My name is Delchi. Many of you have not heard of me, so I put together a quick little briefing. I've been called the Infosec Rasputin. Anyone who knows Rasputin knows why that's fitting. I also was voted the Gordon Ramsay of IT three years in a row. I've spoken here at DEF CON before, HOPE, PumpCon, Guy Talks, and other professional engagements. I'm also the Minister of Propaganda and Revenge for Attack Research. Those of you who have seen Delbert before probably recognize this. Anyone who recognizes the reference to Guides, rock on. So, Hacker Chick digs me. If you've read Hacker Chick's column, she's appreciating that, having spent time with me back at the Alexis Park back in the old days. And that's enough about me.

Any of you who know how to set a shell variable, close your eyes, set the shell variable for deity. And we are going to recite the Infosec Serenity Prayer together. So, once you set that shell variable, repeat after me. Deity, grant me the serenity to accept people who will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom to go out drinking afterwards. I first recited this on Exotic Liability about a year ago, and people haven't lived by it since. I think it's a good thing to start out any talk with.

You're doing it wrong. What does that mean? It's a phrase meaning that the method you're using is not creating the desired result. That doesn't necessarily mean you're in error. But the effort you're making and the manner in which you're going about doing things is not providing the result that you want. This is the number one problem I find in physical security. So, I'm not trying to insult anyone and not trying to say, ah, you don't know what you're doing, blah, blah, blah. What I'm saying is there are things that you don't know about yet that are going to come up and bite you in the ass. And that's what I'm here to tell you about.

First off, let's start with what your goal is.
Your mission is to design and implement a physical security system for a new facility with multi-factor authentication and video surveillance. Do you accept this mission? Oh, I said yes. I wanted to get out of New Jersey.

So, physical security: lasers, iris scanners, fingerprint readers, high security locks, all that great stuff that comes to your mind, right? That's what you think of, right? You think of physical security, you see all these great toys and you're like, oh, wow, yeah. But the thing is that you can't just jump into it like that. And to prove this, I call upon Dick Marcinko, the Rogue Warrior. Proper previous planning prevents piss-poor performance. You cannot just jump into a physical security engagement and go, well, two of those, three of those, four of those, put them in the wall, we're done. It doesn't work that way.

There is a definition for physical security. And how many people know the old saw about that, right? You ask three people what physical security is, you get four answers. So let's start out with defining physical security. Wikipedia. Well, I had to do something you would know. Physical security describes both measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. Sounds pretty good, doesn't it? Come on. Good, yes, no? So let's see what the feds have to say. The NRC says measures to reasonably ensure that source or special nuclear material will only be used for authorized purposes and not end up in Gomez's basement. And then the state of Texas says measures that are used to provide physical protection of resources against deliberate and accidental threats. Now these all sound like pretty good, reasonable definitions, don't they? Well, the number one definition of physical security is to ensure that Chris Nickerson stays out of your building. For all four of you that have ever seen Tiger Team, you understand what I mean.

So let's look at our methodology. There are five steps.
Assessment, assignment, arrangement, approval, and action. These are critical. If you go through these in this order, you will prevent problems from happening. So let's go over these one by one.

Assessment: a thorough examination of the facility to be protected. What this means is you make a walk-around. You buy a new pair of shoes and you look at the area that you're going to protect. My first walk-around on this assignment, I walked into the loading bay, walked into a Staples truck, took a case of photocopier paper, put it on my shoulder, walked into the building and walked into my office, unimpeded. After that I went out and got lunch. I came back to the front door, walked through the turnstiles, set off the alarm. The security guard didn't even look up from Facebook and I walked into my office. What you need to do is make a physical assessment of the area you are going to be protecting.

So let's dig a little deeper into that. Scope of the property. Am I just the third floor? Am I the entire building? Am I the parking lot? Am I the roof? Am I the parking garage? Know what you're going to be protecting. Look for all established points of entry and egress: regular doors, fire doors, garage doors, a door that looks like it goes nowhere but actually does. Potential points of entry and egress: skylights, if your name is Lizzie Borden; a garage door that is next door but has a side door that leads into your building; windows, glass doors. I hate glass doors. Can anyone see the logic behind having a glass door in a secure area? Well, yeah, I'll buy that. It's usually all yuppie, you know, wow, look at my amazing glass door. And I'm like, yeah, look at my amazing glass door breaker that I got from the EMT. Now you're compromised.

Look for existing security measures. Sometimes in a building there will have been a previous security system. It may still be there. It may be in use, it may not. Maybe you can use it, maybe it needs to be torn out.
Are we using locks? Do we have to replace those locks? Who has the keys to those locks? Who has the master key to that lock? Is there a retired guy sitting at home with the key ring with the front door key to your office, sitting next to his Budweiser?

Evaluation of the physical property. It doesn't mean just the property itself. On one engagement I had, I took a walk for about a mile in each direction. A quarter mile away from the office was an ice skating rink, open to the public. The parents would dump their kids at the ice skating rink and leave them there on a Friday and Saturday night. I don't need to tell you the kids weren't ice skating. They were smoking and talking and sneaking their first beers. And then they decided they needed some money and they would walk across the parking lot into my facility, smash car windows and steal GPSs, and then sell them at pawn shops. So, an evaluation of the physical property and the surrounding area. And then risk assessment. How much risk is there? Am I next door to a correctional facility? Am I next door to a bar? Is there a crack house across the street? Evaluate your risk and then you can build your mitigation.

Next, assignment. Establish the required level of security for specific areas and assets within the facility. Not everything needs a three-factor biometric laser-generated lock. You will not spend $10,000 on a security system to secure the coffee room unless you like good coffee. So you assess high level: your data center, your executive offices, your finance and accounting offices. These are very important, high-value targets. I was invited by a CEO to do a security walk-through on a building once, and he damn near made bang-bang in his Pampers when I showed him his tax records for the last five years. Because the file cabinet was unlocked, the CFO's office was unlocked, the window to the CFO's office was unlocked and they were on the first floor. Prioritize in that manner.
Medium level: all your entry and egress, your front door, your back door, your fire exits. Figure out what you need to do to protect them or if they're already protected. Also, your reception area and your elevator area, should you have one. This is where people will come in and out of your office. This does not require a high level of security. Again, no $20,000 locks. But camera surveillance, yes. Due diligence. Who came in, who went out? Monitor those areas. Be a little more cautious than you would otherwise.

Low level areas: your common areas and your cubicle farms. They are not a high security problem, but you still have to watch them. If you do your layout correctly, which I'll get to in a second, if someone takes a desktop out of one of your cubicle farms and walks to the front door with it, you should see them on six, seven different cameras as they go from one place to the other. And let me tell you, law enforcement loves that. Because if you only have the one camera, you see a guy carrying a computer. You don't see him going out the door. You don't see him going into the parking lot. You don't see him going into the basement. You have no proof. It could be anybody carrying a computer from point A to point B.

So consider also insurance requirements. Some insurance companies require that you have a best effort or a minimum effort to secure your facility. Make sure you meet those requirements; know what they are. Compliance requirements. PCI. Who here has to deal with PCI? Don't you hate it? Well, you may have some compliance issues like securing your data center, keeping your computers, your physical backups, your tape backups, CD backups, storage. These things may have to be secured at a different level. Fire code requirements. You can lock a fire door from one side only, not from both. Make sure that you're in compliance with your fire codes. Make sure that you can't just jimmy it open. Last night at my party, some folks thought they'd be brilliant.
They jimmied open a fire exit and tried to come up the back door without invites. They were caught. This is a good thing. And business requirements. Make sure, at the end of the day, when you assign things correctly, that it fits with your business plan. You do not want your IT director locked out. You do not want your business to falter because an IT guy can't get into the data center in the morning because the lock system has locked him out and your server is down and now you're losing business. And right now losing business is tantamount to death.

Arrangement. I touched on that a second ago. Establish the most effective locations for your security devices based on your requirements. Placing your cameras with wide-angle lenses or focused lenses in particular zones, making sure that the zones overlap. When I got done with my system, I could watch someone from the front door to their desk and out the back door on eight different cameras. As they walk through, you can track people. Again, this is important because you have to be able to prove bad things are going wrong. Also, if you're a James Bond fan, someone will kind of sneak up, go snip, snip, snip, and try to cut the cable on your camera. Now, if you've armored your cables, you don't have that problem, but if you didn't, here I am cutting the cable on the camera, but there's a camera over there and a camera over there that's watching me do that. So that's the idea of arrangement. Make sure that there's redundancy.

Some places like to have mantrap doors. Who here has had to deal with a mantrap door before? Do you know what the captive audience is? Have you ever heard of the captive audience? That's when you walk through the first door of a mantrap, and then you walk out the second door of the mantrap, and you shut it, and the poor bastard behind you is going to walk into Taco Bell. Beep! Hey! Alright! That's called the captive audience. So, cameras: field of view, redundancy and tracking.
Doorways: ergonomics and traffic control. You want to minimize tailgating. You don't want to encourage it, if you want to do what I was just talking about. You make sure that you don't have 35 people lined up at the door to swipe their card and getting to their desks late every day. So ergonomics is important as well as security. You have to make sure you don't back things up. Make sure that there's a clear way in. Multi-factor authentication. Again, you don't need it everywhere, but you need it some places. Time-based restrictions. Some people like to say, general employees, 9 to 5, you have access. After 5, you can get to your desk, but you can't get to the executive area. You can't get to the data center. You can only get to your desk. Some places like this; I encourage it. Because I think that minimum access should be the rule. The bare minimum you need. Centralized control.

Be aware of your cabling limitations. Who uses PoE? How many times have you been burned because you've gone outside of the maximum distance? Anybody? Beautiful design. Beautiful building. PoE stopped working halfway across because we needed repeaters. No one thought of it. Keep that in mind when you're doing your arrangement. Power. Do you have power for everything? Do you have redundant power? If the power goes out, all your locks suddenly fly open and you become a fire sale. Archiving and disaster planning. Keep your security logs safe. If for some reason a disaster hits, will your security system go to your backup area? Who here has a disaster recovery plan that has a second office? So, does your ID card work in both of those offices? If I close up office one and go to office two, beep, does it work? These are things you have to consider when doing arrangement.

Approval. This part sucks. Submit all plans, cost schedules, and related data to management so they can be duly rejected. Get quotes from multiple vendors. Know the lifetime requirements of your system. How many plans are there?
When it comes to cost, you always walk in with three plans, A, B, and C. Who knows this trick? Plan A is ridiculous. We'll get some dental floss and a laser pointer. Plan C. Well, there's this quarter million dollar thing that I saw at DEF CON. It shoots a laser and cuts somebody into 100 pieces like in that movie. Well, for 50 grand, we have a vendor who's going to come in here and secure our building with ID cards and cameras. Management says, oh, well, I think plan B is the best. Always go with three plans.

Flexibility and options. Make sure that if suddenly somebody says we're putting a new door over there, you can actually add that new door into your system. Do you have the available space? Do you have the wiring? Do you have the electronics area? And options. We don't want biometrics right now, but a year down the line we get a new contract. We should probably have some kind of biometrics in there. Can your system handle that? Can you upgrade the system to that? Think ahead.

Scheduling. Time frame for completion. This is probably the most abused thing in the whole process. You have to have a time frame. You will violate it, but you have to have it, and make sure that you're not going to interfere with normal business operations. You can't get into the data center because there's a guy with a stepladder there for six weeks putting a screw in the wall. Or you accidentally cut a cable. Or we need access to this part of the building. Construction is not an easy thing. Sometimes you have dust problems, asbestos removal problems. This will disrupt normal business operations. Take this into consideration.

Action. We finally get there. Implement the physical installation of the system. This is the fun part, right? Not really. You have to oversee construction. You have to oversee inspections by building inspectors. You have to manage the problems and corrections that will inevitably be needed. You have to train. Train your security officers. Train your users.
Establish policy and procedure. Very important because, again, you have to tell users what to do. And you have to have a policy in place. Who has a good security policy in their office? Who's been burned by not having a good one? Exactly. You get those people that say, well, I had an expectation of security. You signed that paper when you came on board. Well, I didn't know I couldn't give my access card to my girlfriend to come into the secure area and send off my desk. And I didn't know I couldn't know. You take care of that early on in the game.

Also, testing. Very important. Test everything. Don't believe anyone. As some people say, trust in Allah but tie up your camel. Test every door. Test every alarm. Test every relay. Make sure that if you do something like you have a landline that sends an alarm to a central monitoring location, if that fails, you have a backup. You have a little mini cell that sends a signal over the cell phone that says, hey, you've been broken into. And then some bastard like me comes along with one of these and says, no you don't. You're jammed. What do you do? Did you test for that? These are things you have to keep in mind.

So, what could possibly go wrong? We have this solid methodology, right? We know what we're doing, right? We have made every contingency plan we possibly could, right? Well, guess what? No plan of operations extends with certainty beyond the first encounter with the enemy's main strength. We have known this since World War I. There will be problems. There will be things that can go wrong. And when they do go wrong, your methodology, your training, your experience, and your planning all go up in smoke. The first time somebody blocks their door open because they don't want to lock it. The first time someone breaks into your building and something goes wrong. The first time you get hit by lightning, something goes wrong. But in the process of building this, a lot of other things can go wrong. And this is not against.
The first thing you have to face is management. Before you even put drawing one on the board, before you put the paycheck out, you have to deal with management and getting your system designed. You have to deal with vendors. And that is no fun, but it can be. And I'll show you how. You have people who think they know more than you do. Who has a guy like this, who has a guy who acts like this in their office? And construction workers, the guys who are going to install your system, you have to deal with them. And last, but not least, my personal favorite, your users.

So let's kick it off. We start with management. What is management? Well, they are responsible for a few things. The pros are they provide your budget, they set the requirements, they tell you what you need to do, they run the show. The con is they know this. I write you a paycheck, you do what I say. It's very important to know that they set the requirements. You do not. Your job is to meet their requirements. Now you can nudge them along the way and tell them don't use dental floss and laser pointers, but at the end of the day, what they say goes. This is what it's like to deal with management. No, I'm the guy on the table. Now you see, I've given you your requirements and once you fail, I'm going to use this laser to torture you. That's what it feels like.

Let me give you some examples of the things I've been through dealing with management. I want a state-of-the-art, high-tech system, FBI, CIA kind of security. This was told to me by the CEO of a rather distinct company. After about six weeks, I came back to him and I said, I can do that. Looking at the floor plan, here's my plan, $54,000. He looked me straight in the eye and he said, can't you just get something from Costco? It got a little warm in there. So, I had to teach him one of the most valuable lessons in physical security. I think this speaks for itself. You cannot expect miracles.
I had a cheap Costco white box system that came out of China 20 minutes ago on an airplane. Other things. Here's another good one, one of my personal favorites. I went to Best Buy and I saw an HDMI cable for $50. I went online and I saw one for $2. I bought it, it works beautifully. I want you to do the same thing for my security system. I tried to explain to this guy, I said, look, this cheap system you found on the internet breaks. There's no repair, there's no service contract. Oh, that's okay. I'll just buy another one. How many of you think that's ridiculous? Good, I feel vindicated then. So, I had to explain to him, you know, you want to replace your security system every six months, and then where's your backup? Where's your video storage? Where's your records? Where's anything you need? That CEO came around after a while.

When you deal with management, key things: be knowledgeable on the equipment, technologies and best practices for your industry. Very important. If you are making car parts, you don't have the same problems as if you're infosec. If you're infosec, you don't have the same problems as a bank. If you're a drug dealer, you've got more problems than I can even get into. But know what you need and know what's required for your industry. Understand the impact of your project. Go to management and say, I understand that we're going to have to shut down the West Wing for a week while we do this. Management actually will appreciate this. Present facts. Support your facts with documentation: known risk, impact and proven mitigation. We have a front door. The front door could be kicked in. Therefore, we are going to use solid steel front doors and crash bars, sensors located in the edges, and we will have a camera on entry and egress. Now what you've just done is you identified the problem, you've identified the risk and you've shown how to mitigate it. And you did so in two sentences. Management will love you.
You will get to take the boss's daughter to the prom. Present in a factual and respectful manner, unlike what I'm doing right now. Show your work. Stand behind every inch of your design. Why do we have 30 cameras? Why can't we have five? We have 30 cameras because we have redundancy in every zone. Oh, that sounds good. If you don't know something, you don't know something. Very important. There is no shame in saying, I don't know. There's a lot of shame in not finding out. Go back, find out and present and say, this is what I found. I didn't know about this. I didn't know that I could use a mushroom stamp as a biometric ID. Okay. They make these things. If you want one, I'll design it into the system.

Most important, be prepared to lose gracefully and to win by being a sneaky bastard. You will lose against management. They have the ultimate veto power. Lose gracefully. You bastard! How dare you reject what I did? I put a... No. I understand your concerns, and I will address them and send you a new proposal within 30 days. Then go out drinking.

The soda paradox. This is the most important thing I could tell anybody about dealing with management. This actually happened. Only the products have been changed to protect the guilty. This happened during a physical security engagement. Management: Get me a soda. I come back and say, here you go. Here's a Pepsi. Management: Why did you bring me a Pepsi? I wanted a Coke. Go get me a Coke. Sorry. Here's a Coke. Seems good so far, right? Simple. Little mistake. Okay. This is a Coke. I don't want this. A cheaper Walmart brand than the Coke. It's the same thing. It's a little cheaper. Why aren't you listening to me when I'm telling you what I want? Now, go get me a soda. All right. I'm sorry about that. Here's your Sam's Choice soda. Now, this is closer to what I want. The manager said, what's the calorie difference between this and the Coke? I don't know. Once you said you didn't want Coke, I just didn't look at Coke anymore.
You said you didn't want this. But I need to know these things. You can't just ignore something because I don't want it. That is a quote. I had to sit in front of a CEO and have him tell me this. Now, make me a spreadsheet comparing the calories between the sodas. I go away and come back. Here's a spreadsheet with the calorie counts of each brand of soda. Who knows what's coming next? Where are the pictures? I want to see what the cans look like. I'm sorry, but you didn't ask for that. You asked for a comparison of calorie counts. Why do you never listen to me? You don't know your job very well. I also want to know where the kola nuts are grown so in case I need to know that, I'll have that information. He actually said this. I want to be able to pick up my cell phone and call you and have you tell me this information should I ever need it, because I don't know it. Well, there's only one answer to that. I can do that. This is not what you asked for. You asked me to bring you a can of soda and not give you a pictorial report on calorie counts. Why don't you listen to me? This is why I'm frustrated with you. You never listen to me. Well, at that point, there's only one thing to say.

This is a true story. It wasn't soda. It was component parts of a security system. This is what you're up against and this is what you will end up with. Toot, toot, all aboard the failboat. Be prepared. Be prepared. Don't lose your cool. Understand this is what I meant by losing gracefully and winning by being a sneaky bastard.

If you have good management, your manager, like my contract master here, Charles Rawls: shut up, get it done, failure is not an option. That sounds a little blunt and harsh, doesn't it? What else is being communicated in that statement? I trust you. I know you know your job. Get out of my damn office and do it.
This is the difference, because when you get management like this, you have their trust, you have their loyalty, you have their support, and they at least half believe you know what you're doing. And as a bonus, they usually take you out to dinner. That is management.

Understand you are in a position of trust and responsibility. The future of the company is in your hands. The future of your career is in your hands. Treat the job, the people and everyone involved with respect. You'll get it back, mostly. Mistakes are inevitable. Learning from them is expected. Not repeating them is mandatory. These are absolute golden rules. Keep them in mind. You will be given the opportunity to snatch failure from the jaws of victory. Don't do it. Remember the golden rule: whoever has the gold makes the rules. When you're dealing with management, they are in charge. Their requirements are what they need, not what you think is best. Remember the chain of command. That's the chain you will be beaten with until you realize who is in command. And also accept that you may be in a situation where management is right until proven less right, and only you are capable of being proven wrong. It is really hard to accept that. But you need to if you're going to deal with high level management.

You may end up working for people who are unpopular, unethical. People you don't like. People who don't like you. You might end up working for Microsoft. What do you do in a situation like this? You've got to work for this guy. What do you do? What do you do? There's only one thing you can do. Be a rock star. Even Elvis could shake hands with Nixon. Understand what you need to do to get your job done and to make the boss happy without compromising yourself and without compromising the company. Don't get angry. Don't get frustrated. Don't go, oh, screw you, and walk out the door, because that stuff will follow you. When you find success, you have something like this.
I'm walking down the hallway and the CEO has a visitor. Visitor says, hey, this system is really nice. Whoever did this knew what the hell they were doing. The CEO never had a bad thing to say about me ever again after that incident. The proof is in your work. Make it look good.

Vendors. There are a lot of vendors out there that you have to deal with in order to put together a security system. So, the first thing you need to do is understand vendors. About vendors: they provide the cool toys. They'll let you play with the toys. They know the history of the equipment. The bad side is they expect you to buy it. I love vendor samples. You get to play with some really neat toys. First thing you need to do is go buy this book. Every vendor I've ever known, in one way or another, follows the Ferengi Rules of Acquisition. Without exception. They may not know it, but they do. Don't try to rub their earlobes. But read the book.

Rule number one. There are many, many, many, many vendors out there. Don't get locked into one. Don't be persuaded into only dealing with one vendor. There are a lot of vendors out there. Rule number two. You don't always need the latest, greatest thing that just came off the assembly line. They will try to sell this to you. You don't always need it. Rule number three. Always deal with vendors between 11 a.m. and 2 p.m. You know why? That's right. They will be forced to buy you lunch. Also, before 11, vendors are drinking their coffee, hating their morning ride. Yeah, I'll get back to you later today. After two, they just want to hit the golf course. They want to go home. They want to be home. They're off the grill. Between 11 and 2, they have no excuse not to give you your answer. What's the easiest way to remember that? 11. 2. Victory.

Here's the reality of the situation. Management has requirements for the security system. Those requirements are passed to you. You create an RFQ, a request for quote.
And eventually, the vendor gets around to it, and management either approves it or denies it, and then you start the whole game over again if they deny it. I want more, I want less, less money, more product, and you go through this circle again and again and again. This may remind you of your favorite punk group. However, you have to do it.

So, never rely on a single vendor. Multiple quotes, always. Do not get caught in vendor wars. I'll beat his price. You're dealing with Bill? Bill's an asshole. I'll give you a better price. Now wait a minute, Steve here. Steve's too busy playing golf. I'll take care of you. You come over here with me. Don't get involved in that crap. Make it professional, keep it professional. Ensure the vendor is knowledgeable. A lot of vendors have a lot of products. They have 50 feet of catalogs on their wall. They don't know a damn thing about any product in them. Oh, you want a left-handed spanner? Sure. We specialize in those. Oh, it comes in blue, pink, and graphite. Oh, they're the best, I've used them myself. The vendor didn't know there was no such thing as a left-handed spanner. Make sure they know their products. A lot of people just have a catalog they pick out of. Talk to them. Get the tech specs. Get any historical data.

Do your own product research. Very important, instead of going home and playing Warcraft. Get on the net. This product is great. This product is great. I hate this product. Mine the data of the internet. You will find people who say we bought this system and it's horrible. It's crap. We bought it and we loved it. Do your own research. Get details of all aspects: warranty, service, training. Make sure it's all there, and beware of upselling. Well, you can have a card reader, but I can give you a card reader with a keypad on it. It's only an extra 50 bucks and you're buying 300 of them. You just paid for his vacation. Do you need a keypad? No. But no. How many of you have heard that phrase? Would you like an apple pie with that?
How many times do you say no? Damn near every time. Use the same logic. Don't be afraid to revise your RFQ. Don't be afraid to read it. Vendors will adhere to your RFQ religiously. If you say 50 feet and then the RFQ says five feet, you'll get five feet of cable. What is on the paper is what counts. Keep all paperwork, all quotes, and every revision of your RFQ. Number them. RFQ 1.0, 1.2, 1.3. And then when they come back and say, well, according to my paperwork, you never asked for that, you go, oh no, look. Version 1.2 said five feet, but version 1.3 said 50. And that was the latest one. This is where vendors will get tricky on you. So keep your paperwork handy.

Prioritize your needs, balance between budget and functionality. You should know that by now. Look for hidden costs. Well, here's a device. I'll sell it to you for 100 bucks. It's a card printer. It prints your ID cards. $100. They don't tell you that the replacement ink cartridges are $300 apiece. They don't tell you that the cards are about $1.50 apiece. Hidden costs that you get later. If you work with multiple vendors, make sure all the equipment operates correctly together. It never does. I sell you product X. Here's product Y. Well, if you run an RS-232 cable between the two of them and you set up the terminal the right way, you can make them pass data between... No. No. Interoperability should be easy, built in. You should never have to ramshackle anything. If there is subcontracting, vet your subcontractors; make sure they know what the hell they're doing.

Notice the capacitor up there. I know it's hard to read. The one on the left says 6900 microfarads. So does the one on the right. But when you crack it open, there's a 2,200 microfarad soldered inside and made to look like the same product. This will happen to you. And if you don't know what the Jarvis 2000 is, go home tonight, look it up online, and you'll be glad I didn't tell you about it. Support contracts are very important.
Who's had to deal with a support contract? Okay, you pay a lot of money for those support contracts, don't you? Do you get anything out of them? If I get a 24x7 support contract that I'm paying $30,000 for, I'm sorry, I don't want to be outsourced to India. I don't want to be outsourced to Pakistan. I don't want to be outsourced to anywhere. 24 hours a day, 7 days a week, I want someone who says we'll be there in 30 minutes. We'll replace your system. We'll replace the part. You do not want somebody who is just sitting there reading a book. Click on the blue button. What did it do? What do you mean the screen turned blue? Turn your computer off and on again. You don't want to deal with that. Do you know what happens when you pay $30,000 for a support contract and they outsource it? Do you know what happens? You get this. You've got a beautiful support infrastructure, but you've got people who are sitting there reading a procedure book. They don't know the equipment. They can't help you. Make sure that when you buy a support contract, you're actually getting support. Vendors will play on your heartstrings. Oh, I really need this. I had a vendor tell me he needed this because he was going to lose his house. You've got to buy from me or else I'm going to lose my business. There are no honorable bargains involving exchange of qualitative merchandise like souls. They will try to get you to sell your soul. Don't do it. Quantitative merchandise like time and money: those are the two resources you have, and you have precious little of both. Words of advice for young people, from William Burroughs. Next, the people who think they know more than you do. Everyone's got one of these in their office, don't they? They usually don't know more than you do. They make you look good and they annoy the management, but they never shut up. Everyone's a rock star at home. I went home and read up all about this last night on Wikipedia. I know more than this guy does.
Let me design the security system. No. This was said to me one day when the alarms were going off in the server room and it's 105 degrees up there. I'm opening the doors, bringing in fans, the AC is broken, and the CEO comes in and says, well, you know, I went to MIT, so I know a little something about this. Let me explain. The temperature sensor, as he pointed to the sprinkler on the ceiling, it's 105 degrees up there because heat rises. Down here where the computers are, it's nowhere near that. It's not a big deal. 20 minutes later, every machine thermal shut down. He stopped me from doing the work on the system. Then he came screaming, oh my God, everything's down. Guess what I told him. Know the difference between facts and water-cooler talk. Well, you know what I read in Wired magazine? Well, that says enough right there. You know your business, so you know what you need to do. If they play the brownie point game, don't get involved. If they play politics, don't get involved. If they cite AM talk radio, run. Cut sheets are your friend. Look at your cut sheets. Don't rely on things like, well, my friend's cousin's brother works at the magazine and he read a copy of that on the loading dock. No. Cut sheets and facts. Don't play buzzword bingo. Don't be Jar Jar. Know what you're doing. Know what you're saying. Let them kiss ass while you kick ass, because you know what you're doing. What about biometrics? Oh, biometric three-phase multi-home active authentication is the best. Your first reaction is to say, I don't want to listen to this. You're a terminal fool. The management says, excuse me? Boom, your whole argument just went up in flames. What you should say is, as per your requirements, the RFQ contains two-factor authentication, with an option for biometrics as a third, pending budgetary constraints. The cut sheets are in your RFQ. Management will love you. The guy will look like an idiot, and hopefully he will be quiet.
Here are three things you never, ever say in a business meeting. Those of you who have seen Leisure Town, you know this by heart. You don't say, oh, well, we'll use Internet Exploder instead of Nutscrape and Microsloth. Don't do this. There's only one golden rule: shut up. Say what you need to say. Say no more, say no less, and get the job done. Construction workers. This is my favorite. They have very reliable timing. If they say they will be there at 6 a.m., they will be there at 6 a.m. When they say they're leaving at 3, they will be gone and you will not see them again. They know all the trade secrets. They tell good jokes. They will only do exactly what you tell them to do, every time. Know their schedule. Meet the foreman. Talk to the foreman. Go over the blueprints with the foreman. Know what they're doing. I watched them install locks on the outside of the door. Shouldn't the lock be on the inside? Well, the blueprint says outside. Well, they will do exactly what you tell them. Supervise the construction. Expect to find surprises. Expect to pay to fix them. They built a door for me into a small data room with three racks in it. One day, I'm walking by and I hear, what the hell is going on? A technician went inside the two doors on the left-hand side of the room, the doors slammed shut, and there were two server racks between him and the exit button. There was this much space, and he had effectively locked himself in the room and couldn't get out and was beating on the door. Construction workers form your first line of defense when it comes to building inspection. You will have to go through building inspection, so make sure you listen to them. They know the inspectors. They know the drill. They know the local codes. I went head to head with one guy and lost. He said, you can't do this. It's against code. What code? The code. Can you show me the code? Okay, we're done here. Reject. And you can't open your building.
So listen to the construction workers, even if the only adjective they know is the one you see on the screen. I've had a construction worker say exactly this to me during a project. Know how to translate that. Construction workers may not speak English. This is a reality. Deal with it ahead of time. Work with HR. You cannot correct them. You cannot tell them no, don't do that. You cannot tell them to change their plans if you can't communicate with them. This is another reason why you need to get to know the foreman. Also, if you can't communicate with them, you don't get to hear the good dirty jokes. Things will go wrong. I guarantee you things will go wrong. And not all problems can be solved with a quick hack. A quick, easy fix right now is going to be a problem down the line. Don't blow up your bicycle tire with bagpipes. Pizza and beer is cheaper than overtime. Set it off, right? You buy them some food and booze, they stay an extra hour. Users. We've all had to deal with users, so let's go through this one quickly. First of all, they're the reason you're here. They love to take your classes. They don't have to work. But they expect the system to work the way they want it to, not the way you designed it. You cannot get rid of people this easily. It's not that easy. Here's the deal. Users have said to me, and these are actual quotes: It's an unnecessary inconvenience to have a password. Fine, my PIN code is 1-2-3-4-5. That's final. Your system is a piece of crap and I refuse to use it. These are things users have actually said to me. I don't want to have to use the system. It's for other people. If you don't unlock my door, I'll just prop it open. There's nothing in my office worth securing. I don't care if you can make it work. I can't. I watched a guy once pretend to punch the buttons on the keypad and say it wasn't working. I'm like, you're not even pressing the button.
I want people to be able to access my area only during work hours, especially if they're working late. Gene Spafford lit the way for me on this. If you have responsibility for security but have no authority to set rules or punish violators, your role is exclusively to take the blame when something big goes wrong. Keep this in mind. This is wisdom. We don't get this every day. Understand your role and the role of HR when dealing with users. Don't threaten users. Don't imply, well, it'd be horrible if you lost your job for breaking security compliance. Don't do that. That's not your job. It's not your place. Don't overstep your authority. Document, document, document. Always keep a level head. HR may not support you. HR has the best interests of the company in mind, not you or the user. HR may lie. The user may lie. Here are some of the greatest things I've ever heard come out of an HR department. Two people said you said it and you say you didn't. That's two against one. You lose. I want you to make it as difficult as possible for the internal security force to access and use our security system. I say you didn't get permission to move that equipment. Now three other people said you did, but that's how I see it and that's how it is. My favorite: I don't have to take into consideration how things make you feel. My job is to make sure that you do not say things that make other people uncomfortable. So train users in a clear, concise and firm manner. Who knows who that is up there in the photo? Thank you. That is Pavlov. Don't make a user feel like an idiot. Firm but polite, remedial training without punishment is the best way to go. Involve users in troubleshooting. Swipe your card for me. Type that in. Okay, here's where you're going wrong. It works now. That's the difference between a thank you and an FU when you're dealing with users. Encourage users to report security problems and malfunctions in the system. In conclusion, who here can read Latin?
Omnis mundi creatura quasi liber et pictura. What we mean here is that all aspects of your security system reflect your entire security system. Weakest chain, weakest link in the chain. All things reflect the quality of your security system. So there is no minor problem. There is no little thing you can overlook. There isn't anything you can just forget about. Everything matters. And that's what I had to say. Thanks. Go out.