Monday, April 9, 2012

DREAD/STRIDE applied to physical security and urban exploration

As some of you may know, I have an interest in urban exploration.  I also have an interest in computer security, and learning about that field has introduced me to two concepts developed by Microsoft to rate threats, DREAD and STRIDE.

DREAD is a method of rating the seriousness of a threat. Scores are given for five metrics:
Damage - how much damage an attack could do.
Reproducibility - once the attack's been carried out once, how easy it would be for the attack to be replicated against another target.
Exploitability - how difficult it would be to carry out the attack.
Affected users - how many people could fall victim.
Discoverability - how easy it is to discover that the attack is possible.

STRIDE is a way of remember the six main kinds of attacks:
Spoofing - pretending to be someone else.
Tampering - altering data.
Repudiation - doing things without leaving a way to show that you did them (if this doesn't seem like as much of a threat as the others, imagine if you could withdraw money from an ATM and then convince the bank that you didn't).
Information disclosure - gaining access to stuff you shouldn't see.
Denial of service - preventing users from having access to information or services that they want to use.
Escalation of privilege - gaining the ability to do things that you aren't allowed to do.

Also, a clarification on the difference between urban exploration (where my interest lies) and physical security: urban exploration is exploring areas not often seen, for the purposes of discovery, education, and the joy of seeing usually-unseen things.  Physical security is the field of securing physical places.  For some people, the two come into conflict, when they attempt to explore illegal places (I myself prefer to stick to legal places, of course, but for the purposes of this post, let's think about the kinds of urban exploration that require accessing illegal areas).  I think of it using a comparison to computer hacking.  There are "white hat" hackers who attempt to access systems with good intentions (usually finding security holes so that the owners of the system can then fix them) and there are "black hat" hackers who access systems to do illegal things like steal information.  Urban explorers are the "white hat" hackers of physical security, compared to the "black hat" hackers better known as burglars.

I think metrics like these could be very useful for dealing with urban exploration.  Both urban exploration and computer security deal with ways to gain access to places that are (believed by their creators to be) secure.  However, these kinds of places vary, in the same way that computer attacks do.  So, let's adapt STRIDE to classify urban exploration.
Because proper urban exploration doesn't damage the environment being explored, these parallels won't be as direct as with DREAD.  Instead of different forms of attacks, it'll be different types of exploration. (And I wasn't initially intending to use the same letters, but it started working out that way so I kept going with it.)
Secret places - Not as much a specific physical location as any place that's not specifically secure but just isn't known to people.  The biggest focus of legal urban exploration.
Tunnels/basements - A lot of places have underground tunnels that can be explored, or unfinished basements and utility spaces.  These are a big target for exploration, as they're interesting and don't have the same level of personal connection to one individual (and so it seems less invasive to explore them).
Rooftops - one big area of urban exploration is gaining access to rooftops.  Pretty self-explanatory.
Interiors - The interiors of buildings finish off the trifecta started by below (tunnels) and above (rooftops).
Deserted areas - I find a simply amazing amount of beauty in places that used to be inhabited or used by mankind in some way and no longer are.  Whether it's deserted buildings, abandoned towns (Pripyat, Ukraine is a prime example, as are the ghost towns of the American west), or ancient ruins, they're always popular places for exploration.
Engineering/construction sites - Okay, this one was tough to get to fit the letter.  Buildings that are still being built are another of the big areas of exploration, and although once completed they'd fall into the tunnels/rooftops/interiors categories, they're definitely distinct when still under construction.

So that's STRIDE applied to urban exploration, and I think it covers almost all places people explore.  Now, on to rating those locations.  DREAD is used to rate the seriousness of a risk, and so when applied to exploration, it makes sense to have it be a rating of how likely people are to explore a place.
Desirability - How desirable is a place?  Does it have a good view, or interesting contents?  Does it look cool?  Basically, all other factors aside, how much people would want to get to the place.  If a place is extremely desirable, that'd be a rating of 5, if it's pretty boring, that'd be a 1.
Risk - How risky is getting there?  Some places are completely safe - you just walk there.  Others are absurdly risky, either because of injury or getting arrested - you climb the side of a building, or walk through a constantly-monitored hallway.  This one is rated the opposite way from how it might make sense to - if it's exceptionally risky, it's a 1, if it's safe, it's a 5.  (This is because the overall DREAD score is supposed to be a measure of how likely people are to explore a given area, in the same way that the computer security equivalent is a measure of how important it is to secure a system.)
Ease of access - How easy is it?  A location can be risky but overall easy to get to (you only need to walk through a door, but the door is almost always guarded) or absurdly difficult but not really risky (an abandoned building that requires a ten-mile hike to reach it).  1 is difficult, 5 is easy.
Affected locations - How many places are accessible in this method?  If ten roofs can all be accessed in the same way, once somebody's gotten to one, they know how to get to the rest.  However, if all the roofs somewhere are easy to access, but each one in a vastly different way, it might actually be easier to get to all the roofs where access is difficult but the same.  1 is if the method of access is unique, 5 is if it's the same a lot of places.
Discoverability - How easy is it to find out how to get to a place?  Difficult to find is a 1, easy to find is a 5.

There is still, of course, the question of why this is useful.  It could be used to rate urban exploration opportunities, but in my experience explorers couldn't care less about a number attached to an experience.  However, there is one group of people who would care about something like this, and that's the people in charge of stopping urban exploration.  When prioritizing measures to stop burglary, it's easy - you start by securing the most expensive or sensitive stuff, and then work backwards.  But with urban exploration it's not so easy.  If you take the approach of securing the very riskiest places, in the name of safety, you're only helping keep a few people safe, as opposed to much more frequently visited places that are only a bit less risky.  Alternately, if you focus on the most-visited places, you might leave unsecured some places where people could get seriously injured.  What you need is a metric that combines all of these different factors together, hence the usefulness of DREAD.  A place like the Rotunda roof might be dangerous and desirable, but it's also risky, difficult to reach, and is only a single place, so it'd score two 5s but three 1s, giving it only a combined 13.  Something like the UVA steam tunnels, though, would get around a 3 for desirability, 3 for risk, 4 for ease of access, 4 for affected locations, and 5 for discoverability, giving them a much higher score of 19, and thus indicating that it'd be more useful for people to try to secure them.  (And, as it turns out, I've heard about a lot more about security being added to the steam tunnels than I have about security being added to the rotunda.)
So, do people at places like UVA actually use this method?  Not as far as I know.  If I had to guess, I'd say they work based on two factors: how well known a destination for exploration is, and how easy it is for them to secure it.  This is great for giving an outward impression of safety, but by only taking into account two metrics instead of considering all five, UVA is missing out on potentially securing some prime targets for urban exploration.
(And I'm not going to complain about it one bit.)