In Part One of this series, the idea of the three waves of security was introduced, with the Physical Security 1st Wave having established the principles and ideas of security used in the next two Waves. The 2nd Wave is “Wired” IT Security, which is maturing with standards, technologies, and operational approaches and is being applied by businesses. The 3rd Wave is RF Security, which addresses new vulnerabilities and requires different tools and methods to mitigate risk. One of the security challenges that 3rd Wave Security has to overcome is its invisibility to human senses. As with most things, out of sight is out of mind, creating organizational risk.
As stated in Part 1, the first step in improving a risk position is to perform an independent full spectrum assessment on an organization using all three security waves. In addition to the standard approach using 1st and 2nd Wave security assessment methods, a 3rd Wave security assessment needs to be performed. This includes a full spectrum RF penetration test which actively evaluates an organization’s RF emissions from desktops, servers, and infrastructure, as well as critically evaluating the RF emissions within and around the organization’s premises. Once completed, decisions based on the value of information, threat, and perceived risk are used to determine the mitigation strategy.
The range of options in protecting information spans from virtually no protection, like a receptionist guarding a door, to an intelligence community secure facility. The issue can be categorized into two problems to solve. While physical and “wired” IT vulnerabilities still require fixing, much has been published on these topics and is available on the Web. The rest of this article will focus on the protection of the organization’s most important information in a highly protected RF enclave, or what is called a secure work environment (SWE). Protection techniques used in an SWE can be applied to more general spaces based on an organization’s identified threats and risk tolerance.
A basic comprehension of RF is required to understand what considerations should be made in securing a work environment. Any RF system will have an emitter at some power level radiating out of an antenna. The antenna can be intentionally designed or inadvertent, formed by the shape and type of materials surrounding the source. Depending on its type, the antenna can have gain, which strengthens the signal in a particular direction. Power falls off as one over the square of the distance from the antenna, with additional attenuation of the signal due to intervening material like walls or films on windows. Normal intended communications will have a second antenna and receiver pair designed to complete the communication. An unauthorized person trying to capture the RF signal will probably have an antenna with gain aimed at the signal of interest and a very sensitive receiver to capture and process the signal. This simple system represents the variables Power, Gain, and Attenuation that can be manipulated to defend or capture a signal.
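The Power, Gain, and Attenuation variables can be combined into a link budget. The following is an added example, not part of the original article: it uses the standard free-space path loss formula to estimate how far an emission remains receivable and how much wall or window attenuation is needed at the edge of controlled space. All scenario values (frequency, power, gains, sensitivities, boundary distance) are constructed for illustration, and free space is a worst-case assumption that ignores clutter and multipath.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def fspl_db(distance_m, freq_hz):
    """Free-space path loss in dB: the 1/d^2 falloff expressed in decibels."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)

def received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, distance_m, freq_hz, barrier_db=0.0):
    """Power at the receiver: Power + Gain - path loss - barrier Attenuation."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz) - barrier_db

def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_hz, sensitivity_dbm, barrier_db=0.0):
    """Free-space distance at which received power falls to the receiver's sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - barrier_db - sensitivity_dbm
    return C / (4 * math.pi * freq_hz) * 10 ** (budget_db / 20)

def required_barrier_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, freq_hz, sensitivity_dbm, boundary_m):
    """Attenuation needed so the signal at the boundary is no stronger than sensitivity."""
    unshielded = received_dbm(tx_dbm, tx_gain_dbi, rx_gain_dbi, boundary_m, freq_hz)
    return max(0.0, unshielded - sensitivity_dbm)

# Constructed scenario values (assumptions, not measurements).
FREQ_HZ = 2.437e9            # emitter frequency
TX_DBM, TX_GAIN = 20.0, 2.0  # emitter power (dBm) and antenna gain (dBi)
CLIENT = {"rx_gain_dbi": 0.0, "sensitivity_dbm": -70.0}      # intended receiver
SENSITIVE = {"rx_gain_dbi": 15.0, "sensitivity_dbm": -95.0}  # high-gain, sensitive receiver
BOUNDARY_M = 30.0            # emitter to the edge of controlled space

if __name__ == "__main__":
    # Budgeting against the intended client understates the shielding required:
    # the sensitive receiver's extra gain and sensitivity add directly to the need.
    for name, rx in (("client", CLIENT), ("sensitive", SENSITIVE)):
        rng = max_range_m(TX_DBM, TX_GAIN, rx["rx_gain_dbi"], FREQ_HZ,
                          rx["sensitivity_dbm"])
        need = required_barrier_db(TX_DBM, TX_GAIN, rx["rx_gain_dbi"], FREQ_HZ,
                                   rx["sensitivity_dbm"], BOUNDARY_M)
        print(f"{name}: free-space range {rng:,.0f} m, "
              f"attenuation needed at {BOUNDARY_M:.0f} m: {need:.1f} dB")
```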
SWE concepts are used to limit unauthorized individuals’ access to emissions. SWE techniques can be used in boardrooms, server rooms, or auditoriums where sensitive information is being accessed. Examples of this sensitive information may include company intellectual property, strategic planning documents, mergers and acquisitions data, sensitive legal discussions, and software test environments using real data for testing.
The fundamentals of the 3rd Wave are the same as the 1st. The RF environment has portals for entry (typically called access points), methods for identification of individuals, barriers created to prevent access by perceived threats, response strategies for intrusions, and protected enclaves for the most important information. There is no universal solution, as each organization’s location and physical situation is different. This requires custom solutions depending on adjacency to other organizations in the same building or in another tower. In RF security, the core principle is to provide access to those that need it and to deny or make it hard for others to access susceptible signals. Some areas of concern where SWE techniques might be applied are:
WiFi – Possibly the largest risk that can be mitigated. Testing involves analyzing the walls for attenuation and, if not sufficient, installing RF-attenuating paint or foil, putting RF-attenuating film on windows, adjusting the power of the WiFi access point by lowering transmit power or employing directional antennas, ensuring the security features of the WiFi device are configured properly, and using devices like wireless intrusion detection systems. WiFi is used as a host protocol for many applications like wireless computing, webcams, building control systems, and cell phone high speed connectivity, to name a few. This may be the most important area to fix based on the results of an assessment.
Cell phones – Of course the most secure policy, especially in a bring your own device (BYOD) environment, is to not let cell phones into an organization’s space. This is especially true for visiting individuals that are not part of the organization and have no obligation to maintain organizational security. Solutions for visitors include lockboxes or an RF-attenuating bag to hold their phone. For members of an organization in general spaces, a distributed antenna system (DAS) can be installed to ensure all cell communications go through a company-protected system instead of being susceptible to rogue systems. Also, as in the WiFi situation, attenuation on the walls and windows can aid in limiting cell phone propagation outside of spaces owned by an organization when a DAS is employed.
Bluetooth – There are many attacks that can be used against Bluetooth, often taking advantage of its automated connection process. Class 2 Bluetooth devices like cell phones transmit about 32 feet, which can potentially enter adjacent rooms. The most important security step is to change the default password and to disable Bluetooth when not needed, as there is rarely a reason to allow persistent access for an attacker.
SCADA (supervisory control and data acquisition) – In the creation of new “smart buildings” with building automation systems (BAS) and in the retrofit of older buildings to accommodate this technology, RF technology is increasingly used to reduce the cost compared to a wired system and increase flexibility as new technology becomes available. ABI Research indicates that the market will top $43 billion by 2018, and this growth will provide opportunities for hackers to go after HVAC, lighting, security and access, and fire and life safety systems [1]. The control systems use many different protocols, including proprietary RF, ZigBee, EnOcean, Z-Wave, WiFi, and others. The bottom line is that the infrastructure around an organization’s office needs to be considered in the overall security assessment.
Unintentional signals – When electrons accelerate on wires that occasionally have the right length, they can emit unintentional signals. There is a whole discipline called TEMPEST where practitioners test and develop countermeasures to inhibit free space transmission, denying access to attackers. An assessment can discover these emissions and point to ways to mitigate the problem.
It was stated at the beginning of this article that the most important first step in improving an organization’s security position is to get an assessment, followed by implementing the recommendations based on threat, cost, and operational impact. While this is a great approach, its only weakness is that technology and attacks change. One day an organization may be secure, but the next day they can be vulnerable. Persistent monitoring is common in the first two waves of security, but it is rarer in the RF Wave. Companies are now developing affordable tools to perform persistent monitoring, varying from emitter-specific devices aimed at one signal to those covering the complete attackable spectrum to mitigate the risk.
[1] Asmag.com: “ABI: Global commercial building automation market to reach $43B by 2018.” May 2013. <http://www.asmag.com/showpost/14829.aspx>