Thursday, January 10, 2019

The Property Line Is No Longer the Perimeter

I do not expect this post to be of any great insight to many, but it might be for a few. That is, the notion that the property line has little to do with asset protection, security, or even safety for that matter. Property lines have a role in taxation, owner responsibility, and the like. Sometimes the property line denotes the limit of the organization’s immediate “touch.” But it really has little to do with the process and efforts of securing and protecting the enterprise. Here’s why...

First, and possibly most important, thinking of the property line as the limit of responsibility is “old think” and lazy. It spawns from, hell I don’t know when, but it inhibits strategic thinking, or holistic thinking, or 360 thinking, or whatever term you may prefer for thinking beyond the here and now. Threats exist “over there” before they exist “in here.” While that is not always true, it is often true. Consequently, looking “over there” provides insight into what is coming.

Here are a few points to consider in relation to the arbitrariness of the role the property line plays in security planning.

Covert channel communications are those that violate communication policy, or any pathway used to illicitly transfer data, in a manner not readily thought of or considered. They are most often spoken of in the context of information security and network security.

Imagine if a signal used to transmit data contained some “slack space” not ordinarily containing data. Now suppose someone figures out how to use that space and inserts data that is not recognized as data by the receiving station (person, etc.). That individual could hide data, transmit data, and do so without fear of being caught for potentially quite some time. Steganography, or hidden writing, dates back to ancient times. The modern version of this is embedding data into slack space in compressed digital images. There are even open source tools to do this. Now you and your friends can send “secret” messages hidden in photos. More importantly, those on the inside of a network (your network) have been able to do it, with ease, for more than a decade.

Covert channels exist in non-technical environments as well. One example often identified is the predictability of US military action based on the late night orders of pizza and Chinese food for the Pentagon, or the presence of vehicles in the parking lot at night. These, and similar examples, can all apply to other organizations. For instance, what departments’ lights are on late at night and what does that mean?

Signal emanation and capture is not a new issue and should not be a surprise here. Everyone knows that radio waves cross property lines (and borders). This is now true of all the other signals used for data: WiFi, Bluetooth, and microwave bridges, to name a few. Hackers have demonstrated methods for harvesting Bluetooth signals, intended only for short distance networking, at distances in the range of a mile away. Using parabolic antennas, it is possible to collect other, stronger radio frequency signals from greater distances - most likely well over the property line. Encryption is a powerful tool, and certainly necessary for these communications, but it does not guarantee secrecy. Encryption is based on time: it is intended to protect the data for a period of time (based on how much processing power is put against breaking the encryption).

Refuse pickup and removal is always an issue with asset protection. Who is collecting refuse, what is contained in that refuse, and what are they doing with it? What data may be leaving in the refuse, who may want it, and what safeguards exist to limit the value to an adversary? For instance, printed budgeting data may be diligently shredded in the Accounting Department, but personnel in other departments with subordinate budget data may simply discard their copies. The diligent adversary might reconstruct the entirety of the target data from discarded constituent parts.

Hard disk drives that fail may be discarded, as may USB drives, DVDs (if they are still in use), and even network backup tapes. Even a non-functioning hard disk drive may be revived by an adversary to capture the data, and who has not picked up a USB drive someplace and curiously put it into a computer? Incidentally, this is also a malware distribution method - dropping a few USBs in a company’s parking lot is stupid easy and yet often effective.

Deliveries that bring assets and supplies can pose a unique issue. Granted, this is technically on “this side” of the property line, but it started over the line. If there is a backup generator, what safeguards exist to prevent the adulteration of the fuel? What prevents the delivery driver from delivering contaminated fuel, accidentally or intentionally? Are deliveries otherwise inspected for suspicious conditions? If hard disk drives are received, are tamper-evident seals on the cartons intentionally inspected? What about vending machine deliveries of tamper-able items? Snacks, feminine hygiene, and the like? Are toiletries inspected? When catering is ordered, are meaningful operations security details shared unnecessarily, such as who it is for or who may be in the meeting?

Tunnels and easements can frequently be found in urban areas crossing property lines. Easements might require unhindered access by a utility or other organization unrelated to your enterprise. What safeguards can be placed to confirm their identities and purpose? Tunnels are another issue entirely. Once upon a time, during an audit of a facility containing a vault, a tunnel was discovered underneath the vault. Why? The previous tenant of the building had used it for cold storage, and cooling systems were installed below parts of the building. No one thought to inspect it before the vault was built. Further, this does not take into account sewers, electrical and phone utility tunnels that may traverse all or a portion of a piece of property.

Drones and other legal surveillance can observe areas of the property not typically visible to the public. Drones are an emerging issue and the regulatory environment is still a bit fluid. Can a drone, even on the other side of the property line, fly high enough to gain a complete view of protected interior courtyards and roof areas? In the same line of reasoning, are there any structures that offer the same vantage point, even if a considerable distance away? Contemporary video cameras have tremendous range with nearly unbelievable clarity and image density at those distances. Furthermore, drones can be used to collect signals as well. Has anyone taken a look at Google’s satellite imagery, or other similar services, to see what may be determined about the property from these images?

Employee security in near proximity to the property is as important as their protection on campus. Many employees have to walk to their car, bus, or down the street for lunch. What sort of nefarious or undesirable activities are prevalent just “over there?” What safeguard options exist? Can security personnel operate “off property” along these routes? Can video surveillance be established from “this side” of the property line? Can police patrols be encouraged, or even contracted, for these areas and times?

CPTED – Juxtaposition of activities is similar to the above concerns for employee security. Are there activities, businesses, and properties nearby that attract crime or delinquent behavior? How does this impact actual security and perceived security? Are there properties nearby with potentially disastrous operations, like fuel processing or storage, fireworks factories, chemical processes, or research facilities? What mitigation efforts can be prepared now, and maintained, to ensure “this side” is cared for in a worst case scenario?

These are just a few considerations for “that side” of the property line. What are you leaking and what is flowing over your property line? Raising the edge of one’s vision from the property line to a more distant horizon will, at some point, prove valuable. Also, consider who else around may have resources and tools, or may be willing to coordinate mitigation efforts, for those problems greater than any one enterprise but in proximity to multiple enterprises.

Good luck!
