Tuesday, June 30, 2015

VIDEO: Folks, DON'T try ANY of this at home!!

I found this video on Facebook. The author, Idan Abolnik is a Krav Maga "expert" and former Golani unit member. While his bio is impressive, I'm not quite sure who has a range that will allow this or the risk acceptance he and his participants seemingly do. I caution you: DO NOT TRY THIS AT HOME!!!

Wednesday, June 17, 2015

OPINION: The Color of Legit

Be forewarned – this involves critical thinking:

The death of a childhood friend and subsequent similar homicides at the hands of criminals with guns in our inner cities has brought me a great amount of reflective pause about how we visualize the legitimacy of homicide victims. Seemingly, there is a great abundance of news headlines featuring homicides that have become all-too-familiar. The victims are usually young, African-American, and live in some of our most populated cities – places which used to be known for significant wealth and prosperity but now are a reflection of something much darker. Their assailants are also described as young, African-American, and from the inner-city. If we’re being specific, there’s also the added description of the homicide which usually “tells us all we need” – the murder was “gang-related”. Many times, our initial summation and often ill-informed analysis hinges on these circumstances. That “analysis” takes just under a few seconds but the power it conveys lasts a lifetime.

What’s most striking is in this internal discourse of legitimacy is not that we’re wrestling with the notion of whether the crime happened but whether the victims “deserved” to be killed and if so, whether a crime even occurred. Come on, admit it. How many times have you heard of a 16 year old kid in Chicago being murdered and saw the words “gang-related” in the article somewhere and thought “Figures”? Oh, you haven’t heard of those kinds of homicides before? No worries, we’ll cover that later.

This perception just doesn’t end with race. “Legit” victims have political parties, live in certain neighborhoods, and subscribe to our favorite religions. I’ll make a small wager – I could post the names of Chicago’s shooting deaths and won’t get near as many “retweets”, “favorites”, “shares”, or “likes” as I do when I post about cop deaths or guys in the military. Don’t get me wrong – I served in both capacities and those deaths were honorable and deserved being mentioned. That being said, what does it say about the value we place on human lives, when we feel certain deaths are worth more of our attention than others. Those officers died on those streets to stop crimes like those murders from happening, yet we’re astoundingly silent when it comes to remembering those dead. Why is that? Is there some part of us that can’t or won’t acknowledge a certain dark truth which is not “all lives matter”?

I was on the podcast, CovertContact not too long ago and somewhere in my rant there, you’ll probably notice I was very emphatic about something I feel will be a pressing national security issue soon. If we don’t embody what we preach which is “all lives do matter” in every fiber of our national fabric, then those who continue to feel devalued will act as those they and those who look just like them have no value. 

Sadly, the crisis we have growing exponentially doesn’t require me to furnish any statistics to make this point – the truth is all too apparent. That simple but very present reality is that unless victims match our skin color, go to our churches, believe in exactly the same things we do, and are willing to admit our supremacy on matters where we disagree, their lives are as meaningless as those “retweets”, “favorites”, “likes”, and “shares” I mentioned before. This is not a crisis we should crave or even begin to think we’re adequately prepared for. Care not because their lives matter but care because all lives truly do matter.

RIP Danny Williams, 29 years old, college graduate, Christian, father, son, brother, cousin, and loyal friend.

Friday, June 12, 2015

OPINION: Why Security Is Killing Risk Management

   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
   As a professional who is on social media quite a bit, I have witnessed, firsthand the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners wherein we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct to provide us with the assurance that we’ve done everything possible to keep us safe from various threats. Humans are very fearful of their demise and naturally, see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and providing what we assume are adequate protection measures. This, as we all know, is often based on untested data and the myth wherein victims can think in much the same way as their assailants.
   Protection is what we do proactively to deter, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption they can prevent attacks. Everything they do is with respect to the attack happening. This is what makes them very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often done with the mindset victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims can have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the target’s inadequate mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t catch always. For example, I’ve seen people react to discovering a vulnerability as being one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing there are areas where a potential bad guy can exploit to enable their attack to be quite insightful. Sure, we like to catch these vulnerabilities before an attack but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct kinetic operations against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come and you should be prepared long before they do. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. He will find a way in, inevitably, that you will miss. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps, two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet-peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very few times, do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail based on how possible something is rather than it’s probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between a high probability of attacks happening always and the needs of the end-users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking non-patched Department of Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information and compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet, neither OPM or the Department of Interior bothered to patch the servers or encrypt their data. They, presumably, thought the threat of attack was minimal and did not require adequate mitigation. Imagine the likelihood of uproar had they just simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.

About Us