See Biology Letters 2, 412-414 (2006).
- Remind people why they should be good. (Based on new psychology research.)
- Embrace the new security paradigms.
Changing Security Paradigms
Old Paradigm: Security is easy & binary.
New Paradigm: It's not.

Old Paradigm: Vulnerabilities are bad news.
New Paradigm: Vulnerabilities are good news.

Old Paradigm: High Tech is a silver bullet.
New Paradigm: Technology can help, but security is about people.

Old Paradigm: Think like bureaucrats & good guys.
New Paradigm: Think like the bad guys.

Old Paradigm: There is one right answer. Fake rigor & reproducibility. Accountability through fear, scapegoating, & firing people.
New Paradigm: We embrace creativity, flexibility, uncertainty, criticism, questions. We watch for the dangers of cognitive dissonance. We motivate & encourage good security practice.

Old Paradigm: Compliance-based security.
New Paradigm: We must do more than mere compliance. Sometimes we must push back against compliance.
Changing Security Paradigms (continued)

Old Paradigm: Security Pros provide security.
New Paradigm: Employees, contractors, vendors, and visitors provide security. Security Pros help.

Old Paradigm: Metrics: Knowing & following the security rules.
New Paradigm: Metrics: Being proactive, showing individual initiative, being creative and resourceful during "What if?" exercises.

Old Paradigm: Productivity & Security are enemies.
New Paradigm: Security is harmed when Productivity is harmed.

Old Paradigm: Security gets confused with Control, Big Brother, and Security Theater.
New Paradigm: Security is harmed by Security Theater, and when Privacy & Civil Liberties are trampled.
For More Information...
http://www.ne.anl.gov/capabilities/vat
Argonne National Laboratory
- ~$738 million annual budget
- 1500 acres, 3400 employees, 4400 facility users, 1500 students
- R&D and technical assistance for government & industry