I try not to be one of those "Check out this Darwin Awards Winner" kind of guys. Granted, in our industry, we see a lot of fail. One could say our very survival depends less on FUD and more on fail. Or is FUD a component of fail? I digress. There's a lot of stupid in the video below. The gist is simple:
Geniuses, in prison, decided to FILM THEMSELVES IN PRISON doing the widely popular, "Mannequin Challenge".
Said "geniuses" uploaded video of their collective stupidity to YouTube.
Caught by San Diego County corrections dudes who are "currently investigating this incident".
Note:Dude, again, I am not an intel dude. NOT my lane.
A few days ago, I wrote an article about how political parties could deal with a hostile foreign intelligence service actively targeting them for exploitation. One of the techniques I recommended revolved around avoiding physical surveillance. The video below goes into a lot of detail regarding surveillance detection routes. It appears to have been a declassified intelligence community video from the 1970s(?). This is for purely entertainment purposes. If you think you need to add this to your repertoire, then I suggest doing two things:
Hire a professional to teach you. A video is no substitute for actual training. That said, the materials in this are dated and I would imagine any serious surveillance would have a suitable counter to any SDR. However; this sets a nice introduction into the topic.
If you need this and you're going against any significant intelligence threat, you might be already screwed. Seriously.
Resource This guy seems to know a lot more than I do on this stuff.
Note:I am nota cyber or infosec dude. Never have been. Never will be probably. It's not my lane. That said, I try my best to find good advice in these lanes and share them when possible. Your mileage will certainly vary.
So the Electronic Frontier Foundation (EFF) is having a "12 Days of 2FA" thing starting December 8. I may not agree with the EFF on some things but they're advocacy for a more private and secure Internet is something I am all for. Making folks more aware of the benefits and techniques necessary to enable two-factor authentication is awesome in my book. I'm not a tech dude but I will tell you a little about two-factor and why you should do it on EVERY SINGLE FREAKING ACCOUNT YOU HAVE THAT ALLOWS FOR 2FA.
Definition
The EFF has this to say:
Relying on more than a password to secure online accounts is so important because passwords are relatively easy to steal or compromise. Passwords can be vulnerable to eavesdroppers on cafe and airplane wifi, to tech company data breaches, and to phishing attacks. Add in a second factor, though, and an attacker needs more than just your password to access your accounts.
That second factor can take several forms, including:
A one-time verification code sent to you via SMS text message
A time-based one-time password (TOTP) generated by a dedicated app, like Google Authenticator and Authy
If passwords are compromised in a breach, there's an additional layer of defense for the attackers to overcome.
It nullifies a lot of brute force attacks. Even if you "guess" the right password, you still have to overcome 2FA.
Final Word of Advice
Having 2FA is NOTan excuse for a crappy password or for password reuse. Let's be clear - we all have passwords we've reused. That doesn't mean we should. In fact, we should remedy that as soon as possible.
Get a password manager
Register with sites that allow for
Lots of characters in passwords
Take security seriously (bug bounties, HTTPS, limited account enumeration, etc.)
Monitor your logins
Most major sites will show the IP of your last login. Monitor this regularly to ensure your credentials haven't been compromised.
So, I've been watching Westworld and it seems like killer robots are becoming a thing again. There are some really cool things with the bot featured in this slick ad:
It's seemingly quiet. For obvious reasons.
They went the fashionable "combat black" look. It's mandatory for anything being called "covert" these days. (snark)
It has loads of cameras. One of the primary purposes of the bot is to give human operators tactical situational awareness. The field of view seems to be okay and has what appears to be some PTZ stuff going on, though the cameras appear to be very stationary. If it relies on the vehicle to move the camera, then I'm curious whether that compromises noise discipline.
It comes with a Glock. Yeah. It's "G'd up from da floor up". My bad - that's street vernacular for "It has a working gun that can kill people". That said, I'm curious if the vehicle has a stabilizer to compensate for recoil. Also, where does the "brass" go? Surely, it's not optimal to have it eject in a way that it could lodge between the gun and the bot chassis.
My overall complaints about the bot:
It looks great in a video which means it will perform like crap once it gets deployed.
I need to see more Army-proofing. Ahem! How long before crazy G.I.s break it on its first run? Trust me - you need to be asking this question.
Humans have been doing a bang-up job of clearing rooms thus far without bots. Not sure how this helps in real world tactical environments. Yeah, shooters may not have to get too close to make the hard shots but....What happens when your suspect sees this thing and decides you're trying to make entry and kills hostages preemptively before you do?
Finally, I worry about the trial and error part of figuring out its limitations in the real world. An EOD bot is easy to square away because testing and training go hand-in-hand especially in a semi-controlled environment. This bot's armament would need to be tested along with its operators under conditions that mirror the real world both in risk and realism. In other words, let's see it clear a "trap house" with a barricaded homicidal subject armed with an AK-47 and has kids as potential hostages. We tend to be very "meh" about collateral damage (civilian deaths) in combat zones during drone strikes - I have a feeling we'd feel differently about a bot who killed a hostage due to operator error or mechanical failure. Thankfully, it's under human-control. Imagine what it can do if given analytics.
2016 was a huge year in security especially in light of our recent presidential elections. The election is always a big security event but unlike previous elections, the last few years have seen the country becoming seemingly more divided and somewhat consumed with protest activities. Additionally, cities that hosted political conventions had to have significant mitigation measures in place. A piece of public records information I'm always very curious about are the after-action reports of cities who have to host these events.
A fellow MuckRock user, Melissa Hill requested the after action reports from from several law enforcement agencies. She's gotten quite a few and I suspect others are forthcoming. I'll post more as they become available and I sift through the chaff.
NOTE: I decided to add this, even though it's not an AAR. Still worth a look to get a scope of the various organizations which supported the security mission at the convention.
DoD-NORTHCOM Defense Support of Civil Authorities Republican National Convention 2016 Presentation
Other than the election that was "interesting", 2016 had some very memorable moments. One of those "moments" was the "clown scare". For a few months, the entire country seemed to be besieged by reports of creepy dudes in clown costumes. If you're not familiar with American customs, I'd like to be the first to inform you that many Americans are terrified of clowns. Some of these sightings were of clowns in the woods who were trying to entice children to go into the woods with them. Yeah. I told you - creepy. As time wore on, it became apparent to the American people many of the sightings were the result of false reports, hoaxes, and the rare creepy dude in a clown costume. Thanks to the awesomeness of MuckRock we have a real live police report of such an incident. Have a look - if you dare!
Before you watch this video, let me clarify a few things:
I TOTALLYsupport the right to bear and keep arms. Period. Full stop.
The words "gun safe" is a HUGE play on words. Most of these "safes" aren't safes at all and solely designed and engineered to keep a weapon secure from inadvertent breach from children or other curious individuals and readily accessible. They offer little in the way of any of the protection safes tend to provide.
I fully expect you to comply with laws in your jurisdiction. Don't mess this up. Follow the rules. Just understand what the "gun safe" is there for and deploy them with that in mind.
Consider other mitigation strategies to go along with the safe. There are a few products on the market. Personally, this is one of my favorites.
This presentation took place during DEFCON 19. Deviant gave an awesome talk. It's great to see the perspective a gun owner who happens to know a ton about physical security when discussing these devices.
Yeah. I know. Me too. I TOTALLY want one of these. If you want more information on how you can get one, then you should probably click here and sign up to be on their mailing list.
Also, here's a video of the lock's mechanics in animation. Yeah. It's pretty freaking awesome. I'd like to mention this lock gives me hope. As a non-fan of the consumer lock industry, this lock is a VERY development for the sector. Unpickable. Unbumpable. That said, you should probably look at other door strengthening techniques just in case your adversary doesn't bring a pick or have a key bump but has a good size boot and a decent pair of thighs.
In the annals of military history, there are countless examples of commanders finding unique and interesting ways to get security awareness training to their people. I imagine Hannibal having posters that made coy references to the "element of surprise" and OPSEC. You can guarantee Ceasar had posters ironically about insider threats. In today's modern military, commanders have been less creative and still don't get why marketers declare "Location, location, location!"
If there's just one video you watch today, you should watch this one. Deviant Ollam, a physical security penetration tester was at ShakaCon, an information security conference talking about how to pick the perfect door. I won't spoil the video but he covers way more than just doors. It's both insightful and illuminating. Well worth a view.
I have A LOT to say about the video below. The video below is of a robbery of a Tampa, Florida gun store, Tampa Arms. The robbers made entry into the establishment by DRIVING A TRUCK THROUGH THE FRONT DOOR. Yeah, an entire pickup truck and made off with approximately FORTY firearms - Glock handguns, shotguns and AR-15 rifles. I heard that, by the way and I totally agree "Damn." The video lasts about five minutes and the quality is rough to say the least.
So, let's get to the good, the bad, and the utterly atrocious.
The Good
There was video and it worked. I know. That's not saying an awful lot but...given my professional experience, this is very good. It appears to be a DIY install and the quality (we'll address that later) is well, crap. But it was positioned where it could capture the entirety of the event. It didn't - mostly, because the quality was crap. Did I mention the quality is crap?
The Ugly
Did you notice I only had one "good" thing to note?
The Atrocious
The quality is HORRIBLE. Holy smokes! Seriously, if you're going to install a camera over an entryway to capture theft, it should either ALWAYS have good lighting or have infrared lighting during hours of limited visibility (like when robberies are more likely to occur).
The position of the camera sucks. Like it sucks REALLY, REALLY, REALLY, REALLY, REALLY, REALLY, REALLY bad. When you're doing a DIY install, it is super-duper easy to miss what actual security professionals notice. Stuff like whether a camera is positioned at an angle to capture faces from multiple viewpoints. For example, the camera at the front doorway only caught the suspects' faces as they turned around. Perhaps, there should be a camera actually facing the door unobstructed. A simple test done in complete darkness after the install would have revealed what we now see - this video is useless.
NEVER EVER EVER EVER EVER have firearms not locked in a secure container after store hours. Period. There is absolutely ZEROsound reasons why those weapons were out of containers. They need to be locked up. Remember the name of the game isn't just detection - there's delaying attackers as well.
TEST YOUR SECURITY SYSTEM REGULARLY. The attackers had a lot of time on this particular robbery. This tells me either the alarm failed or notification was entirely too slow. Business owners should do monthly or quarterly checks with their alarm companies, to determine any issues. You should also have a good working relationship with your local police department. You store guns for crying out loud - the cops who patrol your area should have a working knowledge of your alarms and security measures.
Conduct an annual vulnerability assessment. Take a moment once a year to walk through the business and see what vulnerabilities that need to be shored up. Don't think in terms of how you would hit your store. Instead, pay attention to areas that create ways for an attacker to gain access. Then, call a security consultant and have them walk you through what they see. It's also a really good idea to read industry standards pertaining to securing storefronts like yours. Tampa Arms had no excuse to not call a consultant. There's literally one around the corner and also internationally recognized, Stanley Security Solutions.
Get a video alarm verification system. Had the alarms gone off, the front door sensors would have went off, surely. The motions may have caught multiple intruders too. Then again, if your installation was crap which it probably was, you may only get one of those sensors to go off. To cut down on false alarm fines (it's a HUGE deal in Tampa and probably why a system may not have been install if it wasn't) and to give responding law enforcement more situational awareness (cops respond a whole lot faster on alarms they know are legit), ask your alarm provider to talk to you about alarm verification. If they rely on you to respond or if they don't offer it, take this small piece of advice - consider a different provider.
There were no physical barriers in front of the front entryway. You ever driven by a WalMart? Of course you have - you're American, probably. What's the first thing you notice in the front of most WalMarts? They have bollards by every entryway. Why is this? Take a look at the video below and you'll see why. Call the city, get a permit, dig in the ground, fill some metal pipes with concrete, and plant them in each hole. Problem solved. Also, check out the trees.
Approximately, FIFTEEN people robbed these guys. Let that marinate. They brought multiple vehicles, had a plan, executed it, and were in uniforms. Yeah, this ain't their first rodeo. They'll hit more places. Forty guns is a great grab but the proceeds don't split that well among fifteen people and not with that much considerable risk. I know the area well where this happened and I know this shop. This was a team that knew their target and prepared for it. We'll see them again.
Update (11-28-2016 1904): A few reports have emerged from the media stating various talking points derived from the suspect's Facebook timeline, though with little independent confirmation the account indeed belongs to the suspect. He seemed to believe Muslims were mistreated by the West and also disliked it's meddling in Islamic affairs. There were also noted jihadi luminaries quoted throughout. Again, this information has not been corroborated by official law enforcement sources but could speak to motive and ultimately whether this was a terrorist attack.
Another mass casualty incident has occurred and I engaged the tried and true method of triggering my compulsion to smash my face with my palm by looking at Twitter. Yep, it was that bad. It never ceases to amaze me that no matter how many times I tweet or blog about the painstaking work of attacker attribution, people continually participate in oversimplified and error-prone "analysis". They're often trying to do this without being at the scene, with no prior investigative experience, and in real-time. To say the least, the amount of wrong is significantly higher than actual "I called it", despite what the authors say.
You're probably wondering why I'm so passionate about the inclinations others have toward this kind of "analysis". I believe it speaks volumes about how much we value the arduous work it takes to do the investigations needed to make accurate attribution claims. It's also a HUGE part of the myth that "anyone can do security". Over the years, I have been practically screaming how false that is. What we as professionals do, takes time, significant knowledge, limited resources, and countless hours of practical experience.
Yet, here we are. Today, I have seen tweet after tweet proclaiming the attack was immediately the work of jihadist invaders or lone wolf extremists of some variety. These suppositions have come in the early moments of reporting on the attack. As it developed, we were informed of a suspect, a Somali refuge named Abdul Razak Ali Artan. As of this writing, there are tweets claiming this is conclusive "evidence" of terrorism. The actual cops working the scene haven't made one statement, as far as I know, yet about any determination of motive. But Twitter says otherwise. A population where 99.99% of people with zero to any relevant law enforcement or security experience have done in hours what it will take seasoned and ordained professionals weeks to do. Yeah, it's crap.
So, if not terrorism, then what is it, Mr. "Security Professional"? Glad, you asked. I don't have a clue and neither do you unless you're on the scene actually investigating this incident. I should know. I used to do this thing all the time. Speaking from firsthand experience, I can confirm how easy it is to engage in this hasty sort of "analysis". What I can tell you is that we often make the mistake, as amateurs, of reaching conclusions about violent mass casualty incidents with little to any information. We do this based on what we either know of the attacker or the incident. This happens with minimal confirmation from official sources or reading too much into either first reports from witnesses, police scanner traffic, or what's told in early press conferences and releases. The often-ignored practice of "wait and see" has turned into "Holy crap! Something bad happened. Let me get my initial reaction out into the Twitterverse so my followers can give me reaffirmation for the sake of my ego and incessant desire to be first to comment on all-things tragic."
There are a few ways we can fix this.
Stop assuming race, ethnicity, or religion can explain why people commit acts of violence. While these things can play a role in attacks, it's unlikely they can explain every single one. Instead, disregard them initially until other information develops that establishes motive or crime typology (act of terror or just a crazy person).
No one has an exclusive monopoly over non-sanctioned violence. Just because an attacker uses a pipe bomb or even their vehicle doesn't mean the attack is terror-related. Let me put it bluntly - there are no "exclusive" tricks of the trade among bad guys. For example, looking at just the initial information we knew about Christopher Dorner's attacks and his weapons of choice, we could have assumed the attack was probably carried out by militias or other extremists versus an ex-cop with a grudge.
It's too easy to get caught in the brutality of an attack and high casualty numbers and assume the attack was terrorism. Don't get caught in the weeds here, folks. Take a deep breath. Examine what we have and nothing else. When bad things happen, we naturally allow fear and our ever-incessant desire for immediate vengeance to cloud our thinking. Attribution is a game of facts and truth not emotion.
Attack attribution requires more than just your gut feeling. A great example of this is a scene from Designated Survivor. It's a show about a newly, fired HUD Secretary being the "designated survivor" for a State of the Union address by which most of government is killed in an explosion. The newly, sworn President, played by Keifer Sutherland, is doing his best to determine who the attackers are. His advisers are pleading with him to name a known group as being responsible. Much of their evidence is based on wild speculation, self-interested political jockeying, and warhawking. The Chairman of the Joint Chiefs asks the president to name this group. The President asks the FBI how sure they are of the identity of the attackers and they respond "75 percent, sir." Sutherland's character declines making the call to name the attackers. When pressed by the Chairman of the Joint Chiefs how much more certainty he needed, the President responds with "Give me 25 percent more." I won't lie. This was by far the best dialogue I've seen in a fictional television show regarding attribution. There are dire consequences when we rely on anything other than empirical data when making attribution calls.
The likely suspects could be people you like and it's not wrong to not rule them out. So much of the attack attribution that occurs on social media is wrought with people trying to make the facts fit their narrative. If a person is overtly political, this is more telling than they're ready to acknowledge. In fact, they often dismiss other possible and probable theories outright. Many times, I've seen the "expert" credentials of various participants in this crazy dialogue come into play. Stop it. Take long deep breaths and remember if you're not on-scene, you know absolutely nothing.
Analysis is not a crystal ball. One of the most often over-played narratives is the intelligence community or law enforcement missed "something". Why? They assume those in these professions have to be right all the time as a part of what they do. It's as if some of us are expected to have superhuman abilities to predict the future accurately. Sometimes, like all things we think we understand, we get things wrong. It sucks when we do but it happens. Stop asking "How could they have missed this?" and start asking "What led them to believe this person posed no discernible danger?"
Every time law enforcement does a threat assessment on supposedly dangerous persons, an interview with the subject is conducted if possible. Given our legal framework and the very imprecise art and science of "reading" people, some actually dangerous people are missed. It happens. Not often but it does. A more poignant avenue to approach is the examination of how law enforcement and security professionals have been inadvertently incentivized to go after "low-hanging fruit" rather than being given sufficient resources to investigate and mitigate these threats.
Most people assume a car bomb is immediate evidence of a terrorist attack. Yeah, not quite. Other people use bombs to commit murder for a variety of reasons. They were used quite often by the mob and other organized crime networks. Yet, none of these bombers were charged with terrorism. Why? Because their motives were not terror related. Terrorism is one of the few crimes which require motive in the "elements of the offense".
Remember that "legal framework" I mentioned in the US Code? Here it is:
"18 U.S.C. § 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the U.S. Code, entitled "Terrorism.”
"International terrorism" means activities with the following three characteristics:
Involve violent acts or acts dangerous to human life that violate federal or state law;
Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.*
"Domestic terrorism" means activities with the following three characteristics:
Involve acts dangerous to human life that violate federal or state law;
Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination. or kidnapping; and
Occur primarily within the territorial jurisdiction of the U.S.
18 U.S.C. § 2332b defines the term "federal crime of terrorism" as an offense that:
Is calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct; and
Is a violation of one of several listed statutes, including § 930(c) (relating to killing or attempted killing during an attack on a federal facility with a dangerous weapon); and § 1114 (relating to killing or attempted killing of officers and employees of the U.S.)."
I don't have all the answers and neither do you. Let's all take a deep breath and allow the cops to do their jobs.
NOTE: I am NOTan intel dude. I have never been an intel dude. I have never been a counterintelligence dude. Never. These are my OPINIONS. If the adage that "all politics is war" is true, then this past election could certainly be proof of that. I won't get into specifics about candidates, their positions, or even their actions or culpability. This advice specifically for the Democratic National Committee is nonpartisan and exactly the same counsel I would give the Republican National Committee. In fact, the reason I wrote this post was in response to the DNC leaks/hacks. Also, there will be ZERO discussion about attribution and motives. To me, answering why something happens doesn't always help you mitigate how it happened in the first place. These "rules" apply to anyone who is a target of espionage by any actor, state or otherwise.
You're the active target of an intelligence apparatus. Given the result of this election, we can assume they achieved their objective and will see their success to continue their activities against you. So it is imperative that you and your staff operate as such. Knowing this, let's be clear - these agencies have a great many resources directed at you and will see any and all information as potential actionable intelligence. This means they'll be seeking out any vulnerabilities you have and will exploit them to get that information and will encompass both physical and virtual realms. Ultimately, assume you've been compromised on all of these fronts. For the foreseeable future, your survival in the political arena will be dependent on your acknowledgement of this.
Let's get to what you came here for - the "rules".
Physical Security
Assume every room you felt was "secure" is not. This may sound a bit paranoid but we already know the DNC suspected their offices were bugged by an unknown entity and sent a TCSM team in to investigate. Though, no active bugs were found, we know electronic surveillance is an ongoing tool used by intelligence agencies against targets especially political ones. If you haven't already, have a TCSM team inspect every office, bathroom, closet, etc. regularly. When they're done, assume you're still being bugged and be careful when discussing confidential information.
Assume your cars, homes, and hotels are also compromised. Yeah, I'm paranoid. I know this. That said, if I were to compromise you, I'd hit the places where most people engage or discuss things that make exploitation possible. These are also places you can't sweep every day for bugs. Don't take work home and don't discuss work at home. Also, assume whatever "dirt" you do in these places is being photographed, videoed, and audibly recorded. I shouldn't have to say this but....STOP DOING "DIRT".
You're being followed everywhere. Conduct surveillance detection routes regularly and pay attention to new vehicles in your neighborhood. Talk to your neighbors. Notice vehicles which you can never seem to shake. I have a rule I follow when inspecting vehicles for contraband - anything new and shiny in a sea of filth is not normal. If you're one of those people who use Uber or some other service, think about having the driver drop you off a block or two away from your destination and look to see who gets out when you do.
Consider every potential or new "intimate" encounter to possibly be a "catfish" or a honeypot until proven otherwise. Yeah, it sucks to say this but sex is still a proven way to gain secrets and access. I'm not saying you don't have "game" but youshould be very suspicious of something that "sounds too good to be true". I'm not telling you to shun relationships but just be wary of new people wanting more access and information than they should have. Also, imagine these contacts suddenly being blared across social media for the world to judge. Foreign Intelligence Services have a long history of exploiting these encounters. 'Nuff said (Note: In case, I didn't make it clear enough - don't be stupid and don't do "dirt").
Invest in a good safe that's bolted in the ground, high security door locks, dog, burglar system, and a few nosy neighbors. Same crime prevention advice I give everyone applies in the counterintelligence world. You need early detection and you need it yesterday.
Follow the Moscow Rules.
Assume nothing.
Never go against your gut.
Everyone is potentially under opposition control.
Do not look back; you are never completely alone.
Go with the flow, blend in.
Vary your pattern and stay within your cover.
Lull them into a sense of complacency.
Do not harass the opposition.
Pick the time and place for action.
Keep your options open.
Adhere to the ever-wise directives of Notorious B.I.G.. Seriously, regardless of how awesome this track is, the truths contained in it are essential to the success of any campaign. Though it's not a literal translation of acceptable ethical rules of conduct, interchange the words to fit a typical political campaign and it's very illuminating.
Information Security
You need a security classification program. The federal government has a security classification program that's been somewhat successful at compartmentalizing information and preventing some data leakage. You don't have to mirror theirs but you should implement something similar. The first step in this process should be the development of a risk management process. Look at what information you could never lose without seriously compromising your objectives, the information you could lose with some compromise of your objectives, and information that is safe for some data leakage or available for public release. This classification should known and enforced organization-wide. Any and all of your policies and procedures to safeguard this information should encompass the physical and virtual realms.
This classification could look something likes this: a. Confidential - this could include documents or communication that should neverleave the organization. b. Sensitive - this could include information that if discovered could have an impact on day-to-ops or the overall reputation of the organization c. Close Hold - this could include information that is normally only discussed between as few members as possible. This should also be treated as Confidential if it warrants.
d. Publicly Releasable - this is information discussed in the organization that could be disseminated for public release with little to any approval. Note: All security classifications should be used sparingly and reviewed regularly to mitigate against hyper-vigilance and overclassification.
Consider being more transparent and don't be "dirty". The DNC leaks proved in many ways that transparency could be a great mitigation tool. When you're seen as being overly sneaky, people assume you have "dirt" to hide. How you do this is up to you but it cannot be denied the impact transparency can have with preventing further leaks.
Political parties are, by their nature, involved in some "dirt". They're either digging for "dirt" on someone else or trying to hide their own. Perhaps, it would be more prudent to limit these activities to lessen the number of attack platforms that can be used against your organization. Just a thought.
Assume you have an informant in your organization. This doesn't mean you have to treat everyone as if they've been compromised. It does mean you should never assume they haven't been. Don't go on an organizational "mole hunt" but you should always be aware of what you say to who you it say it to.
Don't trust any outside communication that isn't part of an existing conversation. Move the conversation offline. Have a gatekeeper handle these when possible. The gatekeeper should be the only person who has direct unsolicited access to communications with key personnel. To say the least, the gatekeeper must deploy a mitigation-first mindset.
Consider building a "secure" room at your HQ. The Intelligence Community calls them SCIFs. They're rooms in which permanent workstations and secure phones are located and are regularly swept for bugs and access control is very strict. Consider only discussing strategic information here and here only. This aids in figuring out how you've been compromised if this leaks, as well as protecting against inadvertent leaking.
Consider ways in which the mundane could be damaging if exposed. For political parties, imagine your entire donor database being leaked. Got any donors who would rather not have their personally identifiable information leaked? How about your call sheets or talking points to donors? Could they be useful for an adversary in figuring out how to counter you? My personal favorite - internal polling. Think the other side or an FIS wouldn't love to know how you're projecting a path to victory? How about areas your constituents feel you're weak in? What if the adversary not only used that information themselves but then leaked it, especially at a moment when you're trying to project strength?
Consider a breach a serious incident. Data leakage happens. Some secrets are difficult to contain. Look at the stealth bomber and the Predator drone. Things happen. That said, there should be severe ramifications for even inadvertent leakage of seriously compromising information. Whatever those consequences are for those parties, they should be swift, consistent with existing policy, and indiscriminate. Period.
Sooo, I'm kind of back on my Freedom of Information Act "grind". This time, I've grown curious about how Reedy Creek Improvement District aka Disney World interacts with law enforcement. I've heard various reports that most law enforcement-related dispatches are relayed through Florida Highway Patrol and Orange County. I'm less curious about shoplifting dispatches (I'm surely, mostly klepto-tourists seeking crimes of opportunity) and more curious about the more serious incidents that either go reported in the media or that don't.
I'll keep you posted should something more concrete develop. The plan is to write a piece on what I find in the FOIA documents to give more a robust picture of Disney's security via publicly available information. If anything, I'm sure there will be a number of interesting data points to be discussed in the replies.
As always, the best place to keep up-to-date on any FOIA requests I do is here or the link above. Also, Muckrock is an AWESOME place to discover not just my requests but other people's as well. If you see anything noteworthy in my requests, please feel free to reach me via the "Contact Me" link above.
I'm not an alarmist. Or at least, I try not to be. Personally, I prefer a rather "Vulcan" approach to many things in security. As the youngsters say, "Logic rules everything around me." Actually, that may not be the "exact" wording but you get the drift. That said, I do have a fair amount of "Holy sh*t!" moments. While reading Rumiyah #3 (An English-language e-magazine for ISIL) and coming up on their murder-by-semi-truck tutorial, I tried to suppress having such a moment. I succeeded, mostly because I realize the tutorial was somewhat incomplete from a tactical perspective. That's not to say the message isn't effective or wouldn't possibly motivate ISIL members to strike. I see its inclusion as both for propaganda and potential triggering for an upcoming attack.
Oh, you read that whole "murder-by-semi-truck" bit correctly. Here's what they actually said - "Though being an essential part of modern life, very few actually comprehend the deadly and destructive capability of the motor vehicle and its capacity of reaping large numbers of casualties if used in a premeditated manner. This was superbly demonstrated in the attack launched by the brother Mohamed Lahouaiej-Bouhlel who, while traveling at the speed of approximately 90 kilometers per hour, plowed his 19-ton load-bearing truck into crowds celebrating Bastille Day in Nice, France, harvesting through his attack the slaughter of 86 Crusader citizens and injuring 434 more."
There's a lot we, as security professionals, can glean from this. Have no worries, I won't be divulging "state secrets" or imparting tactical clues. There are merely my observations. Take them for what they're worth, as your mileage could very well vary.
Large vehicles are vogue for jihadis still. In fact, one of the key criteria they attribute for an "ideal vehicle is a "load-bearing truck". Even though, speed and "controllability" are also highly desirable, they suggest operators steer clear of SUV's and small cars. Obviously, they're looking for something that can handle a lot of weight.
The Nice attack is seen as successful. Notice the vehicle should have "double-wheels" because it gives "victims less of a chance to escape being crushed by the vehicle's tires". Also, I noticed the inclusion of having a secondary weapon as a means of ensuring additional casualties and "increasing terror". Pretty telling.
Crowd mitigation is really freaking important, stupid. Look, folks. I know I harp on this a lot. I get it. I do. But they pretty much say it - "In general, one should consider any outdoor attraction that draws large crowds." Notice the bit about crowds.
Image include in Rumiyah #3. Notice the large crowd. Just saying.
Attribution is really freaking important, stupid. The last few ISIL-related attacks (either by the group or attributed by them) have included language using the phrase "soldier of the Islamic State". Almost every attack committed by a Western-based attacker who hasn't gone to Syria, ISIL has claimed responsibility using this phrase. So no surprise here when you see it in Rumiyah #3 - "I am a soldier of the Islamic Sate!" Why do they do this? To sum it up - they're a holy anointed apocalyptic cult whose proximity to Allah can only determined by their ability to seemingly kill at will. If that's not clear enough, they do it for street cred. You gotta have bodies to make it in the terror game, folks.
Large crowd size does not always equate to certain specific targets. Located in the fine print was this gem - "All so-called “civilian” (and low-security) parades and gatherings are fair game and more devastating to Crusader nations." If you're a security professional who has to mitigate threats to a parade route but you're not in New York, you may assume you're in the clear. Yeah, you're dead wrong about that. It's about the casualty count. If your parade route could have a large number of people along it with limited egress points and insecure access control to the street, you could be in the same boat, if not worse than New York. As I always say - it's not a matter of IF but WHEN. Mark my words. Be vigilant.
It's not just about parades, stupid. What other "targets" are they looking at? Glad you asked. ISIL says "Outdoor markets, festivals, parades, political rallies (We got any of these coming up soon? Asking for a friend.), large outdoor conventions and celebrations (Got any tree-lighting ceremonies?), and pedestrian-congested streets (High/Main
streets)" are all legit targets. Yep. Here comes your "Oh sh*t" moment. Stop it. Relax. Now, go mitigate.
Fail to take this kind of attack seriously, at your peril. Let me put it bluntly. Nope, let me just leave what they said here - "The method of such an attack is that a vehicle is plunged at a high speed into a large congregation of kuffar, smashing their bodies with the vehicle’s strong outer frame, while advancing forward – crushing their heads, torsos, and limbs under the vehicle’s wheels and chassis – and leaving behind a trail of carnage."
One of the first topic areas that caught my eye was video analytics. As a video surveillance monitor for a lot of my career in physical security, I felt I had a good grasp on why most surveillance systems fail to detect bad guys as much as they should. If you're a physical security professional, you know where that weak link is as well - the monitors. Yup. It took me less than six months looking at video screens most of my day to understand most irregular events fail to go noticed or are properly assessed. This happens for a variety of reasons:
Monitor fatigue. This happens when a monitor stares at a screen for too long and either falls asleep or becomes easily distracted. We're humans and no one likes gazing at an empty parking lot for hours on end. So, the mind begins to wonder and bad things can happen. If you'd like to learn more about monitor fatigue, this is a great resource. - https://en.wikipedia.org/wiki/Alarm_fatigue (I know it's Wikipedia but as a primer, it's not too shabby)
Monitors are expected to recognize irregular events in a huge ocean of regular benign events. That parking lot I mentioned before could have 400 cars in it and thousands of people coming and going. If mixed in with benign events, irregular events can appear to be okay and fit with the norm. This explains why some folks can get robbed right in front of a camera and no one notice.
There are too many "rules" to remember and act upon on too many feeds for a single monitor. Sometimes, with human monitors, too much video is just as bad as driving into someone else's headlights.
Where else are all these problems more demonstrative than in a home security environment? I have friends who have 6 or more cameras on a home and they call themselves "monitoring" those feeds constantly. No, you're not. What I find most often is the direct opposite - they're monitoring one or two cameras, maybe. The others go either unwatched or constantly recording over each other. So what's the solution to ensure all the feeds are being monitored and reporting and recording events as they occur?
Sighthound is a software application that acts as a monitoring platform with an embedded analytics package. You can not only monitor your feeds from various cameras but you can also have those feeds report only when "rules" are broken which include:
A person entering a zone.
Someone leaving a zone.
Motion inside a zone.
The feeds can be viewed remotely. You have to pay for that feature, though, there is a trial version which includes this for 14 days. Given recent issues with Internet of Things being exploited for DDOS attacks, I highly recommend changing whatever default passwords that are on your cameras, ensuring the firewall on your router is working, and updating the firmware on the device. If you can run a scan to see what ports are open on your machine using the scanner at https://iotscanner.bullguard.com and close them, if possible. Also, check out routing the camera through a DNS provider like DynDNS.
I digress. While you can have the software email you or send a notification to the smartphone app, you can also have it do a myriad of options through IFTTT. The possibilities are almost endless from there. Oh and perhaps the most creative option and one I particularly like is the ability to execute a command should an event be triggered. For example, you could set it to send you a snapshot of the event and then shutdown your computer. Why is that cool? If your PC is full-disk encrypted, then you have just ensured a key mitigation piece is activated. You also have a picture or video of the event and can determine if you need to respond further.
What I like most about Sighthound is how quickly it responds to events. Almost 5 or 10 seconds after an event, I received a notification of the event and was able to view a snapshot. That's pretty cool when you consider how costly an enterprise system can be offering the same service.
There are some things I'd like to see it offer in the future:
Security options. I'd like to password protect my remote feeds. This maybe here already and I just missed it. If so, I feel like this is kind of an understated feature.
More event triggers. It covers the basics but I'd like to see triggers for things noise detection with those cameras that offer audio in their feeds.
Possibly some interoperability with other devices. I'd love it if it could network with other sensors through the home and capture those events as well. Some proprietary device systems already do this but I'd like to see something that would allow me to work with events involving a smoke detector and my camera.
Overall, I THOROUGHLY love Sighthound. It has tremendous potential and is extremely affordable. I hope this is a new movement within the home security surveillance sector. I'd like to see less machines that can't or won't cooperate with other devices to successfully mitigate potentially dangerous events. It isn't perfect but I find it is certainly a great step in that direction.
As of now, I haven't reached out to the Sighthound team for an interview. I will soon, though. I'd love to hear what more they have to offer.
If you know of any other physical security applications or devices you'd like me to review, contact me via the "Contact Me" link above.
A question I get asked sometimes is "How do I get my family interested in security?" The question, surprisingly enough, comes from security professionals who are passionate about what they do but find that their families either don't share their affinity for our trade or are rather lackadaisical about upholding mitigation techniques. Come on. Don't kid yourself. Your family could probably care less about security too. Your spouse probably says "That's why I have you, Mr./Mrs. Security Dude. That's your job." Yeah, I roll my eyes too.
As I stated in my previous podcast, you could pay $10,000 for the world's greatest door lock and have your entire mitigation ruined by a spouse or absent-minded child who forget to lock the door. It happens more than we like to admit. I also surmise it's why some of us are so passionate about security awareness training at work. Given that we view them sometimes as the "weak" link, let's look at how we can get them better at not just maintaining mitigation but also becoming independent security stakeholders.
Chill out and recognize who you're working with. You don't get to always hire friends and family. So, we're stuck with people who wouldn't know the difference between a padlock and deadbolt at times. And....why should they? "That's what you're here for" is a phrase I've heard countless times. Recognize the role you've taken as the security person of the house and how that has enabled them.
Don't scare them. We know things about the world in which we live that our families should never be exposed to. It's kind of why we do what we do, right? But ignorance isn't always bliss. In sales, I learned a term called "finding pain". It's a term used to describe learning what someone's personal security nightmare is and then exploiting that to get them to buy a proudct you sell to alleviate that "pain". Sounds pretty awful, huh? But it works. Do the same with your family. Ssssssssssllllllllllooooooowwwwwwwllllllllyyyyyy. This is where you explain to them how they could lose things they care about very easily if mitigation isn't there to stop the bad guy or at least aid in getting their valuables back or replaced. I have found explaining value and risk in its most basic and pure form has been very helpful with getting children on early as stakeholders. It takes a lot of time and patience but it is well worth it.
Invite them along to do a risk survey of the home. This sounds like something a bit too intense for your home but it's really not and rather easy to do.
Give each person an area they're responsible for like their rooms or designated work/play areas.
Have them inventory all of the items in that area they place value on. Tell them to ignore easily disposable items and clothes (absent something truly expensive).
Also have them include photos of the most expensive items and to include any serial numbers if possible in the inventory.
Give them value parameters. I make mine rather simple - irreplaceable, replaceable but painful to lose (cost too much or would take forever to get back), replaceable with very little to any pain. For smaller children, this could be a challenge so I encourage you to explain this a bit more in-depth and accompany them throughout the process.
Do your vulnerability assessments with them. We've identified things of value and the amount of pain it would create getting them back if it were possible. Now, have them look at all of the ways someone or something could make that risk a reality. For kids, you're going to have be patient and listen to every "ninja scenario". With boys, you'll hear this threat profile thrown around a lot. Get used to it. Explain the difference between a likely exploitable vulnerability and one's that will probably always remain vulnerabilities (Bad guys cutting a hole in your roof). Get out a map or overlay and have them articulate the vulnerability.
Address threats. Be sure to caution them to stay away from "thinking like a wolf" mentality. Most often, your family is a mix of really good people. So have them look at likely threats instead. With smaller kids, explain that because it's "likely" doesn't make it real. A bad guy could walk down the street and decide to randomly steal your kid - that doesn't mean every stranger is the bad guy. Explain that because we don't know every person who could be down the street means we can't exclude all of them as potential bad actors for certain crimes. This is also a good time to explain that most violent crimes occur when victims already know their attackers. If we know all good people, then we can reasonably say our probability of meeting harmful attackers is minimal. Crimes of opportunity can be more difficult to simply dismiss because the likelihood exists that you could be a victim of a stranger. Thus we have to mitigate that threat, as well. Discuss any sort of special security issues you face (i.e. any jilted lovers, enemies from prior jobs, stalkers, etc.).
Buy door and window alarms from the Dollar Store and have them work through a variety of home security projects. My absolute favorite activity to do with children is building "booby-traps" with these Dollar Store gadgets. I have them take a map and examine their likely avenues of approach, chokepoints, and areas of final denial. Then, I talk about how the gadgets serve one purpose only - detection. Afterwards, we mark where the gadgets are on the map. Finally, it's time to deploy them. An old trick I learned was fishing line attached to magnet on the "alarm" and securing the sensor/annunciator to the object it's resting on. When the bad guy trips the wire that's wrapped around another object and attached on the other end to magnet, it will then yank the magnet from the sensor it's resting on and sound the alarm. Trust me. Kids love this activity.
Go over "secret" codes and how the alarm system at your home works. Sounds pretty basic but you'd be surprised how easy it is to get them on-board by having them understand how the control panel works. Maybe, you don't share the activation code but you can show them how to work the duress code and how to call for help. I like the idea of a "secret" code that's for everyone in the family only, as a way of building into the family a living duress code system for everyday use.
Next, go over contingency plans. Where do we go? What do we do? Who do we call? What are our "actions on contact"? Again, we're not making everyone in the house Jason Bourne but are making everyone in the house prepared for other events than just a house fire. Having a plan and even rehearsing that plan are absolutely key to having a comprehensive home security program.
Address access control. Growing up in my house, my mother would call this "Don't you let anyone in my house I didn't invite". Yeah, it was that serious. It's almost as if she was grooming me for this trade. Explain the rules for allowing people into the home. BE VERY FIRM HERE, ESPECIALLY WITH SMALL CHILDREN (WHO SHOULDN'T BE ANSWERING THE DOOR ANYWAYS).
Teach them situational awareness. This can be very challenging for some members of the family. Be patient and make it fun. I like to start with memory games by asking questions like "What was the color of the car outside as we pulled up?" or "What kind of hat did the guy walking down the street have on?" Do this enough times and you'll be in amazement with how fast they catch on.
Your experiences with this will certainly vary. I've had a lot luck here but I would be seriously remiss, if I didn't disclose that it's been challenging. The key is patience. Take your time. Understand the lay of the land. Most importantly, make this about us rather than about something you do.
One of the cornerstones of any successful career is training. It's no different in security. Whether you're at a seminar or enrolled in a course, you're doing so because you want to move forward professionally. What better way to demonstrate you're prepared for the "next step" than to take a course or two and learn a new skill? Yeah, it often sounds cooler than it is. What's even worse, in my opinion, is that for many of us the price of pursuing professional development ain't cheap.
ASIS isn't the only horse in the stable offering professional certifications in security. My only problem is almost none of them require the breadth of knowledge, professional recommendations, and experience levels ASIS requires. Many are purely paper-mills.
There is a professional certification body that has a horrific reputation in our industry. I've heard from numerous of their certificate holders all that was needed for their certification was a check and they received a lapel pin, t-shirt, a CD with reference materials which were mostly outdated, and a diploma. In fact, if you go to their site and attempt to pull up their "sample" certification test, you get a 404 error code. There have been a number of articles written on the founder as well.
Getting a professional certification or even getting good training from reputable people can be difficult. My advice?
Ask around on security, tactical, or law enforcement forums. There are lots of forums on the Internet that cover these schools and certifications. You're not the only person who wants to grow professionally. Be careful - look for guys who have a solid reputation in the group. My favorite sources are the folks who don't have to tell you what they do every post but you have an idea.
Find a mentor to ask. Seriously, if you don't have a mentor in security, you're doing your career all-kinds of wrong. Get a mentor and ask about training and certifications.
Search LinkedIn. I know. I know. LinkedIn can be seen as the worst place to network. I get that which I said "search". That's right - look at the qualifications of folks who are where you want to be professionally and see what certifications they have. See if the certification passes your "sniff test". Basically, if it seems legitimate and checks out with other reputable sources, then it might just be okay. Be careful - even "legit" folks fall for the trap of easy paper-mill certifications.
Investigate who recognizes certain certifications. The easiest way to spot a fake certification is to which, if any government bodies formally recognizes them. By "formally", I mean look for statutory and regulatory citations of the certifications. If they won't recognize it on "official letterhead", then already have a good idea it may be something you don't need or want.
Check to see if a certification is needed for jobs similar to a job you're wanting but on another employer's site. It sounds shadier than it sounds. Okay, it does sound a bit shady but let me explain. We're not looking for a new job - yet. We're looking to see if other employers require a certification for that position. For example, the other day I saw a job listing for a job I would give my left arm and my dog's favorite bowl for. Yes, it was that serious. That job listing had a certification I had never heard of and certainly not one I had seen on other listings. I scour the Internet and sure enough, it's really cool and legitimate certification. Psssst. If anyone knows a guy who knows a guy who can get me to a Lenel certification, I'd greatly appreciate it.
Check the price tag. I hate to tell you this but security training and certification ain't cheap. Personally, I have spent well over a few thousand dollars of my own money to get certifications and training. These certifications and training have given me a "leg up" on the competition in some ways and have afforded me new skills but they did not come cheap. Most of the legitimate stuff that is out there is expensive. If you can't get your employer to pay for it (because they're either too cheap or you're not employed), then I suggest saving up and paying later. Trust me. If it's cheap and supposed to be amazingly career-enhancing, chances are it's probably not one of those things.
Read and research the testimonials. A lot of places brag about having "security directors" and "officials" but often, this is just pure fluff. Wait. I misspoke - it's just a flat-out lie. I suggest you read the testimonials. I'm not saying some certification bodies don't have management and executives getting their certifications. There are some who definitely are not honest, though. Find out more about the people who laud the body - who they are professionally, do they actually exist, and whether they have a bias. You shouldn't base your decision on testimonials but they can be a key component in the process.
Check the reference materials needed for the course. I love any certification that requires industry-standard texts (ahem, ASIS....That's why I love how you certify). I also like certifications that have online instruction materials as well. Most paper-mills will furnish you with a text and have you take it open-book. Nope. Kind of a red flag for me.
Avoid open-book certifications. Not all open-book certifications are bad. Most are very cool. This was my preferred method of certification in the military. That said, I'm a grown-up now and employers like something that forces you to study and come away with industry-standard competence in both skill and comprehension. In other words, an open-book exam doesn't "teach" you anything.
Any respectable training or certification vets its students. Any program that doesn't ask you any questions beyond your credit card is probably not the kind of place you want a certification from. ASIS has you submit references for the PSP exam and sign a "blood oath". Just kidding, ASIS. No, just the references. I know if I was going to certify a person on a skill-set that could get people killed if not applied properly, I'd want them screened beforehand so I'd know if they could handle that responsibility. Pain in the butt for us going for the certification? No doubt. Make you feel like you belong to an elite group of professionals? No doubt.
Here are some legit certification and training bodies in security (PLEASE, NOTE THIS LIST ISN'T ALL-INCLUSIVE. I PROBABLY LEFT OUT YOUR FAVORITE TRAINING OR CERTIFICATION. BREATHE DEEP AND CHILL OUT):
