SPRING 2009
SouthEast Education Network
PRODUCTS & SERVICES
Security 101: Who’s in Charge?
By Jonathan Kendall
President, Kendall Design Group
(This article is part three of a three part series.)
In the first two parts of this series, we discussed the psychology of those in charge of the security of our schools. We discovered the findings of Nobel Prize winner Daniel Kahneman and Amos Tversky in the research of Prospect Theory, which details the phenomenon that, on average, the well-meaning people in charge of our children’s security take significantly more risks with the lives and property of the students, faculty and staff than was anticipated.

We also examined why people chose to solve the wrong problem. An example is installing a new security system or product and then believing they have a very secure campus, when, in fact, they have opened themselves to a new world of risk and liability because of not studying the problem thoroughly. Because this “solution” was not vetted in the context of their unique institution within the larger framework of integrated security, it has the potential to cause more security risks than it solves.

The process of security and risk analysis planning was discussed in detail. We must look at the assets to protect, all of them, including the students, faculty, staff, materials, technology, intellectual property, facilities, etc. We must explore and prioritize solutions, put them in the perspective of the institution’s requirements and goals, and examine the total costs in terms of money, resources, time and freedom, among other issues. And we are obliged to examine the positive and negative interaction of the solutions between the various assets, systems, technologies and processes. Only then can we make a decision in the best interest of the institution. An acceptable level of risk can be attained only through careful planning.

Now that we have the reasoning and the planning process in place, let’s take a look at security-based Return on Investment (ROI) and Failure of Investment (FOI), and some new types of attacks on the horizon. But first, security takes a team.
Security — A Team Activity
The security team is a key component to the success of enhancing security and reducing risk. As the old saying goes, there is no “I” in team. It is not a one-person job, or a one-department job. In the event of a crisis, a team of experts in physical, electronic and cyber security will need to work together and minimize the impact of a security incident.

A diverse group of security experts ensures the team can share experience, compensate for gaps in knowledge, see and exploit synergies, while allowing for specialization. In a security organization of one, or without a broad range of experience and open dialog, this sharing cannot take place.

Problems can occur in an organization where securing assets is kept in silos. For example, the information technology (IT) gets the computer information and anti-virus security, while the police get the physical security of the hardware when stolen. The perspective of combining the IT and security technologies is lost and fiefdoms are built. Then the security team will be cut back to a skeleton crew with loose ties holding them together. The communication breaks down, everyone has something else to do and the security platform is not in place when it is needed.

A whitepaper by SecureWorks, Inc., a company in Atlanta, says, “Security experts are a bit like firefighters. They go through intensive training that prepares them for an emergency. Firefighters spend the time between fires preparing for emergencies, spreading the word on prevention and gaining additional knowledge. When the emergency arrives, they have to operate on little more than instinct. There’s no time to look things up or make sure it’s being done right. When it’s all done, they return to the firehouse and start the cycle again. There is a big difference between firefighters and security experts — the latter don’t get to use the cool fireman’s pole.”
Why a Team? It is the Blended Attack
The idea of combining the world of cyber crime and physical crime is the future for the educated, intelligent and professional criminal. The current weapon for the pedophile is to use the Internet and chat rooms to lure the child victim into a “relationship” and then coax them into a physical sexual assault, thereby combining the cyber and physical.

The more advanced criminals, especially those with the high quality computer skills that are being taught on campus today, will be able to easily use this expertise in different and unique ways. These methods can be used to disrupt communications such as a computer text message alert system or a campus audio annunciation warning system, while the “lone wolf” attacker combs the campus for victims. Or what if the attacker hacks into the warning systems to create a series of false alarms, or “false positives,” to lower the campus community’s trust in the electronic systems? Then the attack can be carried out with a slower response by authorities as the community just thinks it is another false alarm.

The real possibility is that a much larger, more dangerous terrorist group could be planning a larger scale attack on a campus similar to the Russian school attack in September 2004, where terrorists took control of a school, ending in a siege when approximately 300 people died, including 150 children. The event made international news, something the leading terrorists are anxious to do.
Make the “blended attack” a part of your security plan and train rigorously for it.
Highly educated criminals are most likely to use computer and electronic system-based “cyber” attacks in a blended fashion, combining offensive cyber elements to worsen the damage and obstruct recovery during a physical attack. The most probable targets for such attacks are important people or assets, response police and medical services, and security systems.

Cyber-only attacks are also increasingly executed by even new computer science students just to see if they can do it. All the hard work is done because the code is on the web. They can either do it for fun, or profit, and this is happening every day at every institution. Just check with your IT staff.

The risk of a criminal or student using the blended attack, or God forbid a campus terrorist attack, would be reduced by ensuring that blended attack scenarios are included during contingency planning and vulnerability analyses, increasing surveillance and ongoing assessments, and enhancing information sharing among campus and community security services, police, IT, and emergency services.

Blended attacks can be broken down into four general types:
Cyber to Enhance Physical.
This is the most likely type of blended attack. Attackers would use the cyber component of the attack to increase the chaos caused by the main, physical assault. This type of attack would be launched after the physical component and would target systems and assets used by response and recovery personnel, maybe the campus text system, 911 or large scale announcement systems. This is the most obvious attack scenario for a college campus.
Cyber to Facilitate Physical.
This type of attack is likely and may become increasingly attractive to attackers as they face your increased security measures. In this attack, an electronic or cyber component is used as an enabler for a physical attack. The cyber assault would probably be launched before the physical attack. This attack would be intended to defeat security systems, gain access to certain areas, or delay the security force. And it may incorporate some form of social engineering or tricking one’s way into a system. This type of attack could use a cyber attack to degrade communications-based security systems or block automated notification systems. The attack would require considerable technological sophistication, like the students learn every day, to effectively impact the campus resources. Many would see this as a workable challenge, even a badge of honor just to get it to work!
Physical to Enhance Cyber.
This is less likely than the first two attack types, but may become attractive as attackers look for ways to increase the impact of an event. This type of attack would use a physical attack to compound the problems of a cyber attack. It would likely be aimed at disabling the security prevention, monitoring or response technologies needed to effectively recover from a cyber or hack-attack. The most likely targets are large, high-profile objectives and assets, perhaps a large or famous campus. Depending on the type of cyber operation, this type of attack could be executed by any group capable of cyber crime. But it would take a group such as terrorists who want to make a political “statement.”
Physical to Facilitate Cyber.
This is the least likely of the blended attacks and the most difficult to successfully execute. This type of attack would use a physical attack component to gain access to assets required for the cyber component of the attack. It would likely be targeted at very specific assets and would require an extremely high degree of coordination. This type of attack could be used to gain access to a secure facility, possibly research, from which a critical network could be accessed. For example, a group of attackers could launch a physical attack against the campus financial information to gain access to monetary records. It is likely that this type of attack would only be launched by a well resourced, highly organized group. This is more TV plot material; it is unlikely that an individual or smaller, ad hoc group would have either the resources or the competencies to execute an operation of this complexity on campus.

If you have an intelligent “adversary,” bad-guy, or criminal intent on perpetrating a misdeed (in the case of a criminal-minded student on campus) with time (classes do not last all day), resources (the student has the full resources of your campus at his disposal), emotion (revenge for example) and intellect (the student is a student so they are pretty smart), they are going to study your defenses, campus, technology and your processes. And if you have something like a rule, ID, or locked door, and they can figure out a way to bypass it (and these folks are always figuring), then you have a weakness, a vulnerability. A weakness in cyber security can lead to a failure of physical security and vice versa. It’s the blending of risk and safety for people, equipment, information, resources, and money.
Return on Investment (ROI) and Failure of Investment (FOI)
“Most (administrators) want hard numbers to make financial decisions, and we live in a world where you can’t always have that,” says Rich Mogull, research director at Gartner G2 Cross-Industry Research. “I mean, what’s the ROI of a fire extinguisher?”

The numbers do exist; they just need to be found. The American Society of Safety Engineers (ASSE) states in a report that the ROI of fire extinguishers is approximately a $3 return for every $1 invested. This estimate is based on fire extinguishers, like physical and IT security, showing up as a part of a larger safety/security purchase. It is logical and makes sense that there would be a high ROI on preventive equipment such as this. Often, regulation mandates fire extinguishers but that does not change the fact that they have a high ROI.

Someone might suggest that, since there were no fires last year, there was no ROI. If that is the attitude at your school, it’s time to initiate some awareness and education because that is not how risk management works. How about this: If you wear your seat belt but do not get in a car accident, does that mean you should not wear a seat belt, or only use it occasionally on “high-risk trips,” because there was no return?

Of course not. It is a low-risk, high-reward activity, because return is not just measured in a rigid world of dollars and cents and what did or did not occur, but in the real world of what might occur and how likely it is to occur. That is the heart of risk management. It involves being ready for something bad to happen by investing in strategies and systems to stop it from happening, monitoring when it does happen and responding appropriately. Relate that to a school shooter or a dorm rapist or property theft. You did not have a school shooter this year. Does it make sense to ignore the possibility or have security solutions in place to prevent it?

Many people do not believe that you can truly have Return on Investment on security.
Security is not normally an investment on which you expect to make a monetary return as it is resources spent to protect investments that further the goals and academic mission of the institution. We can look at security from a different perspective than we do with other purchases. Maybe we should look at it differently and measure it differently.

With Failure of Investment (FOI), a term coined by Andy Willingham (known as Andy, IT Guy), we can look to differentiate between the failings of people and the failings of security-based technology and systems. People screw up. They can be messy and emotional. They can have a bad day and get bored, and they often don’t know what to do or how to work something correctly when a traumatic event like an attack occurs. They can get flustered. Technology fails because it is designed, built, configured and maintained by these people. People who often cannot see the system beyond a mechanism to perform a simple set of tasks. It fails because it is put in place to do that set of tasks and when faced with doing something different it doesn’t know what to do so it fails to protect, or monitor or respond. It fails because smart-bad-guys find ways to work around a security system or a security process that one consultant says is “brittle” or too rigid and set in its ways. Much like people can be too set in their ways.

Security fails for a variety of reasons. There are improper configurations, easy workarounds, poorly trained staff, implementing wrong technology, protecting the wrong assets, one system causing another system to fail, lack of awareness and poor user training. All of this can lead to FOI but there are other conditions, too. Failure can occur when technology isn’t updated, monitored or properly maintained. Failure occurs when the processes that make for security and limit risk aren’t done on a regular basis, correctly and conscientiously.

The classic example is adding security camera monitoring.
These security camera systems are sold as a great deterrent to crime, and it is often insinuated that real-time monitoring will reduce crime. But this is not true. The cameras are very rarely monitored, and someone actually being at the monitor at the exact moment an attack is happening, recognizing the attack, and responding is so rare as to be on the scale of winning the lottery.

Study after study shows that they solve very few crimes and they are a very poor deterrent to criminals. Video is rarely viewed in real time and, only rarely, when the crime is actually in full view with the correct lighting and angle of view can the old footage be found and used to investigate and prosecute a criminal. Obviously, this prosecution is after-the-fact, so it does not act as a very good prevention methodology. These systems can be a high-cost, low-reward, classic FOI if not implemented effectively, that can trick an institution’s administration into thinking they are well and truly secure.

We must ask: How does this happen? How does it get to the point where these systems and products are neglected or never properly implemented? Is it because people do not understand the real threat or the real assets to protect? One can implement security to meet compliance, satisfy audit and provide enough protection to say they are doing something, or it can be a visible “show of security” that makes the evening news but does not solve the real problem.

It is critical to take it to the next level of thinking by making integrated physical, electronic and information security a priority. It means having support from the president and
see SECURITY page 125
