Monday, February 18, 2008

Learning from It Takes a Thief

The Discovery Channel's It Takes A Thief is an interesting method of advocating home security. For those who haven't watched it, the basic show format is that two hosts, both former burglars who have turned their lives around, first break into a house (with the owner's permission), then upgrade the house's security and retrain the owners before trying it again.

For those who have never participated in a physical security penetration test, this is a reasonable introduction to one form of penetration testing. If you're a security professional, or have physical security expertise, you'll probably note that their targets are selected for the wide variety of issues they have, and that some of their actions as shown would get a security professional fired - things like entering the house without a written 'get out of jail free' card. You'll also note that while they make quite a few physical security upgrades, there are often ways around the systems that are installed. If you're questioning that, read their security tips: their goal is to make the house a harder target than the rest of the neighborhood, not to make it invulnerable.

In either case, the families that are on the show do appear to get real security improvements and the impact that the show makes on their habits is real - at least in the short term. Let's hope that a year or two from now the show goes back to check how the participants are doing with their habits and whether their systems have continued to both be used and to function properly.

There are a few interesting things to note in comparison to what many of us would consider the more familiar case: a penetration test performed by an electronic penetration testing company.

  1. The hosts select the owners by checking a number of houses in a given neighborhood, rather than the owners soliciting the testing. This is remarkably similar to the unsolicited companies and individuals who look for vulnerabilities in software and websites.
  2. The owners are allowed to watch, but cannot respond to the event. In most penetration tests, organizations are encouraged to let their normal defenses respond as they normally would, typically with some level of cut-out to ensure that escalation doesn't cause damage or down-time. While one episode does see the police called on the host while he is robbing the house, the owners never come home and children or others are never in the house for the event.
  3. Technology, infrastructure, and process are reviewed and upgraded. This is very similar to the result of an electronic penetration test; however, here the hosts themselves provide the upgrade. A model where the assessor does a risk assessment and determines the security improvements to be deployed (albeit, with the understanding that much of it is vendor driven based on advertising) is intriguing. You don't often see companies doing this sort of publicity, but wouldn't it be an interesting marketing strategy?
  4. The homeowners watch video of the robbery as it happens. Typically, senior members of an organization merely receive a report, as electronic penetrations are not as dramatic to watch. A home invasion and theft has a strong impact on the homeowners, and that visceral feeling can't be easily replicated in a summary report of findings.

This is, at the end of the day, a live physical security penetration test. Identities are not fully disclosed, although people who recognize the homeowners or know their neighborhoods would be able to identify them and would then be familiar with their security systems and their valuable possessions. That's an interesting potential issue, as the homes chosen thus far have typically had valuable possessions reaching into the hundreds of thousands of dollars.

I'll be pointing their home security tips out when I give talks on physical security - having a TV show example is a great way to reach my audience, and awareness at home is a great lead-in to awareness at work.

Creative Commons licensed photo credit: Flickr user Ben Scicluna