physical security, security theater, & snake oil

Upload: roger-johnston

Post on 07-Apr-2018


    8/6/2019 Physical Security, Security Theater, & Snake Oil

    1/16

    Physical Security, Security Theater, and Snake Oil

    Roger G. Johnston, Ph.D., CPP

    Vulnerability Assessment Team
    Argonne National Laboratory

    http://www.ne.anl.gov/capabilities/vat

    2/16

    http://www.youtube.com/watch?v=frBBGJqkz9E

    The greatest of faults, I should say,

    is to be conscious of none.

    -- Thomas Carlyle (1795-1881)

    3/16

    Physical Security: Scarcely a Field at All

    - Not easy to get a degree in it from a major 4-year research university.
    - Not widely attracting young people, the best & the brightest.
    - Few peer-reviewed, scholarly journals or R&D conferences.
    - Lots of Snake Oil & Security Theater.
    - Shortage of models, fundamental principles, metrics, rigor, R&D, standards, guidelines, critical thinking, & creativity.
    - Often dominated by bureaucrats, committees, groupthink, linear/concrete/wishful thinkers, cognitive dissonance.

    4/16

    Problem: Lack of Research-Based Security Practice

    The Journal of Physical Security

    http://jps.anl.gov

    A free, online, peer-reviewed R&D journal

    5/16

    Definition

    Security Theater: sham or ceremonial security; measures that ostensibly protect people or assets but that actually do little or nothing to counter adversaries.

    6/16

    Security Theater

    1. Best way to spot it is with an effective thorough VA.

    2. Next best is to look for the characteristic attributes:

    - Sense of urgency
    - A very difficult security problem
    - Involves fad and/or pet technology
    - Questions, concerns, & dissent are not welcome or tolerated
    - The magic security device, measure, or program has lots of feel-good aspects to it
    - Strong emotion, overconfidence, arrogance, ego, and/or pride related to the security
    - Conflicts of interest
    - No well-defined adversary
    - No well-defined use protocol
    - No effective VAs; no devil's advocate
    - The technical people involved are mostly engineers
    - Intense desire to save the world leads to wishful thinking
    - People who know little about security or the technology are in charge

    7/16

    Origins of the Term "Snake Oil"

    Ancient World: medicines made from snakes are believed to have curative powers.

    1880: John Greer's snake oil cure-all.

    1893: Clark Stanley (The Rattlesnake King) sells his Snake Oil Liniment at the World's Columbian Exhibition in Chicago. A big hit. Turned out to contain no snake extract, but rather mineral oil, camphor, turpentine, beef fat, and chile powder.

    Today: A product is called snake oil if it is fake, shoddy, or severely over-hyped.

    8/16

    Why High-Tech Devices & Systems Are Usually Vulnerable To Simple Attacks

    Many more legs to attack.

    Users don't understand the device.

    The Titanic Effect: high-tech arrogance.

    Still must be physically coupled to the real world.

    Still depend on the loyalty & effectiveness of users' personnel.

    The increased standoff distance decreases the user's attention to detail.

    The high-tech features often fail to address the critical vulnerability issues.

    Developers & users have the wrong expertise and focus on the wrong issues.

    9/16

    Blunder: Thinking Engineers Understand Security

    Engineers (including packaging engineers)...

    - ...work in solution space, not problem space
    - ...make things work but aren't trained or mentally inclined to figure out how to make things break
    - ...view Nature or economics as the adversary, not the bad guys
    - ...tend to think technologies fail randomly, not by deliberate, intelligent, malicious intent
    - ...are not typically predisposed to think like bad guys
    - ...focus on user friendliness, not making things difficult for the bad guys
    - ...like to add lots of extra features that open up new attack vectors
    - ...want products to be simple to maintain, repair, and diagnose, which can make them easy to attack

    10/16

    What Can We Do Better?

    - More skeptical, critical, and imaginative thinking.
    - Avoid confusing Threats with Vulnerabilities, & Inventory with Security.
    - Bribe people! (to test them but, more importantly, to let it be known that an attempted bribe might be a test)
    - Stop using layered security (security in depth) as a cop out.

    Cynic's Dictionary

    layered security: We're desperately hoping that multiple layers of lousy security will somehow magically add up to good security.

    11/16

    What Do We Need To Do Better?

    - Be proactive to the Insider Threat, including mitigating disgruntlement and educating employees about social engineering.
    - Less prevention, more mitigation & resilience!
    - Posters with eyes. See Biology Letters 2, 412-414 (2006).
    - Remind people why they should be good. (Based on new psychology research.)
    - Embrace the new security paradigms.

    12/16

    Changing Security Paradigms

    Old Paradigm: Security is easy & binary.
    New Paradigm: It's not.

    Old Paradigm: Vulnerabilities are bad news.
    New Paradigm: Vulnerabilities are good news.

    Old Paradigm: High Tech is a silver bullet.
    New Paradigm: Technology can help, but security is about people.

    Old Paradigm: Think like bureaucrats & good guys.
    New Paradigm: Think like the bad guys.

    Old Paradigm: There is one right answer. Fake rigor & reproducibility. Accountability through fear, scapegoating, & firing people.
    New Paradigm: We embrace creativity, flexibility, uncertainty, criticism, questions. We watch for the dangers of cognitive dissonance. We motivate & encourage good security practice.

    Old Paradigm: Compliance-based security.
    New Paradigm: We must do more than mere compliance. Sometimes we must push back against compliance.

    13/16

    Changing Security Paradigms

    Old Paradigm: Security Pros provide security.
    New Paradigm: Employees, contractors, vendors, and visitors provide security. Security Pros help.

    Old Paradigm: Metrics: Knowing & following the security rules.
    New Paradigm: Metrics: Being proactive, showing individual initiative, being creative and resourceful during "What if?" exercises.

    Old Paradigm: Productivity & Security are enemies.
    New Paradigm: Security is harmed when Productivity is harmed.

    Old Paradigm: Security gets confused with Control, Big Brother, and Security Theater.
    New Paradigm: Security is harmed by Security Theater, and when Privacy & Civil Liberties are trampled.


    15/16

    For More Information...

    http://www.ne.anl.gov/capabilities/vat

    16/16

    Argonne National Laboratory
    ~$738 million annual budget

    1500 acres, 3400 employees, 4400 facility users, 1500 students

    R&D and technical assistance for government & industry