“You can be sure of succeeding in your attacks if you
only attack places which are undefended.” -- Sun Tzu
“Emerge from the void, strike at vulnerable points,
shun places that are defended, attack in unexpected quarters.” -- Ts’ao
Kung
As these ancient Chinese experts on warfare indicate, our
adversaries like to study us, determine our weaknesses,
find our vulnerabilities and exploit them.
The challenge for professionals is to identify those
vulnerabilities. I have found most professionals like to think they know the
strengths and weaknesses of their programs. I regularly hear people say: we are
the best ones to assess our program because we know the company. However, it
is amazing how quickly we can develop “blind spots” and that is the value of a
third party assisting you in identifying weaknesses.
A Red Team is an independent group that
challenges an organization to improve its effectiveness. The ultimate goal of
identifying these weaknesses is to enable you to understand
what new countermeasures need to be employed to protect your assets. These
assets include, but are not limited to, your supply chain and the actual men and women who
work with you. A Risk Assessment that includes a Red Team test of existing
approaches is extremely valuable in achieving that goal.
This is an example of how that concept can work in a live
security environment; however, it can also function as a tabletop exercise.
During a strike detail, the security company’s management
decided they needed to test their security team’s effectiveness. They had
several sites to cover but were concerned with one of the sites, in particular.
That particular site maintained several databases that housed all the customer
information for the entire east coast, along with all the statistical
information for the company nationwide.
A “Red Team” test was designed to see how far a motivated,
disgruntled employee could get within the facility without being discovered and
what kind of damage could be done. The Red Team came to understand that the
facility was very open during operations and there was little or no control
over secure areas. This meant that all the employees had knowledge of where
critical areas were located and had unchallenged access to those areas.
The Red Team’s task was to attempt to enter the facility and
place markers (match books from the hotel where the operators were staying)
throughout the facility, and see if they could do so without getting caught.
After several days of surveillance, the Red Team decided to do a penetration
test during the night shift because it was determined that was when security
was most lax and there were the fewest security personnel.
The Red Team entered the facility through the main gate
while the security officer was on patrol and that position was unmanned. The
team had determined that it took the officer ten minutes to complete his rounds
and the security officer was very predictable. Upon entering the facility the
team timed its movements to avoid patrols by other security officers. Since the
patrol officers never varied their routes and never stopped or doubled back, it
was an easy task. The entire facility was approximately twenty thousand square
feet and there were five security officers patrolling at any given time.
The Red Team began to make its way through the facility
placing markers in critical areas. Some of the areas included a compressed gas
cylinder storage room and the server room. One of the Red Team members was even
able to access the server using a security code found in an employee’s desk
drawer. With physical access to the server room, the team member was able to
download several large files containing proprietary information. As the team
moved through the facility they made their way to the company’s
Vice President’s office and were surprised to discover a covert camera
monitoring system complete with monitors, pan-tilt-zoom cameras, a digital video
recorder, remote data backup, and remote viewer -- none of which were in use
and upon further inspection had apparently not been in use for over a year. The
system monitored all critical areas, entrances, loading docks, even the lunch
room. That system could have been disabled.
The Red Team had placed a total of 32 markers throughout the
facility and even placed one under a fire extinguisher less than ten feet away
from one of the security officers. During the debriefing, the security officers
were all questioned about any activity they had seen the night before, when the
test was taking place. None of them said they saw anything. Then one officer
said he had seen a bunch of match books on the floor that he didn't remember
seeing before but he had not reported it nor did he look around even though, in
retrospect, he thought it was strange. Apparently the Red Team member who had
placed the matchbook on the fire extinguisher had unintentionally dropped a
few extra books on the floor when he had reached into his pocket to get the
matchbook he placed on the fire extinguisher.
The exercise identified vulnerabilities and
remotivated security officers to improve their professionalism.
It is important for security and management professionals to
realize that being closed-minded and thinking they have “good” security is a
counterproductive way of thinking. If you believe there is no need for
improvement in your security program, you have a recipe for disaster. No one
has all the answers but if teamed with a good, professional third party, the
resulting “team” can ultimately help provide a safer and more secure
environment.
Part of the reason there is a security function is to
protect life and property. That means putting aside preconceptions and ego. I
have NEVER conducted an assessment or security test that did
not identify some shortcomings. This includes some of the supposedly most
secure facilities in the world. Guess what…no security is perfect and you can
always improve.
"Good security is not cheap... and cheap security
is not good". -- BB