Fellow ISSA Orange County Board Member Terry Gold will be giving a 4 hour training at the annual DEFCON (23) Conference in Las Vegas on August 7th. The training is aimed at white hats and security researchers who work on red team engagements, and covers methods for compromising complex electronic physical security systems.
It is a departure from the common information security topics we often discuss, so I asked him a few questions to find out more:
PK: What exactly are “complex electronic physical security systems” anyhow?
TG: These are systems that are the brain of protecting a corporate enterprise, government, or critical infrastructure from being physically compromised – people gaining access to facilities, or parts of them that they should not. It is easy to only notice locks on doors, but behind the scenes there is an equivalent to a whole domain controller ecosystem that is all electronically controlled to impose rules, restrictions, alarms and granularity of who can access which door (but not the other). So attacking these is no different than many of the IT systems already being managed in many respects – just not under the same visibility or sets of controls.
PK: This seems out of scope for InfoSec, how is it relevant?
TG: Oh wow, I get this comment often. It is immensely relevant to InfoSec more than they often realize. If I am an attacker, physical access is king. If I can gain some command and control of an organization’s physical security system or process (or combination is typically the goal), it is REALLY bad. First, all of the systems are now built just like IT systems. You may see a lock on a door, but what you don’t see is the server, wiring, control boards in the wall. It is a SYSTEM, and all interconnected to the data center, R&D, executive suites, anywhere really. Getting inside an organization physically opens up a whole new host of possibilities because once inside, looking like everyone else (physically or from a system level) I automatically become trusted to the level that I am impersonating. I no longer have to dumpster dive on the outside but can do it from the inside – plant devices, plug into ports, skim passwords wirelessly, invade networks, steal documents, take photos, or worst, sabotage operations and bring systems down.
PK: Organizations typically have a physical security organization that is responsible for this, so why should InfoSec even focus on it?
TG: Good question. First, because the impact affects them. These attacks can be used to compromise targeted IT systems, data and IP as well. Second, I do a great deal of consulting in the F500 space in this area (as well as IT systems) that assesses not just systems but how and why physical security built the programs the way they did – from asset assessment, to threat model to controls. I find that over 95% of the time, for even the largest global organizations, none of those three things were done in a manner that aligns with how InfoSec would buy into. Typically it is entirely skipped over or based on old standing practices of cookie cutter “facility operations”. Third, the systems themselves are pretty weak in how they are developed because the maturity model for secure development lags behind (less pressure from their facility customers to do a better job) so technically, you find all sorts of stuff you won’t often find anymore on the IT side – so it is easy to exploit if you know where to look. Last, there is little anomaly detection, so once I look like an authorized person, you are done. There is seldom any way for an organization to detect and remediate.
PK: On that last point, isn’t that what surveillance cameras are for?
TG: That is one of the biggest misconceptions. Surveillance cameras are generally there to primarily recall/replay events based on knowledge that an event occurred. This doesn’t help much to prevent incidents. Also, surveillance isn’t viewed all the time (if an enterprise has over 1,000 cameras, which many do, it is impossible to staff that). Even if they are, the people watching can’t know the face of every employee to determine if every action is valid. Also, even still, I will demonstrate in the training how surveillance can be spoofed even if someone is watching. They will think I am authorized even if looking at a previously enrolled photo against what they see. Also, a lot of the time, officers find that the camera had low bandwidth and quality is horrible. Or worse yet, attack the camera on the network to compromise other systems that control it. Yep, it’s pretty bad. Every InfoSec person should meet with their physical security personnel and review their policies against yours, do a mapping, and see what shakes out. You will be amazed.
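Two points in the answers above lend themselves to a concrete illustration: an access control system is, as TG puts it, a rules engine deciding who may open which door, and such systems typically ship with little anomaly detection on top of that decision. The following is an added example, not code from the interview or from any vendor product. It models a door-to-role policy, evaluates a constructed badge event log against it, and layers on two simple detections a defender can add to the raw access log: repeated denials from one badge, and an anti-passback check that flags a badge entering an area it has not left (a classic sign of a cloned or shared credential). All door names, badge IDs, roles and log lines are constructed sample data.

```python
"""Toy access-control log analyser (added example, not from the interview).

Illustrates (1) per-door authorization rules and (2) the kind of anomaly
detection that is commonly missing from electronic physical security systems.
Every identifier below is a constructed placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical policy: which roles may open which door.
DOOR_POLICY = {
    "lobby": {"employee", "contractor", "executive"},
    "r_and_d": {"engineer", "executive"},
    "datacenter": {"dc_ops"},
}

# Constructed badge directory: badge id -> roles assigned to the holder.
BADGES = {
    "B100": {"employee", "engineer"},
    "B200": {"employee", "contractor"},
    "B300": {"employee", "dc_ops"},
}

# Constructed log lines in the form "<ISO timestamp> <badge> <door> <in|out>".
SAMPLE_LOG = [
    "2015-08-07T08:55:00 B100 lobby in",
    "2015-08-07T09:00:00 B100 r_and_d in",
    "2015-08-07T09:05:00 B100 r_and_d in",      # second entry, no exit: cloned/shared badge?
    "2015-08-07T09:10:00 B200 datacenter in",   # contractor probing the data center door
    "2015-08-07T09:11:00 B200 datacenter in",
    "2015-08-07T09:12:00 B200 datacenter in",   # third denial in a row
    "2015-08-07T09:20:00 B999 lobby in",        # badge not in the directory
    "2015-08-07T09:30:00 B300 datacenter in",   # legitimate dc_ops entry ...
    "2015-08-07T10:00:00 B300 datacenter out",  # ... and exit
]

DENIAL_THRESHOLD = 3  # denials from one badge before an alert is raised


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    direction: str  # "in" or "out"


def parse_event(line):
    """Parse one constructed log line into an Event."""
    ts, badge, door, direction = line.split()
    return Event(datetime.fromisoformat(ts), badge, door, direction)


def authorize(badge, door):
    """Door decision: allowed iff the badge holds any role permitted at the door."""
    roles = BADGES.get(badge, set())
    return bool(roles & DOOR_POLICY.get(door, set()))


def analyse(lines):
    """Replay the log and return a list of (timestamp, badge, alert) tuples.

    Alerts raised: unknown badge presented, repeated denied access, and an
    anti-passback violation (an "in" event at a door the badge is already
    inside, with no intervening "out").
    """
    alerts = []
    denials = defaultdict(int)        # badge -> consecutive denial count
    inside = defaultdict(set)         # badge -> doors the badge is currently inside
    for line in lines:
        ev = parse_event(line)
        if ev.badge not in BADGES:
            alerts.append((ev.ts, ev.badge, "unknown badge presented"))
            continue
        if not authorize(ev.badge, ev.door):
            denials[ev.badge] += 1
            if denials[ev.badge] == DENIAL_THRESHOLD:
                alerts.append((ev.ts, ev.badge, "repeated denied access"))
            continue
        denials[ev.badge] = 0
        if ev.direction == "in":
            if ev.door in inside[ev.badge]:
                alerts.append((ev.ts, ev.badge,
                               f"anti-passback: re-entered {ev.door} without exiting"))
            inside[ev.badge].add(ev.door)
        else:
            inside[ev.badge].discard(ev.door)
    return alerts


if __name__ == "__main__":
    for ts, badge, msg in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {badge}: {msg}")
```

Run as-is, the script reports three alerts from the constructed log (B100 anti-passback, B200 repeated denials, B999 unknown badge) and nothing for B300, whose entry and exit are consistent with policy. The design point is that the authorization rule alone would have silently allowed the duplicated B100 entry; only the stateful check over the event stream exposes it, which is exactly the kind of detection TG notes is seldom present.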
PK: This is pretty scary. Do you have real world examples of this?
TG: Yes, many lessons learned from previous engagements. Funny thing is that the vast majority of clients in the beginning think that it isn’t a big deal or isn’t relevant. Then we go in and do some real jaw dropping things by combining unthinkable combinations of methods that are really quite low tech and readily available. I’ll be going through these in the training. Mostly focused on how to get into the tough areas and impact IT.
PK: So what will your course cover and who is attending?
TG: So the course is posted HERE at DEFCON. More details are posted HERE at Peerlyst. It is really built for red team hackers that are going to go out there, get hired to perform assessments, and my goal is to enable them to do it better so that customers can improve, and force vendors to make better systems. The class is full, and it seems to be more diverse than that. There are actually a few physical security folks in there trying to learn more themselves because they can’t get this type of information from their vendors and integrators.
PK: This isn’t your usual topic. How did you get into this stuff?
TG: Well, I think anyone in security for more than 10 years generally didn’t “decide” to get into security as there weren’t specific course studies like there are today. That is true for me where I started out in IT, then security, and held true how I got into physical security. I was doing a lot of PKI and smart card deployments for large organizations and they wanted to re-use the card to be compatible for physical security. All of this stuff was proprietary and the company I was with that developed the crypto and provisioning software (the same company that did the CAC for DoD) was hijacked by these archaic vendors not wanting to open anything up. The customer was hijacked and the vendor was too embedded to kick them out. We figured out how these proprietary systems worked, built decoding and migration tools to cut them out of the loop and give the keys back to the customer. After putting this into process and rescuing clients, other clients started calling by way of referral. It just took off from there to investigate what they had, why they did it, hey, while I am in there, let’s align authoritative identity sources, roles, and improve overall internal roadmaps around this in general. It’s turned into a full practice that leverages research, methodology and purpose-built tools wrapped in a program to bring companies through this maturity model. It has been a journey and I don’t really feel like it is work “outside” of InfoSec because I am looking at systems with the same principles and often integrating them in.
PK: You still do InfoSec work right?
TG: Oh yes. This is often confusing to people because the areas are so different. I would say half of my time is focused on physical security systems and the other half on InfoSec relating to Identity Management, authentication, crypto, and advanced trust model frameworks. About 25% of the time is around how to converge the two to improve security and operational efficiency. So they do intersect sometimes. But overall, physical security needs to, and will, align with InfoSec because the practices there are more mature and physical security needs to borrow from that. This will be an important transition for any CISO in the next 5 years – to ensure that they include the electronic physical security systems in their management portfolio that adhere to the same principles as any other system that involves servers, networks and controls. You can see an article I wrote detailing this transition HERE that outlines current versus future state along with what is driving it forward.
PK: Thanks for sharing and good luck.
TG: Thank you. Just going out there to share knowledge, learn new stuff, and have fun.