Louvre lesson: Security is a complex, not only a process

Last month’s news footage could have come from an over-the-top movie, with a stolen cherry picker brazenly on the street outside one of the most important museums in the world, and getaway scooters standing by to zip the thieves away. That the loot stolen last month at the Louvre was literally royal jewels made the plot even more familiar-sounding.

But in a movie, the thieves might have needed more complex plotting to evade a deeply layered security system to accomplish their theft. 

The truth is that the theft at the Louvre made the news because it was high-value and bold — not because it required criminal genius to accomplish. 

It’s often said that security is “a process, not a product.” Another aspect this crime highlights is that the actions that make up the security process themselves rely on numerous interconnected parts; the weakness of individual elements reduces the effectiveness of the others. In other words, it’s a complex.

The password (was) Louvre

The museum faced, and faces, limitations of the kind that every business or other institution does: Limitations in time, budget, and practicality mean that security always competes with other concerns, including comfort, aesthetics, and usability. A perfectly locked-down museum would be one where visitors couldn’t even be admitted, and wouldn’t want to visit anyhow. 

In the case of the Louvre, though, video coverage which might have deterred this crime in the first place or led to an even faster resolution, was notably absent in two places critical to the thieves’ plan:  

• The museum’s Apollo Gallery had no cameras on the balcony where the thieves entered, which made the brute-force approach of an electric lift a practical attack.
• Despite a concerted effort since 2019 to put more cameras in place, a significant percentage of the museum’s galleries (more than 60%) lacked video coverage. 

But even if cameras had been in place, a further weakness has now been widely reported: The museum’s central electronic security system was protected by a password easy enough for a movie villain to simply guess in a short time. Difficult as it is to believe, that password was “LOUVRE.” 

Plenty of stones, and lots of glass houses

If you consider how such things come to be, though, maybe it’s not at all hard to believe. You’ve probably experienced that complicated security procedures are costly and sometimes frustrating. It also takes time to train people to use any system, and instituting new passwords or procedures always takes longer than you’d think. Initial passwords may be selected for convenience, and there are lots of plausible reasons that weak passwords exist in the first place — or why they stick around.

– “We’ll change this soon, when we’ve completed this upgrade.”
– “Let’s issue a revised password, but only when the rest of the team is back from vacation.”
– “This password doesn’t matter much, because further steps are needed to get into individual parts of the system.”
– “We’re about to institute a new password manager anyhow.”
– “We need a password that doesn’t lock us out on the third attempt again.”

Real-world security systems have to anticipate and build around the reality of complexity and imperfections. These imperfections may sound simple, but that doesn’t mean they’re easy to fix. No matter how many times it’s discouraged, employees will sometimes hold doors open for others (who may or may not be authorized). A password, or at least a password reminder, might be taped to the keyboard of a critical system. An often-needed panel may have its latch taped for easy access.

Just complicated enough

One important way to build around these easy-to-predict flaws is simply to require multiple means of authentication, so a password by itself is never enough to access a critical system. Hence, the popularity of physical security keys or ID badges, or the requirement that more than one person be present for certain high-security processes. (That taped-open panel may even be reasonable, if the surrounding processes and safeguards are adequate.) 

Or, when it makes sense, to use built-in encryption, and devices that automatically establish one-way connections between devices. Even a highly technical thief following the classic thriller-film tactic of intercepting a security camera’s feed — and replacing it with innocuous content while a crime or covert entry takes place — would simply be frustrated if that stream is encrypted, and if it took a ping from the camera to establish a connection at all. 

Tapping into camera feeds like this is a staple of fiction, but it’s not feasible with systems like Eagle Eye Cloud VMS. Even having a system-wide password isn’t enough, because that’s not the level at which the encryption takes place.

Most organizations aren’t protecting historic jewels – but they do need to protect people and property, whether that means stewarding lives in a school, or minding hundreds of customers’ cars in an overnight parking lot. Getting the security complex right isn’t easy, if you’re doing it yourself. That’s reason enough to take advantage of experts who’ve done it before — and learned from lessons like the Louvre’s. 

Timothy Lord

Timothy Lord has witnessed and written about IT security trends and the ongoing evolution of SaaS for more than 25 years.