inventory system but also use it for security. Or else retailers buy it for inventory, and there is a case of mission creep, and they start to use it for security."

Compounding the problem is that inventory folks often have the money to buy all the hardware, with security being an afterthought. "But you need to build the security piece in from scratch," said Johnston. "You can't Band-Aid security onto an inventory system." More broadly, he says that LP executives need to be careful not to assign security technology powers it doesn't possess, and must recognize that security devices themselves are often not secure, which makes them vulnerable to spoofing.

Accept Defeat—And Win

Although device security is a technology problem, both Johnston and Nickerson suggested the need to address it culturally. Their domains are different—Johnston's is vulnerability assessments, and Nickerson's is penetration exercises—but both strategies require a retailer to be OK with learning about their weaknesses. And that can be a struggle.

"Even if you can't redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don't have to spend a ton of money," said Johnston, who recommends that organizations perform their own frequent, imaginative, independent vulnerability assessments to find security weaknesses. He suggested picking individuals from outside the LP department who seem psychologically predisposed to finding problems and suggesting solutions. "Pick people from the mailroom or the graphic arts department, the smart, creative types who are always finding loopholes." These are just the kind of people who, in a vulnerability assessment (VA), can provide fresh insight into how creative adversaries might defeat your security systems, said Johnston.

"The problem at a lot of organizations is that they're afraid to encourage employees to think about these kinds of things, and they're also afraid of what they'll find," Johnston added. It doesn't help that in physical security, unlike cyber security, making changes is sometimes viewed as admitting to past negligence. "Some organizations will even halt a VA once they find vulnerabilities because really what they wanted was to rubber stamp their program and to say they looked at it," he said.

Johnston said retailers should strive to develop a culture where uncovering vulnerabilities is seen as positive—and to be willing to accept that a legitimate vulnerability assessment will always find attack possibilities. "And you don't have to find every vulnerability for it to be worthwhile," he added. "At least you can go after the low-hanging fruit, and say that this attack and this attack are the most likely, so you can make some valuable, practical changes."

Nickerson sees a similar mindset holding organizations back from undertaking much-needed physical penetration testing; many don't want to see the expensive technology they bought easily compromised. But it's a shortsighted attitude that practitioners and their organizations need to rid themselves of, Nickerson suggested. Don't think of a red team's success as security's failure. Instead, see it as new information to help adjust and improve security. "The more we think from an adversarial perspective, the more we can know if we're getting what we want out of our systems," he advised in his conference presentation "Breaking Physical Access."

Looking at your security devices from the perspective of attackers will always point out flaws, but knowing whether it's worth addressing them requires a detailed risk assessment, something else Johnston thinks that LP practitioners could do better. "There aren't good or bad security devices. It depends on what you need. However, 'we don't want stuff stolen' is sometimes the extent of the risk assessment," said Johnston. "But when you're looking for the best car, it depends on what you want the car to do. Is it to win the Indianapolis 500? Is it to impress the neighbors?" So even though a security system will have its vulnerabilities, "it may be the right system given the adversaries you have, the budget you've got, and what you're protecting," said Johnston.

Johnston and Nickerson suggest that successfully hardening a security system or device against attack requires LP to first acknowledge that attack is a possibility and then be willing to gain a deeper, more honest understanding of their technology. Learn how it can be attacked. Understand the intricacies of what systems can—and can't—do. And appreciate which threats devices can and can't protect against. "But it's often way less thought out than that," said Johnston. "It's people in charge of security buying something because the salesperson says it's good. I actually see the whole thing more as a security culture deficit rather than a device security issue."

SECURITY'S SECURITY

"Even if you can't redesign a product, if you understand its vulnerabilities, you can at least enact some simple countermeasures, and you don't have to spend a ton of money." – Roger Johnston, PhD, Right Brain Sekurity

GARETT SEIVOLD is a journalist who has covered corporate security for nearly twenty years. He has been recognized for outstanding writing, investigative reporting, and instructional journalism. He has authored dozens of survey-based research reports and best-practice manuals on security-related topics. Seivold can be reached at GarettS@LPportal.com.

