Lessons for Layering
A manufacturing company, aware that its existing product anticounterfeiting tag could be easily defeated by being itself counterfeited, added a second anticounterfeiting tag. The idea was that an adversary would now have to defeat two tags. The use of two tags, however, confused retailers, who stopped checking the tags completely. The new layer of security completely negated the original layer and made it easier for criminals to counterfeit the product.
That’s one example of how the concept of layering can backfire. In another, a trucking company was using GPS technology to track critical shipments. Truck drivers, aware of this sophisticated security technology, no longer worried much about watching their trucks at truck stops. In at least one case, a truck cab was left unlocked with the keys in the ignition because the driver assumed that the GPS would stop the bad guys. Predictably, significant thefts and vandalism occurred. The GPS system that was supposed to enhance security instead weakened it because it led staff to ignore commonsense security measures.
Security managers might rest easier thinking that their layered security program will protect their companies. However, as these real-life examples illustrate, having multiple layers of security without a clear strategy can open up an assortment of new problems, complexities, and vulnerabilities. If security managers aren’t careful, layered security can also lead to overconfidence, sloppy thinking, a flawed mind-set, and a lax security culture. An organization with complex, multiple layers of security may be less secure than one with a single layer that is carefully thought through, taken seriously, conscientiously maintained, and constantly tweaked to deal with new challenges and threats.
To ensure that the security program is actually protecting a company’s assets, managers must understand the types of layered security that may be implemented and the pitfalls associated with such programs. Layered security comes in two general flavors—serial and parallel. Most security managers employ a mixture of the two.
Serial security is the most common type of layered security. It involves nested layers. A typical example might be a facility having a fence at the perimeter to keep out the general public. At the entry gate, there may be a guard to check credentials or some kind of automated access control system, such as a card reader or biometric device. Deeper inside the facility, there may be roaming guards, CCTV, safes and vaults, and intrusion detectors. Typically, this kind of nested serial approach is designed with the idea that an adversary will encounter ever-increasing levels of security as he or she moves towards the interior of the facility, where the most critical assets are kept.
Another example of serial layered security can be found on consumer tamper-evident packaging. Anyone opening an over-the-counter painkiller, for example, may first need to break open the box, then remove the frangible clear plastic film around the bottle cap before opening the bottle and finding a foil seal. Hiding evidence of tampering may require repairing all three levels—the box, the frangible film, and the foil seal.
The parallel approach to layered security involves having multiple security measures all in the same general area. The theory here is that the adversary will confront multiple security challenges more or less simultaneously. Commercial access control devices, for example, often attempt to deploy parallel levels of security. They may require a badge and a password, PIN, or biometric signature to grant facility access.
The hardware may also employ a tamper-indicating or hardened cover, along with a mechanical tamper switch just inside the cover to sound an alarm should the device be opened. A human guard may be present to oversee the whole access control process. An adversary intent on defeating the access control must—at least theoretically—deal with all these security features more or less simultaneously.
Security managers should therefore prepare for certain challenges when considering or using multiple layers of security. These pitfalls can lead security managers to ignore problems, rely too heavily on technology, and develop programs that are too complex. While these apparently complementary programs seem good in theory, they have various weaknesses.
Paralysis. The most common problem with layered security is that the mere existence of multiple layers automatically shuts down any attempt to improve any one layer or the overall security program. Having multiple layers of security should never be an excuse for being satisfied with the status quo. Each layer must be taken seriously in its own right and optimized to the extent practical. All layers should be constantly adjusted in a holistic manner that takes into account new vulnerabilities discovered in any of the other layers as well as changing conditions, technologies, and threats.
Culture. The second greatest potential hazard with layered security is that it can lead to a poor security culture. Too often, the idea that we have multiple layers of security leads to a mindset that no one layer of security is all that important because the other layers will compensate. This can lead to a lackadaisical attitude towards security in the organization, and it may create a general lack of personal accountability. For example, if an employee observes unfamiliar personnel engaging in questionable activities, he or she may be hesitant to challenge them on the assumption that they could not have passed through all of the layers of security if they didn’t belong there. The recent White House gate crashers incident exemplified this problem.
Overload. When layered security is viewed as the automatic approach, there is a risk that some security managers will begin throwing all kinds of strategies, products, hardware, and technology into the various layers with minimal thought. This can lead to wasting large amounts of money; chasing after the latest fad, technology, or security product; confusing and discouraging security personnel and other employees; and creating such a complex environment that little critical and skeptical thinking about security can take place.
Even if the security program is cautious in its approach to layering, splitting funding and attention between many layers of security may mean that none of them receive sufficient resources. At the very least, security program managers with many layers typically have problems figuring out where to intelligently spend extra funds to gain the greatest marginal increase in security. By contrast, if the organization has one or a few layers, it can be easier to spot where to spend extra money or focus additional attention.
Redundancy. Security managers who proclaim the advantages of layered security often view each layer as a backup or redundancy measure for either serial or parallel layering. Frequently, however, the various layers have such completely different purposes that they can’t reasonably be considered backups for each other. For example, many government facilities have a security fence and also use tamper-indicating seals for critical assets stored inside the facility. The purpose of the fence is to delay or discourage unauthorized outsiders from entering the facility. The purpose of the seals is typically to detect theft or tampering with critical assets by insiders—the very people who are granted authorized access through the fence because they possess a security badge, PIN, or other credentials. If the fence fails, the seals won’t prevent someone from penetrating the facility. If the seals fail, the fence will not protect the assets from insider attack.
Similarly, software security measures for countering external computer hacking are not a backup to gates and guards. Just because each layer in an overall security program is intended to provide some sort of security does not mean that each layer will compensate for the weaknesses of all the other layers when they serve completely different security functions and have utterly dissimilar attributes.
Interactions. In many layered security programs or devices, the focus tends to be on each layer alone and in isolation, not on how all the layers interact to provide overall security. Understanding the interactions is extremely important because easy-to-exploit vulnerabilities in security often exist at the interfaces.
The security team must, therefore, understand how different measures complement each other as well as how they get in each other’s way. For example, a company used a standard lock to secure a door. The key was held at all times by the on-duty security guard. When management decided to add an extra layer of security, they installed a key storage cabinet. The key was taken from the guard and stored in this locked cabinet along with keys to other sensitive areas of the facility. Unfortunately, the cabinet was poorly designed and could easily be picked or forced open, allowing an adversary to gain access to the key cabinet and take any number of keys. Thus, the new layer, in the form of the key cabinet, compromised the security provided by the original lock.
Another potential danger inherent in serial layers is that they tend to focus security’s attention on concrete physical assets such as desktop computers, manufacturing equipment, cash, or raw materials, which are often stored deep within the nested layers. This approach may end up weakening the focus on protecting more important, spatially distributed, and less tangible assets, such as databases, intellectual property, trade secrets, company reputation, and personally identifiable information.
Threats, vulnerabilities, and consequences should drive how the security layers are configured; the spatial layout of the layers themselves should not determine what we protect most. For example, an organization’s CEO, key technical or financial people, essential business data, or important IT equipment may be the most critical assets for keeping the organization in business during times of crisis. Regardless of their location, they need to be the focus of the protection.
Complexity. Layered security tends to be complex, and complexity is usually not conducive to good security, because it creates the potential for confusion and increases the ways in which the system can be defeated. This is one of the reasons low-tech methods can so often defeat high-tech security.
Even more dangerous is the fact that the complexity inherent in layered security often makes it much easier for groupthink to set in. This is a type of bureaucratic wishful-thinking mentality where no one individual is willing to step up and ask the necessary, skeptical questions, challenge the entrenched view, or think like the adversary.
So what should security managers do to avoid problems created by layering? First they should decide whether all the layers are really needed and helpful or determine whether overall security might improve by getting rid of one or more layers or modifying how they interact.
Managers should also be aware of the warning signs that a new layer might not be helpful, such as when the new layer is getting installed primarily because funds have become available or because of a mandate from nonsecurity executives.
Yet another warning sign is when there are common modes of failure, such as when an attack on the power source could shut down both the new layer and an older layer it was meant to back up. It’s also of concern if security managers don’t have a specific vulnerability they are trying to address with the new layer or if they can’t clearly explain how the new layer will improve overall security. Managers should also make sure that the new layer will not distract security personnel, and that it won’t dramatically increase the complexity of providing security or the time and costs involved.
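The redundancy and common-mode-failure points above (a fence and a seal address different threats, so neither backs up the other; two layers that both die when the power goes out are not independent) can be checked mechanically before a new layer is approved. The following is an added illustration, not part of the article or of any Argonne tool. It models each layer as the set of threats it is meant to counter plus the things it depends on to function, and then reports shared dependencies, layer pairs that are not genuine backups, and threats left to a single layer. The layer names, threat names, and dependency names are constructed sample data chosen to mirror the article’s examples.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Layer:
    """One security layer: what it is meant to stop and what it relies on."""
    name: str
    threats: frozenset      # threats this layer is intended to counter
    depends_on: frozenset   # resources whose loss disables the layer


def common_mode_failures(layers):
    """Return {dependency: {layer names}} for every dependency shared by
    two or more layers. Each entry is a single failure that would take
    down several layers at once (the article's 'attack on the power source')."""
    by_dep = {}
    for layer in layers:
        for dep in layer.depends_on:
            by_dep.setdefault(dep, set()).add(layer.name)
    return {dep: names for dep, names in by_dep.items() if len(names) > 1}


def is_real_backup(a, b):
    """b genuinely backs up a only if it counters at least one of the same
    threats AND shares no dependency with it. A fence and a tamper seal fail
    the first test; two mains-powered devices fail the second."""
    same_purpose = bool(a.threats & b.threats)
    independent = not (a.depends_on & b.depends_on)
    return same_purpose and independent


def single_layer_threats(layers):
    """Threats addressed by exactly one layer: no redundancy exists there,
    whatever the total number of layers in the program."""
    count = {}
    for layer in layers:
        for threat in layer.threats:
            count[threat] = count.get(threat, 0) + 1
    return {t for t, n in count.items() if n == 1}


def uncovered_threats(layers, threat_model):
    """Threats in the organisation's threat model that no layer addresses."""
    covered = set()
    for layer in layers:
        covered |= layer.threats
    return set(threat_model) - covered


def audit(layers, threat_model):
    """Collect the warning signs a manager would want before adding a layer."""
    not_backups = sorted(
        (a.name, b.name)
        for a, b in combinations(layers, 2)
        if not is_real_backup(a, b)
    )
    return {
        "common_mode": common_mode_failures(layers),
        "not_backups": not_backups,
        "single_layer": single_layer_threats(layers),
        "uncovered": uncovered_threats(layers, threat_model),
    }


# Constructed sample layers modelled on the article's examples (hypothetical).
FENCE = Layer("fence", frozenset({"outsider_intrusion"}), frozenset({"perimeter_integrity"}))
SEALS = Layer("tamper_seals", frozenset({"insider_tampering"}), frozenset({"seal_inspection"}))
BADGE_READER = Layer("badge_reader", frozenset({"outsider_intrusion"}),
                     frozenset({"mains_power", "network"}))
CCTV = Layer("cctv", frozenset({"outsider_intrusion"}), frozenset({"mains_power"}))
SAMPLE_LAYERS = [FENCE, SEALS, BADGE_READER, CCTV]
SAMPLE_THREAT_MODEL = {"outsider_intrusion", "insider_tampering", "data_exfiltration"}


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_LAYERS, SAMPLE_THREAT_MODEL).items():
        print(f"{finding}: {value}")
```

Run against the sample, the audit flags mains power as a single point that disables both the badge reader and the CCTV, reports that the fence and the seals are not backups for each other (different purposes) and that the badge reader and CCTV are not either (shared dependency), shows insider tampering resting on the seals alone, and lists data exfiltration as a threat no layer addresses. The same structure scales to a real program by replacing the constructed layers with the organisation’s own inventory.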
In situations such as the GPS tracking example mentioned, where front-line personnel give up on the original security layers in the false belief that the new layer is a panacea, education is an effective countermeasure. Employees must be convinced, through training and regular reminders, that security is only improved if the original security measures are maintained and taken seriously.
Chain of Events
Despite its potential pitfalls, layered security is often useful. It can be especially useful or appropriate when assets need temporary extra protection due to a heightened alert status or when unusual situations arise. Having many levels of security can also slow down the entry of employees and visitors, giving security personnel a chance to interact with them on a personal level and perhaps detect suspicious behavior or threatening attitudes, thus deterring or discouraging an attack.
Additionally, layered security can be useful if the goal is to visibly present the image of a hardened target to show that the organization takes security seriously. The hard-target image can deter both insiders and outsiders from attempting to commit theft or other crimes against the company.
Another reason for layers is that sometimes security managers can get funding for a new layer of security but not for upgrading existing security in an optimal manner. It may make sense to add the new layer anyway, as long as it does not reduce overall security.
Finally, layered security is sometimes the only way to reduce risk when technology falls short. This is probably the case with most tamper-evident packaging. Current techniques are so easy to defeat that throwing on multiple layers of security may well be warranted.
Everyone knows that a chain is only as good as its weakest link. But we forget the corollary: that additional links won’t solve the problem. It’s the same with layering. To borrow an analogy from consumer safety, a car may have multiple safety features including seat belts, air bags, a tempered windshield, headrests, and a crash-resistant body. However, you should still get your faulty brakes fixed and drive cautiously.
The bottom line is that layered security—well planned and well executed—has its place, but it must not be blindly or mindlessly implemented or used as an excuse to avoid thinking continuously, critically, creatively, and skeptically about risk mitigation.
Roger G. Johnston, CPP, is head of the vulnerability assessment team at Argonne National Laboratory in Argonne, Illinois. He is a member of ASIS International.