
INTERVIEWING
Random Lessons from the Room: Part Two
This is the second in a series of articles where we will discuss lessons that we have learned over the years while interviewing tens of thousands of individuals.
Profile of the Subject
While the word “profile” has some negative connotations, we use it as a generic term to organize our thoughts and make some broad generalizations about individuals whom we are planning to interview. Our goal is to determine in general terms how an individual might act during an interview or upon discovering an investigation of them is underway.
We can come to many accurate conclusions about a person by looking at their lifestyle, relationships, interests, or other choices they make in life. Where they choose to live or shop may speak volumes about their self-image and how they evaluate themselves and others. Clearly, examining relationships and how they interact with friends, acquaintances, or strangers can lead to assumptions about loyalty and commitment to others.
One important question to always ask about an individual who might be interviewed or become a target in an investigation is how the person reacted if they had ever been questioned or disciplined before. The interviewer could also include a broader question relating to how the individual handles conflict. In general, people have developed a strategy that either works for them or that they return to when faced with conflict or unpleasant situations. If the interviewer can determine with some accuracy what this strategy is, it can then be planned for during the interview. This prediction can often prepare the interviewer for the most likely response a subject may make to an investigatory interview.
by David E. Zulawski, CFI, CFE and Shane G. Sturman, CFI, CPP
Zulawski and Sturman are executives in the investigative and training firm of Wicklander-Zulawski & Associates (w-z.com). Zulawski is a senior partner, and Sturman is president. Sturman is also a member of ASIS International’s Retail Loss Prevention Council. They can be reached at 800-222-7789 or via email at dzulawski@w-z.com and ssturman@w-z.com.
© 2017 Wicklander-Zulawski & Associates, Inc.
Anticipate Problems and Plan for Them
Once the subject has been profiled to determine their likely response to the interview or investigation, the investigator can then anticipate likely problems and prepare a plan for how to handle them. The investigator now goes through a series of what ifs and thinks about the resources and strategies that will be necessary to counter them.
For example, what if the subject decides to get up and walk out of the interview? First, the investigator should consider the evidence available indicating the subject’s guilt and whether it is sufficient to terminate the individual’s employment or perhaps bring criminal charges. Depending on the company’s policy, there may be a requirement that clear evidence of the individual’s guilt is available before an interview can take place. In other organizations, circumstantial evidence or even a location’s high shrinkage may be enough to initiate an investigative interview.
Depending on the organization’s policy, it is often useful to partner with a human resource representative or senior manager to determine what admissions from the subject are necessary to terminate the individual’s employment. Get a line in the sand on the decision and a commitment to an outcome. This upfront commitment can save much anguish for the decision maker. In addition, human resources can tell the investigator what will happen if the subject simply decides to end the interview and walk out. If the evidence is sufficient that action may result in termination, will HR suspend employment pending the conclusion of the investigation, or should the subject be returned to their work assignment? Clearly understanding the options before the interview allows the investigator to have a plan in place with clear outcomes that do not require improvised decisions or solutions on the spur of the moment.
Other possible subject actions to be considered are:
■ What if the subject wants to record the interview?
■ What if the subject wants to have a parent or lawyer present during the interview?
■ What if the subject wants to delay the interview to a later date or time?
■ What if the subject explains away the evidence available to the investigator?
The questions might seem endless, but the prepared investigator can often anticipate the most likely problem areas and develop a plan of action or a strategy that can be employed if needed.
Ask What the Fact Giver Wants to Know
Another stumbling block for an investigator is assuming he knows what the fact giver, human resources, or management wants to know about. Don’t assume. Ask.
While it might seem straightforward, what areas should be covered during an interview? It never hurts to ask the decision makers involved in the investigation. The information needs of the different parties can be varied and often far afield from one another. The director of human resources might be interested in the various trainings the individual received and whether they understood them. They might also want to establish that the person knew what they were doing was wrong and in violation of the organization’s policies. Someone from operations might be interested in the procedures currently in place and management adherence to them at the subject’s location. Legal, on the other hand, might have other information needs from the investigator since they will be responsible for defending the organization’s decisions or potentially litigating civil or criminal actions.
There’s nothing worse than the investigator returning from interviews only to discover they didn’t ask the right questions or explore areas of particular interest, which didn’t occur to them at the time. The failure to inquire was really a failure to plan the interviews and to account for the needs and interests of the other parties involved.
Know What Must Be Proved
The investigator must have a clear idea of what must be proven to establish a case to terminate employment or prosecute. In a criminal case, this relates to the elements of the crime set out by statute, while a policy violation may not be as detailed. For example, in a theft case the investigator must prove the ownership of the property. This can be done using company documents such as a purchase order, which establishes the organization’s ownership of the asset. If the ownership of the merchandise is in question, then the criminal charge might be the theft of lost or mislaid property. Second, the investigator must prove the individual had the intent to permanently deprive the organization of its asset. This intent might be established by video, documents, witnesses, interviews, or some combination of these and other investigative findings.
An organization’s policies are generally not set by statute but rather the company’s employee handbook. The handbook covers a variety of areas relating to employment, benefits, safety, and expectations relating to employee behavior. Typically, violation of a company policy can result in anything from a verbal reprimand up to and including termination of an associate’s employment. The ultimate penalty decision will be made based on the investigative findings and the employee’s explanations regarding the facts established in the investigation.
One of the more common violations in a retail setting is related to the discount policy. Many organizations will offer employees an opportunity to purchase company product at a discount, which may extend to certain family members or others as set by the policy.
If an investigator revealed the investigative findings to an employee establishing the individual’s violation of the discount policy, then the associate might be able to just say, “I didn’t know the policy.” HR might view this as a training issue rather than an act of dishonesty by the associate. The issue then becomes a failure by the investigator to establish the employee’s intent to purposefully violate the policy. If the investigator had the associate tell his understanding of the policy, HR would now know whether the act was a training issue or an attempt to defraud the company.
In other situations, a violation of policy might be tempered by the general practices of the facility. While an associate might be acting outside of policy, there may be legitimate reasons why he or she is doing so. On occasion, we have conducted investigations that exonerated employees’ rule violations. In one instance, the employees had been directed by the general manager to ignore safety rules to speed production and shipping at the facility. The investigative interviews corroborated the general manager’s directives and established his intent to violate policy while mitigating the employees’ violation of policy. This resulted in retraining the associates at the facility in current safety protocols and termination of the general manager for his blatant disregard for his employees’ safety.
It is critical for the investigator to know what must be proved in any investigation so that a clear decision can be made on the facts of the case. At the same time, knowing the information needs of the various parties involved in the decision-making process can make the eventual finding easier and more satisfying for all involved. Finally, having the evidence of the individual’s intent and guilt limits the likelihood of future litigation or complaints of mistreatment by the subject.
We will continue our lessons from the room in our next column. If you have any lessons you would like to share, send us a note, and we will try to include them in our future articles.
SECURITY’S SECURITY

ARE YOUR SOLUTIONS PART OF THE PROBLEM?
By Garett Seivold, Contributing Writer
There may be no better symbol of the nation’s modern, high-tech military—not to mention US military might—than its fleet of Predator drones. So it surely caused a few red faces at the Pentagon when it was discovered that insurgents in both Afghanistan and Iraq had used $26 software to intercept live video feeds from the unmanned planes.
Oops.
Or consider a story relayed by the Alliance for Enterprise Security Risk Management about an interruption to an organization’s computer network. Initially thought to be a server crash, it turned out to be the result of RAM being physically stolen from servers in the data center by thieves who couldn’t be identified because building surveillance cameras were malfunctioning. The organization in question? A police department.
Again, oops.
All industries have had similar oops moments. Security experienced one in October 2016 when network-connected surveillance cameras and DVRs were implicated as a primary distributor of the Mirai botnet, which enabled DDoS attacks on eighteen data centers around the world and disrupted activities at some of the Internet’s biggest names, including Amazon, Spotify, and Twitter.
Securing Loss Prevention Technology
The cyber vulnerability of security devices is a hot topic at security conference roundtables and in industry webinars these days. It’s not hard to see why. There is growing pressure on loss prevention to enhance store operations and boost sales. We’re in an environment of high—and growing—expectations. So a security device that doesn’t clear an even lower bar—by failing to provide payback as promised—is not likely to go over well with the senior team. And a security investment that doesn’t actually deliver security or, worse, a security device that actually introduces security risk? Well, that seems like a career killer.
LP executives must ensure that connected security devices do not provide hackers a new way to enter the company network. “You can’t allow your security solution to become a threat vector,” warned Gavin Bortles, president of Kepler Networks, a network engineering services provider. David Tyburski, chief information security officer for Wynn Resorts, echoed that view. “We can’t be injecting risk—we are supposed to be about reducing risk,” he said.
As for why it does happen, why at any given time you can monitor nearly a million private security cameras online, or why a recent multimillion-dollar security install at a massive theme park had IP addresses written right on the security cameras, there is blame to go around.
It’s wrong to assume just because they are security systems that manufacturers have made them secure, according to a study by the Government Accountability Office (GAO) on vulnerabilities in federal facilities. It noted, “Cyber-security experts that we interviewed generally said that building and access-control systems are vulnerable to cyber attacks. One expert, for example, noted that control systems were not designed with cyber security in mind.” The US government has said connected devices pose “substantial safety and economic risks” and has called for immediate action to improve the security of Internet of Things (IoT) devices—but has proposed no specific penalties for manufacturers that fail to comply.
Bill Bozeman, president and CEO of PSA Network, an organization of 200-plus electronic security systems integrators, thinks manufacturers of security products need to do a better job of ensuring their safety. “They get a D in my book,” he said in a recent conference address.
The security marketplace is crowded with vendors hoping to take advantage of a hot market, and not all of them do proper due diligence with respect to the security and safety of their products, warn experts. Even product testing can’t always offer the same safety assurance it used to, a representative from Underwriters Laboratories told LP Magazine, because today’s software-driven products are dynamic and update functions and features on the fly.
Roger Johnston, PhD, founder and CEO of Right Brain Sekurity, a firm that conducts vulnerability assessments, believes that vulnerabilities—in the very security devices that are designed to offer a company protection—are more common than security and LP practitioners think. According to Johnston, engineers and manufacturers focus on simplifying user operation and the servicing of devices. These very conveniences, however, often make it simple to tamper with them.
Vendors aren’t the only ones criticized for cutting corners. Integrators have also been in the hot seat for, among other things, calling a system install complete with default passwords still in place. Joe McDonald, chief security officer for Switch, an information technology and services firm, said “integrators have to do a better job” to ask clients about their password protocol and to not leave a project until it’s secure. The risk from connected devices is simply too great, he warned. “A camera is a network port hanging on your perimeter.”
Ultimately though, the problem—and the solution—is in the hands of end users, said Johnston. “If customers don’t demand good security, why would a manufacturer provide it? It simply puts them at a competitive disadvantage. The problem is that customers have been absolutely happy to simply believe salespeople when they say that their devices are completely secure.”
That attitude can get organizations into trouble, according to Chris Nickerson, founder of information security (infosec) firm Lares Consulting and an expert in red teaming and adversarial modeling. “Most companies probably put too much faith in vendors and security products,” he noted in an ISC West conference address.
No security device is 100 percent secure, according to Johnston. “The manufacturer might look briefly at security and send engineers for a quick look, but the vast majority of security devices in use, including in loss prevention, have not undergone a true vulnerability assessment in an effort to understand how they can be attacked,” he told LP Magazine. “So LP continues to field devices without understanding their level of security or, in many cases, without understanding them well enough to use them to their optimal effectiveness.”
Johnston recommends that LP executives cut through the crowded vendor field by asking them to explain how their products can be defeated. “The first thing to do is to ask your vendor, ‘How do you defeat this thing?’ And if they say you can’t, then they either don’t understand security or aren’t being up front. They should be able to tell you, these are the possible attack security scenarios, and these are the ones you should expect most,” said Johnston. “Only when manufacturers are pressured by customers to answer questions about how their products can be defeated will they start to feel pressure to pay attention to their security,” he added.
The optics of LP deploying insecure security devices is plainly terrible—but perhaps understandable. LP and asset protection departments implement systems and devices to address immediate problems and risks, so addressing the vulnerability or risks in those very solutions can seem like a secondary exercise. But as LP relies more on technology, and security devices are increasingly connected to the network, LP needs to be extremely confident in the efficacy and security of those systems.
When technology serves at LP’s core—with procedures and staffing built around it—a flaw in the technology or system design creates a vulnerability that can persist undetected. It takes an average of six months before a network intrusion is detected, noted Christian Morin, vice president of cloud services and chief security officer at Genetec. “That’s six months of free roaming for a hacker, which could be because a surveillance camera never had its firmware updated,” he said.
In this specific way, it’s riskier to rely on security technology than people, the oft-perceived weak link. While it’s true that security personnel can create vulnerability when they lose focus or make a mistake, the risk is transitory. A system or device flaw creates a constant opening, one that attackers may be able to exploit repeatedly.
Dangerous Connections
For years, the most that retailers worried about with respect to a surveillance camera was whether it was positioned to mistakenly capture customer cardholder information. Now, networked security cameras present the greatest risk to enterprises from the array of IoT devices, according to a November 2016 report by researchers at Zscaler, a cloud-based information security company. “Now that [cameras] are a network device that can be the subject of attack, you need to take the possibility into consideration,” said John Bartolac, cyber-security expert and senior manager for cyber strategy at Axis Communications. “Imagine what a day without online sales could do to a retailer. It is devastating.”
Connected devices can provide substantial benefits to retailers and loss prevention practitioners. Effective use of these devices can cut expenses, improve operational efficiency, reduce loss, and drive business. Connectivity allows for building automation and centralized control and can simplify cumbersome tasks such as installing software patches and updates. And it’s flexible—allowing a system to grow and scale—and a web-based control platform allows users to manage from any web browser, anywhere with Internet access.
With connection, however, comes risk. For example, Zscaler researchers found one security camera brand communicated with its parent company in plain text and without authentication tokens, giving attackers the opportunity to introduce their own firmware; another camera transmitted user credentials for its streaming capability in plain text; and another had an unprotected remote-management console. An infected video camera could allow intruders to monitor an environment and plan physical attacks as well as cyber attacks, explained Deepen Desai, director of security research at Zscaler.
In a recent FBI bulletin to private companies, the agency warned that exploitation of connected devices to conduct attacks “will very likely continue,” and some cyber-security experts warn that ransomware tactics may soon extend to IoT, locking critical devices until an organization pays a ransom. In the 2017 Black Hat Conference Attendee Survey, digital attacks on noncomputer systems ranked tenth on attendees’ current list of worries; however, it was identified as the risk that they think will be their number one concern in two years’ time.
“The reality is that each and every one of those security cameras, network video recorders, and IP-enabled controllers are small computers—and as you add more computers and widgets to the mix, you greatly expand the surface of attack,” explained Morin.
If not deployed and maintained properly, networked-enabled operational technology, such as point-of-sale (POS) terminals, fire-suppression systems, video surveillance cameras, building control, and access-control systems, can provide hackers an avenue into an organization’s network. “Connected devices offer great benefits, but you need to be sure these things are protected,” said Bartolac.
One issue is that manufacturers with a background in the physical security industry have traditionally built them, which means they focus on features important to building managers and may not give systems a thorough code review. Consequently, applications may not have been hardened against known software vulnerabilities to reduce or eliminate the risk of network attack.
It seems illogical, but there has traditionally been very little focus on the security aspects of networking physical security systems. In a study of the typical components, communication protocols, and deployments for the most common physical security systems being put on the network, researchers concluded that “physical security systems are inherently vulnerable to traditional network-based attacks.” The risk is something that retailers have started to recognize. “I’m seeing retailers making themselves more aware of the risks, probably because of the marriage of LP with IT,” said Bartolac. “They’re starting to look into what kinds of things can create risk and what kinds of solutions are appropriate, especially as systems are getting more complex.”
Still, only 30 percent of organizations say that managing third-party IoT risks is a priority for them, according to a 2017 survey by the Ponemon Institute, The Internet of Things: A New Era of Third-Party Risk. And the most basic of mistakes continues to provide hackers with a reliable way into company networks. “It blows my mind that some companies will keep out-of-box passwords for every device and never change them,” said Bartolac.
In a study presented at the 2016 International Workshop on Trustworthy Embedded Devices, researchers noted that 39.7 percent of cameras and surveillance systems analyzed on the Internet in 2010 were running with default credentials. “This basically means they are completely exposed to any kind of attack such as video-feed eavesdropping, malicious firmware updates, and DNS hijacking,” concluded the study Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations. The researchers said the 2010 figure still accurately suggests “the scale at which video surveillance systems are exposed and vulnerable to cyber-security threats.”
To address this basic but persistent vulnerability, LP needs to ensure use of complex passwords that are rotated on a regular basis, including during times of attrition whether it’s from resignations or layoffs, according to Christian Romero, a former LP executive at Neiman Marcus and now data privacy and protection associate at the Technocracy Group.
Another problem is perhaps more basic than poor password management. “I think, unfortunately, it’s common that LP or security will add these devices without duly informing the information security people,” Morin told LP Magazine. “So these devices exist on the network, but the people in charge of protecting the network infrastructure are unaware of them.”
To address that gap, some retailers are changing both the “how” and “who” of device management. Terry Sullivan, LPC, president of the Loss Prevention Foundation, was part of such an evolution during his stint at Lowe’s, from when LP would vet its own purchases and occasionally butt heads with IT to having every piece of LP technology—right down to a new printer in the LP office—being vetted by the IT group and tested in its lab.
“It was a big change in the last five years. It used to be if we liked it, we’d test it, and we bought it,” explained Sullivan, who encouraged the change after becoming director of LP operations at Lowe’s. “I told our people to put down their swords and their shields, and that it makes sense, so let’s do it.” Although it may require ceding authority and responsibility to IT, collaboration with IT is vital to implement new LP technology safely, Sullivan suggested.
Ongoing management of LP technology is also an area fraught with risk, Romero told LP Magazine. Although LP is typically the owner of security devices, the focus of LP practitioners is often elsewhere. “From a management standpoint, LP looks primarily at the function of the device and how a camera or system is working,” he said. “Rather than taking a more holistic view of what management of that device should look like.”
Cyber Solutions
Even basic security precautions may be ignored in the manufacture and installation of security devices. Although retailers can push vendors and integrators to give greater attention to the security of security devices, LP practitioners—since they live with the consequences—must own the responsibility.
LP executives that oversee network-connected security systems and devices need to assess the risk of those systems to cyber attack and must take steps to reduce the risk. “The crux of the issue is that not much energy or effort is put toward properly managing the life cycle of these devices,” explained Morin. “We’re happy with the video we’re getting, so we forget about them. There is this impression that a device will last five, seven, or ten years, and that is when we’ll touch it again,” he said.
Success starts, then, with a strategy.
When the GAO examined the cyber risk to security systems at the Department of Homeland Security (DHS), it found that select protection solutions had been deployed but that the broader effort was hampered—and vulnerabilities weren’t addressed—because DHS lacked a clearly defined strategy to maintain its focus. Worse, it found a lack of agreement on exactly who was responsible for addressing the integrity of the systems, which is a precursor to taking action, the report concluded.
A viable overall strategy to address cyber risk to security systems should entail defining the problem, identifying the roles and responsibilities for securing systems and devices, analyzing the resources needed, and identifying a methodology for assessing cyber risk to security devices. Such a programmatic approach is important as other LP issues can easily divert attention and cause retailers to lose focus from what may seem like the abstract risk of a cyber attack on an IP camera.
LP operations must be deliberate when selecting, testing, and adding new security devices to the network. Not all network security devices are designed for security, and there is no guarantee, if a flaw is found, that a manufacturer will roll out a timely fix. Additionally, not all vendors do the same amount of testing. Consequently, choosing trusted manufacturers and integrators is critical.
“What are their security practices? Do you trust the company in general? Who is writing the software? You have to be careful of a backdoor into your network,” said Genetec’s Morin. “I don’t want to say you need the more expensive cameras, but you want to get something that, out of the box, offers you a more hardened device,” added Romero.
LP Magazine interviews with industry experts elicited additional advice, which will not only help LP address vulnerabilities but may also help to improve the operational efficiency of devices and systems:
■ Adopt a suspicious attitude about the cyber security of devices, advised David Willson, CEO of Titan Info Security Group, a risk management and cyber-security consulting firm.
■ Go beyond the sales pitch. Evaluate the security of a security device as closely as you do other criteria, such as compatibility, features, and price.
■ Be flexible when evaluating products. Studies have shown that more than half of security end users have their minds made up on the products they want when entering a project. But rigidity can result in overlooking vulnerabilities, warn experts.
■ Work exclusively with vendors who offer a road map for security; provide specific hardening guides for their network security devices, such as IP cameras; proactively post common vulnerabilities and exposures on their websites; and regularly issue software and firmware updates. Unless you see a road map for security for a vendor’s product, you should skip it, said Bozeman.
■ Limit authorization and access to LP network devices and ensure that appliances maintain a log of all activity to facilitate forensic review.
■ Look for technology partners that carry liability insurance. Insurance will require that an integrator or vendor undergoes an audit by the carrier to make sure they have continuity plans in place and the like. It provides at least a minimum amount of assurance that the company’s security has been examined, according to Morin.
■ Establish best practices for low, medium, or high device protection, and then follow the appropriate measures depending on the risk level associated with a specific device, advised Bartolac.
■ Solicit the help of IT to select trustworthy vendors and integration partners. Factors such as who built the hardware, where the software was developed, and what security practices are in place to protect the source code are all security assessments that infosec departments are accustomed to doing, noted Morin. “LP should get their help to select a vendor and leverage their expertise,” he recommended.
■ Disable unused services and only install trusted applications to reduce the chances that a would-be perpetrator could exploit a system vulnerability, advised Bartolac. Also, place cameras where they’re out of reach of a potential attacker’s tampering, he added.
■ Segment security devices from other company data to the fullest extent possible. “Keeping CCTV wholly separate or segmented from payments absolutely would be a best practice to limit your exposure,” said Romero.
■ Develop internal technology expertise so that your team can ask necessary questions and knows what issues to look for, such as core protocols that lack security mechanisms, whether vendors employ proper encryption methods and mechanisms, and devices lacking secure configuration. LP must possess a skill set that is commensurate with the level of responsibility they have for device IT security, cautioned Romero.
■ Consult best practices. In addition to vendors’ hardening guides, security groups and associations have put forth technical guides and best practices to follow, such as basic safeguards suggested by the Security Industry Association Cyber Security Advisory Board’s Beginners Guide to Product and System Hardening.
Physical Frailties
While connection vulnerabilities provide armchair hackers an easy inroad, physically infiltrating a facility to facilitate data theft or destruction is still “crazy easy” for a skilled adversary, according to Nickerson. Access control, badge systems, and other intrusion prevention and detection systems rarely stop his team from getting where they want in a facility and doing what they would need to do to compromise its network.
Johnston holds a similar view of device vulnerability. As the former head of the vulnerability assessment team at Argonne National Laboratory, he has conducted vulnerability assessments on more than 1,000 physical security and nuclear safeguard devices, systems, and programs, and it’s his opinion that all security technologies and devices can be defeated—usually “fairly easily.”
In addition to not undergoing a rigorous vulnerability assessment by the manufacturer, there is a problem with chain of custody, which fails to get much attention, according to Johnston. “The typical security manufacturer isn’t likely to have good insider threat security,” so product tampering at the source is a risk. In November, for example, it was discovered that preinstalled software in some Android phones was sending data to China, including information on where users went, whom they talked to, and text message content.
“Then [the security device] will sit on loading docks, and then sit again, sometimes for months, somewhere at the end user, and only then is it installed,” said Johnston. “But no one knows what the interior is supposed to look like, and manufacturers don’t supply pictures, so it’s impossible to tell signs of tampering.” A skilled adversary can install a man-in-the-middle (MiM) attack or compromise a device in some other way with just a few minutes of access, he noted.
Additionally, security product design often facilitates tampering by using housing that is thicker than necessary in order to make servicing devices easier. “So there is all kinds of physical room inside it for someone to put in a device to capture data and conduct MiM attacks. And end users don’t usually go around and check for alien material inside their security devices, so you have successful attacks,” said Johnston.
When physical devices fail, it can often render other security investment moot. For example, organizations are putting a lot of faith in encryption and authentication technologies. But companies often remain vulnerable because encryption can’t correct underlying vulnerabilities. “Data encryption and authentication provides reliable security if and only if the sender and the receiver are physically secure, the insider threat has been mitigated, and there’s a secure cradle-to-grave chain of custody on the hardware and software; usually none of these is true,” Johnston explained.
True security requires a secure chain of custody right from the factory, effective tamper detection built into devices, and manufacturers conducting independent and imaginative vulnerability assessments. But all three are almost universally lacking for most security devices, Johnston warns.
Vulnerabilities of some kind extend to all popular security technologies—prox cards, biometrics, even emerging retail favorites like RFID, says Johnston. RFID attacks can be performed at each stage: during communication, at the tag level, and on the tag reader. “It’s easy to shield from an RFID device. You can block, jam, or counterfeit an RFID signature. People are sometimes regarding RFID as a higher-security approach, but it’s just a bar code and maybe worse because it’s not hard to spoof RFID from across the room or from the parking lot,” he said.
The vulnerability of RFID relates to what Johnston thinks is the most common mistake in retail—confusing inventory with security. “It’s thinking that, because they know where parts and pallets are and can keep track of things, that it can act as a security system,” said Johnston. “You can have both security and inventory with the same system, but you need to analyze it as an inventory system and then separately analyze it as a security system. Too often retailers will just look at it as an inventory system but also use it for security. Or else retailers buy it for inventory, and there is a case of mission creep, and they start to use it for security.”
Compounding the problem is that inventory folks often have the money to buy all the hardware, with security being an afterthought. “But you need to build the security piece in from scratch,” said Johnston. “You can’t Band-Aid security onto an inventory system.”
More broadly, he says that LP executives need to be careful not to assign security technology powers it doesn’t possess and must recognize that security devices themselves are often not secure, which makes them vulnerable to spoofing.
Accept Defeat—And Win
Although device security is a technology problem, both Johnston and Nickerson suggested the need to address it culturally. Their domains are different—Johnston’s is vulnerability assessments, and Nickerson’s is penetration exercises—but both strategies require a retailer to be OK with learning about their weaknesses. And that can be a struggle. “Even if you can’t redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don’t have to spend a ton of money,” said Johnston, who recommends that organizations perform their own frequent, imaginative, independent vulnerability assessments to find security weaknesses.
He suggested picking individuals from outside the LP department who seem psychologically predisposed to finding problems and suggesting solutions. “Pick people from the mailroom or the graphic arts department, the smart, creative types who are always finding loopholes.” These are just the kind of people who in a vulnerability assessment (VA) can provide fresh insight into how creative adversaries might defeat your security systems, said Johnston.
“The problem at a lot of organizations is that they’re afraid to encourage employees to think about these kinds of things, and they’re also afraid of what they’ll find,” Johnston added. It doesn’t help that in physical security, unlike cyber security, making changes is sometimes viewed as admitting to past negligence. “Some organizations will even halt a VA once they find vulnerabilities because really what they wanted was to rubber stamp their program and to say they looked at it,” he said.
Johnston said retailers should strive to develop a culture where uncovering vulnerabilities is seen as positive—and to be willing to accept that a legitimate vulnerability assessment will always find attack possibilities. “And you don’t have to find every vulnerability for it to be worthwhile,” he added. “At least you can go after the low-hanging fruit, and say that this attack and this attack are the most likely, so you can make some valuable, practical changes.”
Nickerson sees a similar mindset holding organizations back from undertaking much-needed physical penetration testing; many don’t want to see the expensive technology they bought easily compromised. But it’s a shortsighted attitude that practitioners and their organizations need to rid themselves of, Nickerson suggested. Don’t think of a red team’s success as security’s failure. Instead, see it as new information to help adjust and improve security. “The more we think from an adversarial perspective, the more we can know if we’re getting what we want out of our systems,” he advised in his conference presentation “Breaking Physical Access.”
Looking at your security devices from the perspective of attackers will always point out flaws, but knowing whether it’s worth addressing them requires a detailed risk assessment, something else Johnston thinks that LP practitioners could do better. “There aren’t good or bad security devices. It depends on what you need. However, ‘we don’t want stuff stolen’ is sometimes the extent of the risk assessment,” said Johnston. “But when you’re looking for the best car, it depends on what you want the car to do. Is it to win the Indianapolis 500? Is it to impress the neighbors?” So even though a security system will have its vulnerabilities, “it may be the right system given the adversaries you have, the budget you’ve got, and what you’re protecting,” said Johnston.
Johnston and Nickerson suggest that to successfully harden a security system or device against attack requires LP to first acknowledge that it’s a possibility and then be willing to gain a deeper, more honest, understanding of their technology. Learn how it can be attacked. Understand the intricacies of what systems can—and can’t—do. And appreciate which threats devices can and can’t protect against. “But it’s often way less thought out than that,” said Johnston. “It’s people in charge of security buying something because the salesperson says it’s good. I actually see the whole thing more as a security culture deficit rather than a device security issue.”
GARETT SEIVOLD is a journalist who has covered corporate security for nearly twenty years. He has been recognized for outstanding writing, investigative reporting, and instructional journalism. He has authored dozens of survey-based research reports and best-practice manuals on security-related topics. Seivold can be reached at GarettS@LPportal.com.
