OzLockCon - Security In Depth

Posted 20-Aug-2020

TRANSCRIPT

Page 1: OzLockCon - Security In Depth · Technician ๏Locksmiths Guild of Australia - CPL ๏SCEC Approved Locksmith ๏GSA Safe/Vault Inspector/Technician ๏Bespoke advice and solutions

SECURITY IN DEPTH “WHEN SECURITY THEATRE JUST ISN’T ENOUGH”

Pick a laser pointer……

Page 2:

Disclaimer

The material presented here is solely the opinion of the presenter. It does not represent, nor does it hold the endorsement of any third party, organisation or professional body.

Any information provided within is for the purposes of security awareness and education. The presenter does not endorse the commission of unlawful or unethical acts.

All responsibility rests with the individual.

So the standard disclaimer….

Page 3:

AIM & FORMAT

◉ Introduce “Security In Depth” as a wholistic approach to security – high speed, low drag tour

◉ Utilise a government perspective, The PSPF

◉ Provide inspiration for application in your own working space

◉ Periodic “boredom buster” interludes covering physical security and failures

◉ Questions are encouraged – I’d prefer to talk with you, not at you.

So here’s what I want to do and how I plan to do it….

Page 4:

Who are you and what do you know?

So about now you are probably asking……….

Page 5:

Former NSW Police Officer, 12 years, 2000 through 2012

Designated Detective Sergeant Rank

Specialist Detective at State Crime Command 2007 – 2011

First at Gangs & Organised Crime Squad, focussing on OMCGs, in particular HAMC. Secondments to joint operations with NSWCC and ACC. Notable - Sydney Airport Brawl, HAMC/Comancheros MC, relating to the murder of Anthony Zervas.

Drugs Squad - Chemical Operations Unit. Joint operations with ACS, ACC, AFP and NSWCC. Investigated chemical and equipment diversion, Clandestine Laboratory Responses and Manufacture Investigations. If it was HAZMAT and required a policing response we would cop it, including IMP Exp labs, cannabis/DMT extraction and “mushroom” labs.

Page 6:

Things I did:

๏High Risk / High Profile Investigations

๏Deployment of Physical and Technical Surveillance

๏Technical Surveys (pen testing) and Risk Assessments

๏Intelligence collection and assessment (Social engineering, HUMINT, OSI)

๏Operational Planning and Assessment – Overt & Covert

๏Risk Management


Page 7:

Pen testing in the real world (aka “Peeling the Security Onion”)…

tunnel ratting, sneaking around in the dark and bushwalking……..

Page 8:

Red Teaming for keeps (When you have to assault the stronghold)…

attending social club meetings, acting as a judge for Master Meth Chef and learning how to continue breathing just to risk my safety in other stupid ways…..

Page 9:

Security Advisor, Locksmith and Safe Technician

๏Locksmiths Guild of Australia - CPL

๏SCEC Approved Locksmith

๏GSA Safe/Vault Inspector/Technician

๏Bespoke advice and solutions for High Risk/Special Circumstances Clients

When I resigned from the NSW Police I needed something to keep me off the streets, so I decided to continue developing some skills I learnt in policing.

In the past I niche marketed myself as a one stop security advice and engineering shop for people that were really paranoid or actually had a reason to be concerned - pharmacy storage, firearms dealers, collectibles and antiquities…

Page 10:

Government Security Advisor

๏Former Assistant Agency Security Advisor

๏Driving “Security Culture” Changes

Move back to ACT prompted a shift back to government work. This required using old skills to tackle new challenges like finding ways to protect the government from its own people and encouraging people with no background in security to understand why it may actually be important…

Page 11:

What am I doing now?

Nothing!

Happy to discuss opportunities…


Page 12:

Security in depth is not security theatre!

Security Theatre = measures that make people feel better as opposed to fixing or managing the root problem.

This talk deals with Security in Depth, so it’s important to define what that is not…..

Airports a joke - buy me a beer later for some interesting stories. Cameras - unless planned and monitored, generally don't prevent breaches, just give evidence. Security Guards - Some are window dressing, some are good, but in general “pay peanuts, get monkeys”.

Page 13:

Boredom Buster 1 – Security Theatre Example

- OR “Why I hate mag locks on gates………”

Ok, time for one of those brief interludes.

This is a great example of security theatre.

Page 14:

Mag locks rely on alignment for strength. flex = misalignment = weakness

Some nice security theatre. Access control on a bike cage - looks pretty secure eh? Pretty red light on the card reader - “ACCESS DENIED”. Not that much of a concern until you delve deeper and find out what work related items people leave in their panniers whilst using the change room. Farther reaching security implications.

Not to mention also the broken system syndrome. Like overly sensitive alarms, people get sick of false alarms - eventually they ignore them or worse, turn off notifications.

Page 15:

More MAG LOCK Failure!

Electronic installers love Mag locks, as they are easier to fit. Problem is that they still require some skill to fit. Self tappers in wood usually fail due to weight and stresses. Really need to be through bolted.

I won’t make comment on the abortion of a bracket. Some tradies are only good at plugging components together, others would fabricate the bespoke solution.

Some helpful soul taped it on the door as they were worried about it knocking someone in the head.

Page 16:

The Stronghold Doctrine vs. The Security Onion

In order to discuss security we need to compare two popular approaches.

The stronghold doctrine - which frankly belongs back in the times of castles and forts.

The more contemporary “Security Onion” - which INFOSEC workers would be familiar with.

Page 17:

The Stronghold Doctrine

A robust perimeter and a single point of entry keeps threats out!

However, it provides a single point of failure that allows threats to run rampant once inside and usually ignores other vulnerability factors……

What happens when the battering ram finds its way through the front gate? Yep - rape and pillage inside the castle.

Page 18:

The Stronghold Doctrine: Single Points of Failure - PHYSEC

High Security Cylinder vs. Low Security Hardware

Proper Hardware vs. Improper Execution

Examples of stronghold doctrine in physical security and the creation of single points of failure caused by a single minded approach to problems.

Nice high security cylinder and blocker strip on door edge, however riveted on with aluminium rivets instead of tamper resistant fasteners. Easy to drill out, easy to shear off and easy to replace. What’s that plate hiding? Probably a big hole.

Other example - Nice full plate furniture, but fail on the cutout for cylinder and lack of latch guard on outward opening door.

Remember these fail points as they will become more relevant with a vulnerability demonstration video later in the presentation…

Page 19:

The Stronghold Doctrine: Single Points of Failure - INFOSEC

Air gapping vs. USB attack vectors

User Control vs. Password Insecurity

Examples of the single minded stronghold approach in INFOSEC.

You can defend your network and air gap from outside threats, but what about the employee who decides to steal information that they are already authorised to access? That’s a pretty neat setup to EXFIL data and, with the exception of a few places, unlikely to be detected. Or what about if you are just a malicious actor with a beef, pretty good way to introduce a threat. It’s astounding how many places private and public sector still allow for removable storage. The only real protection is physical disabling of ports.
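Where ports cannot be physically disabled, the next layer is noticing when removable storage turns up anyway. This is an added detection example, not part of the presentation: it parses Linux kernel log lines (the usb, usb-storage and sd driver messages that appear in dmesg or syslog), raises an event only for a mass-storage device, not for every USB device, and ties the disk name back to the port and vendor/product IDs of the stick. The sample log and its IDs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample kernel log (not from a real host): a flash drive on
# port 1-2, then a non-storage device on port 1-3. IDs are placeholders.
SAMPLE_LOG = """\
[  120.250] usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[  120.251] usb 1-2: Product: Example Flash Drive
[  120.260] usb-storage 1-2:1.0: USB Mass Storage device detected
[  121.300] sd 6:0:0:0: [sdb] 60088320 512-byte logical blocks: (30.8 GB/28.7 GiB)
[  121.400]  sdb: sdb1
[  300.000] usb 1-3: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice=12.11
[  300.010] usb 1-3: Product: Example Wireless Receiver
"""

# Message shapes the Linux usb, usb-storage and sd drivers log on attach.
USB_FOUND = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
USB_PRODUCT = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
BLOCK_DEV = re.compile(r"\bsd \d+:\d+:\d+:\d+: \[(?P<dev>sd[a-z]+)\] ")

@dataclass
class UsbStorageEvent:
    port: str                    # physical port path, e.g. "1-2"
    vendor_id: str
    product_id: str
    product: str
    block_device: Optional[str]  # e.g. "sdb" once a disk is registered

def find_usb_storage(log: str) -> List[UsbStorageEvent]:
    """One event per mass-storage device; other USB devices yield none.

    Identity lines precede the usb-storage line and the disk name follows
    it, so state is kept across lines and correlated by port path.
    """
    devices: Dict[str, Dict[str, str]] = {}    # port -> vid/pid/name
    events: List[UsbStorageEvent] = []
    pending: Optional[UsbStorageEvent] = None  # waiting for its disk name
    for line in log.splitlines():
        m = USB_FOUND.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": ""}
            continue
        m = USB_PRODUCT.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m:
            info = devices.get(m["port"], {"vid": "?", "pid": "?", "name": "?"})
            pending = UsbStorageEvent(m["port"], info["vid"], info["pid"],
                                      info["name"], None)
            events.append(pending)
            continue
        m = BLOCK_DEV.search(line)
        if m and pending is not None:
            pending.block_device = m["dev"]
            pending = None
    return events

if __name__ == "__main__":
    for e in find_usb_storage(SAMPLE_LOG):   # constructed input, one alert
        print(f"REMOVABLE STORAGE port {e.port}: {e.product} "
              f"({e.vendor_id}:{e.product_id}) -> /dev/{e.block_device}")
```

On a real host the same function can be fed `journalctl -k` output; a device whose identity lines were rotated out before the usb-storage line still produces an event, with "?" in place of the missing IDs.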

In the second example - you can implement user control all you want, but relying solely on a PW for authentication introduces its own issues. End Users struggle with ever more complex passwords and resort to the old “encrypted post it note” in the filing cabinet or desk drawer. But it’s ok right, because it’s locked up with a high security furniture lock ok? Because no one would ever master key furniture locks for the ease of facilities staff right?

Page 20:

The Stronghold Doctrine: Single Points of Failure - PERSEC

Identification vs. Verification

“Perception of Trust” vs. Identifying Risk Factors

People are generally our biggest security threat for a variety of reasons.

We all confirm the identities of new employees and contractors before granting them any access, don’t we. Which may or may not include a 100 point identity check? Just 100 points? Because fingerprint checks are too intrusive, aren't they? So false identities aside - once we know who someone is, that makes them a good person automatically, doesn't it? But their referees said they're a great person, and of course we know so much about their referees, don’t we? Would it be diligent to perhaps see if they've done bad things in the past? Identification does not equal verification of their history and conduct. Relying solely on identification does not preclude an adverse personnel outcome.

So once we’ve checked out who they are and that they've done nothing wrong in the past, that means they'll never do anything wrong in the future, right? This being the perception of trust. Relying solely on the perception of trust leaves you open to the insider threat.

By identifying some risk factors we may be able to get some insight into their future behaviour. Take for example infidelity and sites such as “Ashley Madison”. The hack of this site not only exposed countless government officials and contractors that could have been compromised, but it was responsible for making some small, but specific, changes in the vetting policies of some organisations. Mainly, asking the question “Do you have any online dating or ‘hookup’ accounts like Tinder or Ashley Madison?”

Placing aside the ethics of an affair, the behaviour profile may indicate increased risk factors in the future. Ashley Madison says, “Life is short. Have an affair”, which to some people could constitute an invitation down a slippery slope - Have an affair……. come into work late and hungover….. do some blow in the bathroom and some online gambling at work……. stalk a coworker in your spare time…… sell some work info to cover your cocaine and online gambling debts….. It sounds far fetched, but it does definitely happen.

Page 21:

The “Security Onion”

Not just layers, but multiple layers of multiple approaches (Security In Depth)

“Who is it that needs to go or needs to know and how do we manage those needs.”

Security In Depth = Wholistic Security

The whole is greater than the sum of its parts

So having seen the perils of the Stronghold approach with its single points of failure, we look at Security in Depth through the “Security Onion Model”.

Page 22:

“Holistic Security vs. Wholistic Security”

“Holistic Security” “Wholistic Security”

A quick one for the word nerds in the audience…

Page 23:

How do we achieve this mythical Security in Depth?

Page 24:

Should we reinvent the wheel?

Page 25:

What about existing standards?

Numerous standards exist, mostly in isolation of each other.

- Locks (AS4145)
- Security Screening (AS3555)
- Intruder Resistance (AS3555.1)
- Risk Management (ISO 31000)
- Information Security (ISO/IEC 27001)
- Employment Screening (AS4811)

Complicated/costly to implement and measure compliance against a plethora of standards

Basically, lots of standards and it gets messy…..

Page 26:

What if I told you there was a cheap and easy to use system?

๏Developed by some of the best minds in the security and risk management fields

๏Millions of dollars spent on its development and continual improvement

๏Field tested on a large scale

๏Scalable and modular – use what you need!

๏Freely available (some features government and government contractors only)

๏Free steak knives (nah, just kidding)

Roll it like an infomercial….

Page 27:

Boredom Buster 2 – PHYSEC Single Point Failure

- OR “your high security cylinder is irrelevant………”


Page 28:

Page 29:

Protective Security Policy Framework (PSPF)

◉ www.protectivesecurity.gov.au

◉ Policy, guidance and better practice advice for governance, personnel, physical and information security.

- PHYSEC
- INFOSEC
- PERSEC
- GOV

◉ 36 Mandatory requirements or principles for government agencies, but these are applied against your own risk factors (varying levels of response for various risks)

◉ I like to call it - “The Security Sandwich”

At this point I would like to introduce you to how the Australian Government does “Security in Depth”. It’s nearly all available freely online at the web address above, so I’m going to blast through these slides to keep things moving and interesting. Feel free to ask me questions later or explore the site yourself at your own convenience.

Page 30:

The Security Sandwich

(Diagram: INFOSEC / PERSEC / PHYSEC layers)

Page 31:

Security In Depth: “Security-in-depth is a multi-layered system in which security measures combine to support and complement each other, making it difficult for an external intruder or an employee to gain unauthorised access. These can include physical, information, personnel or procedural measures.” – PSMP 4/2015

Page 32:

PHYSEC - “needs to go”

๏PSMP – Physical Security Management Protocol

๏Security Zones, Physical Security of ICT Equipment, Working away from the office, Event Security.

๏ASIO T4 Technical Security “Tech Notes”

๏SCEC – Security Construction Equipment Committee (Locksmiths, Consultants, Equipment)

๏Varied response example – “Security Zones”


Page 33:

INFOSEC - “needs to know”

๏ISMP – Information Security Management Protocol

๏Attorney Generals/ASIO – Security Classification System and arrangements for materials

๏ASD – Information Security Manual (ISM)

๏ASD Evaluations – AISEP Australasian Information Security Evaluation Program

๏IRAP – Information Security Registered Assessors Program (Consultants)

๏Varied response example – “Security Classification”

Page 34:

PERSEC - “who”

๏PSMP – Personnel Security Management Protocol

๏Vetting practices guidelines, managing the insider threat and Identifying/Managing people of security concern.

๏AGSVA – Australian Government Security Vetting Agency (Vetting Practices)

๏ASIO – Insider Threats and people of security concern

๏Varied response example – “Security Clearances”


Page 35:

Boredom Buster 3 – Public Service Announcement

“Friends don’t let friends use Kwikset™ key in knobs”

- OR “Damn you Masters™, this stuff was almost gone….”


Page 36:

Page 37:

The Security Sandwich

(Diagram: INFOSEC / PERSEC / PHYSEC layers)

A reminder of your Security sandwich from earlier…

PHYSEC – Bread – Holds it together and gives it a physical heft, lettuce wraps are for wusses.

INFOSEC – Meat – Information – It’s what makes a sandwich and an organisation.

PERSEC – Salad and other stuff. As complicated as you like it. It’s what separates a mediocre airline sandwich from a sandwich masterpiece.

Page 38:

Is your Security Sandwich Tasty?

Measuring conformance and performance with GOV:

“managing those needs”

๏Security Culture (Education)

๏Risk Management (ISO 31000/HB 167:2006)

๏Audit, reviews and reporting (Annual assessment to Minister, ANAO, AGD)

๏Investigations (AGIS)

๏Business Continuity (ANAO)

Page 39:

The PSPF is endorsed by Security Doge…

Page 40:

Application of principles: Pen testing & Red Teaming

(I’ve told you how to make it, here’s how to break it…….)


Page 41:

Target uses “Stronghold Doctrine”


Identify and then assault the single point of failure. Kick ass and take names…

Page 42:

Target uses “Security Onion”

“Peel the Onion” – Persistent surveillance and intelligence gathering will reveal weaknesses. These usually occur where layers interact with each other (i.e. people, policies and procedures).

Page 43:

“Peel the Onion” What does this image tell us?


Page 44:

๏PIR not installed correctly. System probably not commission tested (installer lazy or inept)

๏Who put it there? (security not diligent, insider threat?)

๏Area outside cardboard is not covered (safe to work outside door?)

๏PIR sensor does not have anti-mask (mask for free movement)

๏Conduit down from ceiling “corridor of safety above” (suspended ceiling?)

and so forth…..

It tells us lots of things…..

Page 45:

Questions and Contacts


Linked In: Search “Anthony Craig Rumball”

LockSport Slack: “rumballsolutions”

Twitter: @rumballsolution