Monday 23 March 2015

Challenge "SECURITY" to improve its effectiveness




“You can be sure of succeeding in your attacks if you only attack places which are undefended.” -- Sun Tzu

“Emerge from the void, strike at vulnerable points, shun places that are defended, attack in unexpected quarters.” -- Ts’ao Kung



As these ancient Chinese experts on warfare indicate, our adversaries like to study us, determine our weaknesses, find our vulnerabilities and exploit them.

The challenge for professionals is to identify those vulnerabilities. I have found most professionals like to think they know the strengths and weaknesses of their programs. I regularly hear people say: "We are the best ones to assess our program because we know the company." However, it is amazing how quickly we can develop “blind spots,” and that is the value of a third party assisting you in identifying weaknesses.

A Red Team is an independent group that challenges an organization to improve its effectiveness. The ultimate goal of identifying these weaknesses is to enable you to understand what new countermeasures need to be employed to protect your assets. These assets include, but are not limited to, your supply chain and the actual men and women who work with you. A Risk Assessment that includes a Red Team test of existing approaches is extremely valuable in achieving that goal.

This is an example of how that concept can work in a live security environment; however, it can also function as a tabletop exercise.

During a strike detail, the security company’s management decided they needed to test their security team’s effectiveness. They had several sites to cover but were concerned with one of the sites, in particular. That particular site maintained several databases that housed all the customer information for the entire east coast, along with all the statistical information for the company nationwide.

A “Red Team” test was designed to see how far a motivated, disgruntled employee could get within the facility without being discovered and what kind of damage could be done. The Red Team came to understand that the facility was very open during operations and there was little or no control over secure areas. This meant that all the employees had knowledge of where critical areas were located and had unchallenged access to those areas.

The Red Team’s task was to attempt to enter the facility and place markers (match books from the hotel where the operators were staying) throughout the facility, and see if they could do so without getting caught. After several days of surveillance, the Red Team decided to do a penetration test during the night shift because it was determined that was when security was most lax and there were the fewest security personnel.

The Red Team entered the facility through the main gate while the security officer was on patrol and that position was unmanned. The team had determined that it took the officer ten minutes to complete his rounds and the security officer was very predictable. Upon entering the facility the team timed its movements to avoid patrols by other security officers. Since the patrol officers never varied their routes and never stopped or doubled back, it was an easy task. The entire facility was approximately twenty thousand square feet and there were five security officers patrolling at any given time.

The Red Team began to make its way through the facility, placing markers in critical areas. Some of the areas included a compressed gas cylinder storage room and the server room. One of the Red Team members was even able to access the server using a security code found in an employee’s desk drawer. With physical access to the server room, the team member was able to download several large files containing proprietary information. As the team moved through the facility, they made their way to the office of the company’s Vice President and were surprised to discover a covert camera monitoring system complete with monitors, pan-tilt-zoom cameras, a digital video recorder, remote data backup, and remote viewer -- none of which were in use and, upon further inspection, had apparently not been in use for over a year. The system monitored all critical areas, entrances, loading docks, even the lunch room. That system could have been disabled.

The Red Team had placed a total of 32 markers throughout the facility and even placed one under a fire extinguisher less than ten feet away from one of the security officers. During the debriefing, the security officers were all questioned about any activity they had seen the night before, when the test was taking place. None of them said they saw anything. Then one officer said he had seen a bunch of match books on the floor that he didn't remember seeing before but he had not reported it nor did he look around even though, in retrospect, he thought it was strange. Apparently the Red Team member that had placed the match book on the fire extinguisher unintentionally had dropped a few extra books on the floor when he had reached into his pocket to get the matchbook he placed on the fire extinguisher.

The exercise identified vulnerabilities and remotivated security officers to improve their professionalism.

It is important for security and management professionals to realize that being closed-minded and thinking they have “good” security is a counterproductive way of thinking. If you believe there is no need for improvement in your security program, you have a recipe for disaster. No one has all the answers, but if teamed with a good, professional third party, the resulting “team” can ultimately help provide a safer and more secure environment.

Part of the reason there is a security function is to protect life and property. That means putting aside preconceptions and ego. I have NEVER conducted an assessment or security test that did not identify some shortcomings. This includes some of the supposedly most secure facilities in the world. Guess what…no security is perfect and you can always improve.

"Good security is not cheap... and cheap security is not good". -- BB


