Night at the information security museum

Apr 21, 2017

Earlier this week, Ira Winkler wrote What security practitioners can learn from the United's failures. He astutely noted that organizations should learn from failure, and ideally the failure of others. I'll take his lead and provide another learning opportunity for information security professionals.

Physical security is a fundamental part of information security. In fact, operating systems base much of their security controls on an assumed secure physical infrastructure.

Museums are a great example of where effective physical security comes into play. Like information security teams, museum security is often understaffed with limited budgets.

Museum physical security incidents provide an excellent learning mechanism for information security teams. With that, I'd like to look at three major museum incidents and provide a lesson learned from each for information security professionals.

Isabella Stewart Gardner museum

This is the granddaddy of all museum thefts, where 13 pieces of art were stolen from this Boston museum in 1990 worth over $500 million. It's the largest private property theft in US history. While never proven, circumstantial evidence points to a low-paid security guard who facilitated the thefts. After 27 years, the case is unsolved.

Lessons learned: Unsolved cases make it harder to draw lessons. But one of the museum guards was allegedly involved. Be it Edward Snowden, the unnamed Sony Corp. employee or myriad others, insiders with access are a threat that most firms don't consider.

Many firms think that starting a program to defend against insider data theft makes it seem like they don't trust their employees. Yet these same firms won't think twice about locking the office supply closet or securing the room with snacks. Confidential data should be at least given the same level of security consideration as printer toner or M&M’s.

The CERT Insider Threat Center at the Carnegie Mellon Software Engineering Institute is the best place to start your data gathering around insider threats. Their research has information to help identify potential and realized insider threats, institute ways to prevent them, and establish processes to deal with them if they do happen.

Bode Museum

Just last month, one of only six Royal Canadian Mint issued Big Maple Leaf coins, worth $6 million, was stolen from the Bode museum in Berlin, Germany.

German police said that the thieves used a ladder to break into the museum around 3:30 a.m. Investigators haven't revealed how the burglars managed to avoid setting off alarms and leave the museum unnoticed while carrying the heavy coin. News reports said the theft itself was meticulously organized and reminiscent of the plot of a Hollywood film.

Utilizing a 2 1/2-hour lull in the early hours of the morning when Berlin's public transport shuts down, the burglars walked along the empty light-rail tracks running adjacent to the museum. They proceeded to bridge the four-meter-wide gap between the museum and the tracks using a ladder, jimmying open a window on the museum's top floor.

Police later discovered the ladder discarded on the tracks after they were alerted to the break-in around 4 a.m., only 15 minutes after investigators believe the burglars made off with their loot.

Lessons learned: The Gardner theft started around midnight, this one around 3:30 a.m. Graveyard shifts often have bored and lonely skeleton staffs. Adversaries are more likely to launch an attack on a holiday weekend than on a Tuesday afternoon.

CSOs must ensure that their staff (both internal and outsourced) monitoring systems and networks are there during the wee hours of the night and on long weekends.

In addition, these attacks are done with significant planning and exploitation of weaknesses in design and architecture. Did museum security staff see the light-rail tracks as a threat? Did they mitigate against it? The attackers knew the weak points of the museum and thought outside of the box. Internal security teams must think both inside and outside of the box if they want to protect their data assets.

National Gallery of Ireland

In 2012, Andrew Shannon ruined a Monet masterpiece worth $10 million by punching a hole in it with his fist. Shannon initially said he felt faint and fell into the painting. But a security video showed otherwise, and he was convicted and sent to prison.

Lessons learned: Comprehensive physical security goes a long way. The video shows that the Monet was well secured into the wall to prevent someone from dashing away with it. But since there was no additional protection, Shannon, while no heavyweight, could issue a knockout punch to the painting.

The CCTV also showed Shannon lied. In IT, the equivalent is logs. You can't stop every event, but if you have a good logging strategy in place, it makes finding the culprit and the cause much easier.

When it comes to data, the principle of least privilege is your friend. Don't give users more access than they need. Far too many users have administrative privileges, and many will have access rights they no longer need. Regular checks for appropriate access are in order.
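As an added example (not from the article), here is a small Python access review in the spirit of that advice: it takes constructed entitlement records and flags administrative rights and rights unused past an assumed 90-day threshold, so stale and excessive access can be removed rather than accumulate.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

STALE_DAYS = 90  # assumed review threshold; the article gives no number
ADMIN_ROLES = {"admin", "domain_admin", "root"}  # constructed role names

@dataclass
class Entitlement:
    user: str
    role: str
    last_used: Optional[date]  # None means the right was never exercised

def review_access(entitlements: List[Entitlement], today: date,
                  stale_days: int = STALE_DAYS) -> List[Tuple[str, str, str]]:
    """Return (user, role, reason) findings for an access review.

    Two least-privilege checks: every administrative right must be
    re-justified, and any right not exercised within stale_days (or never)
    is a candidate for removal.
    """
    findings = []
    for e in entitlements:
        if e.role in ADMIN_ROLES:
            findings.append((e.user, e.role,
                             "administrative privilege: confirm business need"))
        if e.last_used is None:
            findings.append((e.user, e.role, "never used: candidate for removal"))
        else:
            idle = (today - e.last_used).days
            if idle > stale_days:
                findings.append((e.user, e.role,
                                 f"unused for {idle} days: candidate for removal"))
    return findings

# Constructed sample entitlements for a review dated to the article
TODAY = date(2017, 4, 21)
SAMPLE = [
    Entitlement("alice", "finance_reports", TODAY - timedelta(days=3)),
    Entitlement("bob", "domain_admin", TODAY - timedelta(days=1)),
    Entitlement("carol", "hr_records", None),
    Entitlement("dave", "backup_operator", TODAY - timedelta(days=200)),
]

if __name__ == "__main__":
    for user, role, reason in review_access(SAMPLE, TODAY):
        print(f"{user:8} {role:18} {reason}")
```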


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.