Red Cell: Penetration-Testing Your Anchor Point
Establishing and implementing a security plan is not a one-time event. It is a process that requires continuous testing and improvement. Security plans are established at anchor points in order to protect those inside not only from outsiders and non-members, but also from any insiders who have criminal intentions. While I believe that behavioral analysis provides security practitioners with the information and insight needed to accomplish these goals, the concept has also been gaining traction in other areas. In a recent Wall Street Journal Risk and Compliance Journal article, “How To Crack Down On Insider Threats,” Gordon Hannah, a principal in Deloitte & Touche’s Security practice, notes that by adding behavioral profiling to existing security practices, organizations “can effectively neutralize the insider threat and mitigate the risk a single individual can cause.”[1] These insider threats can span the spectrum of violence from being bullied by a coworker, to the theft of intellectual property, to harassment or even an active shooter scenario. While the threat of insider attackers is widely acknowledged, the ability to proactively identify those workers with dishonest intentions continues to be a challenge. One way that organizations can reduce this risk from insiders is through the practice of penetration testing.
The penetration test, which is commonly used in the context of computer and network security, is a way for security officers to determine how capable they are of preventing both internal and external threats. The goal of a penetration test is to identify where you are vulnerable so that you can later determine how to plug that gap. The process begins by establishing a baseline for the entrance that insiders will have to pass through. By going through the steps and process outlined in “How I Break Down A Video,” we can establish the patterns that are present and have a quantifiable structure to build on.
Step 1 - Baselining: The penetration test requires a focused effort on the different groups of insiders that use the entrance you are trying to protect. One example is the anchor point that gets established inside an airport terminal at the individual gates. There are a number of groups that are allowed into the jetway once their credentials have been verified: passengers, flight attendants, pilots, gate attendants, maintenance staff and the crew that resupplies the planes with food and drinks. For the gate attendant who serves as the bouncer and sentry at this particular anchor point, her task is to assess each of these groups and know the patterns that each group is supposed to follow. These are the insiders with a legitimate reason for being there, or those trying to appear to be insiders. Consider the following picture taken of the people attempting to board a Southwest Airlines flight.
For the sake of clarity and the specific purpose of the article, I’m not going to elaborate on the complete baseline for this anchor point, but I recommend that you first go through the baselining process and then consider how the following commentary would fit into the larger established norm.
Passengers stand in line in numerical order in their assigned boarding group. This forced channelization helps the gate attendant observe the behaviors of those about to board by separating them from the other people sitting in the area. Members of this group might show elements of familiarity or unfamiliarity, based on how frequently they fly, but if a passenger shows familiarity with one stage of the boarding process for a Southwest flight, they should show familiarity with all steps in the process. Those familiar with Southwest’s boarding process should also behave in a way that indicates comfort. As passengers line up to enter, the gate attendant could focus her attention on someone who displays familiar cues yet also appears uncomfortable. This could be due to an annoying or loud traveller nearby, but the deviation from the familiar-and-comfortable norm identifies someone who stands out and tells the attendant to contact this person and attempt to discover the cause.
The flight attendants and pilots would also show a high degree of familiarity with the boarding process. This familiarity is common with insiders, and they have a great deal of experience in airports. Even if they are in an airport they haven’t travelled through before, because all Southwest gates are set up the same, they should be very familiar with the layout and the process for them to check in and board the plane. The pattern of flight attendants would differ from that of passengers in three areas. First, they won’t be waiting in line like the passengers. Second, the flight attendants would show that they have a pre-existing relationship with the other members of the crew, as many teams work together day in and day out. As they walk up to the gate, I would expect them to arrive as a group and be friendly towards each other in a way that I would not expect from passengers who were not travelling together. Finally, because flight attendants regularly work the same route, they might also show indicators of familiarity with the gate attendant at the airport. While flight attendants and passengers both have a process for boarding the plane, the processes are different enough that each needs to be defined and differentiated.
When observing the maintenance staff working at the gate, they might not have a clear boarding process the way the passengers and the flight crew do, but they exhibit behaviors that indicate familiarity. The maintenance staff might not have a pre-existing relationship with the flight crew on a personal level, but they may display familiarity based on the responsibilities each side carries while the plane is at the gate. For example, a member of the maintenance crew would know which attendant to talk to if there are any problems, or to let them know when they have completed their work.
By establishing a baseline and expanding on the behaviors and details for each and every group that has access to an anchor point, you now have a very well-defined norm and can begin planning your penetration test.
Step 2 – Red Cell: It is at this point that the red cell comes into play: you identify the specific behaviors that would deviate from this baseline and begin to outline possible causes for each. If the baseline is comfortable, define why a member of the flight crew would display over-the-top dominant, uncomfortable or submissive cues. You can also define how a member of these groups might act if questioned or challenged when they are innocent and when they have violent intentions. This red cell phase is the planning time of the penetration test and a chance to look objectively at each possible situation and vulnerability.
Step 3 - Test: Once you have established a baseline and red celled how a criminal would behave in different scenarios (dominant, submissive, uncomfortable, comfortable), you can instruct the people tasked with testing the security measures on the specific behaviors they should exhibit in their probing attempts. The person responsible for maintaining security at the gate first has to know how to observe and classify each cluster of behavior, and this is an opportunity to coach and mentor the attendant on the behavior she observed in a passenger and how she did (or didn’t) respond. The goal of the actual test is not to determine which group of insiders is the risk, but to determine the vulnerabilities in the bouncer and coach that person to greater effectiveness.
This ability to coach the guards is one additional benefit of defining the role of the bouncer the way we did in the “Identifying Anchor Points” article. By understanding the dominant cluster of behavior, you can mentor your guards (or whoever is tasked with scanning those approaching your building, police department, or patrol base) to determine how intense a display of dominance is required to meet your security goals. If there is an event at the building you are responsible for protecting, maybe you choose a higher-intensity dominance for the special circumstances that wouldn’t be necessary on slower days. By looking at each behavior in the cluster, you can tailor the security posture to meet your needs as well as compensate for guards who are less capable of observing the subtle behaviors they should be searching for.
Testing Your Anchor Points: As we have noted throughout this issue, treating an anchor point like a habitual area, or simply assuming that security is effective, is extremely risky. Even if your anchor point doesn’t require the same degree of security as an airport terminal, it doesn’t change the need for penetration testing. While an airline is attempting to reduce the risk of flying as much as possible, some office buildings might accept a greater degree of risk because of a lower probability of attack. Regardless of where on the security spectrum you are operating, the penetration test is designed to identify the vulnerabilities that a security plan is supposed to address. How the security gaps that you find in your penetration testing get fixed is a decision often made by top-level leadership, but the objective planning and testing that I’ve talked about in this article and in this issue of The CP Journal provides those leaders with the information needed to make intelligent security decisions.
[1] http://deloitte.wsj.com/riskandcompliance/2013/09/10/how-to-crack-down-on-insider-threats