Viewpoints

Preventing cybercrime through environmental design

Kevin Townsend, 22 July 2020

Applying community-building principles to improve data protection

Crime Prevention Through Environmental Design, or CPTED, defines the premise that any community – whether a place of business, office building or neighborhood – can be made safer and more secure by efficient planning and design. The architecture and layout of the space, employee training and community building all play a role in making an environment as inhospitable to criminals as possible.

The goal of CPTED, as described by the US National Crime Prevention Council, is to both reduce the rate of crime, and make the users of a space feel safer and less fearful of crime. These physical CPTED principles can also foster positive interactions and a sense of community among the users of a space, by making the environment naturally conducive to safe, positive engagement and minimizing the potential for hostility or bad actors.

The basic premise

The basic premise underlying CPTED is that most burglaries and casual criminal behaviors are opportunistic. CPTED is designed to reduce opportunity, and to make the opportunistic thief think, ‘This is too hard – I’ll move on to the next property which looks easier to burgle.’ It will not protect the property from the well-resourced thief who arrives prepared and well-equipped – but, in reality, there are not many of those around.

The same principles can apply to our computers, and especially our home computers. We should design our computer environment to be unwelcoming to the casual burglar/hacker – who will be deterred by the difficulty and go elsewhere. We can’t stop the nation-state attacker armed with reams of zero-day exploits – but, despite what the media tells us, there are few of those around.

This blog will explore how we can apply the tried and tested principles of physical CPTED to help protect our computers from the primary threat – the casual, opportunistic hacker.

The four principles of physical CPTED

Natural surveillance

Natural surveillance refers to making any potential intruder or criminal as visible and recognizable as possible. When designing any physical environment, careful thought should be given to visibility around the access points and line-of-sight considerations. This applies both to the layout of the environment and to any surveillance devices such as CCTV. Architects and environmental designers should minimize areas with poor light and avoid creating hiding spots, such as soft, bushy shrubbery.

Natural access control

Any potentially valuable target or critical access point should be designed carefully to keep angles of approach under control. There should be no quick in-and-out angle of ingress to any vulnerable area. The environment should be designed so that both foot and vehicle traffic is naturally guided to high visibility, easily controlled areas. This can be done with both physical and psychological barriers; queue lines that form a snaking pattern and even a simple rope barrier can be effective. This will reduce the attractiveness of the area for potential criminals and prevent any criminal from feeling in control of a situation.

The point of access should be controlled by wardens, a ticket/token access mechanism, a good solid lock, or a combination of these.

Territorial reinforcement

Crime is encouraged when an environment feels like a ‘no man’s land’. When there is no way to tell who should and should not be there, a criminal can feel camouflaged within the crowd. This is overcome through territorial reinforcement; a sense of authority and inclusivity among those with the right to access and use the space can be fostered, and a way to clearly identify ‘outsiders’ – like visitor tags or guest passes – can be adopted. Any security must be easily recognized and should maintain a visible presence throughout the environment.

Maintenance (and target hardening)

The ‘broken window theory’ in criminology states that evidence of previous crime – or even perceived evidence of previous crime – will encourage further crime. Seeing a broken window will encourage criminals to intrude, break more windows or otherwise vandalize the property. This, in turn, will create the impression that a building is ‘crime-friendly’. Because of this, it is vital to keep any area well-maintained and clean; as soon as the indications of a possible crime appear, it’s easier for an actual crime to follow. Target hardening is a more practical application of this; as well as the environs, potential intrusion points have to be well-maintained. Windows should be reinforced, strong locks used and replaced when necessary, and any way in which an intruder could force entry must be strengthened.

Applying CPTED to computers

With a little imagination, applying these physical principles to the virtual world of computing is surprisingly simple. We can think of our computer as any physical property or environment, like a building. It has entrances and exits, contains valuables, has light areas and dark areas, and faces the same opportunistic burglar threats as our home. Using CPTED principles, we can make it an unattractive target for the casual hacker.

Natural surveillance

The basis of natural surveillance for our computers is simple, especially for our portable devices – do not let them out of our sight. Do not let friends, neighbors or even relatives use them unaccompanied. For companies, the use of glass-framed computer rooms that are permanently well-lit ensures that anyone in the room is clearly visible. Use CCTV/webcams to monitor strangers at the front door at home, and the computer room entrance at the office.

Any physical point of data access should be properly secured. This can directly overlap with CPTED in architecture when applied to building access and server room maintenance, but it also applies to our personal devices. We have to avoid carelessness with our phones, IoT devices and anything else which holds our sensitive data – including items such as portable gaming devices on which we might have saved our payment information. Keep these devices under surveillance and don’t leave them lying around where opportunistic criminals might have a chance to surreptitiously steal them.

We can move natural surveillance into software and networking as well. Good, reliable anti-malware services like Avast Antivirus will constantly monitor for malware, make us less vulnerable to attacks and help to remove any malicious software that does find its way onto our systems. When possible, software should be designed to make it obvious when an unauthorized user is accessing it – Google email, for example, will automatically tell us if someone else, somewhere else, has logged into our account. The same is true for networks, which should have the means to detect anomalous user behavior. Behavioral anomaly detection (BAD) technology will constantly monitor the network traffic and report unusual user or process behavior, highlighting the presence of an intruder.

Natural access control

Natural access control (that is, user authentication) is one of cybersecurity’s most important principles. We discuss authentication issues and current developments in detail here: The Authentication Puzzle

Networks, devices, software and services all have critical access points. These could be user logon pages, administrator tokens or authorized devices. We need to look at where sensitive information is stored and trace all potential means of access back to their origins, and then take steps to make sure these access points are as secure as possible; both in their core design and in how they’re used.

This means that developers and software designers need to keep any authentication framework as secure as possible. Any security vulnerabilities discovered need to be patched urgently, and any form of authentication should follow current best practices. The user, meanwhile, must keep any relevant software up to date and use strong login credentials. Use a password manager to create and manage strong passwords, and use Avast’s Hackcheck to see if any of your passwords have already been compromised. Two-factor authentication (2FA) should also be activated whenever possible. Managing network access is equally important; any multi-user environment needs to be properly segmented to avoid authentication issues.

Territorial reinforcement

Territorial reinforcement in CPTED encourages clear, visible distinction between authorized users of the space and ‘guests’, as well as providing highly-visible and responsive security. In the cybersecurity world, this principle can be adopted by encouraging awareness and practice of the best security behavior. This applies to a business’s staff and management as well as the users of a product or service. Thorough staff training in best practices and a culture of swift incident-reporting must be adopted.

Users should be given access to as much information as possible about how to keep themselves protected, but products should also be designed with security in mind; authentication should mandate strong passwords and access control features – such as automatically logging out the user after a period of inactivity – should be part of the design. On an individual level, we can practice territorial reinforcement by protecting our home network with a firewall such as the one included in Avast Antivirus. We have to practice strong password security; never let anyone else use our passwords, and never re-use the same password across different accounts.

Businesses can improve security through a form of territorial reinforcement by joining any relevant ISACs (Information Sharing and Analysis Centers). Active in the US and Europe, these groups allow security teams to share the most relevant information for their business sector without compromising their own company’s secrets. By collating information from its members, an ISAC is able to issue timely threat warnings to those members along with advice on the most effective response, reducing the risk of security compromise and reducing the damage from any that do occur.

Three emerging technologies that practice territorial reinforcement are currently primarily designed for business networks, but will undoubtedly become more common in standalone computers in the future: micro-segmentation, isolation, and deception.

Micro-segmentation divides the environment into different functions, and then demands re-authentication whenever a user or process moves from one segment to another. If any segment becomes infected or compromised, the compromise is contained within the single segment, and cannot infect the entire environment.

Isolation (already available for stand-alone computers) isolates what can be compromised from that which can compromise it. A typical example would isolate the computer from the internet. In a simple form, a special receiving device would receive pages visited on the internet. It might convert the ‘image’ of the page to a pixel-based graphic which is delivered to the user. The user sees exactly what was on the visited page, but any possibility of hidden malicious code has been stripped out.

Deception is the art of tricking attackers. A false – but attractive – network is hidden within the real one. Since it is not part of the legitimate network, detection of any activity within the deception network is absolute proof of an interloper. Necessary steps to monitor and/or eliminate the interloper can then be taken.

Maintenance

While maintenance is the least in-depth and most broad of CPTED’s principles, in cybersecurity it may be the most important aspect of all. Lack of maintenance might be the single biggest contributing factor in successful cybercrime. Almost every time there is a significant wave of data breaches or a new malware outbreak, a great proportion of its success comes from exploiting old vulnerabilities in unpatched software, as was the case with the devastating WannaCry and NotPetya outbreaks in 2017.

It is vital that users and organizations keep their tools up to date; this means patching any software we use as soon as possible, and upgrading anything that has stopped being supported by the developer. We must also stay up to date with our password security; use Avast’s password checker and update any passwords that could be circulating for sale on the dark web. Organizations need to stay on top of zero-day vulnerabilities and issue fixes as soon as they can, while making sure to adopt the right means of disclosure for the circumstances.

We highlighted the ‘broken window’ theory in physical CPTED – evidence of damage attracts other criminals. This also translates to the virtual world. The moment you pay a ransom, you tell the entire criminal fraternity that you are a potential extortion target. The moment you click on a suspect link, you tell the fraternity that you are susceptible to social engineering. In both cases you are likely to attract the attention of other criminals.

A note on target hardening

Target hardening is sometimes considered to be a fifth principle of physical CPTED. It has a direct correlation to systems hardening in computers, where it includes elements such as secure operating system and application configuration, enforcement of rules and policies in the systems’ governance and use, and the implementation of a strong patch regime. But it also involves the removal of unnecessary, unwanted, or overly permissive applications.

The basic purpose of systems hardening is to reduce the attack surface and make life harder for the attacker – which is indeed the whole purpose of CPTED. In some ways, then, target hardening is as much an effect of CPTED principles as it is a separate principle. When we incorporate strong natural surveillance and access control, reinforce our cyber-territories and keep all our services up to date and well-maintained, target hardening will be the natural result and potential criminals will have a much harder time effecting an intrusion.

Issues and adaptations

Any security professional needs to learn, first and foremost, this truism: there is no such thing as perfect security. No device, network or service can be guaranteed to be invulnerable to a sufficiently determined and well-equipped hacker. But perfect security is not the intent of CPTED. Its purpose is to apply enough obstacles to deter the biggest single threat to computers – especially those used at home – that is, the casual, opportunistic hacker who does it simply because he can.

There are, however, two further issues that can be considered in a cyber version of CPTED principles. The first is ‘security by design’. It is a requirement in many security frameworks that designers build security into the basic design of all new systems. If developers produced systems with CPTED principles built in, they would be more secure than they are today. This is not going to happen. The commercial necessity of getting new ideas to market quickly and before anyone else means that security is almost always an afterthought.

The second is that there is a supply chain element to cyber CPTED that does not exist in the physical world. Computer systems are built from many different parts from many different suppliers located in many different countries. In the cybersecurity world, every single step of the supply chain represents a potential vulnerability that needs to be secured. We have a more in-depth analysis of supply chain vulnerabilities here. If CPTED is to be successfully applied to cybersecurity, the supply chain needs to remain in focus at all times.

The purpose of cyber CPTED

We have demonstrated how successful physical security principles can translate into similar cybersecurity principles. It is important to note that there is no comprehensive CPTED checklist; it is as much an attitude of mind as anything else – an awareness of an environment’s vulnerabilities. The purpose of cybersecurity CPTED principles is to introduce obstacles that will deter the casual hacker, just as physical CPTED principles deter the casual burglar.

Burglaries don’t happen because the burglar is determined to rob a particular house; they happen because the burglar spots a vulnerable property and takes the opportunity to rob it. When faced with a hardened target that is difficult to access and which makes the attacker feel exposed, that attacker will move on to an easier target. CPTED makes life harder for the criminals; CPTED principles applied to cybersecurity make life harder for the hackers, ensuring they move on to a less protected target.