Showing posts with label Risk Management.

Wednesday, August 15, 2018

OPINION: I Need to Vent About The State of Security



You may have noticed I haven't blogged in like forever. Yeah, I know. Look, I've been busy with life and stuff. Welp, I'm back. Wait. I've said that before? This time, I promise to be much more regular and consistent with my posting. I digress - I have a grievance about the state of our industry to air and dang it, you're going to read all about it.

So, you may have noticed a minor thing called a "national election" occurred while I've been away. You may have noticed the same thing I have since the election ended. EVERYONE HAS LOST THEIR MINDS!!! Seriously. It's been a strange time for every one of us. What's crazier than the public going bonkers over politics? Security professionals drunk on hype, the erosion of our professionalism, and fraudulent credibility have corrupted our analysis, jeopardized our assets, and enabled ineffective and inefficient security risk mitigation.

I'M NOT IMPRESSED


We're a failing industry, in short. Sure, we do our jobs and pretend as though none of this has an effect, while the public and the industry embrace perceptions based not on sound and trustworthy data but on fear, uncertainty, and doubt (FUD). The public is encouraged to view threats based solely on identity rather than on capability, opportunity, and motivation. Add in FUD and you have a consumer base who demand more and more radical solutions to problems we, as security professionals, over-complicate, due mostly to our willful ignorance and our discipleship to partisan rancor, confirmation bias, and ego.

New attacks can't simply be the product of luck or one-offs. No, these attacks, according to our "experts", are "advanced", "sophisticated", or "impressive". I could list other superlatives but you get my drift. These professionals are constantly impressed by attacks whose effects are often unclear.

After the drone assassination attempt on Maduro, security professionals on social media were aghast and seemed almost terrified at the prospect of a massive global pandemic of wayward killer drones.

Okay. Okay. I'm a terrible human......

I admit it - I called the Maduro assassination attempt a "game changer". It wasn't because I assumed the worst. The drone attack was interesting and certainly a bit surprising. I'm a guy whose job it is to address and mitigate such threats. While I was intrigued, I didn't lose much sleep. Why? Because there was a lot that could have gone right for the attackers but didn't. In fact, they chose a methodology which required far more resources and placed unnecessary risk on their operatives, especially when you realize there were far simpler and more effective means of killing Maduro. The drone attack also placed innocent people in danger, and had any one of them been killed, the attackers might well have lost a great deal of support.

DO YOU EVEN CRITICAL THINK, BRO?!


These same "experts" are often impressed by al Qaeda and other groups for carrying out simple attacks. There are many counter-terrorism and physical security folks who declare after every attack that we should embrace more and more drastic security measures in response. They never consider the drag on existing resources, whether this threat-reaction posture can be sustained over the long term, or whether they're inviting more problems by creating additional threats. These folks will suggest everything from putting soldiers in classrooms after shootings, to increasing security at already hardened facilities, to demanding tools which have shown themselves barely appropriate for their current use.

Have no fear! Your consummate security professional is up at night defending our honor and challenging these professionals to consider better solutions. I find a lot of folks in security who happen to do social media can be very reactionary and haphazard about how they communicate threats and mitigation. Is it appropriate or wise to denigrate how others mitigate threats, when your situational knowledge might be minimal, at best? Some people would argue that it is. I'm no badge defender and I certainly challenge bad practice. I also get how often we try to get mitigation in place, only to be told stakeholders would rather allocate resources or funding elsewhere. It happens all over practical security organizations. In fact, having to adjust your mitigation programming is one of the toughest parts of this gig.

For me, the asset is never "soft" or "hard" - it's about what attracts the bad guys to the target. I surmise most kinetic attacks occur in crowded spaces not because of a lack of visible security but because there is a crowd. I could go on and on about crowds, but there's a real and transferable reason why wolves hunt sheep, and it's easily deduced if you've ever seen them do it. Sheep can't stop being part of a crowd. Wolves hunt either stragglers or those caught in the herd. Why? Because they're slow and they have limited egress points.

GAME RECOGNIZES GAME


I've blogged here before about the ways in which fraudulent "experts" taint our profession, so I won't belabor the point here. Here's what I will say:
  1. There is an ever-growing field of "experts" who lack credibility or credentials and who often imagine threats and mitigation based on how they impact their "bottom line". Don't get me wrong - I like to network and certainly respect your hustle, but I might be more inclined to buy your product or promote your ideas if you weren't always trying to sell them to me like an over-eager crack dealer. Slow your roll. Again, I digressed.

    None of the points I just made are, by themselves, why I question someone's credibility or their credentials. They do cause me and others to take someone less seriously, and to see further marketing less as an attempt to grow the industry with your knowledge and insight and more as a way to line your pockets. I consider our collective anger and angst on 9/12 to be the root of the problem.

    The inconvenient but honest truth is that after 9/11 the American people wanted two things: more security and revenge. Our industry, seeing the potential for unlimited growth, went bonkers trying to meet this demand. The government created the TSA. The Internet became a weaponized instrument against our foes both at home and abroad. We believed we were unprepared and needed to adhere to everything "unconventional" pertaining to security. We sold buzzwords like "hybrid warfare", "dynamic", and even my own favorite, "kinetic", without even a semblance of critical thought on whether any of what we were seeing was "new" to everyone or just "new" to us.

  2. Rather than fixing a problem which required some TLC, we demanded everyone become Jack Bauer and lined our budgets and pockets with cash which promised not only job security but the most coveted of all security prizes - relevance. Naturally, the fakes and phonies came like vultures and they've been picking the meat off the bodies ever since.

    To be quite fair and honest, I've been called an "expert" by media and I know firsthand that they often mislabel you based on what sells their narrative or the topic area to be discussed. When it happened to me in ways I couldn't articulate, I challenged those attributions. I've blogged about it here and explained how it occurred to friends and people I know in that community. As I saw the problem getting worse, and saw that audiences and studios seemed less and less interested in what I said versus how I said it, I felt my work as a professional was more important than how awesome I was on an appearance. While I'm grateful for the opportunities that were given to me, my focus will always be on professional development, promoting sound mitigation ideas and best practices, and perfecting my craft. Just cast Cuba Gooding, Jr. in my biopic when I sign the movie deal.

  3. What's worse than creating a side industry filled with the fake and greedy? Giving them a seat at the table of influence and policy. I'm not just talking media. No. I'm talking about Cabinet positions. I'm talking about boards. I'm talking about senior staff positions in major departments. The greatest danger we face from these people is not their inevitably bad advice. It's their untested and untenable security "solutions", backed by flawed analysis and threat perceptions, which we declare "factual" and "balanced" because they suit infectious and malignant ideas that tarnish our industry and ruin public trust.
What can we do about our fellow practitioners and the public who are engorged with hubris, ego, and grift? Can we save our industry before we transform into a conflagration of our parents' Facebook pages and the worst of Twitter, LinkedIn, and major news media?
  1. Address their knowledge of the topic and the process from which they've derived their conclusions. 
  2. Challenge how they receive data. 
  3. Challenge who they vetted it with. 
  4. Ask them if what they're seeing is repeatable. 
  5. How do they establish credibility with their sources? You'd be surprised how many professionals subscribe to ineffective ideas on mitigation from sources who have no connection to security or our best practices. 
YUP. WE'RE SCREWED.


Whew! That's the bright spot. Wait until I cover all the stuff I hadn't covered in two years.

Friday, June 12, 2015

OPINION: Why Security Is Killing Risk Management


   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
 
   As a professional who is on social media quite a bit, I have witnessed, firsthand the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners wherein we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct that provides us with the assurance we’ve done everything possible to keep ourselves safe from various threats. Humans are very fearful of their demise and naturally see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and putting in place what we assume are adequate protection measures. This, as we all know, is often based on untested data and on the myth that victims can think in much the same way as their assailants.
 
   Protection is what we do proactively to detect, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption it can prevent attacks. Everything it does is with respect to the attack happening. This is what makes these details very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often practiced with the mindset that victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the inadequacy of the target’s mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t always catch. For example, I’ve seen people react to discovering a vulnerability as though it were one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing there are areas a potential bad guy can exploit to enable their attack to be quite insightful. Sure, we like to catch these vulnerabilities before an attack, but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct operations, kinetic or otherwise, against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come, and you should be prepared long before it does. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. Inevitably, he will find a way in that you missed. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very rarely do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle on about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so-recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail because they were chosen based on how possible something is rather than on its probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between the attacks that are highly probable and the needs of the end users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking unpatched Department of Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information, and its compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet neither OPM nor the Department of Interior bothered to patch the servers or encrypt their data. They presumably thought the threat of attack was minimal and did not require adequate mitigation. Imagine how much smaller the uproar would have been had they simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.
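One way to put the probability-versus-possibility point and the "what you have, whether you can lose it, who could take it, what it costs to recover" definition into numbers, as an added example that is not part of the original post: a small risk register in Python. It uses the standard single-loss expectancy, annualized loss expectancy and return-on-security-investment formulas, which the post does not name, and every scenario name, dollar figure and rate in it is constructed for illustration.

```python
"""Added example (not from the post): a small quantitative risk register.

It ranks constructed scenarios by expected annual loss, so that a "possible
but improbable" event with a huge single-incident loss does not outrank the
probable, everyday ones, and it checks whether a mitigation pays for itself.
Formulas are the standard SLE/ALE/ROSI quantities, not the author's:
    SLE  = asset_value * exposure_factor          (loss from one incident)
    ALE  = SLE * ARO                              (expected loss per year)
    ROSI = (ALE_before - ALE_after - cost) / cost (return on the control)
All names, dollar figures and rates below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # what it costs to recover or replace the asset
    exposure_factor: float  # fraction of the asset lost per incident, 0..1
    aro: float              # annual rate of occurrence: probability, not possibility

    def sle(self) -> float:
        """Single loss expectancy: damage from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: what the scenario costs per year, on average."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO (deter/deny)
    ef_reduction: float = 0.0   # fraction by which it cuts exposure (detect/delay/recover)


def residual(s: Scenario, c: Control) -> Scenario:
    """The same scenario after the control is in place."""
    return replace(s,
                   exposure_factor=s.exposure_factor * (1 - c.ef_reduction),
                   aro=s.aro * (1 - c.aro_reduction))


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: > 0 means the control saves more than it costs."""
    saved = s.ale() - residual(s, c).ale()
    return (saved - c.annual_cost) / c.annual_cost


def prioritize(scenarios: list[Scenario]) -> list[str]:
    """Scenario names ordered by what they are expected to cost per year."""
    return [s.name for s in sorted(scenarios, key=Scenario.ale, reverse=True)]


# Constructed register. The drone scenario has the largest single loss but a
# tiny ARO; the unpatched server and phishing are the ones seen all the time.
SCENARIOS = [
    Scenario("Unpatched internet-facing server exploited", 2_000_000, 0.8, 0.5),
    Scenario("Admin account phished", 2_000_000, 0.5, 1.0),
    Scenario("Laptop with records lost in transit", 50_000, 1.0, 4.0),
    Scenario("Hostile drone strike on headquarters", 5_000_000, 0.3, 0.001),
]
PATCHING = Control("Patch management for internet-facing hosts", 150_000, aro_reduction=0.9)
ENCRYPT_AT_REST = Control("Encrypt stored records", 60_000, ef_reduction=0.75)
COUNTER_DRONE = Control("Counter-drone system", 400_000, aro_reduction=0.5)

if __name__ == "__main__":
    for s in sorted(SCENARIOS, key=Scenario.ale, reverse=True):
        print(f"{s.name:45} SLE={s.sle():>12,.0f} ALE={s.ale():>12,.0f}")
    server, _, laptop, drone = SCENARIOS
    print(f"ROSI patching vs server:   {rosi(server, PATCHING):+.2f}")
    print(f"ROSI encryption vs laptop: {rosi(laptop, ENCRYPT_AT_REST):+.2f}")
    print(f"ROSI counter-drone:        {rosi(drone, COUNTER_DRONE):+.2f}")
```

Run it and the drone scenario, which has the largest single-incident loss, lands at the bottom of the list while the counter-drone control shows a negative return; the unglamorous patching and encryption controls against the probable scenarios are the ones that pay for themselves. The rates are the hard part in practice: an ARO you cannot defend with incident data or a vetted source is exactly the FUD-driven guess the post warns about, and the ranking is only as honest as those inputs.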

Wednesday, August 7, 2013

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between



If you've been in the security world long enough, you've heard of a term called "OPSEC", or operations security. This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you're a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it's prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following comes from Wikipedia (I know - it's super-scholarly):
  1. Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
  2. Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
  3. Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
  4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
  5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
  6. Assessment of Insider Knowledge: Assessing and ensuring employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures by organizational security elements; whether by open assessment or covert assessment in order to evaluate the information being processed and/or handled on all levels of operatability (employees/mid-level/senior management) and prevent unintended/intentional disclosure.
We should also recognize good guys aren't the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.
  1. NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not, to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and to your secrets. I liken these people to "trusted agents" whom you allow close enough to get more information than you're willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I'm not saying to not be in a relationship or to eschew intimacy. If you're in a job that requires you to adhere to sound OPSEC principles, what I'm advising you to do is exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Eliot Spitzer.
  2. Always have a thoroughly vetted back-story for your cover. This is commonly referred to as a "legend" in the intelligence community. It is an identity in line with your established, synthetic cover. For example, I mentioned the hacker known as The Jester in a previous blog post. Depending on which side you're on, he's either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone "doxes" him, he has a prepared and detailed analysis of how he created that cover identity. Many times he'll use a name that does exist, belonging to a person who either does not exist or whom he has cleverly manufactured using a multitude of identity generators. He'll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he's certainly good at one thing we know for sure - cover discipline.
  3. NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don't, but their behavior says otherwise. As Ronald Reagan is often quoted as saying, "In God we trust, all others we verify." I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you're checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don't initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He'd only been at Booz Allen Hamilton a few months before he began siphoning massive amounts of classified information to which he had no direct access or need-to-know. Another saying I'm fond of is "Keep your enemies close, but your friends closer." I'm not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, "Not everyone that smiles at you is your friend and not every frown comes from an enemy."
  4. Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you'll hear the work they do described with the term "quiet professionals". Most successful bad guys realize the best way to ensure longevity is to shut the hell up. Bragging about or giving "pre-game commentary" before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the ones who never say a word and just do their work. Sometimes, lethality is best expressed with silence.
  5. Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I'm doing right now giving away something I don't want the public to know? Is the device or medium I'm talking on able to give away information I'm not comfortable sharing? Does my enemy have the ability to intercept or analyze what I'm doing in order to gain sensitive information? What "tells" am I projecting? These are a few of many questions you should be asking in order to ensure you're limiting "noise litter".
  6. If you're doing secret stuff, NEVER EVER EVER EVER EVER talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A personal rule of thumb: if it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant - feed it only what you're willing to share with your adversary.
  7. NEVER ever touch or be in the same place as the "product". For the uninitiated, that is one of the first rules of the dope game. Every successful, elusive drug dealer knows to keep away from the "product" (read: drugs). Whatever the "product" in your "game", ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.
  8. Recognize "the lion in the tall grass". When practicing OPSEC, the one thing you should never forget is why you're doing it. The reason you're practicing it is simple - there are people out there who oppose you. Ignore them to your detriment.
  9. NEVER say something you can't back up or prove immediately. Nothing says you're a person who needs to be checked out better than saying things you can't back up or prove. People who are trying to vet you will require you to back up what you say, for a reason. Be ready for this. A great example is people who claim to be connected to someone of stature in order to gain access. They're found out because the target asked the other party, who could not confirm the connection.
  10. Treat your real intentions and identity as that gold ring from Lord of the Rings. I'm not saying put your driver's license on a necklace so a troll who thinks it's his "precious" won't take it. First of all, that's too cool to happen in real life. Second, you'll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.
I've decided to include the more practical list from the "Notorious B.I.G." to drive home some of these principles:

TEN CRACK COMMANDMENTS
  1. Rule number uno, never let no one know
    How much, dough you hold, 'cause you know
    The cheddar breed jealousy 'specially
    If that man *** up, get your *** stuck up
  2. Number two, never let 'em know your next move
    Don't you know Bad Boys move in silence or violence
    Take it from your highness
    I done squeezed mad clips at these cats for they bricks and chips
  3. Number three, never trust nobody
    Your moms'll set that *** up, properly gassed up
    Hoodie to mask up, s***, for that fast buck
    She be layin' in the bushes to light that *** up
  4. Number four, know you heard this before
    Never get high on your own supply
  5. Number five, never sell no *** where you rest at
    I don't care if they want a ounce, tell 'em bounce
  6. Number six, that God*** credit, dig it
    You think a *** head payin' you back, *** forget it
  7. Seven, this rule is so underrated
    Keep your family and business completely separated
    Money and blood don't mix like two *** and no ***
    Find yourself in serious s***
  8. Number eight, never keep no weight on you
    Them cats that squeeze your *** can hold jobs too
  9. Number nine, shoulda been number one to me
    If you ain't gettin' bags stay the f*** from police
    If niggaz think you snitchin' ain't tryin' listen
    They be sittin' in your kitchen, waitin' to start hittin'
  10. Number ten, a strong word called consignment
    Strictly for live men, not for freshmen
    If you ain't got the clientele say hell no
    'Cause they gon' want they money rain, sleet, hail, snow
Don't forget the admonition Notorious B.I.G. gives, which should never be diminished:
Follow these rules, you'll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass

An information security professional known as "The Grugq" gave a very interesting talk on OPSEC, which I think is worth taking a glance at (try to contain all laughter and buffoonery at the preview image - we're running a family show here, folks):

