Chapter 9
Did You See That! (Observation)
If I were to prescribe one process in the training of men which is fundamental to success in any direction, it would be thoroughgoing training in the habit of accurate observation. It is a habit which every one of us should be seeking ever more to perfect.
Eugene G. Grace
Introduction
Observation is the central principle of security. It is both a deterrent and a detector. It is a deterrent because people are less likely to do something illicit if they believe someone will see them doing it, and it is a detector when an illicit act is seen. Observation is not limited to sight; it can be a function of any of the five senses or any number of mechanical or technological sensors. A magnetic switch on a door observes (senses) when the door is opened or closed; a motion detector observes something moving through a space, and so on.
From a security standpoint, observation is the monitoring of activities to identify suspicious or malicious activity and invoke a response. These are the three components of observation: monitor, detect, and alarm. The monitor component observes the current state of something, detectors observe changes to the state, and alarm components generate an alert when the change to the state crosses one or more thresholds. A threshold is the point or value above which something is considered an event. A threshold can be binary (the door is open, the door is closed), based on multiple factors (the door is open and 300 milliseconds have passed), or a scale (the temperature is normal, the item is overheating).
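The monitor/detect/alarm split and the three kinds of threshold, as an added example in Python (not from the book): a detector reports raw state changes without judging them, and an alarm component applies a binary threshold (door opened), a multi-factor threshold (door open and 300 ms elapsed) and a scale threshold (temperature bands). The sensor names, the band limits (60 °C and 80 °C) and the sample feed are constructed.

```python
from dataclasses import dataclass
from typing import Any, List, Optional
# Added example, not from the book: monitor / detector / alarm using the
# chapter's thresholds (door open; open AND 300 ms; temperature scale).
@dataclass
class Reading:
    t_ms: int     # time of the reading in milliseconds
    sensor: str   # "door" or "temp"
    value: Any    # True/False for the door contact, degrees C for the probe
class Detector:
    """Holds current state (monitor) and reports every change (detect)
    without judging it; deciding good from bad is the alarm's job."""
    def __init__(self):
        self.state = {}
    def observe(self, r: Reading) -> Optional[tuple]:
        old = self.state.get(r.sensor)
        self.state[r.sensor] = r.value
        return (r.sensor, old, r.value) if old != r.value else None
def temp_band(deg_c: float) -> str:
    # Scale threshold: map a reading onto named bands (constructed limits).
    return "normal" if deg_c < 60 else "warm" if deg_c < 80 else "overheating"
class Alarm:
    HOLD_MS = 300   # second factor for the 'door held open' threshold
    def __init__(self):
        self.door_opened_at: Optional[int] = None
        self.hold_alerted, self.band = False, "normal"
    def evaluate(self, r: Reading, change: Optional[tuple]) -> List[str]:
        alerts = []
        if change and change[0] == "door":
            if change[2]:                        # binary: the door opened
                alerts.append(f"{r.t_ms}ms door opened")
                self.door_opened_at, self.hold_alerted = r.t_ms, False
            else:
                self.door_opened_at = None
        elif change and change[0] == "temp":     # scale: the band changed
            band = temp_band(change[2])
            if band != self.band:
                alerts.append(f"{r.t_ms}ms temperature {band}")
                self.band = band
        # Multi-factor: still open AND 300 ms elapsed; checked on every reading
        if (self.door_opened_at is not None and not self.hold_alerted
                and r.t_ms - self.door_opened_at >= self.HOLD_MS):
            alerts.append(f"{r.t_ms}ms door held open")
            self.hold_alerted = True
        return alerts
def run(readings: List[Reading]) -> List[str]:
    det, alarm, out = Detector(), Alarm(), []
    for r in readings:
        out.extend(alarm.evaluate(r, det.observe(r)))
    return out
# Constructed feed: door opens at 100 ms, still open at 400 ms, closed at 500 ms;
# the probe climbs from normal through warm into overheating.
SAMPLE = [Reading(0, "door", False), Reading(0, "temp", 45.0),
          Reading(100, "door", True), Reading(250, "temp", 62.0),
          Reading(400, "door", True), Reading(500, "door", False),
          Reading(600, "temp", 85.0)]
```

Running `run(SAMPLE)` yields four alerts: the door opening, the warm band, the door held open at 400 ms, and the overheating band; the detector itself never decides which changes matter.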
Strategy requires thought, tactics require observation.
Max Euwe

Observation is a major component of facility design. Buildings are uphill from the parking area, landscaped with ground-level plants, have glass-walled reception areas, and well-lit entryways to facilitate the observation of approaching vehicles and people. Interiors are designed with open spaces filled with 5-foot walled cubicles, straight hallways, and windowed offices to facilitate the observation of staff activities. Observation in operations may include posting guards or using video surveillance to observe people’s actions and monitor safeguards. Observation in operations also includes alarm systems such as smoke and fire detectors. Information systems are equipped with antivirus, intrusion detection, and other controls that observe what comes into the system to see if it contains any malicious content or represents an attack pattern. All of these examples are based on observation because observation is what invokes response, and response is what is required to curb malicious activity. Preventative controls (locks on doors, chain-link fences, turnstile gates, and the like) are not designed to stop malicious activity; they’re designed to retard the effectiveness of an attack so that it can be observed and responded to. The effectiveness of security is based on our ability to observe what is happening and invoke a response.
Observation Objectives
A large portion of strategy in general is based on observation—for example, observing what the competition is doing, observing what customers want, and observing our capabilities. When we do strategic planning, we seek tools that improve our observation: business and competitive intelligence, surveys, focus groups, and the like. Why? Because observation is what gives us the ability to respond to changes in our business or technical environment and make good decisions on how to address those changes. The principle isn’t any different when it is applied to the realm of security; the only thing that changes is the scope. The essence of our strategic security objectives is to have unsurpassed observation capabilities. Ideally, we want no gaps in our observation; we want to be able to observe and detect every instance of malicious activity. Of course, the ideal isn’t obtainable, but keeping the ideal as the goal allows us to continuously close the gaps.
Observation is directly linked to the principles of timeliness and response. The better our monitoring, the quicker we will be able to detect that something is wrong and raise an alarm. Real-time observation invokes real-time responses, but not all observation is real time. For example, the periodic review of a log file or an audit trail will detect security events from the past; reviewing video surveillance tapes is a similar example. The timeliness of our response is based entirely on the timeliness of our observation.
Observation is also key to the principle of economy from two standpoints. The first is economy of response. The quicker the response, the less the potential damage from the malicious activity. Second is the economy of force. Superior observation provides the information required to make a reasoned response that only pulls in the resources required to effectively address the situation. Automation can also reduce the number of people required for observation tasks. For example, installing a continuously monitored camera may eliminate the need for a guard, or combining video feeds onto a single monitoring station can reduce the need for monitoring personnel. Superior observation also facilitates coverage because the information it provides helps the response commander make better decisions.
Observations frequently overlap; for example, when someone comes into work, the card reader observes the person’s entrance into the facility, video surveillance records the entry, and the authentication server observes the person’s log-on. This provides a level of redundancy, but it also improves the quality of the observation.
Finally, observation supports the principle of preparedness by providing an early warning of an imminent attack or, in the case of reconnaissance, helping prepare for future attacks.

Safes are not designed to keep people out, otherwise they wouldn’t have doors on them; they are designed to make it difficult for some people to open the door!
Unknown
Observation, whether defensive or offensive, is a critical component of security strategy and will always be one of our key objectives. All our tactics should include an observation element that can alert us when an attack is imminent or manifest. Furthermore, we should construct our observation capabilities so that we can use the information to effectively direct responses to the key points of attack.
Observation Elements
Observation can be divided into three elements: reconnaissance, sentry, and command. Reconnaissance provides early warning of potential danger so we can prepare defenses; sentry provides evidence of an existing attack so we can respond; and command provides the information needed to use our forces effectively against the key points of attack. Each of these elements has slightly different applications in facilities and IT security.
Reconnaissance
Offensive units use reconnaissance to learn about an enemy’s strengths, weaknesses, plans, and schedules for the purpose of engagement (i.e., to attack them). Reconnaissance for defensive purposes focuses on learning what will be targeted in the future and what tools (weapons) and maneuvers will be used so that countermeasures can be put in place and personnel prepared for the potential attack. Reconnaissance (recon) is a critical component of a good defense. The more you know about your opponent’s capabilities and attack plans, the better you will be able to plan and deploy the resources needed to minimize their effectiveness. During the early years of the Internet, reconnaissance was a lost art. Security and networking professionals were aware of dangers like Distributed Denial of Service (DDoS) attacks, but no one was actively working on defenses against those attacks, nor was anyone tracking what malicious code the hacking community was developing. Then one day in 2000 hackers hit eBay, Yahoo, Amazon, and E*Trade with a massive DDoS attack, and suddenly understanding DDoS attacks and defenses became a critical part of defensive security planning. The pattern was similar for other attacks as well: little reconnaissance, ineffective responses, and massive damage.
Today, that pattern has changed substantially; there is more emphasis on preparedness. Large software vendors and Internet Service Providers (ISPs) work together to quickly identify and thwart attacks, and several employ spies to recon hacker activities. One company even used a widely publicized hack of their website to “up” the notoriety of their staff spy in the hacker community. His (phony) achievement gave him celebrity status and access to a much broader array of hacking activities. Some might classify this tactic as an offensive rather than a defensive one, and that might be true if the purpose was infiltration. Infiltration tactics involve getting past the enemy’s frontline defenses and attacking lightly defended rear areas. Paratroopers were used for this purpose in World War II. But that isn’t what we are talking about here; we are only gathering intelligence. We are not trying to put them out of business; that’s the work of law enforcement. Communications companies like AT&T do extensive traffic analysis to identify attack patterns; Microsoft and other vendors of security products track malware outbreaks. Still others employ Honey Pot Systems to recon potential exploits and intrusions, and to capture malicious code for submission to antivirus vendors. Honey Pots are basically decoy systems that do passive reconnaissance. When attacked, they respond like a real system would, but in the background they are capturing information about the attacker and the tools/exploits they are using.
Security Strategy: From Requirements to Reality
Reconnaissance is a manual control; it requires someone to go out and observe the enemy. Some of this recon can be done through “Hacker” websites, but spy techniques that get you into the underground world of black-hats are far more effective. It can also be far more challenging; it takes time to make the necessary inroads and build a reputation. Hiring a hacker is one way to shortcut the process. Someone who is an active member of the hacker community has the ability to gather information about emerging exploits, targeted systems, and hacking trends. This is information that can be used to facilitate preparedness through the identification of potential exploits (something a hacker can also help with) and the deployment of appropriate countermeasures. Hiring someone full time to perform defensive intelligence gathering is cost prohibitive for most organizations, but a number of excellent subscription services such as the SANS Internet Storm Center, Security Tracker, and Symantec DeepSight provide excellent reconnaissance information. Some are free, and others have a yearly subscription fee (approximately $20–$30/month).
Sentry
Sentries are deployed along the perimeter of an encampment to provide attack or imminent attack notification. The amount of advance warning is a function of the sentry’s field of view. In medieval times, during the day a sentry at the top of a castle tower had a broad view of the surrounding countryside and could provide an early enough warning to get the gates closed and defenders in place before the attackers arrived. At night this capability was greatly diminished, and so the gates were kept closed at night and more sentries deployed. Sentry positions were often enhanced with noisemakers or other devices designed to alert sentries to movement along the perimeter. Today the military uses electronic sensors and night-vision goggles to improve sentry observation. Bill learned how effective this type of monitoring was while looking for a good place to eat lunch on a naval base. There was a nice grassy knoll near where he was working, so he headed across it to find a place to sit down. He hadn’t walked 100 yards along the outside of the security fence when a jeep pulled up alongside him and a rather displeased officer asked him who he was and what he was doing. Little did he realize he was walking along the perimeter of the ordnance bunker, setting off the motion sensors as he merrily strolled along!
Physical Security
Observation tactics in physical security focus on two areas: improving human surveillance and improving event detection. Surveillance means to continually observe or to watch closely. Not all surveillance is necessarily visual; it could be audio (i.e., eavesdropping) as well. And not all surveillance is human; some can be electronic—for example, a home confinement ankle bracelet continuously monitors the distance a person is away from the confinement sensor. We will not be covering the latter scenarios but will focus on human-based visual observation. The effectiveness of human surveillance is based on three factors: field of view, resolution, and training. These factors are the same for people looking directly at the scene or monitoring it with video.
Field of view is what is visible from a given observation point or perspective. The larger the field of view, the more things can be observed at one time. Cameras tend to have a more limited field of view than the human eye; consequently, they are equipped with pan and tilt functions that allow them to quickly change perspectives. Field of view is enhanced by elevation; for example, standing at ground level, a person can see approximately 2.75 miles, but standing in a 100-foot observation tower, a person’s field of view increases to 12.5 miles. Buildings are elevated above parking areas to provide a better view of vehicle and foot traffic approaching the building.
Field of view is diminished by obstructions. Reception areas typically have glass doors and floor-to-ceiling windows, so that reception personnel have a clear view of people approaching the building. Landscaping uses low-lying shrubs and plants that do not obstruct the view. Field of view is enhanced by light and diminished by darkness, so the walkways and the main entry to the reception area are usually well lit in the evenings. Resolution relates to the quality of detail in the image. For example, HDTV has a higher resolution than standard television. Resolution is diminished by distance, monitor size, lighting, and the optical characteristics of the viewing device. Things at a distance and things on a small video screen are difficult to distinguish; video cameras have a zoom feature to improve distance resolution. Most video viewing systems have an option to switch to a larger monitor to improve resolution.
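The two elevation figures quoted above (about 2.75 miles at ground level, 12.5 miles from a 100-foot tower) follow from the distance to the horizon over a spherical Earth. This derivation is added here and is not from the book; it assumes an Earth radius R of about 3959 miles and an eye height of about 5 feet for a standing observer, so h = 5 ft at ground level and h = 105 ft on top of the tower.

$$
\begin{aligned}
d^2 &= (R+h)^2 - R^2 = 2Rh + h^2 \approx 2Rh \qquad (h \ll R) \\
d &\approx \sqrt{2Rh} = \sqrt{\frac{2 \cdot 3959\ \text{mi}}{5280\ \text{ft/mi}}}\;\sqrt{h} \approx 1.22\,\sqrt{h}\ \text{mi} \qquad (h \text{ in feet}) \\
h = 5\ \text{ft}: &\quad d \approx 1.22\sqrt{5} \approx 2.7\ \text{mi} \\
h = 105\ \text{ft}: &\quad d \approx 1.22\sqrt{105} \approx 12.5\ \text{mi}
\end{aligned}
$$

The same rule of thumb explains why a modest rise in building elevation over a parking lot buys a disproportionately longer line of sight: range grows with the square root of height, so the first few feet matter most.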
Resolution is affected by low lighting, excessive lighting, and poor contrast. These three factors all make it difficult to distinguish details in an image. Driving a car on a rainy night is a good illustration of the first two. It’s hard to see any details in the dark, and then someone comes around the corner with his high beams on and blinds you so you can’t see anything in the light. The third factor, contrast, is what makes one thing stand out against another. People wear light-colored clothing at night so they can be better seen. Commandos wear black clothes and paint their faces black so they can’t be seen. A great example of this factor was a company that kept having issues with people breaking in at night. Even with guards and good lighting, the black-clothed bandits were still able to climb over the fence and get into the building. The solution? Paint white stripes on the blacktop outside the fence line. The contrast between the white stripes and the black clothing made the bandits’ movements easy to spot. Night-vision cameras, infrared projectors, and night-vision goggles can also help deal with low-level light or poor-contrast situations. Sunglasses help humans deal with excessive light, and cameras typically have aperture adjustments to deal with the issue. Each factor is a trade-off: when you zoom in, you reduce the field of view; when you increase brightness in one area, you reduce resolution in other areas. A great example of this is Bill’s security review of a data center. The exterior of the building was monitored with video cameras. The parking lots were lit with moderate-level sodium vapor lights, and the sidewalks around the building were lit with bright halogen lighting. The cameras adjusted their aperture for the bright lights; consequently, nothing in the parking areas could be seen on camera. Quality of optical characteristics covers a couple of different things; in cameras it can refer to the quality of the lens, the color abilities, and the number of pixels in the receptor. A black and white camera with a low pixel count and a poor-quality lens has the worst resolution, and by contrast, the color camera with a high pixel count and a high-quality lens has the best resolution. For humans it is related to the physical characteristics of our eyes—nearsightedness, farsightedness, color blindness, and so on. The final factor is training. The effectiveness of surveillance is based on our ability to accurately interpret what we are looking at. Our life experiences help, but the only way to become proficient at identifying malicious activity is through training: classroom and on-the-job experience.
Event Detection
Malicious activity can be identified through the use of event detectors. In most instances, event detectors do not discriminate between good and bad events; they simply report a state change to a controller that decides whether or not to take action on the event. Most controllers are computerized devices that analyze and forward events to a responder; on some occasions, the event is sent directly to someone for analysis. Detectors can be deployed to monitor just about any physical state. Table 9.1 presents a list of the more common types of detectors and how they are used.