OzLockCon - Security in Depth
TRANSCRIPT
SECURITY IN DEPTH
“WHEN SECURITY THEATRE JUST ISN’T ENOUGH”
Pick a laser pointer……
Disclaimer
The material presented here is solely the opinion of the presenter. It does not represent, nor does it hold the endorsement of any third party, organisation or professional body.
Any information provided within is for the purposes of security awareness and education. The presenter does not endorse the commission of unlawful or unethical acts.
All responsibility rests with the individual.
So the standard disclaimer….
AIM & FORMAT
◉ Introduce “Security In Depth” as a wholistic approach to security – high speed, low drag tour
◉ Utilise a government perspective, The PSPF
◉ Provide inspiration for application in your own working space
◉ Periodic “boredom buster” interludes covering physical security and failures
◉ Questions are encouraged – I’d prefer to talk with you, not at you.
So here’s what I want to do and how I plan to do it….
Who are you and what do you know?
So about now you are probably asking……….
Former NSW Police Officer
12 years, 2000 through 2012
Designated Detective Sergeant Rank
Specialist Detective at State Crime Command 2007 – 2011
First at Gangs & Organised Crime Squad, focussing on OMCGs, in particular HAMC. Secondments to joint operations with NSWCC and ACC. Notable - Sydney Airport Brawl, HAMC/Comanchero MC, relating to the murder of Anthony Zervas.
Drugs Squad - Chemical Operations Unit. Joint operations with ACS, ACC, AFP and NSWCC. Investigated chemical and equipment diversion, Clandestine Laboratory Responses and Manufacture Investigations. If it was HAZMAT and required a policing response we would cop it, including IMP Exp labs, cannabis/DMT extraction and “mushroom” labs.
Things I did:
๏High Risk / High Profile Investigations
๏Deployment of Physical and Technical Surveillance
๏Technical Surveys (pen testing) and Risk Assessments
๏Intelligence collection and assessment (Social engineering, HUMINT, OSI)
๏Operational Planning and Assessment – Overt & Covert
๏Risk Management
Pen testing in the real world (aka “Peeling the Security Onion”)…
tunnel ratting, sneaking around in the dark and bushwalking……..
Red Teaming for keeps (When you have to assault the stronghold)…
attending social club meetings, acting as a judge for Master Meth Chef and learning how to continue breathing just to risk my safety in other stupid ways…..
Security Advisor, Locksmith and Safe Technician
๏Locksmiths Guild of Australia - CPL
๏SCEC Approved Locksmith
๏GSA Safe/Vault Inspector/Technician
๏Bespoke advice and solutions for High Risk/Special Circumstances Clients
When I resigned from the NSW Police I needed something to keep me off the streets, so I decided to continue developing some skills I learnt in policing.
In the past I niche marketed myself as a one stop security advice and engineering shop for people that were really paranoid or actually had a reason to be concerned - pharmacy storage, firearms dealers, collectibles and antiquities…
Government Security Advisor
๏Former Assistant Agency Security Advisor
๏Driving “Security Culture” Changes
Move back to ACT prompted a shift back to government work. This required using old skills to tackle new challenges like finding ways to protect the government from its own people and encouraging people with no background in security to understand why it may actually be important…
What am I doing now?
Nothing!
Happy to discuss opportunities…
Security in depth is not security theatre!
Security Theatre = measures that make people feel better as opposed to fixing or managing the root problem.
This talk deals with Security in Depth, so it’s important to define what that is not…..
Airports a joke - buy me a beer later for some interesting stories. Cameras - unless planned and monitored generally don't prevent breaches, just give evidence. Security Guards - some are window dressing, some are good, but in general “pay peanuts, get monkeys”.
Boredom Buster 1 – Security Theatre Example
- OR “Why I hate mag locks on gates………”
Ok, time for one of those brief interludes.
This is a great example of security theatre.
Mag locks rely on alignment for strength. flex = misalignment = weakness
Some nice security theatre. Access control on a bike cage - looks pretty secure eh? Pretty red light on the card reader - “ACCESS DENIED”. Not that much of a concern until you delve deeper and find out what work related items people leave in their panniers whilst using the change room. Farther reaching security implications.
Not to mention also the broken system syndrome. Like overly sensitive alarms, people get sick of false alarms - eventually they ignore them or worse, turn off notifications.
More MAG LOCK Failure!
Electronic installers love mag locks, as they are easier to fit. Problem is that they still require some skill to fit. Self tappers in wood usually fail due to weight and stresses. Really need to be through bolted.
I won’t make comment on the abortion of a bracket. Some tradies are only good at plugging components together, others would fabricate the bespoke solution.
Some helpful soul taped it on the door as they were worried about it knocking someone in the head.
The Stronghold Doctrine vs.
The Security Onion
In order to discuss security we need to compare two popular approaches.
The stronghold doctrine - which frankly belongs back in the times of castles and forts.
The more contemporary “Security Onion” - which INFOSEC workers would be familiar with.
The Stronghold Doctrine
A robust perimeter and a single point of entry keeps threats out!
However, it provides a single point of failure that allows threats to run rampant once inside and usually ignores other vulnerability factors……
What happens when the battering ram finds its way through the front gate? Yep - rape and pillage inside the castle.
The Stronghold Doctrine
Single Points of Failure - PHYSEC
High Security Cylinder vs. Low Security Hardware
Proper Hardware vs. Improper Execution
Examples of stronghold doctrine in physical security and the creation of single points of failure caused by a single minded approach to problems.
Nice high security cylinder and blocker strip on door edge, however riveted on with aluminium rivets instead of tamper resistant fasteners. Easy to drill out, easy to shear off and easy to replace. What’s that plate hiding? Probably a big hole.
Other example - nice full plate furniture, but fail on the cutout for cylinder and lack of latch guard on outward opening door.
Remember these fail points as they will become more relevant with a vulnerability demonstration video later in the presentation…
The Stronghold Doctrine
Single Points of Failure - INFOSEC
Air gapping vs. USB attack vectors
User Control vs. Password Insecurity
Examples of the single minded stronghold approach in INFOSEC.
You can defend your network and air gap from outside threats, but what about the employee who decides to steal information that they are already authorised to access? That’s a pretty neat setup to EXFIL data and, with the exception of a few places, unlikely to be detected. Or what about if you are just a malicious actor with a beef, pretty good way to introduce a threat. It’s astounding how many places, private and public sector, still allow for removable storage. The only real protection is physical disabling of ports.
In the second example - you can implement user control all you want, but relying solely on a PW for authentication introduces its own issues. End users struggle with ever more complex passwords and resort to the old “encrypted post it note” in the filing cabinet or desk drawer. But it’s ok right, because it’s locked up with a high security furniture lock ok? Because no one would ever master key furniture locks for the ease of facilities staff right?
The Stronghold Doctrine
Single Points of Failure - PERSEC
Identification vs. Verification
“Perception of Trust” vs. Identifying Risk Factors
People are generally our biggest security threat for a variety of reasons.
We all confirm the identities of new employees and contractors before granting them any access, don’t we? Which may or may not include a 100 point identity check? Just 100 points? Because fingerprint checks are too intrusive, aren't they? So false identities aside - once we know who someone is, that makes them a good person automatically, doesn't it? But their referees said they're a great person, and of course we know so much about their referees, don’t we? Would it be diligent to perhaps see if they've done bad things in the past? Identification does not equal verification of their history and conduct. Relying solely on identification does not preclude an adverse personnel outcome.
So once we’ve checked out who they are and that they've done nothing wrong in the past, that means they'll never do anything wrong in the future, right? This being the perception of trust. Relying solely on the perception of trust leaves you open to the insider threat.
By identifying some risk factors we may be able to get some insight into their future behaviour. Take for example infidelity and sites such as “Ashley Madison”. The hack of this site not only exposed countless government officials and contractors that could have been compromised, but it was responsible for making some small, but specific, changes in the vetting policies of some organisations. Mainly, asking the question “Do you have any online dating or ‘hookup’ accounts like Tinder or Ashley Madison?”
Placing aside the ethics of an affair, the behaviour profile may indicate increased risk factors in the future. Ashley Madison says, “Life is short. Have an affair”, which to some people could constitute an invitation down a slippery slope - have an affair……. come into work late and hungover….. do some blow in the bathroom and some online gambling at work……. stalk a coworker in your spare time…… sell some work info to cover your cocaine and online gambling debts….. It sounds far fetched, but it does definitely happen.
The “Security Onion”
Not just layers, but multiple layers of multiple approaches (Security In Depth)
“Who is it that needs to go or needs to know and how do we manage those needs.”
Security In Depth = Wholistic Security
The whole is greater than the sum of its parts
So having seen the perils of the Stronghold approach with its single points of failure, we look at Security in Depth through the “Security Onion Model”.
“Holistic Security vs. Wholistic Security”
“Holistic Security” “Wholistic Security”
A quick one for the word nerds in the audience…
How do we achieve this mythical Security in Depth?
Should we reinvent the wheel?
What about existing standards?
Numerous standards exist, mostly in isolation of each other.
- Locks (AS4145)
- Security Screening (AS3555)
- Intruder Resistance (AS3555.1)
- Risk Management (ISO 31000)
- Information Security (ISO/IEC 27001)
- Employment Screening (AS4811)
Complicated/costly to implement and measure compliance against a plethora of standards
Basically, lots of standards and it gets messy…..
What if I told you there was a cheap and easy to use system?
๏Developed by some of the best minds in the security and risk management fields
๏Millions of dollars spent on its development and continual improvement
๏Field tested on a large scale
๏Scalable and modular – use what you need!
๏Freely available (some features government and government contractors only)
๏Free steak knives (nah, just kidding)
Roll it like an infomercial….
Boredom Buster 2 – PHYSEC Single Point Failure
- OR “your high security cylinder is irrelevant………”
Protective Security Policy Framework (PSPF)
◉ www.protectivesecurity.gov.au
◉ Policy, guidance and better practice advice for governance, personnel, physical and information security.
- PHYSEC - INFOSEC - PERSEC - GOV
◉ 36 Mandatory requirements or principles for government agencies, but these are applied against your own risk factors (varying levels of response for various risks)
◉ I like to call it - “The Security Sandwich”
At this point I would like to introduce you to how the Australian Government does “Security in Depth”. It’s nearly all available freely online at the web address above, so I’m going to blast through these slides to keep things moving and interesting. Feel free to ask me questions later or explore the site yourself at your own convenience.
The Security Sandwich
INFOSEC
PERSEC
PHYSEC
Security In Depth:“Security-in-depth is a multi-layered system in which security measures combine to support and complement each other, making it difficult for an external intruder or an employee to gain unauthorised access. These can include physical, information, personnel or procedural measures.” – PSMP 4/2015
PHYSEC - “needs to go”
๏PSMP – Physical Security Management Protocol
๏Security Zones, Physical Security of ICT Equipment, Working away from the office, Event Security.
๏ASIO T4 Technical Security “Tech Notes”
๏SCEC – Security Construction Equipment Committee (Locksmiths, Consultants, Equipment)
๏Varied response example – “Security Zones”
INFOSEC - “needs to know”
๏ISMP – Information Security Management Protocol
๏Attorney Generals/ASIO – Security Classification System and arrangements for materials
๏ASD – Information Security Manual (ISM)
๏ASD Evaluations – AISEP Australasian Information Security Evaluation Program
๏IRAP – Information Security Registered Assessors Program (Consultants)
๏Varied response example – “Security Classification”
PERSEC - “who”
๏PSMP – Personnel Security Management Protocol
๏Vetting practices guidelines, managing the insider threat and Identifying/Managing people of security concern.
๏AGSVA – Australian Government Security Vetting Agency (Vetting Practices)
๏ASIO – Insider Threats and people of security concern
๏Varied response example – “Security Clearances”
Boredom Buster 3 – Public Service Announcement
“Friends don’t let friends use Kwikset™ key in knobs”
- OR “Damn you Masters™, this stuff was almost gone….”
The Security Sandwich
INFOSEC
PERSEC
PHYSEC
A reminder of your Security sandwich from earlier…
PHYSEC – Bread – Holds it together and gives it a physical heft, lettuce wraps are for wusses.
INFOSEC – Meat – Information – It’s what makes a sandwich and an organisation.
PERSEC – Salad and other stuff. As complicated as you like it. It’s what separates a mediocre airline sandwich from a sandwich masterpiece.
Is your Security Sandwich Tasty?
Measuring conformance and performance with GOV:
“managing those needs”
๏Security Culture (Education)
๏Risk Management (ISO 31000/HB 167:2006)
๏Audit, reviews and reporting (Annual assessment to Minister, ANAO, AGD)
๏Investigations (AGIS)
๏Business Continuity (ANAO)
The PSPF is endorsed by Security Doge…
Application of principles: Pen testing & Red Teaming
(I’ve told you how to make it, here’s how to break it…….)
Target uses “Stronghold Doctrine”
Identify and then assault the single point of failure. Kick ass and take names…
Target uses “Security Onion”
“Peel the Onion”
Persistent surveillance and intelligence gathering will reveal weaknesses. These usually occur where layers interact with each other (i.e. people, policies and procedures).
“Peel the Onion”
What does this image tell us?
๏PIR not installed correctly. System probably not commission tested (installer lazy or inept)
๏Who put it there? (security not diligent, insider threat?)
๏Area outside cardboard is not covered (safe to work outside door?)
๏PIR sensor does not have anti-mask (mask for free movement)
๏Conduit down from ceiling “corridor of safety above” (suspended ceiling?)
and so forth…..
It tells us lots of things…..
Questions and Contacts
Linked In: Search “Anthony Craig Rumball”
LockSport Slack: “rumballsolutions”
Twitter: @rumballsolution