When I started on the InfoSec side nearly 20 years ago, I hadn’t a clue about physical security or that it even existed. Sure, I was aware that you needed a card to get through a door, but not the infrastructure or program behind them. I really didn’t have any interest, either, but got pulled into convergence projects and was required to dive in.
I had to figure out how to integrate LDAP, certification authorities, lifecycle events, and other elements to coexist with access control. It didn’t take long to conclude that the world of physical security didn’t build things in ways that anyone coming from the IT world would expect.
After finishing my first project, I didn’t intend to do more work in this space, but the projects kept coming, the knowledge gained from each one became more valuable, and I got sucked back in. Despite the repetition, each project was a quest of investigation, problem solving and customization, since all of these systems were completely proprietary with no APIs to the IT side or even between physical systems. Everything was a silo: proprietary embedded systems and databases, no disclosure of schemas or extensibility, and each layer just as obscure as the one before it.
Getting Social Engineered and Making New Friends
After many cycles of breaking things and putting them back together, I received a call from “Dave,” who was really interested in my services. We spoke for an hour, and he told me a little bit about his project but mostly asked a lot of technical questions and said he’d be in touch. I didn’t hear from him and didn’t think much of it. A couple of months later, Dave called and disclosed that his name was really “Steve.”
He cautioned that he was going to come clean and ask for my help, and that he would understand if I was upset and unwilling, but he pleaded with me just to hear him out. He disclosed that he was a white hat: he gets paid to hack into organizations and tell them how he did it, before the bad guys do it and don’t tell them – he’s a good hacker. He’d been contracted by a government agency to break into its facility, which was gated and protected by armed guards. He explained the various things he’d tried to get into the facility, each more extreme than the last failed attempt, and said he was running out of time. So, he was calling many people to get an understanding of how these wonky systems really worked and what could be exploited.
He called me back because, to him, it seemed as if I had more intimate knowledge than any other person he had spoken to. Even within his network of hackers, this information wasn’t well-understood. I decided to work with him, and he ended up getting in.
Becoming an Ethical Hacker
Steve asked me to fly to New York and speak at a hacker conference to share this knowledge with the hacker community. I was reluctant. After all, I wasn’t a hacker, but he explained that I had unique knowledge to share and he’d tag along to make sure I was comfortable. I discovered that even though I’m the dumbest guy in the room, that’s not what these conferences are about but rather what you can learn and share. Even if you have knowledge in a very narrow area where no one else does, bingo!
In the years to come, I’d give countless presentations at hacker conferences, lead workshops, and participate on red teams. As much as I’d share that was new for the audience, I’d learn even more from them and come to realize that physical access systems weren’t only wonky but terribly insecure. They were open to nearly every attack that IT had long since remediated. It was clear: The physical security industry didn’t have security within its own systems on its radar, and neither its InfoSec counterparts nor the hacker community were aware of it.
My Own Cyber Reckoning
I’d come to realize that being good at designing information security solutions against known threats and building resilience against real-world hackers were two entirely different skill sets. One of the main differences is that it takes practice to think like a hacker. Another is that when you’re working in a traditional role, you’re obligated to follow the rules and procedures of the organization (mainly so you don’t violate change management and controls, or tank systems). Hackers don’t follow rules, so the arena in which they practice is different. Good hackers reach a level of knowledge and creativity that most won’t understand unless they either become a hacker or get to know hackers and how they operate.
Over the years, I’d disclose my findings to clients and provide warnings of impending doom, but they fell on deaf ears. End users were dismissive, some vendors threatened to sue me, and industry insiders shunned me from their circles. I’d end up working for the few that did care, mainly when CISOs discovered how insecure their data centers were and the industry couldn’t or wouldn’t respond to it.
Betting that someday more would care and that there was more to discover, I’d go on to focus my research on building extensive threat models and heatmap analyses to illustrate how and where organizations were impacted, and on taking the mystery out of the equation for my clients. Over the past year, I’ve sensed a change: less denial and more acceptance that security within security may just matter.
“Someday” Finally Happened
Then SIA (Security Industry Association) called and asked if I would speak at its 1st annual CyberSecured Summit. This was ironic, since previously the association wasn’t really herding the industry toward accepting that there was a problem. However, it was very welcome: After all, I only ever wanted people to get on board – not to penalize them over the past. I felt compelled to ask if there were any restrictions as to the horror that I typically disclose on the topic. To my pleasant surprise, they told me, “We must disclose the reality of the situation, and if there are people in the audience that are offended by reality, well, we can’t cater to them. Just sprinkle a little hope in there somewhere.” So we agreed that 75% horror and 25% hope might be the right formula.
It was really encouraging to see a full auditorium of insiders. SIA introduced me by stating that they had asked me to give an unfiltered presentation. I didn’t hold back as to how bad the problem is, how deep the denial has run, and my thoughts on what needs to be done. In the past, I would’ve been tarred, feathered, and chased out of the city. Instead, I was welcomed, appreciated, and valued. Since the conference, the sentiment has continued to head in this direction. From magazines to end users and even manufacturers, the majority are recognizing that cyber is both real and relevant – and, finally, that denial is no longer an acceptable position. Really BIG props to SIA for their evolution and approach in this area, as individual people like myself can only influence so much.
So, 2018 marks the end of a painful era (for me personally). People are coming out of the woodwork with cyber titles (having no prior domain expertise and having been one of those in denial just a year ago) and solving the entire problem by locking down a port.
As frustrating as it may be to see such poor advice being given, I’m just glad to now be having “the conversation.” It will take time to evolve, just as InfoSec did. And that’s the second and most important lesson of security – there is no “perfect,” and if you’re doing it right, more ugly stuff rears its head. The first lesson is that denial doesn’t work.
Catch my next post: “The Physical Security Industry finally welcomes cybersecurity. Now the hangover begins.”