// A Physical Security Primer for the Community //

// by dual //

// http://www.oldskoolphreak.com //

"There are three simple principles to follow: keep people away, keep them out, and protect your plumbing."
- Microsoft 5-Minute Security Advisor - Basic Physical Security

Unfortunately, physical security is not as simple as most IT-centric books and websites lead you to believe. Effective physical security is not a checklist. Effective physical security comes from a methodology that is applied system-wide (the idea of "system" is discussed later). This article will present the foundation of a methodology that can be used to secure assets of any value, and then discuss a few specific technologies and how they are used (and misused) within that methodology.

Checklist? Methodology? Even more basic - what is physical security?

First, what physical security is not. Physical security is not safety. For example, protecting your lab from accidental fire or storms, and keeping humans from harm in said fire or storms, is not security; that is safety. Security is the protection of assets from humans with malevolent intent, hereon called adversaries. Assets can be material objects, information or human life.

It was said that a system-wide view of physical security must be taken. Here, "system" does not mean a single computer or network, but the entire entity within which an asset resides. To the example of a hacker's lab: the computers within the room, the room within the house, the people that reside there and have access, any security technology used, and any off-site security elements. That is a system. Every element interacts in some way.

Methodology
-----------

With security and system defined, it is time to describe the methodology. As stated, the object of physical security is to protect assets from adversaries, so defining what is to be protected, and its value, is the first step. Let's take a hacker's computer containing dairy-fresh vuln code (ready for full disclosure).
To the hacker, this is a high-consequence asset, meaning that loss of the asset is unacceptable. An off-site backup would mitigate the risk, but let's assume this is not possible. In this system, the greatest amount of resources will be spent securing this asset. Suppose this hacker is also an avid gamer and must protect a rare collection of 2D Saturn shooters. The games are important, but not as important as the notoriety from such a fantastic piece of code. Therefore, fewer resources will be allocated to protecting the Saturn discs. As can be plainly seen, defining what to protect, and at what level, is a first and important step.

As disturbing as this scenario may be, the hacker knows that a younger sibling covets the rare, round pieces of plastic. The desire for a classic, Japanese, vertically scrolling shooter transcends the notion of family - the young one is the adversary. Knowing the adversary, the hacker simply hides the discs or locks them up, easily foiling the sibling's plans. The key here is that the hacker knew of the threat. Determining the adversary is the next part of the methodology. Along with knowing which assets are critical to protect, knowing which adversary to protect against will determine the resources that must be allocated to establish effective security. With an adversary that's in grade school, little to no resources are needed to protect the Saturn discs. If the rogue nation state of Japan wanted to liberate the rare games using espionage, the hacker might not deem the discs worthwhile to protect, given the resources needed to protect them from such a threat. More likely, the hacker would not have the resources to protect against such a threat at all and would have to deem the scenario acceptable risk.

A more credible scenario would include a script kiddie neighbor who has seen some time in juvenile detention. A find like the hacker's code would be worth a simple B&E.
This scenario will require many more resources than the familial adversary - this adversary has greater capabilities and motivation (and fewer scruples), and the asset is of much higher consequence. With those two things determined - the asset and its value, and the adversary and his capabilities - the hacker can begin to add effective security to the system.

What should the hacker do? Simple. The hacker just installs six CCTV cameras around his house and therefore has effective security. Wrong. Throwing technology (especially cameras) blindly at a problem is never the solution. Effective physical security consists of three elements: detection, delay and response. Each will be explained, in order, to show how the methodology provides effective security.

Detection is the first piece, and for good reason. If no one is home when the kiddie launches his (physical) attack, and there is no security system, the kiddie will go undetected and have as much time as he needs to get the code he wants, whether by accessing the computer or stealing it outright. Without detection, the adversary has the time to complete the necessary tasks unhindered and walk away with the asset. With detection - let's say a passive infrared sensor (PIR) or a balanced magnetic switch (BMS), both sensors that provide detection - the adversary must complete the necessary tasks (defeat the delay) before the response arrives. (There's some bad news for the hacker when we reach Response.)

Delay, the next piece of effective security, must occur after detection. Delay is the implementation of technology or procedure that slows the adversary's progress. In the sibling scenario, technological delay (a locked box in a closet) could be implemented, sufficiently delaying the adversary (with a given set of capabilities) to allow response (the hacker responding to a door alarm) before the adversary completes his tasks. Procedural delay (hiding the discs) may achieve the same goal.
To review: if detection is placed after delay in the adversary's task timeline, or there is no detection at all, the adversary can defeat any delay and achieve his goal. To protect an asset, there must be detection to know that there is an attack, and there must be delay after said detection to allow response.

Response, simply put, is the good guys catching the bad guys - the police responding to a burglar alarm. The bad news for the hacker (and most homeowners, unfortunately) is that local police response time is usually much longer than the average burglar's task time. The script kiddie can smash a window and walk out with a tower much quicker than the police can respond. That's where our friend delay comes in - slow the adversary to the point where he cannot complete his tasks before the response arrives.

So you can see that effective security must have detection, delay and response, in that order. The value of the asset will determine the amount of effort and resources you allocate to secure it. But which technologies are effective, and where do they fit within the methodology, you ask? Let's discuss a few that are pertinent to a hacker.

Cameras
-------

Cameras are misused so much that they deserve their own section. And to sum up their misuse, only one statement needs to be made: cameras are not sensors. Cameras in the above methodology are used for assessment after detection has been made - confirming what tripped the sensor and what the response is walking into. (Of course, this is a simplified generalization sufficient for this introductory paper.) Adding 20 cameras to a security system, and expecting a human to watch the associated monitors to detect wrongdoing, is a detriment to security effectiveness. The human is the detector, and a poor one at that. Humans are good for about two hours of monitor watching, are prone to distraction, need to eat, go to the bathroom, etc. Again, don't rely on a camera for detection. Get a good sensor, with a good annunciator (ideally, covert to the adversary), and use the camera to assess the situation.
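The adversary-timeline reasoning above (detection first, delay placed after it, response racing the adversary's remaining task time), together with the point that an unwatched camera detects nothing, as an added example in Python. This code is not from the original article. Every task name, duration, sensor probability and police response time in it is constructed for illustration, not measured, and the 0.95 sensor probability and 0.9 reliability threshold are assumptions. The last function carries the same delay-without-detection logic through to a stolen encrypted box, the case the Cryptography section takes up; its key-search rates are likewise assumed.

```python
"""Adversary-timeline model for the detection -> delay -> response methodology.

Added example, not code from the original article.  Every task name, duration,
sensor probability and response time is CONSTRUCTED for illustration; real
numbers come from timing your own doors, windows, cabinets and responders.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Task:
    """One element on the adversary's path to the asset."""
    name: str
    delay_s: float               # time the adversary needs to defeat this element
    detection_prob: float = 0.0  # P(a sensor annunciates when it is defeated);
                                 # 0.0 = no sensor (an unwatched camera scores 0.0)


@dataclass(frozen=True)
class Outcome:
    detected_at: Optional[str]      # element whose sensor tripped, or None
    delay_after_detection_s: float  # adversary work still ahead once detected
    response_time_s: float
    effective: bool                 # response arrives before the adversary finishes


def evaluate(path: List[Task], response_time_s: float, p_min: float = 0.9) -> Outcome:
    """Walk the adversary's tasks in order.

    Detection counts at the first element carrying a reliable sensor
    (detection_prob >= p_min); the sensor annunciates when that element is
    defeated.  Only delay AFTER that point buys response time (the article's
    ordering rule).  No detection means unlimited adversary time, so no amount
    of delay makes the system effective.
    """
    total = sum(t.delay_s for t in path)
    elapsed = 0.0
    for t in path:
        elapsed += t.delay_s
        if t.detection_prob >= p_min:
            remaining = total - elapsed
            return Outcome(t.name, remaining, response_time_s, remaining >= response_time_s)
    return Outcome(None, 0.0, response_time_s, False)


POLICE_RESPONSE_S = 600.0  # CONSTRUCTED: ten minutes, far longer than a smash-and-grab

# CONSTRUCTED smash-and-grab path for the script-kiddie neighbour.
WINDOW = Task("smash rear window", 10)
CLIMB = Task("climb in", 10)
GRAB = Task("unplug tower, carry it out", 60)
CABINET = Task("pry open bolted steel cabinet", 900)   # a delay element


def no_alarm_six_cameras() -> Outcome:
    """Six recording cameras, nobody watching: assessment only, detection_prob 0.0."""
    return evaluate([WINDOW, CLIMB, GRAB], POLICE_RESPONSE_S)


def glass_break_only() -> Outcome:
    """Glass-break sensor on the window, but no delay placed after it."""
    window = Task(WINDOW.name, WINDOW.delay_s, detection_prob=0.95)
    return evaluate([window, CLIMB, GRAB], POLICE_RESPONSE_S)


def glass_break_then_cabinet() -> Outcome:
    """Detection at the window, then 900 s of delay before the asset: correct order."""
    window = Task(WINDOW.name, WINDOW.delay_s, detection_prob=0.95)
    return evaluate([window, CLIMB, CABINET, GRAB], POLICE_RESPONSE_S)


def cabinet_sensor_only() -> Outcome:
    """Same cabinet, but the only sensor is on its door: the delay sits before detection."""
    cabinet = Task(CABINET.name, CABINET.delay_s, detection_prob=0.95)
    return evaluate([WINDOW, CLIMB, cabinet, GRAB], POLICE_RESPONSE_S)


def encryption_outlasts_adversary(key_bits: int, keys_per_s: float, horizon_years: float) -> bool:
    """Encryption on a stolen box is delay with no detection behind it.

    The adversary has unlimited time, so the asset keeps its value only if the
    expected brute-force time (half the keyspace) exceeds how long the adversary,
    or the data's worth, lasts.  Key rates passed in are CONSTRUCTED.
    """
    expected_s = 2 ** (key_bits - 1) / keys_per_s
    return expected_s > horizon_years * 365.25 * 86400


if __name__ == "__main__":
    for fn in (no_alarm_six_cameras, glass_break_only, glass_break_then_cabinet, cabinet_sensor_only):
        print(f"{fn.__name__:26s} {fn()}")
    # one PC at 1e7 keys/s for a century vs. a distributed.net-scale 1e11 keys/s for five years
    print(encryption_outlasts_adversary(64, 1e7, 100), encryption_outlasts_adversary(64, 1e11, 5),
          encryption_outlasts_adversary(128, 1e11, 100))
```

Running the script prints one Outcome per scenario. No sensor (or six unwatched cameras) gives no detection at all, so the result is never effective whatever the delay. A glass-break sensor alone detects at the window but leaves only 70 s of adversary work against a 600 s response. The same sensor with a 900 s cabinet behind it leaves 970 s and is effective. Moving the only sensor onto the cabinet door leaves 60 s and fails, even though the total delay in the path is identical; that is the ordering rule in numbers. The encryption function shows that "effective delay" is relative to the adversary: a 64-bit key outlasts one PC for a century but not a distributed.net-scale effort for five years, while a 128-bit key outlasts both. Swap in your own timings for the site you are assessing.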
Cryptography
------------

If you are familiar with distributed.net, then you know that it takes immense resources to crack even modest common encryption - the equivalent of 160,000 Pentium II 266 MHz PCs crunching for approximately 1,700 days to find a single 64-bit key. Nothing short of a government entity has such computing power, or the motivation. So it can safely be assumed that encryption is effective delay. And delay it is.

Data is a funny asset. Once it is "0wn3d" it loses its value - infinite copies can be made and can never be taken back. So, if encrypted data is unknowingly (to the owner) intercepted, or, to tie this subject to the physical world, the entire box is stolen, there is no detection and the adversary has unlimited time to defeat the delay (the encryption). But good encryption is extremely effective delay, ensuring the retention of the asset's value. Two caveats apply to the stolen-box case. First, the delay only holds if the key does not leave with the box: a machine taken while powered on, with the volume mounted or the key in memory, offers almost no delay at all. Second, the delay is relative to the adversary's capabilities, exactly as in the methodology above - a 64-bit key that a single PC cannot search in a lifetime is a few years' work for a distributed effort, which is why the keys in common use today are 128 bits and longer.

Locks
-----

Locks, a fascinating technology to be sure, are not so much misused as they are misunderstood. Take lockpicking, for instance. Anyone familiar in the least with the sport of lockpicking realizes that a thief isn't going to pick the lock on your back door. The thief is going to throw a brick through the window and enter that way. Locks are delay only with respect to the portal they are installed on. A Sargent & Greenleaf lock on a hollow laminated door would be foolish, as would a cheap Master combo lock on a steel-reinforced concrete door. Take this and consider computer tower or laptop locks. They offer delay, but little delay at best. And this delay does no good when the entire computer is stolen (screwdriver and Channellocks, anyone?). Even laptop cable locks can be defeated with a simple hammer. Locks are a good idea, if not essential. But always consider adversary circumvention, and the true role of locks as delay.

Take this methodology and the technologies discussed, and use the information while observing security technologies and procedures everywhere you go.
Look around every building you enter - are there glass-break sensors? Security cameras? Security guards? - and apply the methodology in your head. You'll begin to understand the strengths and weaknesses of (basic) security systems. And hopefully you'll start to consider, and possibly research, the more advanced technologies (biometrics, x-ray, microwave sensors, etc.) that you may encounter.