Where culture and security clash
- 24 June, 2014 01:47
Physical perimeter security can differ from facility to facility, with myriad factors playing into what exactly is implemented, including budget and the assets that are being protected.
But what about geographical location and, subsequently, culture?
It's not one of the more obvious aspects that people consider when examining security, but it factors in more than one may think. Perimeter security varies from country to country, and their cultures have often proven to be both beneficial and detrimental.
Generally speaking, there is a stronger culture of security overseas and most businesses are equipped with more stringent measures than what we see stateside, according to Eric Milam, managing principal at Accuvant.
"Most organizations in the US, they appear to be somewhat behind the rest of the world," he says. "Tailgating protection, knee knockers, man traps...we encountered that a lot more in Europe."
Bill Besse, vice president of consulting and investigations for Andrews International LLC, an affiliate of U.S. Associates, who has also spent time overseas, points out that the more intense security measures aren't just found in European countries that voluntarily opt to implement them -- though he does concur that many financial institutions there have higher levels of security than here in the US. There are also countries that more or less have no choice.
"I think there are some cultural differences in locations where they've experienced horrendous terrorist incidents," says Besse. "The national scene plays into [perimeter security], all the way down to the culture, and a lot of it has been event driven."
Besse, who spent time in Istanbul, Turkey, recalls that because of extremist activity like bombings, any building of consequence was equipped with magnetometers, baggage and parcel screening, and x-ray technology. Everyone who entered was subject to search and inspection, but people were generally unfazed as it was simply part of the culture, part of living in an area so fraught with dangers.
"People now accept that as a standard kind of thing," says Besse. "Standoff distances are increased, retractable anti-vehicle barriers in the avenues of approach to places like hotels or government buildings...over the years, it's become kind of an accepted thing now."
Besse also reflected on his time spent in India and Israel, where he says he found the situation to be similar. After the 2008 terrorist attacks in Mumbai, the country amped up security in the form of K9 units, armed guards, and magnetometers in large commercial and hotel facilities. In Israel, vehicle screening at the perimeters of shopping centers and other major areas is commonplace.
"Culturally, it's an acceptable way of conducting business in the state of Israel," says Besse. "It's a huge cultural shift from places like the US and other places in the world. It's pretty much day-to-day protocol in places like Israel where they feel that security has to be done properly and in a certain method."
But for all of the stringent perimeter security that can be found overseas, Milam has found that social engineering has proven to be an effective way to circumvent those measures, and cultural differences are often a factor in his team's success. He mused about the time an American company requested he and his team at Accuvant attempt to access their warehouses in Japan, and how easy it was for them to essentially walk right in.
"It's basically two American boys who don't speak a lick of the language," says Milam. "But once we got to Japan, we found that they're taught to be helpful and respectful and not always question people. They're going to want to help us instead of asking directly, 'What are you doing here?'"
Milam went on to explain that, like with every physical security pen test, he and his team did prior research and preparation. But in this particular case, he and his partner had it easy: they were able to find pictures of the company's employee and contractor badges online. So, after printing out fake badges, Milam went over to Japan with a falsified letter saying he was coming from an American company and was to be given access to the facility.
"We played the role of dumb Americans while we were there," he says. "We got cars from the hotel, stepped out of a Mercedes at the [target] building, and nobody questions us. They just let us into the secure environment. One door in, one door out. We took pictures of ourselves with our arms around the guard at the end."
To further ensure that the warehouse security would have to venture out of their comfort zones to question Milam's authority, he made sure to arrive at the site when it was 3 AM back in the US, where the company's headquarters (where he was ostensibly sent from) are located. If any of the guards wanted to call and confirm that Milam was actually supposed to be there, they would have to drag somebody out of bed -- and it appears that none of them were willing to do that.
"What we found was a submissive environment, they never want to seem disrespectful in any way, shape, or form," says Milam, who adds that he encountered the same type of environment while pen testing the same company's warehouses in China. "They didn't want to disrespect us because we looked like we had the proper badges. They weren't used to having someone from the US come over, and here we were with our friendly faces and big badges."
In some cases, even the badges weren't necessary; people's reticence to challenge what Milam was doing at their building was more than enough. He mentions a time he was hired to infiltrate an oil refinery company's building in Holland and how, due to the use of man traps -- where you swipe a badge, step into a tube, get scanned, step out the other side -- he couldn't just walk right in.
"So I hung out in the smoker area on a Wednesday...I don't know if it's Holland in general or just the company, but they give them that day off to be home with their families," says Milam. "So I befriended a lady and told her, 'Yeah, my boss had to go home on an emergency flight. I don't know who he was working with, but this guy isn't here today either.'"
The woman replied that it was no problem and proceeded to vouch for Milam to security, who did not even look him up before giving him a visitor badge and passing him through the man trap.
It hasn't always been quite so easy for Milam and his team, however. He recalls another time in Spain when he was pen testing the same oil refinery company and, after some preliminary recon, ran into some trouble. Ultimately, however, the culture's gender dynamics ended up working in his favor -- and thus to the detriment of the company's security.
After doing recon on what the company's badges looked like and creating legitimate-looking facsimiles, Milam acquired a credit card-sized board built by Hardkernel (equipped with Kali Linux) and set it to call back to a command and control server through a secure channel. The only problem was, he needed an open conference room where he could plug it in.
"So we pegged the chief legal officer, found his signature, wrote up our own letter about, 'Help these guys any way you can. This is a snap audit, nobody was told,' and put his signature on there," says Milam. "Everything looked legit."
Armed with the letter, Milam proceeded to ask the woman at the front desk of the building for access to a conference room.
"The thing is, middle aged women feel more empowered to pull you aside and ask you what you're doing there," he says. "She did a good job grilling me for about 10 minutes, I got it all on video. I handed her the letter and you could tell on her face that she wasn't buying it really."
But as Milam continued to press, the woman eventually agreed to take the issue to the head of the plant, at which point the company's security began to unravel.
"She hands him the letter and he very quickly shut her down," says Milam. "He said, 'I don't care what you're saying, this person needs access.'" So Milam was promptly given access to a conference room, where he plugged in the board and opened a reverse shell to the command and control server.
After the fact, Milam suspected that cultural aspects had played into the situation at hand.
"Even though this lady was doing the right thing, in this environment in Spain, it seemed like the men overruled the women," says Milam.
Despite the company's ultimate failure to protect itself, however, the initial resistance was a good start and in some cases might have even been enough to deflect less persistent threats. Other simple measures that make life more difficult for attackers -- like limiting egress points or having all employees funneled through one point, says Milam -- go a long way, too.
Perimeters are expanding too, which also has to be taken into consideration when planning security. "There has to be more than one security perimeter," says Besse. "Barriers have to be designed in perimeter zones, so if a perimeter is breached, that doesn't put the adversary in direct contact with the asset. It provides the earliest warning possible that someone or something is attempting to penetrate the security of an organization."
Even the outermost zone should present a difficult front for adversaries, however, because the more adversity an enemy encounters early on, the better. As Besse points out, attackers aren't going to waste their time on targets that stonewall them.
"This is a core premise I've noticed over years in the field: attackers attempt to breach the perimeter, and if they determine it's difficult, they often move on," says Besse. "They're going to move on to the path of least resistance."
That's why, he says, regardless of what you're protecting, you obviously don't want to be the softest target. But the other side of the coin is that being the hardest target doesn't always make for an easy road either.
"You might want to be the hardest target," says Besse. "If you're the government protecting nuclear weapons or military assets, then you might very well want to be the hardest target. But there's going to be a cost associated with that."
So if a company is dealing with a budget, like most organizations or enterprises are, they should perform a thorough assessment of their risks and whether or not they're really all that great. From there, they can determine what their potential losses are and what their level of protection should be.
"And sometimes," says Besse, "being the hardest target makes you an attractive target."