“The ease of defeating a security device or system is proportional to how confident and or arrogant the designer, manufacturer, or user is about it, and to how often they use words like “impossible” or “tamper-proof,”
That quote comes from Security Sound Bites, a book by Roger G. Johnston, Ph.D (physics), which is rich with similar maxims that Johnston learned the hard way in 23 years working on security at the US government’s Argonne and Los Alamos laboratories. Johnston is theoretically retired, but runs a physical security consulting business called Right Brain Sekurity, maintains a speaking schedule, and testifies across the US as an expert witness.
Blunt talking
Johnston has has some interesting things to say about data center security - but he does not mince words and is prone to injecting his maxims into the conversation. For instance, talking about security auditors, he says: “an organization will fear and despise loyal security assessors and others who point out vulnerabilities or suggest security changes… more than malicious adversaries.”
“Loyal” is a key word, as assessments can go one of two ways, depending on your definition of loyalty:
- Ensure the facility meets current best practices and all applicable regulations — compliance.
- Point out all the ways an adversary can break in and cause harm — real security.
The first assessment style gets the compliance job done, but Johnston says this job does not always link up with the real world: “People in the data center responsible for security compliance often have no interest in (or understanding of) security, do not permit it to interfere with their job, and will look at you like you’re crazy if you raise any real-world security concerns.”
He is not being tongue-in-cheek. Johnston, who is used to keeping adversaries out of top-secret locations, doesn’t mind being called crazy if his due diligence keeps the bad guys at bay.
Assessment process
When contracted to perform a vulnerability assessment, Johnston starts before the scheduled visit, checking out the data center’s exterior and observing any activity around the facility including vehicle traffic. Once officially on-site, and introductions are made, Johnston begins by asking the data center’s management what inside the building is important enough to steal or damage, and who would go through the effort to do so.
Answers range from “we do not know, we’re a colo facility” to having a detailed inventory of a client’s on-site assets. Most of the time, Johnston notes, asking about potential adversaries gets him quizzical looks or a “pardon me” comment. The questions continue with Johnston eventually asking about the data center’s security policies.
Asking about security policies may seem like an obvious step, and most organizations have the right procedures in writing. However, Johnston has a different purpose in mind — comparing the procedures with what employees are actually doing. Johnston adds, “At high levels in an organization, lots of detailed work on security policies, planning, documentation, scheduling, and charts/graphs/spreadsheets will be preferred over actually thinking carefully about security, or asking critical questions.”
Thinking like a bad guy
With a good idea of what is supposed to be happening, Johnston starts his tour of the facility. This is where it gets interesting. Johnston doffs his white hat for the black one and begins thinking like an adversary. Some of the things he looks for:
- Is security being used correctly?
- Is there unusual activity (doors propped open) by the loading dock area and back doors?
- Are the moral compasses of employees and contract service personnel especially security guards pointing in the right direction?
To be fair, Johnston checks all the in-place security systems such as mantraps, biometric readers, and video monitoring systems as well. But in his opinion, security technology is in place mainly for showing potential clients, visitors, and insurance companies that the facility is secure. Johnston adds he has yet to hear about an adversary caught in a man trap, and rarely about an adversary captured “in the act” by a video camera where it made a difference.
“In all honesty,” he continues, “adversaries often bypass or defeat security measures; this is often easy to do. On the other hand, there are usually simpler and safer ways for the bad guys to get what they want without directly challenging the strengths of existing security.”
Johnston cites an example. During an audit, a worker explains how he secured a room containing client equipment. “First, I changed the wooden door for a solid metal door. Then I installed an electronic door lock that requires people to key in a passcode to enter. An alarm sounds if someone enters the wrong code more than twice.”
After the employee was finished, Johnston points to the unsecured door hinges on the outside of the door and enlightens the employee with a maxim he attributes to Doctor Who: “The more sophisticated the technology, the more vulnerable it is to primitive attack. People often overlook the obvious.”
Chain of custody
Johnston is by no means anti-technology — it has a place. What does concern Johnston is the complete faith given to the capabilities of security technology, those who build the devices, those who install the equipment, and those who maintain it. Johnston feels, as with judicial evidence bound for court, critical security equipment should have a verifiable chain of custody. “Currently, adversaries can inject themselves into the process,” says Johnston. “Adding or modifying equipment to help achieve their goal.”
Johnston points out having a chain of custody process for all equipment is something that should be considered. If this seems far-fetched, it’s not — ask upper management at Juniper Networks, a well-respected network security company.
“Juniper warned customers on Thursday (17 Dec 2015) that it had uncovered ‘unauthorized code’ in the software that runs its firewalls, saying it could be exploited to allow an attacker to unscramble encrypted communications,” Reuters reported. “A former Juniper security executive said the flaw appeared to be a ‘back door,’ a reference to rogue code secretly inserted into a product to enable attackers to eavesdrop on users.”
Security culture
We said Johnston interacts with employees and contract service personnel, particularly security guards. He is a friendly guy, but that is not the reason for his visiting. He feels the health of an organization’s security culture determines how well the business will be protected. In fact, Johnston goes as far as to say, “Security culture, if properly done, is enough to protect data centers.”
The Security Culture Framework (created by Kai Roer) defines security culture as the ideas, customs, and social behavior of a particular people or society that allows them to be free from danger or threats.
As to what Johnston means, he offers some examples. Employees walking by a vending machine worker should know whether he is supposed to be there or not. Those same employees should also know if that Dell service representative can be in the server room unescorted or if that person is even an official Dell service representative.
For that to happen, Johnston believes a well-educated, happy workforce — including security guards (contract or employees), whom Johnston feels are treated and supervised poorly — will go a long way in keeping adversaries outside the building.