 |
| USAF Security Forces members conducting a site survey (Source: USAF) |
"Come on, dude. It's Idaho! No one is ever going to attack us" was a common talking point at my first duty station in the military. It can be difficult when you spend everyday near multi-million dollar aircraft to see their strategic importance particularly when they're located in the "middle of nowhere". Sadly, before 9/11, this attitude was more commonplace than some would care to admit. Nowhere was that more apparent than our original perimeter fence which consisted of two rusted barbed wires, humongous decorative rocks, and almost nonexistent perimeter patrols. On September 11, 2001, the way we and countless other military bases thought of security changed. The base's security posture changed within hours and our "sleepy" installation soon seemed better fitted in Tel Aviv than Idaho. As time went on, that posture too changed. However, a process was adopted to address the dynamic security environment.
One of my jobs in the military was as the Non-Commissioned Officer In-Charge of Physical Security. In short, I managed the physical security program which provided protection for all of the military base's critical weapon systems and their support elements. A key component to that job was conducting various site surveys to evaluate the security already in-place and to make recommendations as to what could be done to enhance it and to address any deviations from accepted security protocols. Basically, I ran around the base thinking of ways I could break and steal things. Over time, I got to be pretty good at seeing what I later called the "security landscape" from my adversary's point-of-view. A good security practitioner does this in a few ways.
- Knowing the threat
- Knowing the importance of the asset
- Talk to subject matter experts regarding the asset
- Knowing the existing defensive measures for the asset
- Knowing what the accepted security practices were for the asset
- Examining the asset and its defensive measures in person
- Testing those measures with exercises using probable attack patterns
This methodology is not new. Site surveys have been around since before Roman times. Supposedly, Caesar would conduct special patrols of his defenses. When he would catch soldiers without their shields or being proactive, they were dealt with severely. Today, many in the public and private sector use what's commonly referred to as the CARVER model which was originally developed as a targeting tool for used by US Special Operations Forces to quickly and thoroughly analyze enemy critical infrastructure to identify a critical node against which a small well-trained force can launch an attack to disable or destroy that infrastructure. CARVER uses a matrix to determine the likelihood of an attack based on several factors:
- Criticality
- Accessibility
- Recuperability
- Vulnerability
- Effect
- Recognizability
Here's a model of that matrix:
I can't stress enough the need to actually see the asset and the area around it in order to make a proper assessment. To do this, you must first go in looking at every conceivable attack venue whether it be cyber or an intrusion. Get a tour and walk around. Next, talk to the experts to determine what's critical to the assets operation. Next, look at similar attacks on similar assets. Then determine how an untrained and a skilled attacker would approach the target. Identify surveillance locations, chokepoints, and avenues of approach. Look for existing defensive measures. Are they adequate? Are they outdated? Finally, sit down and do the most dreaded part of this job - make a report to the decisionmankers.
In the video below, you'll see a counterintelligence site survey being depicted in the Cold War. It's interesting to see the similarities behind my approach and theirs. Would you do something different?
