Thursday, May 12, 2016

Why "security" fails (and how to prevent it, maybe)

It is not uncommon for serious organizational interest in improving security to arise after "security" fails. Sure, there are exceptions; however, it is not an uncommon phenomenon.

Why then does security fail?

If we never changed the oil in our car we would not wonder why it stopped working.

If we were to overdraw our bank account, having never put money into it, we would not wonder why there was no more money.

So why then consider organizational security any differently?

Wednesday, July 24, 2013

While We're on Burglary Prevention - Window Shopping

Many burglary prevention materials out there contain language about not putting valuables by windows. They speak of electronics, jewelry, money and other items that can be pulled through a window quickly. Let's take a moment and consider another type of valuable that is rarely mentioned.

INFORMATION. Your information is valuable to someone at some point for some purpose. The intruder is looking to make their efforts easier.  So what can be seen from your windows?

Can an intruder see a calendar? Does that calendar contain vacation dates, children's appointment schedules, your doctor appointments, or other similar data? What else is left by windows, on tables, and car seats-dashboards-floors?

Take a moment and walk around the house to look into the windows. What do you see? What will a bad guy see?

On a related note, what is in the pictures you and your family are posting on the internet? Are there pictures of that calendar? Valuables?

Monday, July 22, 2013

The Card Trick - Burglar Style

Everyone seems to know one card trick or another. This one can be done with almost anything. The reason cards are often used is their inconspicuous nature and low cost. Consider this: whenever you or one of your neighbors goes on vacation, does anyone look out for the property? Does anyone collect newspapers and mail, and clean up anything on the property that you might clean up anyway? This ties back into the concept of "covert channel" communications. The lack of presence at a property could be discerned by the lack of routine activity. Throughout our lives we set patterns and our individual patterns blend with the various groups around us. Someone paying attention to these patterns can easily see a change. A car left parked outside all day and never moved. This might be the second family car and the lack of movement could tip off a bad guy that the family has not been home. A dog that is normally outside in a fenced yard that is conspicuously missing during otherwise fair weather.

Any of these could be a tip to the bad guy casing the neighborhood. And by casing, or observing, they could be exposing themselves to undue scrutiny by others in the neighborhood. To avoid this scrutiny the simple card-trick method is used. In addition to avoiding undue scrutiny it also permits the screening of a large number of target residences in one day - without the activity attracting too much attention by itself.

How many times have you come home to find a business card or flyer at your front door? Did you follow up with the business to purchase services? Probably not. Now if a bad guy, or team, were to blanket a neighborhood, or several neighborhoods, with these solicitations it might take a couple of hours. Say half a day tops. The next day, or maybe two days later, they might drive through the same areas and identify those houses that still have these items on the door. Would your neighbor know to check your front door and collect these items as well as mail and trash? In this way the bad guy can identify a number of targets with little effort. No doubt, at least one homeowner might catch them at the door depositing the card and make an inquiry. The screening bad guy need only say he/she was just paid to deliver the cards and thereby avoid further inquiry. Or a more elaborate script may be followed, whatever works best for them.

That's the card trick. Some sort of debris is left at a residence to identify a lack of attendance to its care. It is fairly easy to defeat this approach through diligence and neighborliness.

Sunday, July 21, 2013

Remote alarm system control

Remotely arming/disarming and alarm system management are popular features no doubt. Are they worth it? What is the best service for remotely managing your alarms?

What exactly does this offer? Remotely managed and controlled alarm systems are a relatively new consumer feature, although they have been around for about a decade. Service providers typically offer web access to your alarm system so you, the user, can make adjustments, set up reports, and sometimes even arm/disarm the system remotely.

This, of course, means your alarm system is accessible via the world wide web - the internet - and anyone with that access (like billions) may potentially have access as well. Sounds daunting and maybe even discouraging. Is it a risk? Yes. Is it a manageable risk? Yes. Most of these systems offer a feature that allows a message to be sent (email or sms) whenever the account is logged into, so the user can quickly know that someone has attempted or gained access.

So what are the advantages of such a service? The obvious ones are being able to arm the system while you are outside the building. It allows you to disarm the system remotely so a friend can get in, a landlord, the fire department, et al. That's just the beginning. You can add/delete users on the fly or change user codes. Some providers allow sensors to remain actively monitored even when the alarm system is disarmed. Whenever a sensor's status changes the event is logged, and the user can create alerts (emails/sms) to identify whenever this event occurs. So a parent can see when a child arrives home, or opens the liquor cabinet, goes into a space where a firearm is maintained, and so on.

It also becomes possible to create a system with no "quiet zone" around the access door.  This last point is unique. Instead of providing greater convenience and control it opens possibilities for identifying intrusions. Without the "quiet zone" around the keypad the alarm system activates immediately upon entry. This is true both for the intruder and the legitimate user. The legitimate user should, of course, disarm the system prior to entering. There may not even be a keypad by a door to facilitate system operations. Or a dummy keypad can be placed by a door to allow the less intelligent intruder to "try" to disarm the system - slowing them down for both an apprehension by law enforcement and limiting their ability to collect items to steal. Most importantly, the detection time is shortened.

So, is this feature worth it? I wouldn't want a system without it. Is it possible for an accomplished hacker to bypass this aspect of the system? Yes, no, maybe, what of it. For now this is a more powerful tool for the threat it is designed for - the burglar. The super-hacker is not who is likely to target your home, unless you are in a position of power, prestige or fame, in which case you should hire a professional to guide and assist you with a more integrated all-risk approach. For the rest of us the street criminal that is likely to target our homes can be better managed as you take greater control of your systems.

Friday, October 28, 2011

What is the best way to arrange alarm sensors?

It's the way that detects the intrusion the quickest and most accurately. And, that is done how?

Keep these in mind:
• What are you protecting and where is it? [the asset]
• What are you protecting it from and how will it get there? [the threat]
• What accommodations are needed to function with and within the protected area? [your activities]

The Assumptions:
The goal of the alarm system is to deter a criminal with a siren once an intrusion is detected and to summon a law enforcement (or private security) response. It is also going to provide some insight into the intruder's path and possibly their intentions during the attack.

The asset is inside your home or business. There is most likely more than one asset and they are not necessarily grouped together. This makes for multiple areas to specifically protect.

The threat is coming from outside. This may not be true in reality; however it is an assumption for this exercise. It will need to pass through a door, window, wall, floor or ceiling to gain access.

You, your family, or your business associates might want to conduct some limited activity inside sometimes when the alarm is armed. Most of the time the location will be vacated when it is alarmed.

The Basics:
1. All exterior doors should certainly have a magnetic contact or other point sensor installed.
2. Exterior windows should also have magnetic contact or point sensor installed.
3. The areas directly inside the exterior doors and windows should have at least one volumetric sensor.
4. Large areas of glass, or glass that may be targeted by street punks, should have a glass break sensor.
5. Some individual assets may warrant specific protection such as sensors inside safes, or liquor cabinets (for teenagers).
6. The alarm control panel should be in a well protected location (rapid access to this will disrupt the alarm communication and response).
6a. If the communications module for the panel is located away from the panel, it too should be well protected.

The Next Step (for the Unoccupied State):
The most likely path(s) that an intruder might use should be monitored by sensors. This offers insight to their activity during the intrusion. The degree of insight comes from the nature of the sensors that are focused on that asset.

The Next Step (for the Occupied State):
Think about where you wish to move while the alarm is armed. Plot this area on a set of floor plans if necessary. Now is it still possible to effectively detect an intrusion with these areas not monitored? In a perfect environment you and your family will be able to use the restroom and walk to each other without activating the alarm. This may not be ultimately possible; although it is with some creative planning. Keep in mind that some burglars have been known to move around the bedrooms of their victims while they were sleeping in the room.

With the sensors planned - we'll jump beyond the whole installation part - there is at least one more step. And it is quite possibly the most important one....

Sunday, October 23, 2011

Cyber Security Awareness Month - what's the hype about

"Every American has a stake in securing our networks and personal information." All the daunting and cool hacker stories today may leave the everyday citizen feeling... well, a little uninvolved. NOT SO! Consider for a moment how this directly affects you....

You are but a cog in the machine that is the global information system. You could be an important cog and never know it. First it's important to realize that most "hacking" is similar to the average burglary. Really it is. Remember the average burglary gains entry through an open or unlocked door or window, right? Well the average malware (malicious software - the projection of the hacker) gains access to your computer by getting past poorly maintained firewalls, anti-virus software that is not updated, and through unpatched or out-of-date software applications. And what does this malware do, you ask? What does a burglar do? The malware may roam your machine and look for interesting data, it may lie in wait for you to enter interesting information, and it carries it away for someone else to use. A burglar takes your TV and fences it. A hacker using malware may steal your credit card, social security number, phone numbers, addresses and what not, and then fence them on a website. Or they may just use them for their own ends.

What is the most significant difference between a burglar and a network hacker? Threat Population! At any given time there are only so many people within travel distance of your home or office with the tools, expertise and desire to break into your home or office. Let's just make it easy and say the population of the metro area where you live and work. Now the available population for attacking your online presence is everyone connected to the Internet who can download free software to seek out vulnerable machines and exploit them (so nearly everyone connected). The population difference for the threat is several orders of magnitude larger. Imagine a burglar that was able to cast out their thoughts (fanciful I know but bear with me) and in the telepathic scan can know who did not lock a door or window to their home or office without ever leaving the comfort of their warm soft couch and the other amenities that bring any lazy minimalist pleasure. That is what a hacker may do when they scan the portion of the Internet where your machines are connected. The easiest targets become apparent - the low hanging fruit of cyber theft.

Now an updated firewall, anti-virus software, and application software will not protect you from everything - not even close. Though it will cover the laziest of online miscreants. If you apply the Pareto Principle to this it means that 20% of your effort will be sufficient for 80% of the problems. Updating software also helps to keep it operating smoothly and efficiently.

"Why mess with it if it works? I like to install it and leave it alone," you say? Consider this analogy for an unmaintained firewall. A firewall is a device or software used to separate networks. It's the difference between an open door and a door with an armed receptionist to manage authorized traffic. So you have a security officer come to your home every night to check and make sure everything is locked up and no one can get in. Now everything requires maintenance, even the officer. After a time the vision in his right eye begins to fade but he keeps reporting to you that everything is locked up tight. Then one day you hire a new officer because you had to and suddenly he reports that the last guy didn't see that one of the windows had been unlocked - the one on the right. Who knows how long that window has been open and your resources have been leaving through it?

When you get infected with malware you may be sending it to your friends, and their friends, and their acquaintances. Just like a nasty STD. You send an email or message that the malware has attached itself to without your knowledge. Your friend trusts you and opens the email and maybe even an attachment. They're infected now too. The malware that your half-blind security let in might be sending these emails without your knowledge as well. So, please keep your software, firewall, anti-virus, and applications up-to-date. It's a start.

Friday, October 21, 2011

A bit more on sensors

Arranging sensors to protect asset(s) just isn't as simple as looking at a set of property plans and sprinkling a pepper shaker over it and placing sensors where the pepper falls. The most likely impact is budgetary - these things cost real money. Next is the unlikeliness that the pepper shaker has such mystical powers as to predict an intruder's path. Lastly, there are some design considerations you might want to entertain that affect the usability of the system. For instance, you might want to be able to use the restroom in the middle of the night without summoning the local SWAT team for assistance.

Placing sensors in your home, business or other facility must work within your financial constraints, protect the asset(s), and facilitate your use of the space. We'll work with a home for now as an example.

It is important to detect the intrusion as early as possible. The farther away that the attack is detected and assessed, the greater the opportunity to prevent the intruder from being successful - regardless of their intent. It is essential to keep in mind that simply detecting activity is not sufficient. It must be assessed to ensure the detection is legitimate and not an error. There is a point between when an attack begins and when it succeeds called the Critical Detection Point. It is that point after which a response will not be quick enough to thwart the success of the attack. With home burglaries it is an unfortunate fact that a response is not likely to arrive very quickly. Why is this, you ask? Police departments are overwhelmed with service calls, most alarm activations are false alarms, and a burglar doesn't need to spend very much time in a home to get some good stuff and escape. This may not be as true if you live in a very large house that resembles a museum. In that case there are other concerns. The average home burglar will either be sent away when a loud siren activates or they will not. We'll address the bad guy a little later.
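The Critical Detection Point described above can be worked out for a single path with a short script. This is an added example, not part of the original post; the path, the task times, the sensor names and the response times are all constructed assumptions.

```python
"""Finding the Critical Detection Point on one constructed intrusion path."""

# Constructed path, not measured data: (task, seconds the intruder needs,
# sensor that trips as the task begins, or None if nothing detects it).
PATH = [
    ("approach and force the back door", 60, None),
    ("step through the doorway", 5, "door contact"),
    ("walk the hallway", 15, "hallway motion sensor"),
    ("search the bedroom", 120, "bedroom motion sensor"),
    ("leave with the goods", 30, None),
]


def timeline(path):
    """For each sensor, seconds the intruder still needs after it trips."""
    rows = []
    for i, (_, _, sensor) in enumerate(path):
        if sensor is not None:
            remaining = sum(seconds for _, seconds, _ in path[i:])
            rows.append((sensor, remaining))
    return rows


def critical_detection_point(path, response_s, assessment_s=0):
    """Last sensor on the path where detection still leaves enough time.

    The alarm must first be assessed (assessment_s) and then someone has
    to arrive (response_s). Detection at or before the returned sensor is
    timely; detection only after it is too late. None means no sensor on
    this path detects early enough.
    """
    needed = assessment_s + response_s
    cdp = None
    for sensor, remaining in timeline(path):
        if remaining >= needed:
            cdp = sensor  # remaining time only shrinks along the path
    return cdp


if __name__ == "__main__":
    for sensor, remaining in timeline(PATH):
        print(f"{sensor}: intruder needs {remaining} s more")
    print("CDP, 160 s response:", critical_detection_point(PATH, 160))
    print("CDP, 10 min response:", critical_detection_point(PATH, 600))
```

With a ten minute response no sensor on this path is early enough, which is the situation the paragraph describes for most home burglaries: the siren has to do the work.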

Early detection and assessment. In some areas the alarm must be assessed by phone contact by the central station, or by remotely viewing closed-circuit television (CCTV) or microphones, or possibly just through multiple sensor activations. Let's assume you do not want to have any CCTV systems in or around your home. It may just be enough to arrange the sensors to demonstrate the intent of an intruder and decrease the opportunities for unnecessary police dispatches. This is simply done with layers of sensors.

Many security professionals discuss "Concentric Circles." This is just as it sounds. Layers of protection wrapped around the asset being protected. This is also called "Defense in Depth." Unfortunately this is not so easy in a typical residential structure. There simply aren't enough worthwhile layers. The wall of the house is typically the first line of physical defense (excluding the deterrent value of lighting and other features) and maybe there is a sturdy bedroom door after that - unless the bad guy uses a window.

Think in terms of occupied and unoccupied conditions. Will you be setting the alarm in the evenings while you rest or just when the home is vacant? If you plan on arming the system while you are inside the structure, try to create "protected corridors." These should let you move where you need to while wrapping the adjacent areas with reliable detection zones. In addition to the restroom and children's rooms, allow yourself enough movement to assess any odd noises or activities while keeping the alarm armed!

Next we can consider sensor types and locations...

Picking up where we left off.... (so many years ago)

I sincerely hope no one has waited all this time to plan their alarm system. If you have I can only scratch my head...

We left off with the promise of some discussion of sensor types as they relate to planning an alarm system. Here we go...

But first, it is important to determine whether the system will be monitored remotely by a central alarm station or just a local alarm with a siren. Monitored systems provide the opportunity to summon help and come with a fee for the service. Local systems may be cheaper but with the limitation that the only help will need to be within the sound of the alarm and choose to respond. Insurance companies will often require the system to be monitored as well.

Alarm systems use sensors to detect activity and there are a very wide variety of sensors to choose from. They can be classified a number of different ways. There are sensors to detect movement, changes in temperature, the presence of water (flooding), capacitance (changes to an electrical field), light and so on. The typical consumer system will normally be a combination of balanced magnetic switches, some sort of volumetric sensors, possibly glassbreak sensors, and maybe panic buttons. Here's a real quick translation:

A balanced magnetic switch is commonly referred to as a "door contact" and consists of a magnet next to the sensor to complete the electrical circuit. When the door opens the magnet moves and the sensor detects the break in the circuit. The balanced aspect of the magnet makes it more difficult to defeat the sensor as shown in one of the Beverly Hills Cop movies. These sensors are useful on doors and windows or any objects that may be moved.

Volumetric sensors monitor an area (volume) and include such examples as acoustic (microphones), microwave (radar), and passive infrared (ambient heat). There are dual-technology sensors that use a combination of these capabilities either to increase the likelihood of detection (increases false positives) or to increase the certainty of a valid detection (increases false negatives). The difference between the two choices is nothing more than how the logic within the sensor is configured. This can be referred to as an "And" versus an "Or" configuration, which requires either both or just one of the technologies to detect the activity. Glassbreak sensors are a form of volumetric sensor that listens for the sound of breaking glass. These are nice because they do not need an intruder to actually intrude before activating. They can also react to other loud sounds as well.
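The "And" versus "Or" trade-off can be seen by running both settings over the same log of sensor trips. This is an added example, not part of the original post; the trip log, the intrusion labels and the five second coincidence window used for the "And" setting are constructed assumptions, not the behaviour of any particular product.

```python
"""Dual-technology sensor logic: "Or" versus "And" on one constructed trace."""

WINDOW_S = 5.0  # assumed coincidence window for "And" logic, in seconds

# Constructed trip log, not data from a real sensor:
# (time in seconds, channel that tripped, real cause).
# Cause None is a nuisance source; "A" and "B" are two real intrusions.
TRIPS = [
    (10.0, "pir", None),         # heating vent warms the wall
    (60.0, "microwave", None),   # ceiling fan moving
    (120.0, "pir", "A"),         # intruder A walks across the room
    (121.5, "microwave", "A"),
    (300.0, "microwave", "B"),   # intruder B crawls slowly; PIR never trips
    (400.0, "pir", None),        # sunlit curtain...
    (402.0, "microwave", None),  # ...swaying in a draft
]
INTRUSIONS = {"A", "B"}


def alarms(trips, mode, window=WINDOW_S):
    """Return the trips that raise an alarm under "or" or "and" logic."""
    if mode == "or":
        return list(trips)  # either technology alone is enough
    if mode != "and":
        raise ValueError("mode must be 'or' or 'and'")
    raised = []
    for when, channel, cause in trips:
        # "And": the other technology must have tripped shortly before.
        confirmed = any(
            other != channel and 0 <= when - earlier <= window
            for earlier, other, _ in trips
        )
        if confirmed:
            raised.append((when, channel, cause))
    return raised


def score(trips, mode, intrusions=INTRUSIONS):
    """Count nuisance alarms and list the intrusions that raised no alarm."""
    raised = alarms(trips, mode)
    false_positives = sum(1 for _, _, cause in raised if cause is None)
    detected = {cause for _, _, cause in raised if cause is not None}
    return {
        "alarms": len(raised),
        "false_positives": false_positives,
        "false_negatives": sorted(intrusions - detected),
    }


if __name__ == "__main__":
    for mode in ("or", "and"):
        print(mode, score(TRIPS, mode))
```

On this trace the "Or" setting catches both intruders at the cost of four nuisance alarms, while the "And" setting cuts the nuisance alarms to one and misses the intruder that only one technology saw.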

Panic buttons are personal alarm devices that simply allow a user to manually activate the alarm system. The central monitoring station sees each sensor type differently and therefore can place a greater emphasis on a panic button.

What makes the system valuable is the selection and arrangement of these sensors. Poorly selected technologies will generate excess false positives (nuisance or false alarms) and reduce the effectiveness of the response over time. You may have heard the story of the boy who cried wolf? Well alarm systems that cry intruder too often stop being believed too.

One important point in the selection and arrangement of the sensors is considering the asset(s) the system is meant to protect. Is it an expensive collection of something in one spot, random stuff scattered about, or just the peace of mind that no one is waiting inside when you open the door and enter?

For a much greater (in every way) discussion of sensors try The Design and Evaluation of Physical Protection Systems by Mary Lynn Garcia.

Next... we'll take a look at arranging the sensors - tricks, tips, and pitfalls.