It Takes a Thief

Yesterday I watched an episode of the Discovery Channel series It Takes a Thief. This is the essence of the show:

  1. Business or homeowners agree to have the physical security of their property tested.

  2. Former thieves case the target, then rob it blind.

  3. Victims review videotape showing how thieves accomplished their task.

  4. Victims exhibit shock and awe.

  5. Hosts help victims improve the physical security of their property.

  6. Former thieves conduct a second robbery to assess the improved security measures.


I have mixed feelings about the show. First, I'm not thrilled by the attention given to the former thieves. Reading this question and answer session with them made me uneasy. I justify watching the show and mentioning it here because the lessons for security are helpful. However, it seems to be rewarding criminal behavior and glorifying theft. I would feel better if these guys acted more like Frank Abagnale (who has had to deal with controversy in our industry). Mr. Abagnale always expresses great regret for his crimes and has worked tirelessly for decades to improve security.

Second, I was disappointed to see how naive the business owners were with respect to security. They expected a door latch weaker than the one pictured at left to "secure" a door on their property. The host of the show just pulled hard on the door and yanked the latch right off the frame! This reminded me of Web site owners expecting a hidden directory to hide files not meant for the public. I don't mean security by obscurity; I mean expecting ridiculously weak measures to have any effect beyond those who simply follow the rules. I guess my take-away from that reaction was the idea that security measures meant to be effective for law-abiding citizens, but no one else, aren't really security measures at all.

Third, it took a "penetration test" -- step 2 -- to demonstrate the weak security posture of the property. The owners were shocked to see the intrusion occur on videotape. What's worse, their reaction still emphasized not inconveniencing their guests. What?!? Why should I want to even stay at their hotel or do business with them if my personal information, property, or safety could be so easily compromised? The reality is I feel safer knowing the business takes security seriously, and it doesn't take bars on windows or guards with guns to improve security postures.

Fourth, I was really glad to see a strong emphasis on monitoring as part of the new security plan. The host and team deployed nine video cameras across the property, along with improved door locks and the like. Also note that it took reviewing videotape of the original (staged) intrusion to understand the property's weaknesses. Sure, a "vulnerability test" could have enumerated all or most weaknesses, but knowing how the criminals in the case actually operate can be more valuable. When the second pen test happened, the property owner detected the intrusion attempt and confronted the testers. (In real life the police might have been called instead.)

If you want other thoughts on this show, read Marcin's post.

Comments

Unknown said…
I've watched this show off and on as well. I think I'd watch it more, but really each episode is pretty much the same principles over and over. Don't leave things unlocked. Know your assets. Be realistic about what little protection you have, etc. Then again, even just today I heard someone say, "wow, I just don't think like a criminal like that," when discussing the merits of using cable locks when out at a trade show booth.

While I think that is an honest reaction for some people, I think many others simply deny that an insecurity incident will happen to them, which in turn "justifies" flimsy protections or lack of any real secure actions. How many times do you hear someone defend their home security posture by saying, "I know it's not the greatest, but what are the chances...." Lots of people pay lip service to security, but then don't do jack about it.
