Physical OPSEC as a Metaphor for Infosec
Normally when people publish their slides from a talk, there is very little verbiage on them, you don’t see the speaker notes, and some things may not make sense out of the context of the talk. I decided that I’d publish my slides in blog form, include my notes, and expand on a few of the items based upon the questions I got at the conference.
As a bit of background, I submitted more than one talk to Enigma, as is not uncommon for presenters. Truthfully, I did not think this particular one would be accepted. The talk was entitled “Physical OPSEC as a Metaphor for Infosec.” The original version of this talk was about an hour, so there was a substantial amount of material removed and condensed for this version. I was given twenty minutes, so I decided it should be reduced to twenty slides, and if I averaged a slide a minute I would be golden.
The premise of the talk is simple enough - we security nerds often have to explain odd security items to normals, and sometimes a good metaphor works. It also helps me as a security professional to get into the mindset of thinking about security in your daily life, which always helps in this line of work.
Now all of us, not just infosec professionals, do automatic OPSEC all of the time. When you exit your car, you lock it. When you leave the house, you set the alarm and lock the door. It becomes muscle memory. There may be things you do when you are using your computer as well. I lock my screen when I get up from my desk as a matter of habit, and this is as a person who has worked from home for a couple of decades. My threat model here is mainly my cats, but even before that when I worked in an office (or I flew and visited the home office) I’d already developed that habit.
But that is part of the problem: when we define the risk we often do a poor job of it. The fact that clickbait headlines exist is proof. We tend to focus on the fantastic, and things like those catchy and scary headlines get our attention. RFID attacks are a good example of this. While a theoretical attack could possibly occur against the credit card or passport in your pocket, in reality the odds are much greater that you will be mugged or pickpocketed instead. If you are a spy and you have a work access card that opens the door at spy headquarters then yes, your odds of an RFID attack are much greater than some rando on vacation. But not all of us are spies.
So let’s talk about risk assessment in the area of travel and touch on some of those physical OPSEC strategies. For our first big analogy we’ll use the concept of death - something that is going to happen to all of us. When you are out and about traveling either to a far away city or a coffee shop down the street, you probably would like to avoid being murdered. Thanks to all of the scary headlines, television, and horror films, it seems likely. Your odds of your life ending as a murder victim? They are 1 in 229. Considering that the odds of your life ending in a shark attack are much longer (1 in 8,000,000), you immediately think you need to really look out for murderers. But to give things some real world perspective, you are more likely to die via suicide (1 in 92), and the vast majority of us will die simply because of our daily food choices. Heart disease is the number one killer in the United States - 1 in 6.
Of course the salesperson selling anti-murder blankets is going to focus on that murder statistic and probably not going to mention the heart disease. You have to learn to say yes, I get that being murdered is bad, but bare minimum I should start that diet and deal with any suicidal thoughts before I even think about an anti-murder blanket.
In general, people are bad at risk assessment, constantly preparing for murder and ignoring heart disease.
I am a person who has had weird things happen, which I have previously documented in a blog post about my paranoia. All of these things influenced me, but the one that brought about the most drastic change was the hotel room break-in, which is detailed in that same blog post.
Having my hotel room broken into and my tech targeted was my wake-up call. Those kinds of attacks still happen to people involved in infosec, although I would deem them less common for ordinary normals. The main point for me was that things really needed to change.
Control. That was what I needed. At first I simply carried my laptop with me everywhere, but I was still extremely apprehensive. Between the hotel incident and other criminal encounters I have experienced such as several mugging and pickpocket incidents, I did an assessment of my risks. I pulled heavily from examples from the infosec world.
As a result of all of this thinking, I’ve written up security guides for travel for various employers over the years, and I’ve developed examples to give to security professionals to help teach them physical security concepts. I could also talk about security awareness to non-technical and non-infosec people, and use examples of physical OPSEC to explain computer security concepts.
By defining a threat model that involves an unknown attacker (spy/basic mugger/sly pickpocket) physically attacking instead of cyber attacking, I came up with a way to explain a few security concepts. Wrapping the entire scenario around travel helps in relating to others. A lot of people have anxiety about various aspects of the whole travel process, so it is easier to relate these concepts to them.
The main security concepts I’ll reference are as follows: reducing your attack surface, inventory control, patching, disaster recovery, multi-factor (sometimes referred to as two factor) authentication, and zero trust networking.
Since this all started for me with the idea of protecting myself while traveling, I started out with making a list of risks that could happen during travel time, and listed them from most common (airport delays) to the least common (zombie/extraterrestrial invasion). As you can see from the slide above, at the bottom I have our six concepts, and this one falls squarely into the realm of Disaster Recovery. This is what we do in risk assessment: we rank our threats.
This is not an inclusive list, but a decent starting point - I’ve experienced most of the items on this list while traveling. Sure it is an incomplete list - I don’t even include The Singularity or any reference to the inevitable robot uprising - but the list is intended as an example. Also, if you include all the half dead humans stumbling about the earth staring blankly at their phones, then zombies are already here, but we will still leave them toward the end of the list as rather unlikely.
As we move forward we will discuss various remediations, although some of the remediation done is in anticipation of really bad events that are extremely unlikely. I still do extreme things to protect myself, even when I know the odds against it happening are low. For example, I know another hotel room intrusion is rather unlikely (“Crime” is halfway down the list above), but I feel better about it and most importantly I feel like I am in control. Feeling in control helps one handle changes - even disruptive ones - a little easier. As you will see, my physical approach to my hotel room uses a model of zero trust networking, which all but eliminates the impact of the threat. As a result, I feel more in control.
The general concept of the gray man, or going gray, is not a new one. The idea is to try to blend in and not stand out. If you’re at a corporate meeting, don’t wear a swimsuit. Don’t wear a tuxedo to the beach. But when it comes to the gray man concept, the idea is to not just blend in when you’re in a crowd, but you try to actively look and dress in a way that really hides you. For example, when the brain is trying to interpret raw image data streaming into your skull from your eyes, bright colors actually invoke a response in a part of the brain that processes visual data, whereas muted drab colors like gray do not. Hence the term gray man.
From a physical OPSEC perspective, by decreasing stimuli that trigger the brain such as ball caps with logos, t-shirts with writing, and bright colors, you are less noticed. This is a great example of reducing the attack surface, and certainly involves a bit of inventory control - when traveling it cuts out your choices so you end up packing less. And you are decreasing the “zone of trust” you have around you, by closing off ways you potentially stimulate the brains of the various people around you, especially potential muggers and pickpockets scanning the crowd, looking for a victim.
I know the concept of “going gray” is gender neutral and when I’ve presented this it has been pointed out to me by women that they do their own version of this, and have done so for years and years. However if you’re interested in pursuing the “gray” aspect of this further, you’ll have to Google “gray man concept” to learn more.
Along the same topic of not trusting those in your physical environment and getting into a solid “zero trust” mindset, remember to limit the amount of information you give those around you when traveling out of town. This can be as easy as giving a common name like David or Mary for the barista to write on the side of your cup, or maybe giving information at a restaurant that you are “Smith, party of two” and when you walk up just state you’re alone. No one will notice a name like Smith being called out, but they would notice a name like Loveless (trust me on that one). This obviously helps reduce that all important attack surface.
If I have a meal at the hotel restaurant, if I charge it to the room I will make sure the signed check with my name and room number are handed to the waitstaff or hostperson. No point in leaving who you are and exactly where your room is located in the hotel on a piece of paper on the table - especially after a breakfast before you head out for the day. You’ve potentially left just enough information for a social engineer to gain access to your room while you are out. If I pay for it outright with a credit card, I’ll still hand it to waitstaff so my name isn’t found out.
Speaking of hotels, there are a few things you can do to help protect yourself, starting at check-in at the hotel’s front desk. If I fear I may be targeted directly by an unknown adversary, I will change rooms at check-in if they were pre-assigned. This is a rare attack vector for most people, and I mainly do it now just so I feel slightly more comfortable. But something I encourage people to do is to tell the hotel at check-in you wish to be listed as a Non-Registered Guest, or NRG.
NRG was originally intended to protect celebrity hotel guests, so if there was a pop star staying at a hotel you couldn’t call up and pretend to be the tour bus driver and ask to be connected to Taylor Swift’s room. If you call the hotel operator and ask for a person staying there, NRGs do not show up on the list of current guests. If you happen to learn the room number of an NRG, you can’t even call up the room from another room - you’ll get a message stating the room is unoccupied, which is the same response you will get for an unassigned room. Only hotel staff can contact you via the room phone. If you do need to have someone besides hotel staff contact you, ask if you can be registered under an alias instead of as an NRG, and let the people who might be contacting you know what your hotel room alias is.
NRG is not something done at every hotel, but every 5 star hotel and large hotel chain property I’ve stayed at supports it. It is also more common in larger urban markets than the ‘burbs or small towns. But it helps protect you from non-hotel personnel. This is more of that reduction of attack surface, in case you haven’t guessed already.
After the Las Vegas mass shooting in 2017, the hotels in Las Vegas made some changes to some of their security policies. Like most sweeping security policies put in place in the name of protection, interpretation of those policies by front line personnel often tends to vary. The privacy- and security-conscious attendees of Black Hat Briefings and Def Con had some legitimate concerns in the summer of 2018 regarding this interpretation. While I think the issue of hotel staff barging into your hotel room is both physically threatening and privacy violating, I’ve taken a completely different tack when it comes to what is in essence a room invasion - I mentally remove the threat.
This may seem lame, but just because an underpaid security guard could enter and possibly violate both hotel policy and actual local, state, and federal laws, don’t expect them to listen to your carefully crafted arguments about your rights. In the heat of the moment, I find it best to grab my tech and leave. I always assumed they can enter my room at any point, and actually assumed it long before 2017. I learned this at security checkpoints at airports - I assume the worst and when it has happened (TSA can often be aggressive) I was not surprised.
Ask at the front desk when you check in what their policy is regarding hotel security staff doing security checks in occupied rooms, and ask if you can call down to the front desk or request hotel credentials if a visit occurs. However just assume it will be bad, and if it isn’t, great.
As a part of disaster recovery, you prepare for problems. In travel, you do the same. You work out some scenarios and ask yourself “what would I do if…”
If the flight is cancelled, do you book another flight? Can you connect via an airport in another city? What about other forms of transportation such as rail, bus, or rental car? Working those scenarios out ahead of time will save you effort and a bit of sanity. If the hotel you had booked burns to the ground right as your Lyft drops you off, what is your next step? Something much more likely might be what happens if the hotel has a plumbing issue that renders an entire floor unusable, and when you arrive you are simply told “sorry we are out of rooms.” This one actually happened to me - finding another place to stay took a bit but I already knew of a couple of optional hotels I could keep in mind. As you can see, a repeating theme is emerging - plan for the worst, so when bad things happen you have a plan, but most of all you are less stressed.
This may not look like a reduction of attack surface or inventory control, but it is. A lot of what I carry that might be included in a laptop bag often ends up in my pockets. For the full rundown on my everyday carry (EDC) check out my blog post, “A Security Guy’s Every Day Carry”.
However just singling out the wallets should give you an idea about the patching and zero trust aspects of an EDC. As you can see I have three wallets. In the picture above, the lower wallet is my main wallet, and is kept in a front pocket instead of a rear pocket. Applying a fix to an existing flaw which essentially closes a security hole is what I’d call patching. I patch two flaws in the wallet scenario - the wrist wallet in the upper right prevents me from revealing where my main wallet actually is, and the upper left wallet with the five dollar bill is my bait wallet. It goes in the back pocket where a wallet is usually located, and has a note for a would-be pickpocket to rethink their life. Don’t laugh, this is my third bait wallet.
This is it, everything I carry on a trip, regardless of length of trip. The backpack actually holds all of this - my CPAP machine, extra cables, a toiletry kit, and my clothes in a packing cube. Even the laptop bag will fit in the backpack, which means I can carry the entire trip on my back. There is nothing to check, so no waiting at baggage claim. I get off the plane, I can immediately head on to my destination. It also makes things so much more flexible on trips where there is an interruption. By reducing what I carry and limiting quantities, I am much more agile.
By being much more agile, I can deal with pretty severe situations. Instead of listing in detail everything in the laptop bag, I’ll highlight a few things about it and cover everything in detail in a future blog post. Everything I really care about, such as my tech, my medications, and a few key survival items, is kept in the laptop bag. Remember it can fit in the backpack, but there have been a few occasions when the overhead storage on the plane has filled up before I boarded and I have had to check the backpack. I can quickly remove the laptop bag from the backpack and all of the hard-to-replace items stay with me. If the backpack gets lost or stolen by the airline, it is stuff I can replace quickly or don’t care about.
The added advantage is that I never leave important items in the hotel room when traveling, so my laptop bag becomes my day bag and goes with me everywhere, including to restaurants or a bar. This reduces a lot of the worry about my hotel room as the tech is never unattended, it is constantly in the possession of someone I trust - me.
I have a few odd items in my laptop bag that might need a bit more explanation, but these are things that are added to the inventory that do help reduce the attack surface. Having a small lockpick set and a tactical pen (it can break glass or function as a weapon, in addition to writing) probably makes sense for a lot of security people. The silcock key is somewhat non-obvious, but since it can open those faucets on the side of buildings to get fresh water in a pinch, open weird sockets and HVAC system covers, and has a couple of screwdriver attachments, it is a great addition that helps provide extra options in more extreme situations - and it is a great addition to a physical pen tester’s toolkit. The survival tin contains some cordage, fire starting options, and a few other odds and ends such as a compass. Most of it is really not needed, but it is small and helps me feel more in control.
The item in the upper right is a doorstop. Talk about a patch - you might run into a situation where you need to keep a door open that might shut and lock behind you, such as on a pen test. Another use is during an active shooter scenario, where you duck into a side room and shove that doorstop under the door. This isn’t that likely of an event (1 in 160,000 chance of being killed by an active shooter), but remember that situation involving the hotel room and being afraid someone might enter? Hotel staff has tools and various techniques to enter a hotel room, but a simple doorstop can prevent entry. Doorstops are inexpensive, light, and can cover a number of potential issues - but just as important, a doorstop can make you feel safer even if you never have to use it. Having peace of mind can go a long way toward remaining calm (or at least calmer than full panic) during an incident.
A brief word on the toiletries. While something like baking powder toothpaste makes sense to me because a small amount lasts forever and takes up less room than toothpaste, having Dr. Bronner’s soap in the small container at the bottom of the above picture is wonderful. It certainly helps reduce what I carry. Not only can it be used for washing your body, it can be used for washing your clothes in the hotel sink. This allows me to apply the “wear a pair, pack a pair” rule to underwear, socks, and pants. Couple this with several shirts that dry quickly, and I can pack fewer clothes. If weather delays lead to an extra day or two in the hotel until the airport opens, no problem. You’ll have clean clothes as long as you have Dr. Bronner’s and a sink.
Wendy Nather once said that the perimeter is anywhere you make an access control decision. The concept of zero trust hinges on this - it is not about saying you don’t trust this or that, it is about knowing when, where, and how you make those access control decisions. We do it with our physical self all the time, picking the well-lit street instead of the short cut through the dark alley, and it’s no different with computers.
So these were my slides from Enigma, with a bit of extra text based off of the Q&A and the various hallway comments after the talk. I hope this helps give you some perspective and extra insight when trying to explain security concepts to non-security friends and colleagues. Bare minimum I hope you got a few decent travel tips out of it as well.
[Edit 2019Feb22: the video is up.]