OPINION: 10 Simple Rules Every Security Professional On Social Media Should Think About

Social  media can be a great thing at times. It can connect you with other professionals, allow you to sound off on things in our industry, advertise your services, and even give you new insight into security matters. However, it can also be a very dangerous tool. Countless times, I've seen security professionals realize this inherent truth much too late. In every social interaction, there is an implied trust with our fellow netizens they will abide by certain unspoken "rules". Often, they do but more than often, they do not. I'd like to share a few rules that can help mitigate the risks associated with combining your personal and professional social media personas.

1. Be humble and listen to everyone's opinion. There seems to be a rash of security professionals who believe the best way to interact with those who disagree with them is to be brash and rude regardless of the interaction. Sometimes, it calls for being a bit brash and rude. However, I find it often does not. Don't make being adversarial a part of who you are on social media. You could potential "scare away" potential clients or employers. Don't be "that" guy. Seriously. If you don't want discourse, then social media is not the place for you. Chances are just because you're awesome in what you know doesn't mean you're awesome in all things you claim to know. Sometimes, other folks have legit ideas we can learn from. You don't always have to be right. A simple "I never thought of it that way" goes a long way.
2. Keep your "circle" small. A while back, I went to "private" on all of my social media accounts. Why? Am I talking secret stuff I don't want others to know? No. I just realized how much better my social media experience is by keeping my audience relatively small. Think of it like how you rate schools based on student-to-teacher ratios. Do you really want to have to interact with 90,000 people you don't know? Also, by keeping your "circle" small, you pick the people you want to interact with. There's a danger here, though. By being selective, you run the risk of limiting the amount of data you receive and it can enable subjectivity to some extent. With that being said, I'll add my next rule.
3. Interact with people who provide value and not an ego boost. When I went "private", I noticed I was far more selective and I tended to interact with people who "liked" my comments less and interacted more. There's a trap by having loads of people "like" everything you post. It can lull you into a false sense of security that you're a "big deal" and immune to legitimate criticism. Remember, this is the Internet. Just because you say awesome things does not mean people think you're awesome. You will make people upset sometimes. That's life. Some attacks will be personal. That is also life. Deal with it. My mother provided me with the best sage advice I've ever heard and will never forget - "Not everyone that smiles at you is your friend and not everyone who frowns at you is your enemy."
4. Don't say or do anything on social media you can't tell your mother or boss about. Seriously, you can limit half the drama that comes your way by just abiding by this simple rule. More professionals get involved in more drama online than they should because they forgot this. What does this mean? Don't write checks with your status updates your career and personal life can't cash.
5. Keep it real. I've written in the past about "experts" and how often it is easy to confuse real expertise with implied expertise. If you're really knowledgeable about something, feel free to talk about it like you do. If you're not, then take it easy and try to "stay in your lane". Many people find themselves in trouble when they forget to do this. Why? Everyone wants to be popular on social media and you don't get to be popular by staying in your lane all the time. Remember what I said about getting too many followers and "likes". Again, don't be "that" guy. When I'm talking to people on social media, I try my hardest to be upfront about what I know based on my experiences and from other sources. If you follow me on social media, you'll often read me telling people what's in my lane and what is not. I find when I do that, I receive much better interaction with professionals and I learn quite a bit more than I preach.
6. Don't make your social media persona to be something you are not.  The downfall of many professionals on social media can be traced back to forgetting this rule. Quite a few security practitioners seem to believe in order to have value, they have to inflate who they are or what they've done in the past. More often than not, they're found out and revealed without prejudice. You don't have to fake a degree or have an awesome job title to provide value in your social media interactions. I'm more impressed by a person who is totally honest about being a janitor and knows a lot on a topic versus a janitor who pretends to be an "expert" security "guru. As I always say, "Game recognizes game."
7. Use your manners. My advice to son is always, "I get more from pleases and thank-yous than I have ever gotten with a frown on my face." A simple "Thank you for the discourse" or an apologetic private message for an overly snippy comment has provided me with more value than my stubborness to concede a point ever has. With that in mind, as with everywhere you go in life, there will always be jerks. Try not to be one of them if you don't have to. Sometimes, a situation online may call for you to be one. I suggest resisting the temptation to do so and simply either ignore the other party or "block" them. This is the Internet and there are tools available wherein you can choose to be a jerk or not. At one point, my mother was a preacher's wife which is position replete with jealousy. She always told me, after an encounter with someone who she knew didn't like her, "Baby, sometimes, you gotta kill them with kindness."
8. Some things are better said in-person. This is too easy to explain. Keep private things as private as you can because once it leaves your computer, you have lost complete control of it. If I'm in charge of human resources at a company you applied to or I'm a prospective client and I noticed your social media accounts are chock full of indiscretion, you're probably not a person I want to hire and for good reason. Whatever your intent was will not matter to someone who decides your fate with the click of button without having to ever talk to you.
9. Never trust people to keep things private online. Salient advice I received from a friend once - "This is the Internet, nothing is as it appears." People are inherently untrustworthy. Why? Because they can always make disadvantageous decisions regarding you online without your knowledge and consent. There is very little you can do about this except following this rule. As the old adage from hip-hop goes, "Never trust a big butt and a smile."
10. You don't have to be first to speak during a crisis to have value. The first time I became popular on social media was during Christopher Dorner's rampage through Los Angeles. I made a few points which were re-shared a lot. After that, it seemed like every other crisis, I was being called on to give my opinion. Not too long after that, I did some introspective thinking and realized I was being wasn't always being called on to give my opinion or insight - I was seeking it out. I had fallen into the trap. Why is this bad? The reason I took the time to think on this topic was I noticed I was sharing incorrect and highly subjective information. In other words, I was misinforming people. My "circle" was kind and quietly called me on some of it. Here's what I learned: Being first, often, means being first with the wrong information and relying on firsthand accounts. Anyone involved in the intelligence community will tell you how this leads to a degradation of analysis and eventual disregard of the analyst responsible. Take your time and give your insight when it's helpful.

OPINION: Why Does It Suck To Think Like A Good Guy In Security

Day after day, on social media and elsewhere on the Internet, there are lots of folks who are seemingly shocked every time a bad guy shows up and acts like a bad guy. Seriously, how many times have you read or seen "I can't believe Suspect A was able to murder all of those people" or "If only they (security) did XYZ like I thought of during a conversation with my veterinarian who may have been in the military, that bad thing wouldn't have happened"? I see it quite a bit and frankly, I've decided it may be time to finally add my .02 about it.

Those of us in security who have spent some time studying "the threat" (insert whatever scary bad guy you're dealing with) understand what few who haven't studied it don't. No matter how awesome your protective measures are, they do little to mitigate (and certainly not "prevent") the attacker unless you start thinking a bit like they do. Herein lies the fatal flaw of most "white hats" and even some "grey hats".

1. You think of attacks in ways that you would conduct them. No offense but if you're protecting yourself against robbers but know relatively little of them, you may be looking to deploy solutions which don't work against that threat. One of the most painful things any security professional can hear when doing a site survey with a client from the client is "If I were the bad guy, this is how I would do it." More often than not, it is not how the bad guys would attack. Think security cameras in homes. Most people will deploy a camera at home with the thought the camera provides an extra layer of protection when in fact it doesn't. I have known several victims of home invasions who either had cameras installed or had an alarm sign out front. These are two commonly deployed deterrence tools that we know don't work. Instead, focus on the problem as if the bad guy would ignore the deterrence measures (because he will because we have little proof he won't) and proceed with the attack and use things like cameras as after-incident mitigation tools to catch the perpetrator later.
2. You think of your threat as one-dimensional. Most good guys see their threat based on commonly accepted precepts of what the threat is and how he has attacked in the past. Just because the bad guy only hit you or the other guy using one vector doesn't mean he won't try something different later. A great example of this is 9/11. Prior to the second World Trade Center attack, there were common beliefs that terrorists were only capable of performing certain kinds of attacks. What no factored in was changing realistic threat capabilities. In other words, we assumed the threat wasn't evolutionary in his tactics. Seriously, who could've imagine having to protect a building against two near-simultaneous aircraft crashes? Perhaps we could have had we accepted the idea that as we change so does the threat.
3. You think the threat is omnipotent and omnipresent. It's easy to get caught up in the hype of a threat. I do it sometimes. This is a natural defense mechanism after an attack has occurred. Why? No one likes to have their vulnerabilities exposed. After every mass shooting or act of violence that makes the news, we assume every venue that is like the one that was attacked is also vulnerable and being selected as the "next" target for another perpetrator.
   
   I remember fondly working on 9/11 on a small Air Force base on a perimeter patrol. What I recall the most are the initial attitudes people had of al Qaeda. We believed this one attack displayed a level of sophistication unseen by them before on US soil could be replicated on a massive scale. Every Muslim, ignorantly, was assumed to be a sleeper agent waiting for cues from "Muslim HQ" to attack us wherever and however they chose. The months and years ahead showed how far from the truth that was. Imagine how many countless resources were expended before we realized the fallacy behind this assumption.
4. You think your attacker "chose" you for a variety of reasons he didn't. People almost always assume an attacker chose to attack them or others for reasons they didn't. Rape is commonly thought to be a crime of lust because good people believe sex is the only reason you rape because it's the end-result. However, most criminologists and psychologists would agree rape is a crime of power. I would argue the majority of crime takes place for this very reason. Terrorism occurs because of this as does murder (what's more powerful than ridding yourself of someone permanently), drug dealing, fraud, and a host of other crimes. You're either fighting to obtain it (i.e. steal it from someone else) or committing crime to become more powerful. This confusion could possibly explain why most crime "prevention" measures based on policy fail at alarming rates - we're clueless on what truly motivates people to attack us.
5. You assume because you haven't seen the threat, he must not exist. Whether we see the threat or not, we should never assume he does not exist. While the threat can't be everywhere every time, the threat can still be very much. Never assume the absence of threat means he or she isn't going to show. You still need to adequately protect your assets as if today is the day you're going to be attacked. Remember, the attacker chooses the time of attack. You choose how well-prepared you'll be when it happens.

I'm not proposing anyone go out and hire a red team. I firmly believe one of the reasons we, often, fail so miserably at security sometimes is due to our natural inclination to think the bad guy thinks like we do when they don't. So how can we fix this?

1. Study your adversary. Seriously, pour over any open source intelligence you can on your threat. Read the paper and look for crime stories. Pick up a police report or two on similar venues like yours. I'll leave how you conduct your research to you. Just do it. Stop assuming blindly how the attack will go down or even who your adversary is.
2. Consider hiring folks who can think like attackers. I'm not saying you hire criminals but red teams hire specialists who can mimic attackers. Choose folks from a variety of backgrounds to round out your security team. By the way, by "background", I'm not talking education. I mean pick a team with a variety of specialists.
3. Test your systems with exercises. The only way you're going to learn is by testing how well your security program holds up against an actual attack. Consider doing this with little to no notice and have an after-action or "hot-wash" debriefing with your red team and affected staff right away. Finally, fix the vulnerabilities as soon as possible.
4. Reward outside the box thinking. When I was a young boy, I recall my fondest memories were playing games like "hide-and-go-seek" with my friends. The guys who were the most creative were the best at this game. Why? Because they were unpredictable. I'll leave how you choose to reward these folks on your own. Just do it.

PHOTO: Fake Cameras Provide Fake Protection

I can't even begin to tell you how many times I run into stores that have decoy cameras in lieu of real cameras. I also can't tell you how many countless times these same stores get robbed. Buying a decoy camera, in my opinion, are invitations for criminals. This is not to say most criminals can't tell the difference between fake and real. This is to say that many of these businesses and homes that utilize decoy cameras don't quite get what kind of mitigators they need to adequately protect themselves and their assets.

The added statistic at the bottom of this photograph is especially troubling because it dupes customers into believing they have added another layer of "security". This is correct in some respects. Remember what I said about "security" being a goal and less of an action? The problem lies in exactly the same place issues of semantics in security are - it relies on data that is either incomplete and more than likely, irrelevant to their protection needs.

We all know cameras serve a variety of purposes other than video surveillance. We also understand some vendors and property owners either have poor tools or are so under-trained they may as well not have a camera. However, when an incident happens, the last thing property owners want to tell the police and insurance companies (worse yet, a jury in a civil liability trial) is they thought a decoy or non-operative camera offered better protection.

If you're a property owner and considering one of these decoys, turn around and invest in a camera system you will monitor and maintain. If you're a pro, call these out and the dangers behind using them.