Security!, How secure is it? Options

[Tashiro]

So, for those of you running Shadowrun, how secure do you tend to make the facilities being infiltrated? I'm sort of at a quandary myself on the issue -- I want the game to be at least reasonably realistic when it comes to security measures for the various companies, but if done that way, most running teams won't have the means or the know-how to overcome them (player-wise).

For example, I would expect most places to have cameras covering most hallways. These cameras would have a low 'signal' for people to hack into them, since they would have a physical connection to central security. So someone couldn't just walk in and 'hack' the cameras. The matrix for the cameras would be separate from any of the more public locations, to prevent hacking.

Most of the doors would not be connected to the matrix -- they'd have their own maglocks and such, independent from one another, so that people couldn't just take over the entire door-security system or hack the matrix from the first door they come to.

I would figure most security guards would have bio-monitors so that security would know the moment something happens to them. They'd also be connected to a skill database, so if something comes up, BAM, they have the skills needed to do the job.

I think most rooms, when not in active use, would have motion detectors.

I mean, this is all very 'basic' stuff, but it would screw any 'stealth crew' type runners, big time. :\

How do you handle security?

[kzt]

There are some assumptions made about how SR world security works that allows things like sequencers and passkeys to work. In the real world, electronic locks usually have lockout periods, often triggering alarms, if you enter several invalid credentials.

The RW issue with things like cameras and maglocks is that you have to run a power line to run them, so why the hell not run a network link instead of using wireless? But that is part of SR4....

Anyhow, there are going to be exceptions. For example I'd consider a "really secure" site to be the Joint Chiefs of Staff Sensitive Compartmented Information Facility inside the National Military Command Center. Really secure sites should have everything you can think of, with no approach you can see that would defeat the security, and furthermore you can safely assume that anything the players can come up with was thought of by the designers, or the reviewers, or the audit teams, or the security forces, or the penetration testers, or the red team. You can't hack anything, it's all fiber optics with RF shields on the power feeds, etc.

But there are not very many sites like this, and if your players are not getting a new "real" ID and permanent high lifestyle out of the Johnson they shouldn't even be thinking of trying a site like that.

[Backgammon]

One approach is to make it as secure as you can, then add flaws.

The guard captain is heavily indebted to the mob, so is open to bribes or favour from mob contacts.

The camera system, supposedly covering every inch, has a known defect and in often has to reboot (or hell, isn't even on - you'd be surprised how often that hapens).

Human element failure and technological failures are Shadowrunners best friends.

[Omenowl]

Improved invisibility and illusion spells can render cameras useless. Guards tend to be lax where access is limited (locked building, only authorized people are allowed in by the system, etc). Cameras with wires can still be tapped into.

Social engineering, maintenance crews, drones. PCs may even enter during normal work hours and not even be noticed. Some sits are fairly open to the public during business hours.

The doors are probably centrally controlled so guards can lock in or secure intruders. Having independent doors is a big pain to get them synchronized and PCs can hack the doors. The doors would probably not be guarded by ICs because processing power is not high enough.

Guards have sensors on them, but they can be spoofed.


Just remember security costs will be much less than the site they are protecting. If the cost of security exceeds the potential losses then it won't be implemented. A warehouse full of socks will have security against vandalism or environmental issues such as fire. A gold depository will have an entire military base protecting it.

[Tashiro]

Actually, to give you an example...
My wife works at a bookstore. Low key, indie bookstore. The security system is connected to one pad in the middle of the store, out of sight. When activated, you have one minute to leave and lock the door behind you, because the entire store is then covered by motion detectors. If triggered, you can't turn it off -- and the phones go dead. You have to wait until the police show up to check things out. If you added cameras to this, that's a really annoying security system for a Shadowrun team to deal with.

[rathmun]

Actually, to give you an example...
My wife works at a bookstore. Low key, indie bookstore. The security system is connected to one pad in the middle of the store, out of sight. When activated, you have one minute to leave and lock the door behind you, because the entire store is then covered by motion detectors. If triggered, you can't turn it off -- and the phones go dead. You have to wait until the police show up to check things out. If you added cameras to this, that's a really annoying security system for a Shadowrun team to deal with.

Mythbusters did a thing with beating motion detectors during an episode. Some of the successful techniques they found wouldn't work well against multiple motion detectors, but the one where they can't see you if you just move really slowly would still work, and wearing a chameleon suit would also negate the cameras. Now, you would take a long time to get to the pad, but once there you can hack it and own the place. (or your offsite hacker can do that now that you have a retrans unit there.)

[Meatbag]

Just remember security costs will be much less than the site they are protecting. If the cost of security exceeds the potential losses then it won't be implemented. A warehouse full of socks will have security against vandalism or environmental issues such as fire. A gold depository will have an entire military base protecting it.

That, and only that. Fiberoptic wires alone cost 5Y per meter, which adds up quickly. How many meters do you need to connect every single camera in the facility? There's a reason most facilities run wireless: it's cheap, and corps like cheap.

Also, going wired means less info for the security tacnet, unless they walk around with really long datajack cables. Most intruders aren't runner teams, so this is usually a bigger concern than having your cameras hacked.

Finally, all this assumes the Runners are sneaking in by remaining unseen, rather than using disguises and fake credentials. This can be stopped as well, but it comes down to employee convenience.

Most corporate executives don't like being asked for biometrics every time they open a door in the R&D wing, and it's a good idea not to piss off people that could repossess your cybereyes.

[Heath Robinson]

I've kind of been waiting for something like this. Schneier has a useful tool for designing security. Generate a series of "Attack" trees to encompass legitimate uses of the site, and a set to encompass illegitimate uses. Come up with a budget and start making choices that maximise the illegitimate use cost whilst minimising the legitimate use cost that can fit into the budget. Remember that everything costs at least three times as much for the security side.

Calculate the "cost" to attackers in the expected number of hits/threshold they'll face for each action.

[Traul]

Most of the doors would not be connected to the matrix -- they'd have their own maglocks and such, independent from one another, so that people couldn't just take over the entire door-security system or hack the matrix from the first door they come to.

Sounds paranoid to me.

In a building designed for public use, one would at least require a command to open all the doors in case of fire. If one can issue that command, one can spoof it.

It would also be a real pain to maintain access control, as each door has its own access data base. And the more complicated, the more likely there will be failures in that maintenance, meaning expired or wrong passcards do work.

The door to the most secure room in the building could work like that, but not the whole building.

[nezumi]

1) I establish the baseline security for the system, limited in cost by the value of what it's guarding, limted in complexity by the skill of the people maintaining it.

2) I reduce the security to meet other business and safety requirements (such as fire doors, backing up data and so on).

3) I reduce security as appropriate for cost-saving measures (if the cameras cost less to install by making them wireless, I may do this, if appropriate. If drones are cheaper than guards, I may do that, etc.)

4) I reduce security based on convenience, laziness and incompetence. The guard doesn't check badges, the cameras aren't properly watched, doors are left open so people can move boxes back and forth without having to swipe their card each time, passwords are left in the desk drawer, the firewalls aren't properly configured and are running at less than full rating, etc.

If I don't feel that's enough, I'll include specific flaws in the systems, such as the plasticrete that turns gelatinous when sprayed with a particular chemical and such.

If you don't make it tough, there's no challenge, and players have a tendancy to surprise, so don't feel bad about making things look tough. They'll figure out a way. They always do.

[kzt]

Mythbusters did a thing with beating motion detectors during an episode. Some of the successful techniques they found wouldn't work well against multiple motion detectors, but the one where they can't see you if you just move really slowly would still work, and wearing a chameleon suit would also negate the cameras. Now, you would take a long time to get to the pad, but once there you can hack it and own the place. (or your offsite hacker can do that now that you have a retrans unit there.)

And the pads normally are in a small hole not covered by motion sensors, as all the sensors have be not detecting something to arm every system I've seen.

[kzt]

That, and only that. Fiberoptic wires alone cost 5Y per meter, which adds up quickly. How many meters do you need to connect every single camera in the facility? There's a reason most facilities run wireless: it's cheap, and corps like cheap.

Like many things, the price given in the the book is for a small quantity bought retail. When you order a truckload from a wholesaler it's a lot cheaper.

And RW, SM fiber is actually pretty cheap. It certainly isn't $3 per foot per fiber. I had a 216 fiber cable 1500 feel long purchased and installed for $30,000 including labor and termination of 96 strands.

[TheOOB]

Most corps in shadowrun care more about ease of use then security. This is for two reasons. The first is that you need to create facilities the team can actually penetrate, and the second is that good security is expensive, and most corps are not willing to use up that kind of money. Overly tight security encourages runners to blow a hole in a wall and come through guns blazing rather then stealthfully infiltrate(and thus cause less damage).

It's a fact of life in the 6th world, runners will infiltrate your compound if they want to. Thus a corporation has to budget their security based on how much damage a runner would do if they infiltrated, and how much their security could stop them. You could cover the entire site with cameras and motion detectors, with drone patrols at irregular intervals, but that costs lost of money, causes problems with your workers, and really won't stop a good team of runners. Most corps find it more cost efficient to keep their projects secret and hope runners never come. Only the really black stuff gets the grade A security.

How I usually judge things is I assume that most facilitys use 10% of it's funds on security. And since security is divided among three fronts (physical, matrix, and astral), that is 1-5% of the funds spend on any one of those fronts. Unless the project is really expensive, thats not a lot to work with. If a facility is exceptionally secure, it could use up to 25% of it's funds on security, but that's only for things that absolutely must be protected(like the Grid Guide, or a Nano-Warfare project).

[Tashiro]

The first is that you need to create facilities the team can actually penetrate, and the second is that good security is expensive, and most corps are not willing to use up that kind of money. Overly tight security encourages runners to blow a hole in a wall and come through guns blazing rather then stealthfully infiltrate(and thus cause less damage).

That's a mindset I have trouble even comprehending.
1) A team can penetrate a secure system -- it just not be their usual method of operation to do it. A group who is used to the 'sneak in, sneak out' under cover of night may find such a method isn't going to work. Another team who is used to 'false ID, walk through the front door' may find that doesn't work either. It isn't so much 'can' as 'how', and I prefer that method of play. It was one reason that, as a player, I would presume to be given two week's leeway for any infiltration job my character was going to perform. He needed to know the layout, the security measures taken, and how things operated, so he could figure the most successful method of infiltration. Most players I deal with don't quite go that far, and prefer the 'try to sneak in, get cover blown, shoot way out' style of run. I call that a failed mission.

2) I've never, ever seen a team try the 'blow a hole in the wall' approach. If they did that, I'd probably have security shoot them dead, and they'd be wanted BADLY. It may just be my personal tastes, but I prefer my SR games to have a high level of realism, and trying to blow a hole in a corp's wall to grab stuff is definitely not realistic.

It's a fact of life in the 6th world, runners will infiltrate your compound if they want to. Thus a corporation has to budget their security based on how much damage a runner would do if they infiltrated, and how much their security could stop them. You could cover the entire site with cameras and motion detectors, with drone patrols at irregular intervals, but that costs lost of money, causes problems with your workers, and really won't stop a good team of runners. Most corps find it more cost efficient to keep their projects secret and hope runners never come. Only the really black stuff gets the grade A security.

Shadowrunning is a part of life in the 6th world, yes, but I don't see it as a 'let's make it only reasonably hard' approach. Like I said earlier, a low level indy bookstore my wife works at has pretty damn good security for what it sells. The thing is, security only has a high cost at the start, and then runs a low cost over an extended period of time (discounted if you do extended contracts). This security will cover multiple projects, and if you really want your projects secure, you want to convince people that trying to break in is generally a Bad Thing. I'm more of the mindset that if runners come, and they trip the system, the corporation is within their rights to make that team DED. That's why, as a player, I always go with the 'if you are seen, the mission failed' mindset, and so tend to look at everything I can about security and sec. countermeasures. I'm also willing to accept that some locations will take entirely too much time / effort to be worth a run unless the payoff is really, really, really nice.

[tete]

I tend to use the real world security then add magic. The biggest problem is people sill need to be able to work, thus your security will have holes.

Most reasonably sized facilities probably have 2 or 3 networks. 1 for the matrix, 1 for physical security(may or may not be on the matrix) and perhaps one for R&D(not on the matrix) and such if that level is needed. From there you have 2 types of systems. One that assumes someone will get in and locks them in or one that does everything to keep them out. Usually for off hours your going to have only a particular way to enter the building without setting off the alarm. So like the loading dock may be completely locked down on weekends, but one of the side doors you can use a passkey to go in. This can be true of hallways inside the building to. The employees though need to be able to get to their desks but it may be a total pain to do it. Going down the wrong hallway or using the wrong door even if you have the passkey will set off the silent alarm.

[Traul]

2) I've never, ever seen a team try the 'blow a hole in the wall' approach. If they did that, I'd probably have security shoot them dead, and they'd be wanted BADLY. It may just be my personal tastes, but I prefer my SR games to have a high level of realism, and trying to blow a hole in a corp's wall to grab stuff is definitely not realistic.

And that is precisely why it works: because most security personnel think like you.
http://en.wikipedia.org/wiki/Albert_Spaggiari

[GT3000]

I'm interested greatly in the this topic. I'm a student of the security profession and assuming the level of security is competent and well-versed in their craft, blowing a hole in a wall to breach a compound is effective at initial entry but it creates a focal point in which the bulk of the security forces will focus upon. To be effective with this method of intrusion you have to overpower the overwhelming bulk of the security forces or destroy their ability to communicate and coordinate. Both of which are extremely difficult to do unless you have the proper expertise be it electronic, physical, or in SR's case, magical. Most security situations will be lax unless the contents of the structure dictate an elevated security presence. Guards, cameras, drones, technical equipment, and other devices are extremely expensive. Even in lax situations security is bulked outside the area of interception. A proper security format for a building will have a centralized point off the main pathways with the bulk of the security force stationed there. Any guards, cameras, dogs, and etc outside this formal zone are merely used to raise the alarm and bring the hammer, so to speak, to bear.

[MaxwellHouse]

A few earlier replies referenced various uses of social engineering. At least in the various games I've been a part of, it seems that the bread and butter of bypassing security tends to rely upon it. The fact is, the cost of outfitting even a low-end retailer with motion sensors and cameras, rotating pass-key doorlocks and other simplistic security messures is rather negligible. Even in RL your common hobby shop that sells the books we base our shared world experiance out of have very similar setups that cost less than a grand at initial setup and run at low costs throughout their leases. The main weakness in any security network is the Wetwork behind it. Even a well paid, dedicated spider is going to have some price that would eventually bypass his/her moral foundation. You can throw a five million cred system at a runner group, and with enough planning, resources, and of course a realistic and giving GM they will eventually have the tools nessisary to overcome them.
Of course many runs are set within some,at least, simi-arbitrary time frame. This is about the most limiting factor in bypassing a well planned security network. Look at real life. Military grade security systems are hacked on a regular basis. I know that for myself my Soc. number was compomised due to lazy and innane servicemen. It happens, the tools may be in place but when the rubber hits the tread a lax employee or less-than-honest sarariman can and eventually will compromize the whole setup. Time is the factor that breaks a run and degrades it down to "stuff an assult cannon in an extra large gym bag and pray Lonestar has it's second string on the streets tonight".

[tete]

I'm interested greatly in the this topic. I'm a student of the security profession and assuming the level of security is competent and well-versed in their craft, blowing a hole in a wall to breach a compound is effective at initial entry but it creates a focal point in which the bulk of the security forces will focus upon. To be effective with this method of intrusion you have to overpower the overwhelming bulk of the security forces or destroy their ability to communicate and coordinate...

Not if your in and out in 20 seconds... Watch Heat, Collateral, and Miami Vice while all fiction I think Michael Mann shows how important the element of surprise is and how horrible it can fail if your timing is off. Ronin is another good one but its not Micheal Mann.

The secret to breach charges is in and out, your either going in guns blazing or you know your going into the room you need and are grabbing what you want and leaving before anyone can react.

...Both of which are extremely difficult to do unless you have the proper expertise be it electronic, physical, or in SR's case, magical. Most security situations will be lax unless the contents of the structure dictate an elevated security presence. Guards, cameras, drones, technical equipment, and other devices are extremely expensive. Even in lax situations security is bulked outside the area of interception. A proper security format for a building will have a centralized point off the main pathways with the bulk of the security force stationed there. Any guards, cameras, dogs, and etc outside this formal zone are merely used to raise the alarm and bring the hammer, so to speak, to bear.

Or you can have a bulk of your security outside the building. This is generally the situation for the "lock them inside" type. Your expecting them to breach security but you know that from your remote offices you can have 100 cops (or whatever) down on them in 3 minuets from one or more locations. The building just has to lock down and keep them in.

[kzt]

I'm interested greatly in the this topic. I'm a student of the security profession and assuming the level of security is competent and well-versed in their craft, blowing a hole in a wall to breach a compound is effective at initial entry but it creates a focal point in which the bulk of the security forces will focus upon.

No, physical security relies upon time. It takes x seconds to cross the fence, y time to breach door, etc. The purpose of locks, alarms, etc is to detect intruders as rapidly as possible and delay them as much as needed. This determines how your security force is deployed and responds. If someone uses a level of force or expertise that wasn't accounted for the response team will find nothing to stop, just an empty room with a big hole in the wall.

Look at mil-hdbk-1013 1a if you want some nitty gritty details. http://www.wbdg.org/ccb/NAVFAC/DMMHNAV/1013_1a.pdf You could do some interesting scenario design here if you wanted, but the issue is that role-playing games are usually a lot faster then real life.

There are more interesting docs at http://www.wbdg.org/ccb/browse_cat.php?o=30&c=80

That site has a lot of cool stuff if you poke around some.

[Omenowl]

Ok, let's face the fact shadowrunners are as heavily armed and trained as SEAL team 6. Ever watch the embassy rescue in South America they do use demolitions. The entire operation tends to last less than 10 minutes. This is how long your police and guards have to respond before shadowrunners are gone.

Shadowrunners have the advantage of surprise, choosing of their timing, and heavy firepower. Most guards are underpowered and reactive. So if the characters come bursting in with shaped charges, a tricked out van or helicopter this is not unusual for a shadowrunner. Most facilities aren't intended to stop this kind of assault. The goal by security is delay and contain until reinforcements arrive.

From first hand knowledge and talking to several people I can say the more secure the location the more lax the guards. I have known MPs who slept in guard towers protecting nuclear weapons. I know that many federal buildings have contractors protecting them with a few professionally trained police to ensure quality. Same is becoming true of military bases. I also know of guards who would turn off alarms because they always went off (motion detectors were the worst especially where leaves and gophers were concerned). I have also seen where one could easily penetrate security during normal business hours and take items by just claiming to be movers.

I have seen security measures implemented because of a supposed threat that cost more than the threat itself. It also reduced productivity and many people actually bypassed the security because it was so onerous. Have 15 different passwords and people save them in physical format or on their person. This defeats the whole purpose of having passwords. Security costs productivity. A 100% secure system is one with 0% productivity. Smaller firms actually have better awareness to unauthorized individuals than large organizations because people know each other.

Getting in is always easy. It is getting out and away that is the hard part.

[Tashiro]

Ok, let's face the fact shadowrunners are as heavily armed and trained as SEAL team 6. Ever watch the embassy rescue in South America they do use demolitions. The entire operation tends to last less than 10 minutes. This is how long your police and guards have to respond before shadowrunners are gone.

Shadowrunners have the advantage of surprise, choosing of their timing, and heavy firepower. Most guards are underpowered and reactive. So if the characters come bursting in with shaped charges, a tricked out van or helicopter this is not unusual for a shadowrunner. Most facilities aren't intended to stop this kind of assault. The goal by security is delay and contain until reinforcements arrive.

I have never, ever, ever seen a SR team like this in any game I've played, or ran. No demolitions, no tricked out vans, no helicopters. Most of the equipment I see my groups get is internal stuff (cybernetics, bioware), or efficient ordinance / armour (chem suits, stealth suits), rather than going for the big boom.

Mind you, most of the players don't make military characters, they think more 'street' level and 'shadow ops' rather than 'military'. Probably for the best.

[TheOOB]

I have never, ever, ever seen a SR team like this in any game I've played, or ran. No demolitions, no tricked out vans, no helicopters. Most of the equipment I see my groups get is internal stuff (cybernetics, bioware), or efficient ordinance / armour (chem suits, stealth suits), rather than going for the big boom.

Mind you, most of the players don't make military characters, they think more 'street' level and 'shadow ops' rather than 'military'. Probably for the best.

Different styles of play. In truth, for a ultra high security set-up, the best solution is usually to create a distraction while you go in guns blazing. Sometimes quicker is better then quiet.

[Blade]

A good security requires 3 elements:

1) Something to block intruders. A door/firewall/ward. It has three purposes: first it will deter 99% of possible intruders, second it let you know who's an intruder and who isn't and third it slows intruder down.
But no security is perfect, so the intruder will eventually get past the barrier. That's why you need:

2) Something to detect intruders. A camera or patrolling or standing guard/an Analyse program/a watcher spirit or a mage. They'll let you know that there is an intruder.
Now that you know, you need to act. You need:

3) Something to prevent intruders from doing whatever they want to do. A combat drone or strike team/an IC or a spider/a combat spirit or a combat mage. It can mean calling the police or an off or on-site security. In somes cases, this security can be put in action after the intruder have left: they'll use the data of the detection systems to catch them.

If you miss any of the elements, your security is ineffective.

[Thanee]

So, for those of you running Shadowrun, how secure do you tend to make the facilities being infiltrated? I'm sort of at a quandary myself on the issue -- I want the game to be at least reasonably realistic when it comes to security measures for the various companies, but if done that way, most running teams won't have the means or the know-how to overcome them (player-wise).

Yeah, that's an inherent problem with Shadowrun.

If you use all the means they (realistically) should have available, then it would be pretty much impossible to get in.

I have one golden rule, when it comes to that.

The premise of Shadowrun is, that Shadowrunners exist.

This means in turn, that Shadowruns happen, and that can only be, if they make sense to happen.

So, in conclusion, security cannot be so perfect.

This is also not that unrealistic, as looking at real world examples, there is often a lot of money to be saved just by being a bit lax with security issues.

The highest priority facilities surely will have security that a typical runner team cannot tackle, but then those should not be the target of such runs either.

Pick the targets right and pick the security level right, so that the whole thing works out.

Bye
Thanee