Hey everyone, I think we're gonna be starting again. And I wanna be the one to introduce my dad because growing up in this area, where there a lot of us either, some of us may work for agencies, government entities around here, but I happen to have the luck to grow up in a household where my dad had an enormous set of lock picks. And when I'd lock myself out of my car, I wouldn't call a locksmith, I'd call my dad. And anywhere except DC, back then it was illegal to have lock picks or use lock picks in DC, if you were a locksmith or law enforcement. But my dad taught me a lot about what I know interests in breaking into things to figure out how things work so other people can't break into them and engineer them in a better way. My dad, it was an operative with the CIA, back, way back in the 70s, 80s, who knows? But he'll probably be able to tell you more about that. But I wanna introduce my dad, he's gonna be talking about the convergence of information technology and information security. We have a bit of a gap right now. So while we'll have, he'll describe it better, but while we have some access control physical security that are in facilities, the computer security hasn't, the two aren't meeting and they really need to for better security. He's gonna talk to you about that. He gave this presentation at Hackers on Planet Earth last summer, I'm sure the slides have been updated since then, but I'm really glad that my dad's gonna be a presence in this hacker space here at Reverse Space. We're setting up a kind of like a live test bed in here for some projects we're working on. We're gonna learn how some cameras work in here. We're gonna learn how to beat them, how to design them better. And that's gonna be going on here in Reverse Space under my dad's guidance. So if you wanna come in and test your skills and not only picking locks, but seeing how some cameras work and how they don't work, he will be leading up some projects on that. 
But without further ado, this is my father, John Strauss. (*audience applauds*) Thank you very much, I appreciate it. Looking forward to this. I'm bored by seminars myself, so I don't have anything set, so if you wanna interrupt or challenge something I'm saying or whatever, interrupt at any time. It doesn't bother me when I go to. Also, I don't know what the makeup is. Everybody who's not undercover, raise your hand. (*audience laughs*) Well, it's only three hands, what is that? Yes, yes. So I'm gonna be talking about security and IT convergence. That's me. I work locally. And again, when I go to seminars, I like to know who's talking at me because I evaluate what they're saying. I own and operate a professional engineering firm for about 24 years. We specialize exclusively in security and fire systems. Prior to that, I was principal for security engineering for Gage Babcock and Associates, and prior to that I was operations officer, intelligence officer with the CIA, that was an eternity ago. Why should we care about convergence? Why should we care about convergence? And by the way, for those who are interested, Gates never met Hoover, that's photoshopped. (*audience laughs*) But it's a terrific quote, in many respects, physical information security groups that coexist within organizations are as different as J. Edgar Hoover and Bill Gates. And that is the heart of the problem. And you're gonna hear this repeated theme for the next 45, 50 minutes, and that is IT community, by the way, everybody here is an exception to what I'm saying. Everybody's, you're covered. But the IT community is not very good at security, but they think they are. And the security community is horrible at IT. And a few think they're not. That's the heart of what I'm talking about. But let's talk a little bit about nomenclature, just for a minute, because it bothers me. The problem is that the IT community calls what I do physical security. 
It bothers me, I go along with it, I mean, I can handle it. But to me, a security system is made up of three parts. Physical, physical security to me is barriers, lighting, locks, roadways, stuff like that. Electronic is intrusion sensors, closed circuit television access control, screening, things like that. And then there's an operational part, guards, procedures, management, SOPs, things like that. It's those three elements together that make a system. You go out and you buy a couple million dollars in hardware and gadgets, you don't have a system. You just simply have a truckload of hardware and gadgets. So anyway, from now on, when I say security, I'm not gonna use the word physical security. But I'm talking about systems, all three. And by the way, the importance of the three varies all the time, depending on the application. Sometimes the most important part's operational, sometimes electronic, sometimes physical. So that's my nomenclature. So why should we care about convergence? The effectiveness of both cybersecurity and cyber warfare, and that's something that we're all very, very interested in right now, particularly as a nation. I don't think it's a secret that we're relatively unprepared right now, particularly for cyber warfare. It's linked to the positive negative aspects of IT and security convergence. IT and security have a symbiotic relationship that has benefits and has liabilities. Why is it critically important to understand how convergence occurs? Because convergence is creating overlooked or ignored vulnerabilities, both in the IT community side and physical security side. Convergence is everywhere. Shepherds. Last year I did a questionnaire survey in conjunction with American Society for Industrial Security, ASIS, and Security Management Magazine, that's their journal. And we surveyed 100 large corporations. Why large ones? Because smaller corporations may not have a security department, may not have an IT department. 
But we wanted to see what's it like right now. How much convergence has already occurred? Just so you know, the average of the 100 companies came out to annual revenues of 3.8 billion, which means good sized company. 11,000 employees, IT department with 207 people. Security department, 341 people, which by the way, probably includes contract services. And a security budget of a little over five and a half million dollars. One of the questions we asked was, well, how much integration do you have right now? Only 11% were fully integrated. But I'm pleased by that number because just a few years ago, it would have been one or 2%. 33% are totally independent. And one of the many, many, many, many, many, many, mantras of the security industry for years, for decades, has been the mantra is we want to be standalone. We don't want to be interconnected to anything. We want to have everything our own. We control it. Nobody else can touch it. The problem with that is the world has changed. Almost, I'd say every camera, closed circuit TV camera you can buy on the market today is gonna have IP networking capabilities. You may not use it, but it's built into the camera when you take it out of the box. So the mantra of security being standalone, we don't want to be involved with anybody else, is not gonna work anymore because you can't avoid being integrated. It's simply not possible. You can't do your job in security if you're not. Convergence also is important. Well, who has the status? IT has a three to one ratio over security in terms of status in a typical corporation. And by the way, when I say, when I'm using the word corporation, I'm not necessarily only talking about commercial. It could be any organization. It could be a governmental agency. These figures are relatively gonna track about the same way, whether it's a private corporation or a public agency. Three to one. I'm not gonna go into the details of that. Three to one, IT status. 
Now that has implications I'm gonna get back to, but it has significant implications for the future of IT and security. What are the relationships between the departments? 72% say they're cooperative. Well, that's great. But 10% say they have a difficult relationship. And let's make believe we're talking about Fortune 500 companies. That's 50 large corporations in the billion, multi-billion dollar operating, annual operating budget. It's 50 corporations where IT and security cannot work together for various reasons. That makes both their jobs very, very difficult. How often do IT and security people meet? 45% either don't ever meet or rarely meet. Can you expect cooperation? So we're talking about almost half the corporations have a poor relationship between IT and security. What kind of software are they using? Again, remember, the mantra for security for decades has been we don't wanna be standalone. We don't wanna be a company that's gonna be a company that's gonna be involved. We don't wanna be involved. Software they use 70% right now is proprietary. The implication of that, of course, is if it's proprietary, it means that you might be married to a particular vendor for a long time. It might be cost prohibitive to change the software because data gathering panels throughout your large office building or whatever, all would have to be changed. Linkages would have to be changed. I mean, it gets to the point that you simply can't afford to change. Now I'm optimistic that 30% is not proprietary. They at least have open protocols. Some are open source, not too many, but at least open protocols. So that's optimistic and maybe this ratio will change over time. But right now it's not conducive for good convergence. So question was asked, would facility security systems be affected if the IT network was infected by a virus? Well, 40-40 is interesting, but the most interesting one is 20% don't know. One out of five had no idea what this idea influenced or not. 
Is security a risk to IT? Well, Bill Zalot, a friend of mine who writes for Security Magazine, different from security management, in his survey he found that 42% of IT managers believe that facility security systems represent a risk to their network. In other words, in the other direction, by tying security into the IT network, they have, at least almost a half of them said they have a vulnerability. That's absolutely true. You have to understand the history of security systems, particularly software, systems management software, to understand why they think that. And I'll get to that in a minute. John. Yes, sir? Just so you know, the convergence of human projectors creates a huge shadow of a moment. Oh, am I? Sorry? Convergence, yes. Most major security systems management software was developed at a time when cyber attacks were either non-existent or it wasn't even a factor. Some of them go back to the early 70s. You're talking about 40 years. And they're still out there. R&D is a very, very small, tiny, minuscule budget in most security vendor companies. Or am I making it difficult for you to? No, no, I thought I'd move the camera. Go ahead. If they're not spending on R&D, some of the, I'm not gonna name names right now, but some of them have basically done no R&D. They've tweaked it a little bit. They do a lot of, they bootstrap stuff onto it, but it really hasn't changed in 30, 40 years. Some major security software has never had any protection against any kind of cyber defense. And like I said, some major security system software was cobbled together on their existing product after the fact. Has either that or has never been pen tested. They put it on, they don't know if it works. What kind of operating systems are typical then for both departments? Well, IT, well both of them are predominantly Windows, obviously. IT tends to be 96% of the companies were Windows. 4% Unix, no Linux. Oddly, security is actually getting into Linux much more than IT. 
What's the most hacked software in the world? Wrong. Windows is the most hacked software in the United States. On a worldwide basis, the most hacked software is Linux. We just don't happen to use Linux in the US very much, except for like embedded applications and special applications, vending machines, Coke machines and so forth. They dial out and say, I need more Coke. The other thing here is primary operating systems. 4% of the respondents didn't know what they had. That's telling too, which means, you mean 4% again of say 500 companies, that's a lot of companies, who have no idea what operating software they're using. These guys just trying to hide, you know, they're hiding kind of system today. Not for operating system. Yes, there is a, particularly in the security side. But here, it really doesn't matter that much. Security departments' vulnerability to attacks: 49% of their systems are periodically inspected by IT. But that means 50% are not. 57% stated a security system software was never designed against cyber threats. And 57% didn't even have the ability to know if their ports are being attacked or scanned. All of the very few security systems management software developer products that started when they wrote the code to begin with, they incorporated IT, cyber defense. They tend to be part of building automation systems. The downside of that, of course, is that security is a tiny component of the building automation system. It's not dominant. In fact, again, I don't wanna name names yet, but in some cases, if you wanna balance the HVAC system in your building, sometimes you have to shut down the security system before you can do that. Because it's part of the BAS. They also tend to be very expensive. In some cases, triple the cost or price of non-BAS security management software and are not widely used at the present time. I was interested that we also asked the question, well, do you have a building automation system? 
About a third, almost a third said yes, two thirds said no, and again, that strange 7%, I don't know. It's hard to believe you wouldn't know that. So this goes back to what I was starting out talking about. If we're talking about IT professionals, the IT community, many believe they're security experts. With some exceptions, like I said, everybody in this room, most of them aren't, but they think they are. I remember that I've done hundreds of surveys of buildings and computer centers, and I remember this infamous one in New Jersey I went to where they were so proud of what they had; they had spent a big bundle, big bundle of money on security systems and cameras and intrusion sensors for their computer room, and I'm walking down the hall and I saw a utility closet, a janitor's closet, and they opened up the janitor's closet and there was a suspended ceiling in there. So I got a ladder, I climbed up, and yeah, you could climb right over the wall like I think someone did here earlier this morning. You could go right inside, and I said, do you have an intrusion sensor that's above the ceiling? No, they didn't because they can't think like criminals. Criminals would think of that, ordinary people don't. Ordinary people are stymied by a locked door, right? But that's the mentality. Some IT departments hold a dominant position over security departments. I'll get back to that again a little more later, but there's an increasing trend that IT is actually managing the security of both private and public organizations. Why, because a lot of security is IT-based, and the security people are not well-versed and they're turning more into company cops, and the actual management is being done by the IT department, which doesn't think like criminals. They don't have the mindset to do this effectively. The other aspect of this that I think influences vulnerabilities in both communities is that chief technology officers a lot of times have direct access to senior management. 
Security managers generally don't have that kind of access. Some IT professionals dislike, maybe even hate, traditional security and security professionals. There's an actual animosity, and in some cases, they ignore, circumvent, and even sabotage non-IT security systems. And security practitioners are held in low esteem because the fact of the matter is IT people tend to be better educated. They tend to have more professional careers. A lot of security people come out of law enforcement, may not, might have a ton of experience, but don't have a lot of education compared to IT. And some IT departments resist integration into facility-wide security systems, or having those systems integrated with them. The problem is, when they do their own, they typically are poorly designed and poorly managed. And that's why, again, I stake my reputation on the fact that the vast majority of IT departments and so forth have poor security, but they think they're doing a really good job. It's only when you pen test them that, and then of course, sometimes, I remember one, again, I try to keep those projects very, very confidential for obvious reasons, but I remember this one very, very sensitive facility, asked if I and some other people working with me could break into their facility, over a weekend, starting Friday night until Monday morning when people come to work, and their statement was, of course, we know you can't do it, we just wanna see how far you can get before we catch you. Well, Friday night, by 8 p.m., we had gone in three times. So I had two days, and they were funded days later, and I had to do it. So I had two days, and they were funded days, so. So I remember I called a local airport and had a hazmat suit delivered to me, because I'd never tried that, to see how a hazmat would do. I had theatrical smoke delivered. So for two days, I got to play all kinds of crap that I always wanted to try. And they gave me the money to do it, so. 
And then, after I did it, they did not want to report. Nothing in writing, they said. And they paid us everything to go away. So. All right, who reports to whom? Again, it shows the status that IT has that's significantly higher than security. IT departments, 27% CEO, 26 CFO, 18% CEO. You can add those up, and you're talking about very senior management access. On the security side, about half or a third of that. 73% of IT departments report to senior management, only 40% of security departments do. What titles? Now, a lot of times, you can find out what someone's status is by what they're allowed to call themselves. Again, IT is much higher. Particularly CISO, CTO, and CIO. On the security side, most of them tend to be called director of security. And director, of course, is a non, depending on how you look at it, is a non-title term. Same as manager. Now, this is kind of fun. I wanted to get a sense of, because the questionnaires that we got back were filled out by both security and IT people, and we really didn't have a good sense of what the mix was. In other words, how many IT people, did they collaborate to do it independently? So I wanted to get a sense of how much I knew about IT, so I asked, I said, and I didn't have the, there's a little parentheses weren't there. I just said, do you know what ISO is? Do you know what it stands for, yes or no? So 75% knew what ISO was, International Organization for Standards. 46%, Six Sigma, Quality Control, and so forth, and all the way down. When it gets down to building automation systems, remember that a lot of them had building, a third had building automation systems. Only 5% had ever heard of BACnet. You can't be in the BAS if you don't know BACnet. And then my concern was, suppose someone's BSing me, saying, yeah, yeah, I know what that is. Well, so I asked them, do you know CLATU? 
Of the 100 questionnaires, no one said they recognized CLATU, and that was affirming to me, because CLATU was a nonsense term from the movie The Day the Earth Stood Still, CLATU Baratonicto, right? Had this been higher than zero, then I would know somebody's BSing me, but nobody said they recognized CLATU. So I think it was a relatively honest survey, at least as far as we could make it. Part of the issue is your organization tends to be part of the problem. According to Absolute Software and Ponemon Institute, last year in February, 56% of business managers disengaged their laptop encryption. 92% of IT departments report that a laptop has been lost or stolen, of which 71% resulted in data breaches. And 61% of business managers share their passwords, whereas only 4% of IT managers do. So the organization is part of the vulnerability too. So when you're talking about convergence, about security departments and IT departments melding together at some point, you can't ignore the larger organization, because those employees and those managers are part of the problem and part of the vulnerability that's created as well. Of the 329 organizations queried, 86,000 laptops were stolen over a one-year period. The average cost per organization, average cost per organization, $6.4 million. And where did that cost come from? The value of the intellectual property stolen obviously is part of it. There's also fees associated with data breaches, and that is you have to go out and you have to get people to come in and figure out, do a damage control, damage assessment, what was lost. And there are certain, depending on who you are, like you have DEA requirements and so forth, there are no mandatory notification requirements for data breaches as well. The probability of any laptop being lost or stolen any three-year period is five to 10%. And only 5% of the laptops that are stolen are ever recovered. Now that's again, a convergence vulnerability. 
That's because IT is not really good at security. They don't think that way. And security is rarely involved in helping them protect things like laptops, because IT tends to operate independently. 46% of the laptops contain sensitive information. Only 30% had disk-based encryption. Only 29% had been imaged for backup, and only 10% included any kind of antitheft features at all. No questions or challenges or comments? All right, this is interesting, particularly those who are not undercover here. Internet sales, this is a convergence area that a lot of people don't think about. But the availability of the internet and internet access means that you can buy stuff and sell stuff in relative anonymity. In other words, you don't have to walk into a store. No one can ask for your credentials over the internet. You can lie about it. In 2005, not that many years ago, customs inspectors intercepted a package of badges from Taiwan to an apartment in Bronx, New York. The shipment contained 1,000 badges. Man, you could read the rest. Search of the residence revealed 1,300 high-quality counterfeit law enforcement badges in the residence. And by the way, this was a legitimate business enterprise. This was nothing nefarious. It was aboveboard, and this person that actually had this stuff was actually selling primarily to law enforcement agencies. But part of it was FBI badges. And the irony here is, I don't know how well you can see it, but the way you find out which one's counterfeit, it's the better-looking badge. So that kind of stuff, as well as paraphernalia used for break-ins, red hat operations, and so forth, hacking tools, 0-days, all that stuff, is conceivably available anonymously over the Internet. That is a convergence issue of a major kind. 
Other aspects, like in fact that I was chatting this morning about a week, just a week ago, I played back a TVL recording infrared LED collars around her head. And they gave this effect. You could see the body, you could see the figure, but you couldn't see the face because it was bloomed out. And it's a German company that sells it, the device is on the right. I'm dubious about whether this really works. It could be mythology. I've been looking into it for the last couple of days with no success. I'm not making any headway on that. In fact, I tweeted and I went on LinkedIn and everybody else. And so far nobody's come back with any useful support. I want to know, has anybody actually benched or lab tested this technology? I have a feeling, I have two problems with it. One is that infrared energy, any monochrome camera can see into the ultraviolet and the near-infrared spectrum, particularly around 700 nanometers, not to about a thousand nanometers it drops off. All monochrome cameras have what's called a cut IR filter because the wavelengths are different. You create focusing problems by allowing too much IR. Not only that, but you have a balance of adjustment problems. So the cut filter should block a lot of the IR unless someone's, why would anybody take the cut filter out? Wouldn't make any sense, particularly for a monochrome camera. The other problem is that, I don't want to get too, I don't know how technically, but human beings run about 2.7 microns wavelength by our energy. I'm sorry, 9 to 12 microns. Ordinary glass, silicon dioxide. You put glass in front of a passive infrared sensor or any infrared source. It'll block infrared energy beyond 2.7 microns, which means you put glass in front of an IR sensor, it can't see a human being. And yet you don't get a trouble light or anything like that because it's still working. It just simply can't see that part of the spectrum. And since the glass on the lens on the camera is glass, anyway. 
But on the other hand, maybe this is a vulnerability. But again, this is a convergence issue. Yes, sir? I used to use CCD cameras like the standard cameras you get at Best Buy to find IR illuminators. You can see with the camera the IR illuminations you can't see with the naked eye. Yeah, and what's interesting to me is the fact that somebody was tweeting with me just a day or so ago about that. It's fascinating to me because some of this, it brought this up to me as if this is new technology. And I pointed out that over 30 years ago there is US Customs in particular and back then called BNDD, Bureau of Narcotics and Dangerous Drugs, had something called a Firefly. And there was a little tiny IR LED transmitter, battery powered. You could barely see it. And they put it on a piece of cargo or a car they wanted to track. And then they'd get up in a helicopter and put on IR night vision goggles. And you could be five miles away and this thing looked like explosions. So you just, to follow a car or a cargo being moved, you just follow the explosions from a helicopter at a height of 1200 feet. That's 30, 35 years ago. So the stuff we have today is frankly not that different. I mean, it's Firefly technology. Sir? We just tested it and it doesn't blind the camera, though you can tell the LEDs are a lot easier than if you just look at the bare human eyes. Yeah, my concern about this is and why I'm dubious is that LEDs in particular, because you have a bunch of them on there, tend to be very directional. Yeah. Unless you've got a Fresnel lens. So my thinking is if you just turn your head a little bit and you change your orientation, your face shows up. So something that does work, and I've seen someone actually do this with a scope and like a cell phone to turn it on and off. Aim with a scope, a green laser into a camera, then trigger it using the cell phone and you can temporarily blind the camera for the amount of time you need it. Yeah, yeah. 
In fact, in the movie Sneakers, we wrote that scene, but it never got, never made final production. Didn't it? It made it in, shoot, shoot. Who's the guy that directed Malcolm X? He also directed that bank robber movie. Spike Lee. Spike Lee, yeah. Spike Lee's movie about the bank robber. When they came in, they had some kind of equipment that they aimed at. It seemed like that was kind of simulated in the same. Yeah. Well, but this thing is not to blind the camera, but it simply puts so much IR around your face that it can't be recognized. Anyway, it's a convergence issue. People say as a technology breakthrough, I look at it as convergence. It's IT and security coming together to either create a solution or create a problem. Then Photoshopping, like I did earlier. It creates all kinds of vulnerabilities. That is the IT capability of doing Photoshopping and security requirements for good credentials. It's so easy to phony up credentials right now. This is the one I did myself. It was easy to move everything around. Of course, part of the training that security ought to get from IT people is how do you recognize bad credentials? Because they're so easy to do right now. Are you going to talk about convergence in passports with IT and security? Actually Tiffany has a whole thing on RFID and the US passports that we have time she has a whole presentation on that. But the notion that RFID credentials including passports are not vulnerable to hacking is BS. It's already been demonstrated. In fact, I think Black Hat had a demonstration. Then another critical convergence issue is the internal threat. What happens if you're on the inside? Whether on the security side or the IT side? FBI, for example, had its own problem. So did the CIA. The access to the internet and IT technology just makes the insider threat so much more dangerous. One of the big questions I have about Manning, for example, in this WikiLeaks business is what the heck was wrong with their system? 
Back in, again, decades ago at the CIA, everybody, if they could, had to spend some time in what we used to call purgatory. That is, you had to spend some time in the records area so you understand what they have and how it works and what's reasonably requested. Everybody down there, we were warned, don't check out your neighbors, don't check out your relatives, don't check out your girlfriend or boyfriend because they'd pick you up right away. Now how the heck did Manning get 500,000 to what, 2 million documents and nobody said, wait a minute, why is one man requesting 2 million documents, downloading them? I don't understand. Where were the checks and balances? Not only that, but that should be something so easy to follow. So what's the best way to mitigate vulnerabilities caused by employee misconduct? Well, there's certainly, the answer is better cooperation between security and IT departments and the way you get better cooperation is you get them to talk to each other, have regular meetings, cross train, take security people and bring them into the IT world and give them some IT training. Take IT people and bring them into the security world and have them go through a few ASIS conferences or whatever, cross train them. Security awareness training, a lot of times, for example, bad credentials, if you know about bad credentials, if you're alerted to it that there might be counterfeit FBI badges floating around there and you know what they look like, you can discover it, but it starts with awareness. And then general security education. But finally, I think part of the solution is enforcement of rules and standard operating procedures, enforcement. But to quote, to paraphrase Al Capone, you can accomplish more with security awareness training and benevolent despotism than you can with security awareness training. What Al Capone says, you can accomplish more with a kind word and a gun than you can with a kind word. So it's the same idea. 
Enforcement, I mean, right now, if you break the rules and violate the rules, there are virtually no consequences most of the time. We're undergoing a sea change in security, both IT security and traditional security. Certainly the World Trade Center attacks in 1993, 2001 created that to some extent, the Murrah Building in Oklahoma City. The birth of Homeland Security, it's a juggernaut. I think they could do a lot better, but considering how little time they had and how it was rammed through, on the one hand, I can admire that they've accomplished so much, but they have a long way to go yet. Security systems have been immersed in IT. That is, when you talk about electronic security systems today, you're talking about basically cyber type of technology. Security centers now are intelligent, have artificial intelligence. A lot of times they use fuzzy logic. That is non-digital cyber thinking. In other words, it's not a yes or no, it's a probability saying I'm about 98% sure that there's been an intrusion, whereas in the old days it was either 100 or a zero. And that made it a lot easier for the hacker, for the attacker. When I'd red team something, I would attack the circuit that was designed to minimize nuisance and false alarms. That was my first priority. If you're going to attack, for example, a fence intrusion system, and I say this because there's only one good one in the world, probably, and that's Israeli taut wire, but all these others, they're meant to create a window of alarm opportunity lasting about 50 seconds to about 90 seconds, depending on the system. Which means that if you have an outdoor fence system and you have a lot of wind, we have deer moving around grazing on shrubs next to the fence, and they set off the alarm, the system checks again. Am I going to get another signal, another signal, another signal? If at some point after 90 seconds, 45 to 90 seconds, it doesn't get a signal, it says, okay, it's probably nothing. 
So if I go out there with bolt cutters and I cut a link in a chain link fence that has an intrusion sensor on it, but I only make a cut every 95 seconds, I'm not going to set off the alarm. And I could cut a hole the size of nut to send a regiment through, as long as each cut is 95 seconds apart. So that's the part of the system that's vulnerable, and we can fix that. And one way we fix that is using intelligent video, artificial intelligence, and particularly fuzzy logic. Japan established a fuzzy logic institute about 20 years ago. Most people in our community, in the US, we don't even know what fuzzy logic is. We need to beef that up.

Mega corporations have entered into security, I'm talking about Fortune 100 companies, finally discovered there's a market there and they can make a lot of money. That's changing, that's a sea change for security, because they're finally putting in R&D dollars; whereas small companies couldn't afford it, these huge corporations can. It's a little bit like, you know who invented the transistor that revolutionized the world? What company invented the transistor? Bell Labs. Exactly, Bell Labs. PNP, NPN, these guys worked at the Homer Research Center in Bethlehem, Pennsylvania, worked for Bell Labs, and Ma Bell back in those days had all the money in the world. And Ma Bell said, here, there's a bunch of money, do whatever you want, there's no agenda, you don't have to report anything, make your own project. And they ended up inventing the transistor.

The global war on terror has changed security and particularly has a tremendous impact on convergence. The renewed growth of public law enforcement, I'll get back to that in a minute, that's a very significant one that everybody overlooks. 9/11 changed law enforcement. Trial lawyers discovered security; that changed security. All of a sudden liability exposure is a factor, both for the IT and the security side.
The 1993 attack on the World Trade Center, the last litigation was only finished about a year and a half ago, resulting in billions of dollars in awards. And then the cost of security. We have to be smarter in security. You can read the headline yourself: New Jersey officials fear terrorists could poison gumball machines. That is not where we want to spend our homeland defense money. Or I remember I blogged a little bit about Senator Collins from Maine. I spend half my time in Maine. She directed Homeland Security money sent up to Fort Kent. Those not from Maine don't know where Fort Kent is. Fort Kent is on the Canadian border. Al Qaeda couldn't find Fort Kent with a map. I don't think their security department needs anti-terrorism paraphernalia. So we just have to be smarter.

What are the costs? Well, nobody knows. Costs are overlapping. They're stuck in odd budgets. If you look at a construction project, you rarely will find a line item for security systems. It will be part of electrical, some will be in HVAC, some will be in infrastructure. Costs overlap. State and Homeland Security costs a lot of times are not captured, deliberately sometimes. Security spending is poorly defined. Is a fence a security item or a line of legal demarcation? Is a fence a security purchase? It's worthless in terms of intrusion. I don't care what kind of fence you make, you can get over it in seconds. So it's a line of legal demarcation as far as I'm concerned. There's very little security value. But what budget are you going to find it in? Don't know. Overseas figures are almost entirely missing. And for liability reasons, again, trial attorneys have discovered security. Most companies and governmental agencies don't want to talk about problems because of liability exposure. In 1989, 1990, me and two other guys published a book, Private Security Trends, projecting over a 30-year period from 1970 to 2000 what our forecast was, where we think security is going to go.
We need a new study, because we have no idea what the costs are right now. Our figure back then was, by the way, the entire, I'm talking about nobody had done a study like this before. And when we found out that private security became bigger and more expensive than public law enforcement in 1977, that was basically a shock to everybody. Nobody knew that. And then it kept diverging. By 2000, private security was more than two times the size of public law enforcement. But 9/11 happened and all those other factors I talked about. Well, I don't know what the costs are, but I think this is what happened. I think public law enforcement is above private security again. So what's included in those numbers? Are you talking law enforcement included intelligence, does private security include company IT departments? The only thing that was not included was overseas. But what is included? Public law enforcement was state, federal, and local law enforcement, including corrections. And on the private side, it was mainly corporate security, whether it could be contract guard services or it could be proprietary guard services. But in any event, I think the crossover occurred. And now law enforcement, public law enforcement, is probably well over private security again. But we don't know. Somebody needs to do a new study.

Some more thoughts. A typical office building today costs about $116 a square foot. Overseas diplomatic facilities are now running about $450. It was up to about $700, but they've cut it back finally. But the recent visitor center for Congress came out to almost $1,000 a square foot. Huge difference.

Let me talk just a minute about risk assessment, because part of convergence in that is what's the risk to the IT side, what's the risk to the security side? Well, this is my personal opinion.
There may be those who disagree with me, but in my personal opinion, most structured risk assessment methodologies, a lot of times called RAMs, and I think all of them, have very limited value and some of them are totally worthless, despite the fact that you could easily spend $60,000 to $100,000 per assessment. One of the reasons is that they're designed by academics who don't know anything about security. Again, I'm not going to name them so I don't get sued by them, but when you really look at it, and I got certified by them just so I could actually use it and train and so forth. When you really poke into it, you find out that they said probability of one, which means the most improbable thing you can imagine, as far as the risk assessment methodology is concerned, will happen. An asteroid hitting this building is as likely to happen as someone stealing my wallet if I leave it in my car. Makes no sense. How can you equate those two as probable events? And again, in my opinion, the best risk assessments, if you're going to do them, are subjective, not objective, and ought to be done by an expert on a subjective basis, on a case-specific basis. A cookie-cutter approach is where you try to say here's an assessment for all office buildings. Wouldn't you say that a federal courthouse in South Dakota has a lower risk of a terrorist attack than a federal courthouse in Manhattan? And yet, as a nation today, we spend the same amount of money in both. You regard the risk as identical. Makes no sense to me. However, I'll tell you what the secret is. That's the secret.

Just a few minutes on understanding threats. Kevin Mitnick popularized the term social engineering. Again, when I have done red team or black hat or whatever you want to call it attacks, social engineering is the greatest vulnerability there is. That's the first place you look. Try to convince someone to break a rule.
I remember in the movie Sneakers, when Redford's trying to get into the building, River Phoenix is delivering a whole pallet full of Drano, and Redford's carrying a balloon and a cake and he can't get it because his hands are full, he can't get his wallet, he can't get his ID card out. That's realistic. The Drano guy was to get the security guard involved with something, and Redford's yelling at him, so what he does, he lets him in the door. That's social engineering. It almost always involves getting someone to break a rule. And convergence, the problem with convergence, the lack of cooperation and conversation between IT and security, traditional security, is at the heart of this problem. Because if IT, for example, doesn't like facility security, it's easy to break their rules. They're not your rules, it's their rules you're breaking. You're keeping your rules, and that's what you exploit. Let's see if... Oh, that doesn't work. Well, there's a sound file there, but anyway, it's from Sneakers.

Anyway, wrapping that up then, conclusions. Security departments will be increasingly subordinated under IT over the coming decade. By 2020, my guess is at least 70% of the organizations will be fully integrated between security and IT. I think facility managers will have a growing role in security, and security managers per se, or security directors, will decline. They're already declining an average of 2% per year organizationally across the board. Why facility managers? Because if the facility manager runs everything in a building, from snow melt systems to HVAC to hot water to everything, and since security is part of it now, part of the building, built into it, building automation systems, they're going to be in charge of running it. And again, the security manager is going to become the company cop.
Titles are going to increase, like CTO and CSO, and security manufacturers, however, over the next decade, are retooling everything they have with IT and computer security in mind. So it will be no longer cobbled together, stuck on after the fact. They're reinventing their products, redesigning their products, and they're building cybersecurity right into it. Convergence will lead to more RFID applications. I think biometric access control is going to become commonplace. In fact, the likelihood that facial recognition, which is not ready for prime time yet, you walk up to a building, the building sees you, recognizes you, and you walk in, it knows you're there, and it knows when you leave. I think that's only a couple of years away. We can do it right now, but the failure rate's about 2%. But if you're talking about thousands of people, 2% is too high. Once it gets down to like a tenth of a percent, or half a percent, then it's going to be real. Long-range facial recognition is almost here. The resolution capability of cameras, megapixel cameras, right now we're up to, if you've got the money, you can go up to 32 megapixels now on one camera. And the possibility of going to 100, maybe 200 megapixels is certainly possible in the near future. Video surveillance is already exploding. New York City, nobody knows exactly, but they probably have in the neighborhood of 12,000 cameras networked right now. London's been doing this for a number of years already. More artificial intelligence and greater use of the internet for non-secret... In other words, if you have a camera looking at a door, why should I spend company or government resources on some kind of private WAN or LAN when I can go to the internet? Because if, oh, I suppose my neighbor taps into that camera, who cares? It's looking at a blank door. Let them look at the door. At the same time, however, I can use them for surveillance.
I remember I did a project in Hong Kong some time ago at what's called the Ocean Pier, where they had... Hong Kong never had, back then at least, never had a lot of crime, but a lot of petty stuff, you know, purse snatches and things like that. So we did. We put cameras all over the shopping mall and then remodulated all the TVs in an expensive apartment building that was part of the mall complex. So elderly people who had nothing else to do could turn on a specific channel and they would see all the security cameras on the pier. Sometimes, like when the Queen Mary arrived, they could see celebrities coming off. But other times they'd say, hey, that kid's doing something. They'd get on the phone, they'd call the cops, Hong Kong police, and they'd intercept them. And that's free security. You don't have to pay for it. And they loved it.

I think the IT community will lead in writing convergence standards. And if the US doesn't start changing its ways, the European Union's going to dominate writing those standards. It is dominating right now. I'm not saying we're not involved, but we're not involved as clearly; the EU is way ahead of us in writing standards. I think security will finally be incorporated into building codes. There are about three national governing building codes in America. And when you say building code, you translate that: 90% of all building codes are fire codes, fire life safety codes. You don't really write codes about how to build something. It's fire life safety codes. But none of them really have any meaningful security involvement. That's going to change.

And stuff that's going to disappear: print newspapers, paper checks, CRTs, pay phones, paper maps, pennies, iPods, desktop computers, VCRs, card readers, incandescent light bulbs, supermarket checkout lines, car keys, will all disappear over the next 10 years. Maybe entirely or almost entirely. And the final point. And that's the presentation. Thank you. I didn't get to use my laser pointer.
Thank you.
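The fence-sensor passage in the talk describes a nuisance-alarm filter that forgets a disturbance once a 45 to 90 second verification window passes quietly, and argues that a probabilistic ("fuzzy") evaluation is the fix. The following is an added example, not code from the talk or from any alarm product, that models both policies over constructed event timelines so the difference can be checked numerically. The `WindowProcessor` implements the forget-after-window behaviour the speaker describes; the `ScoreProcessor` is an assumed alternative in which every disturbance adds to a slowly decaying evidence score, so widely spaced events still accumulate. The window length, decay constant, threshold and timelines are all constructed assumptions, not values from the talk or from any real system.

```python
"""Compare two disturbance-to-alarm policies for a perimeter sensor.

Added illustration only; the processors, parameters and event timelines
below are constructed assumptions, not the behaviour of any real product.
"""
from dataclasses import dataclass, field
import math
from typing import List, Optional


@dataclass
class WindowProcessor:
    """Verification-window filter as described in the talk.

    A first disturbance opens a window of `window_s` seconds. A second
    disturbance inside that window raises an alarm; if the window expires
    quietly, the first disturbance is discarded and forgotten.
    """
    window_s: float = 90.0                     # assumed window length
    alarms: List[float] = field(default_factory=list)
    _pending: Optional[float] = field(default=None, init=False)

    def feed(self, t: float) -> bool:
        if self._pending is not None and t - self._pending <= self.window_s:
            self.alarms.append(t)
            self._pending = None
            return True
        self._pending = t  # start (or restart) a verification window
        return False


@dataclass
class ScoreProcessor:
    """Decaying evidence accumulator (assumed alternative policy).

    Each disturbance adds `weight` to a score that decays exponentially
    with time constant `tau_s`. An alarm is raised when the score reaches
    `threshold`; the score resets after reporting. Because the memory is
    long, disturbances spaced just beyond a short window still add up.
    """
    tau_s: float = 900.0                       # assumed 15-minute memory
    weight: float = 1.0
    threshold: float = 2.5
    score: float = 0.0
    alarms: List[float] = field(default_factory=list)
    _last_t: Optional[float] = field(default=None, init=False)

    def feed(self, t: float) -> bool:
        if self._last_t is not None:
            self.score *= math.exp(-(t - self._last_t) / self.tau_s)
        self._last_t = t
        self.score += self.weight
        if self.score >= self.threshold:
            self.alarms.append(t)
            self.score = 0.0
            return True
        return False

    def confidence(self) -> float:
        """Map the raw score to a 0..1 belief that an intrusion is under way."""
        return 1.0 - math.exp(-self.score)


def run(events: List[float], processor) -> List[float]:
    """Feed a timeline of disturbance timestamps; return alarm timestamps."""
    return [t for t in events if processor.feed(t)]


# Constructed timelines (seconds). SPACED_CUTS is the talk's 95-second
# pattern; BURST is a rapid cluster; SPARSE_NOISE is two isolated bumps.
SPACED_CUTS = [i * 95.0 for i in range(6)]     # 0, 95, ..., 475
BURST = [0.0, 8.0, 15.0]
SPARSE_NOISE = [0.0, 600.0]


if __name__ == "__main__":
    for name, events in (("spaced cuts", SPACED_CUTS),
                         ("burst", BURST),
                         ("sparse noise", SPARSE_NOISE)):
        print(f"{name:13s} window={run(events, WindowProcessor())} "
              f"score={run(events, ScoreProcessor())}")
```

With the assumed parameters the window filter never alarms on the 95-second cut pattern, because each disturbance falls just outside the previous one's window and is forgotten, while the accumulator alarms on the third and sixth cut. Both policies stay quiet on two isolated bumps ten minutes apart, and both alarm on a rapid burst, so the longer memory does not by itself turn the sensor into a nuisance-alarm generator; tuning `tau_s` and `threshold` against a site's real wind and wildlife history is where the engineering effort goes.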