Showing posts with label Security Management. Show all posts

Sunday, August 19, 2018

Sooo. I mapped the 2000 to 2014 Laser Strike Incidents - Sorta

UPDATE: Soooo. I kinda didn't like the map. I looked over the map and noticed I was missing some information. I'll plug it in, when I get a sec. Until then, I embedded the data itself. Oh and I included 2015 to 2018. Yeah. I'm awesome like that.

Huge nerd here. Yup. I was talking with Doug Patteson, one of the dopest people on the Interwebz, about laser strike incidents. Basically, it's when some idiot decides to take a laser and aim it at flying aircraft. It's incredibly stupid because it could potentially blind pilots and crash airplanes. Law enforcement has stepped its game up since we first heard of these things. Alas, I digress.

Check out the map. I didn't collect the data. These dudes did and they did some great analysis on it as well.

Wednesday, August 15, 2018

OPINION: I Need to Vent About The State of Security

You may have noticed I haven't blogged in like forever. Yeah, I know. Look, I've been busy with life and stuff. Welp, I'm back. Wait. I've said that before? This time, I promise to be much more regular and consistent with my posting. I digress - I have a grievance about the state of our industry to air and dang it, you're going to read all about it.

So, you may have noticed a minor thing called a "national election" occurred while I've been away. You may have noticed the same thing I have since the election ended. EVERYONE HAS LOST THEIR MINDS!!! Seriously. It's been a strange time for every one of us. What's crazier than the public going bonkers over politics? Security professionals drunk on hype, the erosion of our professionalism, and fraudulent credibility have corrupted our analysis, jeopardized our assets, and enabled ineffective and inefficient security risk mitigation.



We're a failing industry, in short. Sure, we do our jobs and pretend as though none of this has an effect, while the public and the industry embrace perceptions based not on sound and trustworthy data but on fear, uncertainty, and doubt (FUD). The public is encouraged to view threats based solely on identity rather than capability, opportunity, and motivation. Add in FUD and you have a consumer base that desires more and more radical solutions to solve what we, as security professionals, over-complicate, due mostly to our intentional ignorance and discipleship to partisan rancor, confirmation bias, and ego.

New attacks can't simply be the products of luck or one-offs. No, these attacks, according to our "experts", are "advanced", "sophisticated", or "impressive". I could include other superlatives but you get my drift. These professionals are constantly being impressed by attacks whose effects are often unclear.

After the drone assassination attempt on Maduro, security professionals on social media were aghast and seemed almost terrified at the prospect of a massive global pandemic of wayward killer drones.

Okay. Okay. I'm a terrible human......

I admit it - I called the Maduro assassination attempt a "game changer". It wasn't because I assumed the worst. The drone attack was interesting and certainly a bit surprising. I'm a guy whose job it is to address and mitigate such threats. While I was intrigued, I didn't lose much sleep. Why? Because there was a lot that could have gone right but didn't in that attack. In fact, the attackers chose a methodology which required far more resources and placed unnecessary risks on its operatives. This is especially true when you realize there were far simpler and more effective means of killing Maduro. In fact, the drone attack placed innocent people in danger, and had any one of them been killed, perhaps the attackers would have lost a great deal of support.



These same "experts" are often impressed by al Qaeda and other groups for doing simple attacks. There are many counter-terrorism and physical security folks who often declare after every attack that we should embrace more and more drastic security measures in response. They never consider the drag on existing resources, the ability to stay in this threat reaction posture for the long term, and whether they're only inviting more problems by creating additional threats. These folks will suggest everything, to include putting soldiers in classrooms after shootings, increasing security at hardened facilities, and demanding tools which have shown they're barely appropriate for their current use.

Have no fear! Your consummate security professional is up at night defending our honor and challenging these professionals to consider better solutions. I find a lot of folks in security who happen to do social media can be very reactionary and haphazard about how they communicate threats and mitigation. Is it appropriate or wise to denigrate how others mitigate threats, when your situational knowledge might be minimal, at best? Some people would argue that it is. I'm no badge defender and I certainly challenge bad practice. I also get how often we try to get mitigation in place, only to be told stakeholders would rather allocate resources or funding elsewhere. It happens all over practical security organizations. In fact, having to adjust your mitigation programming is one of the toughest parts of this gig.

For me, the asset is never "soft" or "hard" - it's about what attracts the bad guys to the target. I surmise most kinetic attacks occur on crowded spaces not because of a lack of visible security but because there is a crowd. I could go on and on about crowds but there's a real and transferable reason why wolves hunt sheep. The reason is easily deduced if you've ever seen wolves hunt sheep. Sheep can't stop being a part of a crowd. Wolves either hunt stragglers or those caught in the herd. Why? Because they're slow and they have limited egress points.



I've blogged here before about the ways in which fraudulent "experts" taint our profession, so I won't belabor the point here. Here's what I will say:
  1. There is an ever-growing field of "experts" who lack credibility or credentials who often imagine threats and mitigation, based on how it impacts their "bottom line". Don't get me wrong - I like to network and certainly, respect your hustle but I might be more inclined to buy your product or promote your ideas, if you weren't always trying to sell them to me like an over-eager crack dealer. Slow your roll. Again, I digressed.

    None of the aforementioned points are why I question someone's credibility or their credentials. They do cause me and others to take someone less seriously and to see further marketing less as an attempt to grow the industry with your knowledge and insight and more as a way to line your pockets. I consider our collective anger and angst on 9/12 to be the root of the problem.

    The inconvenient but honest truth is that after 9/11 the American people wanted two things: more security and revenge. Our industry, seeing the potential for unlimited growth, went bonkers trying to meet this demand. The government created the TSA. The Internet became a weaponized instrument against our foes both at home and abroad. We believed we were unprepared and needed to adhere to everything "unconventional" pertaining to security. We sold buzzwords like "hybrid warfare", "dynamic", and even my own favorite, "kinetic", without even a semblance of critical thought on whether any of what we were seeing was "new" to everyone or just "new" to us.

  2. Rather than fixing a problem which required some TLC, we demanded everyone become Jack Bauer and lined our budgets and pockets with cash which promised not only job security but the most coveted of all security prizes - relevance. Naturally, the fakes and phonies came like vultures and they've been picking the meat off the bodies ever since.

    To be quite fair and honest, I've been called an "expert" by media and I know firsthand they often mislabel you based on what sells their narrative or the topic area to be discussed. When it happened to me in ways I couldn't articulate, I challenged those attributions. I've blogged about it here and explained how it occurred to friends and people I know in that community. As I saw the problem getting worse and noticed audiences and studios seemed less and less interested in what I said versus how I said it, I felt my work as a professional was more important than how awesome I did on an appearance. While I'm grateful for the opportunities that were given to me, my focus will always be on professional development, promoting sound mitigation ideas and best practices, and perfecting my craft. Just cast Cuba Gooding, Jr. in my biopic when I sign the movie deal.

  3. What's worse than creating a side industry filled with the fake and greedy? Giving them a seat at the table of influence and policy. I'm not just talking media. No. I'm talking about Cabinet positions. I'm talking about boards. I'm talking about senior staff positions in major departments. The greatest danger we face from these people is not their inevitably bad advice. It's their untested and untenable security "solutions" backed by flawed analysis and threat perceptions which we declare as "factual" and "balanced" because they suit infectious and malignant ideas which tarnish our industry and ruin public trust.

What can we do about our fellow practitioners and the public who are engorged with hubris, ego, and grift? Can we save our industry before we transform into a conflagration of our parents' Facebook pages and the worst of Twitter, LinkedIn, and major news media?
  1. Address their knowledge of the topic and the process from which they've derived their conclusions. 
  2. Challenge how they receive data. 
  3. Challenge who they vetted it with. 
  4. Ask them if what they're seeing is repeatable. 
  5. How do they establish credibility with their sources? You'd be surprised how many professionals subscribe to ineffective ideas on mitigation from sources who have no connection to security or our best practices. 


Whew! That's the bright spot. Wait until I cover all the stuff I hadn't covered in two years.

Saturday, December 10, 2016

Check Out This Old School Intelligence Community Surveillance Detection Video

Note: Dude, again, I am not an intel dude. NOT my lane.

A few days ago, I wrote an article about how political parties could deal with a hostile foreign intelligence service actively targeting them for exploitation. One of the techniques I recommended revolved around avoiding physical surveillance. The video below goes into a lot of detail regarding surveillance detection routes. It appears to be a declassified intelligence community video from the 1970s(?). This is purely for entertainment purposes. If you think you need to add this to your repertoire, then I suggest doing two things:
  1. Hire a professional to teach you. A video is no substitute for actual training. That said, the materials in this are dated and I would imagine any serious surveillance would have a suitable counter to any SDR. However, this is a nice introduction to the topic.
  2. If you need this and you're going against any significant intelligence threat, you might be already screwed. Seriously.


This guy seems to know a lot more than I do on this stuff.

Friday, December 9, 2016

And You Thought You Saw The Last of The Terminator. He's Back - As A SWAT-Bot!

So, I've been watching Westworld and it seems like killer robots are becoming a thing again. There are some really cool things with the bot featured in this slick ad:
  • It's seemingly quiet. For obvious reasons.
  • They went the fashionable "combat black" look. It's mandatory for anything being called "covert" these days. (snark)
  • It has loads of cameras. One of the primary purposes of the bot is to give human operators tactical situational awareness. The field of view seems to be okay and has what appears to be some PTZ stuff going on, though the cameras appear to be very stationary. If it relies on the vehicle to move the camera, then I'm curious whether that compromises noise discipline.
  • It comes with a Glock. Yeah. It's "G'd up from da floor up". My bad - that's street vernacular for "It has a working gun that can kill people". That said, I'm curious if the vehicle has a stabilizer to compensate for recoil. Also, where does the "brass" go? Surely, it's not optimal to have it eject in a way that it could lodge between the gun and the bot chassis.
My overall complaints about the bot:
  • It looks great in a video which means it will perform like crap once it gets deployed.
  • I need to see more Army-proofing. Ahem! How long before crazy G.I.s break it on its first run? Trust me - you need to be asking this question.
  • Humans have been doing a bang-up job of clearing rooms thus far without bots. Not sure how this helps in real world tactical environments. Yeah, shooters may not have to get too close to make the hard shots but....What happens when your suspect sees this thing and decides you're trying to make entry and kills hostages preemptively before you do?
  • Finally, I worry about the trial and error part of figuring out its limitations in the real world. An EOD bot is easy to square away because testing and training go hand-in-hand especially in a semi-controlled environment. This bot's armament would need to be tested along with its operators under conditions that mirror the real world both in risk and realism. In other words, let's see it clear a "trap house" with a barricaded homicidal subject armed with an AK-47 and has kids as potential hostages. We tend to be very "meh" about collateral damage (civilian deaths) in combat zones during drone strikes - I have a feeling we'd feel differently about a bot who killed a hostage due to operator error or mechanical failure. Thankfully, it's under human-control. Imagine what it can do if given analytics.

Extra! Extra! Read all about it! RNC After Action Reports!!

2016 was a huge year in security, especially in light of our recent presidential elections. The election is always a big security event, but unlike previous elections, the last few years have seen the country becoming seemingly more divided and somewhat consumed with protest activities. Additionally, cities that hosted political conventions had to have significant mitigation measures in place. A piece of public records information I'm always very curious about is the after-action reports of cities who have to host these events.

A fellow MuckRock user, Melissa Hill, requested the after action reports from several law enforcement agencies. She's gotten quite a few and I suspect others are forthcoming. I'll post more as they become available and I sift through the chaff.

Ohio Highway Patrol

Wisconsin State Patrol

Florida Highway Patrol After Action Report

City of Cleveland's Information Releases to the Public and Media

NOTE: I decided to add this, even though it's not an AAR. Still worth a look to get a scope of the various organizations which supported the security mission at the convention.

DoD-NORTHCOM Defense Support of Civil Authorities Republican National Convention 2016 Presentation

Saturday, December 3, 2016

Security Awareness. Sigh.

In the annals of military history, there are countless examples of commanders finding unique and interesting ways to get security awareness training to their people. I imagine Hannibal having posters that made coy references to the "element of surprise" and OPSEC. You can guarantee Caesar had posters, ironically, about insider threats. In today's modern military, commanders have been less creative and still don't get why marketers declare "Location, location, location!"

Wednesday, November 30, 2016

Video: The Search For the Perfect Door - Deviant Ollam

If there's just one video you watch today, you should watch this one. Deviant Ollam, a physical security penetration tester, was at ShakaCon, an information security conference, talking about how to pick the perfect door. I won't spoil the video, but he covers way more than just doors. It's both insightful and illuminating. Well worth a view.

Tuesday, November 29, 2016

The Good, The Bad, & The Ugly - The Tale of A Gun Store Robbery

I have A LOT to say about the video below. The video below is of a robbery of a Tampa, Florida gun store, Tampa Arms. The robbers made entry into the establishment by DRIVING A TRUCK THROUGH THE FRONT DOOR. Yeah, an entire pickup truck, and they made off with approximately FORTY firearms - Glock handguns, shotguns and AR-15 rifles. I heard that, by the way, and I totally agree: "Damn." The video lasts about five minutes and the quality is rough, to say the least.

So, let's get to the good, the bad, and the utterly atrocious.

The Good

  1. There was video and it worked. I know. That's not saying an awful lot, but given my professional experience, this is very good. It appears to be a DIY install and the quality (we'll address that later) is, well, crap. But it was positioned where it could capture the entirety of the event. It didn't, mostly because the quality was crap. Did I mention the quality is crap?
The Ugly

  1. Did you notice I only had one "good" thing to note?
The Atrocious

  1. The quality is HORRIBLE. Holy smokes! Seriously, if you're going to install a camera over an entryway to capture theft, it should either ALWAYS have good lighting or have infrared lighting during hours of limited visibility (like when robberies are more likely to occur).

  2. The position of the camera sucks. Like it sucks REALLY, REALLY, REALLY, REALLY, REALLY, REALLY, REALLY bad. When you're doing a DIY install, it is super-duper easy to miss what actual security professionals notice. Stuff like whether a camera is positioned at an angle to capture faces from multiple viewpoints. For example, the camera at the front doorway only caught the suspects' faces as they turned around. Perhaps there should be a camera actually facing the door, unobstructed. A simple test done in complete darkness after the install would have revealed what we now see - this video is useless.
  3. NEVER EVER EVER EVER EVER have firearms not locked in a secure container after store hours. Period. There are absolutely ZERO sound reasons why those weapons were out of containers. They need to be locked up. Remember, the name of the game isn't just detection - there's delaying attackers as well.
  4. TEST YOUR SECURITY SYSTEM REGULARLY. The attackers had a lot of time on this particular robbery. This tells me either the alarm failed or notification was entirely too slow. Business owners should do monthly or quarterly checks with their alarm companies to determine any issues. You should also have a good working relationship with your local police department. You store guns, for crying out loud - the cops who patrol your area should have a working knowledge of your alarms and security measures.
  5. Conduct an annual vulnerability assessment. Take a moment once a year to walk through the business and see what vulnerabilities need to be shored up. Don't think in terms of how you would hit your store. Instead, pay attention to areas that create ways for an attacker to gain access. Then, call a security consultant and have them walk you through what they see. It's also a really good idea to read industry standards pertaining to securing storefronts like yours. Tampa Arms had no excuse not to call a consultant. There's literally one around the corner, and an internationally recognized one at that: Stanley Security Solutions.

  6. Get a video alarm verification system. Had the alarms gone off, the front door sensors would surely have gone off. The motion sensors may have caught multiple intruders too. Then again, if your installation was crap, which it probably was, you may only get one of those sensors to go off. To cut down on false alarm fines (it's a HUGE deal in Tampa and probably why a system may not have been installed, if it wasn't) and to give responding law enforcement more situational awareness (cops respond a whole lot faster on alarms they know are legit), ask your alarm provider to talk to you about alarm verification. If they rely on you to respond or if they don't offer it, take this small piece of advice - consider a different provider.
  7. There were no physical barriers in front of the front entryway. You ever driven by a WalMart? Of course you have - you're American, probably. What's the first thing you notice in the front of most WalMarts? They have bollards by every entryway. Why is this? Take a look at the video below and you'll see why. Call the city, get a permit, dig in the ground, fill some metal pipes with concrete, and plant them in each hole. Problem solved. Also, check out the trees.

  8. Approximately FIFTEEN people robbed these guys. Let that marinate. They brought multiple vehicles, had a plan, executed it, and were in uniforms. Yeah, this ain't their first rodeo. They'll hit more places. Forty guns is a great grab, but the proceeds don't split that well among fifteen people, especially not with that much risk. I know the area well where this happened and I know this shop. This was a team that knew their target and prepared for it. We'll see them again.

Monday, November 28, 2016

Terrorism Attribution in the Age of Social Media - The Struggle is Real

Update (11-28-2016 1904): A few reports have emerged from the media stating various talking points derived from the suspect's Facebook timeline, though with little independent confirmation the account indeed belongs to the suspect. He seemed to believe Muslims were mistreated by the West and also disliked its meddling in Islamic affairs. There were also noted jihadi luminaries quoted throughout. Again, this information has not been corroborated by official law enforcement sources but could speak to motive and ultimately whether this was a terrorist attack.

Another mass casualty incident has occurred and I engaged the tried and true method of triggering my compulsion to smash my face with my palm by looking at Twitter. Yep, it was that bad. It never ceases to amaze me that no matter how many times I tweet or blog about the painstaking work of attacker attribution, people continually participate in oversimplified and error-prone "analysis". They're often trying to do this without being at the scene, with no prior investigative experience, and in real-time. To say the least, the amount of wrong is significantly higher than actual "I called it", despite what the authors say.

You're probably wondering why I'm so passionate about the inclinations others have toward this kind of "analysis". I believe it speaks volumes about how much we value the arduous work it takes to do the investigations needed to make accurate attribution claims. It's also a HUGE part of the myth that "anyone can do security". Over the years, I have been practically screaming how false that is. What we as professionals do, takes time, significant knowledge, limited resources, and countless hours of practical experience.

Yet, here we are. Today, I have seen tweet after tweet proclaiming the attack was immediately the work of jihadist invaders or lone wolf extremists of some variety. These suppositions have come in the early moments of reporting on the attack. As it developed, we were informed of a suspect, a Somali refugee named Abdul Razak Ali Artan. As of this writing, there are tweets claiming this is conclusive "evidence" of terrorism. The actual cops working the scene haven't made one statement yet, as far as I know, about any determination of motive. But Twitter says otherwise. A population where 99.99% of people, with zero relevant law enforcement or security experience, have done in hours what it will take seasoned and ordained professionals weeks to do. Yeah, it's crap.

So, if not terrorism, then what is it, Mr. "Security Professional"? Glad you asked. I don't have a clue and neither do you, unless you're on the scene actually investigating this incident. I should know. I used to do this thing all the time. Speaking from firsthand experience, I can confirm how easy it is to engage in this hasty sort of "analysis". What I can tell you is that we often make the mistake, as amateurs, of reaching conclusions about violent mass casualty incidents with little to no information. We do this based on what we either know of the attacker or the incident. This happens with minimal confirmation from official sources, or by reading too much into either first reports from witnesses, police scanner traffic, or what's told in early press conferences and releases. The often-ignored practice of "wait and see" has turned into "Holy crap! Something bad happened. Let me get my initial reaction out into the Twitterverse so my followers can give me reaffirmation for the sake of my ego and incessant desire to be first to comment on all-things tragic."

There are a few ways we can fix this.
  1. Stop assuming race, ethnicity, or religion can explain why people commit acts of violence. While these things can play a role in attacks, it's unlikely they can explain every single one. Instead, disregard them initially until other information develops that establishes motive or crime typology (act of terror or just a crazy person).
  2. No one has an exclusive monopoly over non-sanctioned violence. Just because an attacker uses a pipe bomb or even their vehicle doesn't mean the attack is terror-related. Let me put it bluntly - there are no "exclusive" tricks of the trade among bad guys. For example, looking at just the initial information we knew about Christopher Dorner's attacks and his weapons of choice, we could have assumed the attack was probably carried out by militias or other extremists versus an ex-cop with a grudge.
  3. It's too easy to get caught in the brutality of an attack and high casualty numbers and assume the attack was terrorism. Don't get caught in the weeds here, folks. Take a deep breath. Examine what we have and nothing else. When bad things happen, we naturally allow fear and our ever-incessant desire for immediate vengeance to cloud our thinking. Attribution is a game of facts and truth, not emotion.
  4. Attack attribution requires more than just your gut feeling. A great example of this is a scene from Designated Survivor. It's a show about a newly fired HUD Secretary being the "designated survivor" for a State of the Union address during which most of the government is killed in an explosion. The newly sworn President, played by Kiefer Sutherland, is doing his best to determine who the attackers are. His advisers are pleading with him to name a known group as being responsible. Much of their evidence is based on wild speculation, self-interested political jockeying, and warhawking. The Chairman of the Joint Chiefs asks the president to name this group. The President asks the FBI how sure they are of the identity of the attackers and they respond "75 percent, sir." Sutherland's character declines making the call to name the attackers. When pressed by the Chairman of the Joint Chiefs on how much more certainty he needed, the President responds with "Give me 25 percent more." I won't lie. This was by far the best dialogue I've seen in a fictional television show regarding attribution. There are dire consequences when we rely on anything other than empirical data when making attribution calls.

  5. The likely suspects could be people you like, and it's not wrong not to rule them out. So much of the attack attribution that occurs on social media is fraught with people trying to make the facts fit their narrative. If a person is overtly political, this is more telling than they're ready to acknowledge. In fact, they often dismiss other possible and probable theories outright. Many times, I've seen the "expert" credentials of various participants in this crazy dialogue come into play. Stop it. Take long deep breaths and remember if you're not on-scene, you know absolutely nothing.
  6. Analysis is not a crystal ball. One of the most often over-played narratives is the intelligence community or law enforcement missed "something". Why? They assume those in these professions have to be right all the time as a part of what they do. It's as if some of us are expected to have superhuman abilities to predict the future accurately. Sometimes, like all things we think we understand, we get things wrong. It sucks when we do but it happens. Stop asking "How could they have missed this?" and start asking "What led them to believe this person posed no discernible danger?"

    Every time law enforcement does a threat assessment on supposedly dangerous persons, an interview with the subject is conducted if possible. Given our legal framework and the very imprecise art and science of "reading" people, some actually dangerous people are missed. It happens. Not often but it does. A more poignant avenue to approach is the examination of how law enforcement and security professionals have been inadvertently incentivized to go after "low-hanging fruit" rather than being given sufficient resources to investigate and mitigate these threats.
  7. The most important component of any terrorism attribution work is understanding what legally constitutes terrorism. I know the US Code is such a drag, but it is the legal framework cops use to determine whether something is or is not an act of terror.

    Most people assume a car bomb is immediate evidence of a terrorist attack. Yeah, not quite. Other people use bombs to commit murder for a variety of reasons. They were used quite often by the mob and other organized crime networks. Yet, none of these bombers were charged with terrorism. Why? Because their motives were not terror related. Terrorism is one of the few crimes which require motive in the "elements of the offense".

    Remember that "legal framework" I mentioned in the US Code? Here it is:

    "18 U.S.C. § 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the U.S. Code, entitled "Terrorism."

    "International terrorism" means activities with the following three characteristics:
    1. Involve violent acts or acts dangerous to human life that violate federal or state law;
    2. Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
    3. Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.

    "Domestic terrorism" means activities with the following three characteristics:
    1. Involve acts dangerous to human life that violate federal or state law;
    2. Appear intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
    3. Occur primarily within the territorial jurisdiction of the U.S.

    18 U.S.C. § 2332b defines the term "federal crime of terrorism" as an offense that:
    1. Is calculated to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct; and
    2. Is a violation of one of several listed statutes, including § 930(c) (relating to killing or attempted killing during an attack on a federal facility with a dangerous weapon); and § 1114 (relating to killing or attempted killing of officers and employees of the U.S.)."

I don't have all the answers and neither do you. Let's all take a deep breath and allow the cops to do their jobs.

Tuesday, November 22, 2016

Some Sage Counterintelligence Advice For Political Parties and Their Candidates


I am NOT an intel dude. I have never been an intel dude. I have never been a counterintelligence dude. Never. These are my OPINIONS. 

If the adage that "all politics is war" is true, then this past election could certainly be proof of that. I won't get into specifics about candidates, their positions, or even their actions or culpability. This advice is written with the Democratic National Committee in mind, since the DNC leaks/hacks are what prompted the post, but it is nonpartisan and exactly the same counsel I would give the Republican National Committee. Also, there will be ZERO discussion about attribution and motives. To me, answering why something happened doesn't always help you mitigate how it happened in the first place. These "rules" apply to anyone who is a target of espionage by any actor, state or otherwise.

You're the active target of an intelligence apparatus. Given the result of this election, we can assume they achieved their objective and will read that success as a reason to continue their activities against you. So it is imperative that you and your staff operate as such. Knowing this, let's be clear - these agencies have a great many resources directed at you and will see any and all information as potential actionable intelligence. This means they'll be seeking out any vulnerabilities you have, in both the physical and virtual realms, and will exploit them to get that information. Ultimately, assume you've been compromised on all of these fronts. For the foreseeable future, your survival in the political arena depends on your acknowledgement of this.

Let's get to what you came here for - the "rules".

Physical Security
  1. Assume every room you felt was "secure" is not. This may sound a bit paranoid but we already know the DNC suspected their offices were bugged by an unknown entity and sent a TSCM (technical surveillance countermeasures) team in to investigate. Though no active bugs were found, we know electronic surveillance is an ongoing tool used by intelligence agencies against targets, especially political ones. If you haven't already, have a TSCM team inspect every office, bathroom, closet, etc. regularly. When they're done, assume you're still being bugged and be careful when discussing confidential information.
  2. Assume your cars, homes, and hotels are also compromised. Yeah, I'm paranoid. I know this. That said, if I were to compromise you, I'd hit the places where most people engage or discuss things that make exploitation possible. These are also places you can't sweep every day for bugs. Don't take work home and don't discuss work at home. Also, assume whatever "dirt" you do in these places is being photographed, videoed, and audibly recorded. I shouldn't have to say this but....STOP DOING "DIRT".
  3. You're being followed everywhere. Conduct surveillance detection routes regularly and pay attention to new vehicles in your neighborhood. Talk to your neighbors. Notice vehicles which you can never seem to shake. I have a rule I follow when inspecting vehicles for contraband - anything new and shiny in a sea of filth is not normal. If you're one of those people who use Uber or some other service, think about having the driver drop you off a block or two away from your destination and look to see who gets out when you do.
  4. Consider every potential or new "intimate" encounter to possibly be a "catfish" or a honeypot until proven otherwise. Yeah, it sucks to say this but sex is still a proven way to gain secrets and access. I'm not saying you don't have "game" but you should be very suspicious of something that "sounds too good to be true". I'm not telling you to shun relationships but just be wary of new people wanting more access and information than they should have. Also, imagine these contacts suddenly being blared across social media for the world to judge. Foreign Intelligence Services have a long history of exploiting these encounters. 'Nuff said (Note: In case, I didn't make it clear enough - don't be stupid and don't do "dirt").
  5. Invest in a good safe that's bolted to the floor, high security door locks, a dog, a burglar alarm, and a few nosy neighbors. The same crime prevention advice I give everyone applies in the counterintelligence world. You need early detection and you need it yesterday.
  6. Follow the Moscow Rules.
    1. Assume nothing.
    2. Never go against your gut.
    3. Everyone is potentially under opposition control.
    4. Do not look back; you are never completely alone.
    5. Go with the flow, blend in.
    6. Vary your pattern and stay within your cover.
    7. Lull them into a sense of complacency.
    8. Do not harass the opposition.
    9. Pick the time and place for action.
    10. Keep your options open.
  7. Adhere to the ever-wise directives of Notorious B.I.G. Seriously, regardless of how awesome this track is, the truths contained in it are essential to the success of any campaign. Though it's not a literal translation of acceptable ethical rules of conduct, interchange the words to fit a typical political campaign and it's very illuminating.

Information Security
  1. You need a security classification program. The federal government has a security classification program that's been somewhat successful at compartmentalizing information and preventing some data leakage. You don't have to mirror theirs but you should implement something similar. The first step in this process should be the development of a risk management process. Look at what information you could never lose without seriously compromising your objectives, the information you could lose with some compromise of your objectives, and information that is safe for some data leakage or available for public release. This classification should be known and enforced organization-wide. Any and all of your policies and procedures to safeguard this information should encompass the physical and virtual realms.

    This classification could look something like this:
    a. Confidential - documents or communication that should never leave the organization.

    b. Sensitive - information that, if discovered, could have an impact on day-to-day operations or the overall reputation of the organization.

    c. Close Hold - information that is normally only discussed among as few members as possible. This should also be treated as Confidential if it warrants.

    d. Publicly Releasable - information discussed in the organization that could be disseminated for public release with little to no approval.

    Note: All security classifications should be used sparingly and reviewed regularly to mitigate against hyper-vigilance and overclassification.
  2. Consider being more transparent and don't be "dirty". The DNC leaks proved in many ways that transparency can be a great mitigation tool. When you're seen as being overly sneaky, people assume you have "dirt" to hide. How you do this is up to you, but the impact transparency can have on preventing further leaks cannot be denied.

    Political parties are, by their nature, involved in some "dirt". They're either digging for "dirt" on someone else or trying to hide their own. Perhaps, it would be more prudent to limit these activities to lessen the number of attack platforms that can be used against your organization. Just a thought.
  3. Assume you have an informant in your organization. This doesn't mean you have to treat everyone as if they've been compromised. It does mean you should never assume they haven't been. Don't go on an organizational "mole hunt" but always be aware of what you say and who you say it to.
  4. Don't trust any outside communication that isn't part of an existing conversation. Move the conversation offline. Have a gatekeeper handle these when possible. The gatekeeper should be the only person who has direct unsolicited access to communications with key personnel. To say the least, the gatekeeper must deploy a mitigation-first mindset.
  5. Consider building a "secure" room at your HQ. The Intelligence Community calls them SCIFs. They're rooms in which permanent workstations and secure phones are located, which are regularly swept for bugs, and in which access control is very strict. Consider only discussing strategic information here and here only. This aids in figuring out how you've been compromised if it leaks, as well as protecting against inadvertent leaking.
  6. Consider ways in which the mundane could be damaging if exposed. For political parties, imagine your entire donor database being leaked. Got any donors who would rather not have their personally identifiable information leaked? How about your call sheets or talking points to donors? Could they be useful for an adversary in figuring out how to counter you? My personal favorite - internal polling. Think the other side or an FIS wouldn't love to know how you're projecting a path to victory? How about areas your constituents feel you're weak in? What if the adversary not only used that information themselves but then leaked it, especially at a moment when you're trying to project strength?
  7. Consider a breach a serious incident. Data leakage happens. Some secrets are difficult to contain. Look at the stealth bomber and the Predator drone. Things happen. That said, there should be severe ramifications for even inadvertent leakage of seriously compromising information. Whatever those consequences are for those parties, they should be swift, consistent with existing policy, and indiscriminate. Period.
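Rule 1 (a classification scheme that is enforced, not just documented) and rule 4 (hold unsolicited contact for a gatekeeper) can be implemented in the same place: the mail system. The following is an added example of mine, not code from the post or from any party's systems. The X-Classification header, the example-party.org domain, the Close Hold roster and the sample messages are all assumptions constructed for illustration.

```python
"""Mail gatekeeper: label-based egress control plus an unsolicited-contact hold.

Added example, not code from the post or from any organisation's systems.
The X-Classification header, the example-party.org domain, the roster and
the sample messages are assumptions constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAIN = "example-party.org"  # hypothetical organisation domain
LABELS = ("Confidential", "Close Hold", "Sensitive", "Publicly Releasable")


def _label(msg):
    """Return the message's classification label, or None if missing or unknown."""
    value = (msg.get("X-Classification") or "").strip()
    return value if value in LABELS else None


def _recipients(msg):
    """All To/Cc addresses, lower-cased."""
    pairs = getaddresses([msg.get("To", ""), msg.get("Cc", "")])
    return [addr.lower() for _, addr in pairs if addr]


def _external(addr):
    return not addr.endswith("@" + ORG_DOMAIN)


def check_outbound(raw, close_hold_roster=frozenset(), approved=False):
    """Decide whether an outbound message may leave the mail system.

    Returns (verdict, reason): 'BLOCK' with the rule that fired, or 'SEND'
    with the label applied. Unlabelled mail is blocked so the scheme is
    actually enforced organisation-wide rather than left to good intentions.
    """
    msg = message_from_string(raw)
    label = _label(msg)
    rcpts = _recipients(msg)
    external = [r for r in rcpts if _external(r)]
    if label is None:
        return "BLOCK", "unlabelled message; sender must classify it"
    if label == "Confidential" and external:
        return "BLOCK", "Confidential never leaves the organisation"
    if label == "Close Hold":
        off_roster = [r for r in rcpts if r not in close_hold_roster]
        if off_roster:
            return "BLOCK", "Close Hold recipient not on roster: " + ", ".join(off_roster)
    if label == "Sensitive" and external and not approved:
        return "BLOCK", "Sensitive to external recipients needs gatekeeper approval"
    return "SEND", label


def check_inbound(raw, known_message_ids, known_senders):
    """Deliver mail that continues an existing thread or comes from a known
    correspondent; hold everything else for the gatekeeper to vet offline."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    refs = set()
    for header in ("In-Reply-To", "References"):
        refs.update((msg.get(header) or "").split())
    if refs & set(known_message_ids):
        return "DELIVER", "continues a known thread"
    if sender in known_senders:
        return "DELIVER", "known correspondent"
    return "HOLD", "unsolicited contact from " + (sender or "unknown sender")


def _mail(**headers):
    """Build a constructed sample message; underscores in names become hyphens."""
    head = "".join(f"{k.replace('_', '-')}: {v}\n" for k, v in headers.items())
    return head + "\nconstructed body\n"


# Constructed samples, not real traffic.
OUT_CONFIDENTIAL = _mail(From="staff@example-party.org", To="reporter@news.example", X_Classification="Confidential")
OUT_UNLABELLED = _mail(From="staff@example-party.org", To="colleague@example-party.org")
OUT_CLOSE_HOLD = _mail(From="chair@example-party.org", To="counsel@example-party.org", X_Classification="Close Hold")
OUT_SENSITIVE = _mail(From="staff@example-party.org", To="donor@supporter.example", X_Classification="Sensitive")
IN_COLD = _mail(From="stranger@unknown.example", To="chair@example-party.org")
IN_REPLY = _mail(From="stranger@unknown.example", To="chair@example-party.org", In_Reply_To="<abc123@example-party.org>")

if __name__ == "__main__":
    roster = frozenset({"chair@example-party.org", "counsel@example-party.org"})
    for raw in (OUT_CONFIDENTIAL, OUT_UNLABELLED, OUT_CLOSE_HOLD, OUT_SENSITIVE):
        print("outbound:", check_outbound(raw, close_hold_roster=roster))
    known = {"<abc123@example-party.org>"}
    print("inbound cold:", check_inbound(IN_COLD, known, set()))
    print("inbound reply:", check_inbound(IN_REPLY, known, set()))
```

The inbound check is deliberately dumb: it does not try to judge whether the stranger is friendly, it only decides whether a human gatekeeper has to look first, which is the "move the conversation offline" step from rule 4. The outbound check fails closed on unlabelled mail, which is what makes rule 1 an enforced control rather than a memo.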

Saturday, November 19, 2016

UPDATE: New FOIA Requests Are Updated!!!

Sooo, I'm kind of back on my Freedom of Information Act "grind". This time, I've grown curious about how the Reedy Creek Improvement District, aka Disney World, interacts with law enforcement. I've heard various reports that most law enforcement-related dispatches are relayed through Florida Highway Patrol and Orange County. I'm less curious about shoplifting dispatches (I'm sure it's mostly klepto-tourists seeking crimes of opportunity) and more curious about the more serious incidents, whether they get reported in the media or not.

Here are snippets of the new requests so far:

Title of Request
Date Submitted
Orange County Sheriff’s Office
Reedy Creek Improvement District

I'll keep you posted should something more concrete develop. The plan is to write a piece on what I find in the FOIA documents to give more a robust picture of Disney's security via publicly available information. If anything, I'm sure there will be a number of interesting data points to be discussed in the replies.
As always, the best place to keep up-to-date on any FOIA requests I do is here or the link above. Also, Muckrock is an AWESOME place to discover not just my requests but other people's as well. If you see anything noteworthy in my requests, please feel free to reach me via the "Contact Me" link above.

Tuesday, November 15, 2016

Why Murder-By-Semi-Truck Could Be A Thing You Need To Mitigate

I'm not an alarmist. Or at least, I try not to be. Personally, I prefer a rather "Vulcan" approach to many things in security. As the youngsters say, "Logic rules everything around me." Actually, that may not be the "exact" wording but you get the drift. That said, I do have a fair amount of "Holy sh*t!" moments. While reading Rumiyah #3 (An English-language e-magazine for ISIL) and coming up on their murder-by-semi-truck tutorial, I tried to suppress having such a moment. I succeeded, mostly because I realize the tutorial was somewhat incomplete from a tactical perspective. That's not to say the message isn't effective or wouldn't possibly motivate ISIL members to strike. I see its inclusion as both for propaganda and potential triggering for an upcoming attack.

Oh, you read that whole "murder-by-semi-truck" bit correctly. Here's what they actually said - "Though being an essential part of modern life, very few actually comprehend the deadly and destructive capability of the motor vehicle and its capacity of reaping large numbers of casualties if used in a premeditated manner. This was superbly demonstrated in the attack launched by the brother Mohamed Lahouaiej-Bouhlel who, while traveling at the speed of approximately 90 kilometers per hour, plowed his 19-ton load-bearing truck into crowds celebrating Bastille Day in Nice, France, harvesting through his attack the slaughter of 86 Crusader citizens and injuring 434 more."

There's a lot we, as security professionals, can glean from this. Have no worries, I won't be divulging "state secrets" or imparting tactical clues. There are merely my observations. Take them for what they're worth, as your mileage could very well vary.
  1. Large vehicles are still in vogue for jihadis. In fact, one of the key criteria they give for an "ideal vehicle" is a "load-bearing truck". Even though speed and "controllability" are also highly desirable, they suggest operators steer clear of SUVs and small cars. Obviously, they're looking for something that can handle a lot of weight.
  2. The Nice attack is seen as successful. Notice the vehicle should have "double-wheels" because it gives "victims less of a chance to escape being crushed by the vehicle's tires". Also, I noticed the inclusion of having a secondary weapon as a means of ensuring additional casualties and "increasing terror". Pretty telling.
  3. Crowd mitigation is really freaking important, stupid. Look, folks. I know I harp on this a lot. I get it. I do. But they pretty much say it - "In general, one should consider any outdoor attraction that draws large crowds." Notice the bit about crowds.
    Image included in Rumiyah #3. Notice the large crowd. Just saying.
  4. Attribution is really freaking important, stupid. The last few ISIL-related attacks (either by the group or attributed by them) have included language using the phrase "soldier of the Islamic State". For almost every attack committed by a Western-based attacker who hasn't gone to Syria, ISIL has claimed responsibility using this phrase. So no surprise here when you see it in Rumiyah #3 - "I am a soldier of the Islamic State!" Why do they do this? To sum it up - they're a holy anointed apocalyptic cult whose proximity to Allah can only be determined by their ability to seemingly kill at will. If that's not clear enough, they do it for street cred. You gotta have bodies to make it in the terror game, folks.
  5. Large crowd size does not always equate to certain specific targets. Located in the fine print was this gem - "All so-called “civilian” (and low-security) parades and gatherings are fair game and more devastating to Crusader nations." If you're a security professional who has to mitigate threats to a parade route but you're not in New York, you may assume you're in the clear. Yeah, you're dead wrong about that. It's about the casualty count. If your parade route could have a large number of people along it with limited egress points and insecure access control to the street, you could be in the same boat, if not worse than New York. As I always say - it's not a matter of IF but WHEN. Mark my words. Be vigilant.
  6. It's not just about parades, stupid. What other "targets" are they looking at? Glad you asked. ISIL says "Outdoor markets, festivals, parades, political rallies (We got any of these coming up soon? Asking for a friend.), large outdoor conventions and celebrations (Got any tree-lighting ceremonies?), and pedestrian-congested streets (High/Main streets)" are all legit targets. Yep. Here comes your "Oh sh*t" moment. Stop it. Relax. Now, go mitigate.
  7. Fail to take this kind of attack seriously, at your peril. Let me put it bluntly. Nope, let me just leave what they said here - "The method of such an attack is that a vehicle is plunged at a high speed into a large congregation of kuffar, smashing their bodies with the vehicle’s strong outer frame, while advancing forward – crushing their heads, torsos, and limbs under the vehicle’s wheels and chassis – and leaving behind a trail of carnage."

Saturday, November 12, 2016

How to Pick A Legit Professional Security Certification aka How Not To Get Scammed In Ten Easy Steps!!

One of the cornerstones of any successful career is training. It's no different in security. Whether you're at a seminar or enrolled in a course, you're doing so because you want to move forward professionally. What better way to demonstrate you're prepared for the "next step" than to take a course or two and learn a new skill? Yeah, it often sounds cooler than it is. What's even worse, in my opinion, is that for many of us the price of pursuing professional development ain't cheap.

I love ASIS International (formerly the American Society for Industrial Security). It is awesome for all-things professional development in security. It has networking, great conferences, expos, a reference library, and its own bookstore. ASIS is also host to some of the most sought-after professional certifications around the world for security. There's one catch - it's pricey. It'll run you about $400 including annual dues to pursue their Physical Security Professional (PSP) certification. It's recognized even by the United States government under the SAFETY Act and is also accredited under ANSI/ISO/IEC 17024 for personnel certification.

ASIS isn't the only horse in the stable offering professional certifications in security. My only problem is almost none of them require the breadth of knowledge, professional recommendations, and experience levels ASIS requires. Many are purely paper-mills.

There is a professional certification body that has a horrific reputation in our industry. I've heard from numerous holders of its certificate that all that was needed for their certification was a check; in return they received a lapel pin, a t-shirt, a CD of mostly outdated reference materials, and a diploma. In fact, if you go to their site and attempt to pull up their "sample" certification test, you get a 404 error. There have been a number of articles written on the founder as well.

Getting a professional certification or even getting good training from reputable people can be difficult. My advice?
  1. Ask around on security, tactical, or law enforcement forums. There are lots of forums on the Internet that cover these schools and certifications. You're not the only person who wants to grow professionally. Be careful - look for guys who have a solid reputation in the group. My favorite sources are the folks who don't have to tell you what they do every post but you have an idea.
  2. Find a mentor to ask. Seriously, if you don't have a mentor in security, you're doing your career all-kinds of wrong. Get a mentor and ask about training and certifications.
  3. Search LinkedIn. I know. I know. LinkedIn can be seen as the worst place to network. I get that, which is why I said "search". That's right - look at the qualifications of folks who are where you want to be professionally and see what certifications they have. See if the certification passes your "sniff test". Basically, if it seems legitimate and checks out with other reputable sources, then it might just be okay. Be careful - even "legit" folks fall for the trap of easy paper-mill certifications.
  4. Investigate who recognizes certain certifications. The easiest way to spot a fake certification is to check which, if any, government bodies formally recognize it. By "formally", I mean look for statutory and regulatory citations of the certification. If they won't recognize it on "official letterhead", then you already have a good idea it may be something you don't need or want.
  5. Check to see if a certification is needed for jobs similar to the one you want but on another employer's site. It sounds shadier than it is. Okay, it does sound a bit shady but let me explain. We're not looking for a new job - yet. We're looking to see if other employers require a certification for that position. For example, the other day I saw a job listing for a job I would give my left arm and my dog's favorite bowl for. Yes, it was that serious. That job listing had a certification I had never heard of and certainly not one I had seen on other listings. I scoured the Internet and sure enough, it's a really cool and legitimate certification. Psssst. If anyone knows a guy who knows a guy who can get me into a Lenel certification, I'd greatly appreciate it.
  6. Check the price tag. I hate to tell you this but security training and certification ain't cheap. Personally, I have spent well over a few thousand dollars of my own money to get certifications and training. These certifications and training have given me a "leg up" on the competition in some ways and have afforded me new skills but they did not come cheap. Most of the legitimate stuff that is out there is expensive. If you can't get your employer to pay for it (because they're either too cheap or you're not employed), then I suggest saving up and paying later. Trust me. If it's cheap and supposed to be amazingly career-enhancing, chances are it's probably not one of those things.
  7. Read and research the testimonials. A lot of places brag about having "security directors" and "officials" but often, this is just pure fluff. Wait. I misspoke - it's just a flat-out lie. I suggest you read the testimonials. I'm not saying some certification bodies don't have management and executives getting their certifications. There are some who definitely are not honest, though. Find out more about the people who laud the body - who they are professionally, do they actually exist, and whether they have a bias. You shouldn't base your decision on testimonials but they can be a key component in the process.
  8. Check the reference materials needed for the course. I love any certification that requires industry-standard texts (ahem, ASIS....That's why I love how you certify). I also like certifications that have online instruction materials as well. Most paper-mills will furnish you with a text and have you take it open-book. Nope. Kind of a red flag for me.
  9. Avoid open-book certifications. Not all open-book certifications are bad. Most are very cool. This was my preferred method of certification in the military. That said, I'm a grown-up now and employers like something that forces you to study and come away with industry-standard competence in both skill and comprehension. In other words, an open-book exam doesn't "teach" you anything.
  10. Any respectable training or certification vets its students. Any program that doesn't ask you any questions beyond your credit card is probably not the kind of place you want a certification from. ASIS has you submit references for the PSP exam and sign a "blood oath". Just kidding, ASIS. No, just the references. I know if I was going to certify a person on a skill-set that could get people killed if not applied properly, I'd want them screened beforehand so I'd know if they could handle that responsibility. Pain in the butt for us going for the certification? No doubt. Make you feel like you belong to an elite group of professionals? No doubt.

There are other thoughts I'm sure on this. The simple truth is getting certified is no easy task and if it were easy, you wouldn't like it very much.

Thursday, November 10, 2016

OPINION: The Ten Things We Can Expect To Happen In Security For the Next Four Years

So....the election is finally over!!! There's a lot to be said about the politics of this election and what that means for insert-the-name-of-your-special-interest-group. Have no worries - I'm not going there. In the vein of "staying in my lane", I'd like to discuss what the next four years will look like for those of us in security.

  1. Expect more protests. Seriously, nothing with respect to protesters and how they feel about a litany of political issues will change except they'll find more reasons to protest. There is little that can be done about it. Accept it. Monitor it. Hope to mitigate it. Move on.
  2. Expect ISIL to show up more. Given the aggressive nature of how the next administration plans to engage ISIL, there will inevitably be more attacks either from the group or its sympathizers and ad-hoc members aka lone wolves in retaliation. Expect more attacks against soft targets during periods of high crowd frequencies or surges like major U.S. holidays. Why? Simply put: ISIL and most jihadi organizations are holy anointed apocalyptic cults who are actively trying to bring on the apocalypse, and any conflict with the "West" is a step toward that goal.
  3. Expect violence against minorities. The new administration has found its campaign rhetoric resonates with people who share ideologies that encourage violence against minorities. Not saying that message came directly from their campaign; just that the rhetoric resonates. How much more violence is unknown at this time. Seriously, it's been a few days since the election and while we've had a number of attacks reported, it's still much too early to see how far this develops as a long-term trend. That said, be very freaking vigilant.
  4. Cyber security could get really interesting really fast. There could be more cyber attacks against this administration and groups who contract with them. We could also see counter-attacks from groups who sympathize with the administration. Has there been any indication of this happening? I haven't seen anything yet but we should know soon enough. If public outcry continues, then we can expect potential cyber attacks in response or in tandem.
  5. Border security could spawn a growth in physical security. The wall that is being discussed and presumably implemented will require an immense amount of physical security to augment surveillance and protect the wall. How many cameras and sensors will need to be installed? Who gets that contract? What about construction security? What about the wall itself? Lots of things to be hammered out but I expect some growth in the physical security sector if the wall comes to fruition.
  6. More stringent controls on immigration and background checks needed for visas. This was a central part of the campaign and cannot be ignored. I suspect the new administration will rely on the hearings that have been held in Congress previously on visas and travel documents, as a guide. My suspicion is that not much will change for those who immigrate from countries we already share travel document information with. Much stricter guidance will come about for countries which have a history of poor identification documentation controls and who have poor passport security.
  7. Police officers will continue to die in the line of duty. I mention this because there seems to be some mythology that exists which says tougher penalties on cop-killers means more deterrence. Time and time again, we've found that not to be the case. Yet, this is also a theme with the current administration. I do not argue that tougher sentencing is warranted for any murder; I do have issues when we infer a harsher penalty will bring a greater reduction than focusing on what drives the crime to begin with. Fix what drives people to kill and you will see long-term results in dramatically reducing the number of line-of-duty-deaths for cops.
  8. Crowd mitigation will become a bigger issue than is being discussed in the security industry. If you've heard me speak on this topic before, I apologize but this needs to be said. We're not doing enough to mitigate crowd surges which serve as target-rich environments for bad guys. Unless the new administration hires national security people who understand the importance of mitigating this issue, my fear is this will continue to be exploited in a significant way.
  9. Gun control and marijuana will continue to be big-ticket issues. Weed is legal in more states than before which means many of these states will be looking to Colorado and others to determine what should be their guidelines for security. I suggest if you live in a new weed state, brush up on this stuff. There's a big opportunity for growth.

    Active shooters will continue to murder people. Fixing this in the short-term is never going to happen. Again, expect this trend to continue until we discuss what drives it. Thus, gun control will grow as a hot-button political issue.
  10. Criminal justice reform is not going to happen. The new administration has stated one of its primary objectives is the restoration of the rule of law and has taken on a very pro-law enforcement stance. Expect little in the way of discussing reducing or eliminating mandatory sentencing. It could happen but not for the next two years.
So that's how I see the next few years. It's not an entirely optimistic view but I believe it to be an honest view of what we can expect. I'm not going to take a pro or con position on the administration here but I would like my readers to begin the process of determining how they plan to mitigate some of these things. No matter who is president we have a profession that demands we place public safety above our political leanings. Let's do what we can to achieve just that - public safety. Perhaps, when we do this, rather than embrace fear and anger, the American people will embrace hope again.

Saturday, July 18, 2015

OPINION: Panic is the New Normal, America

The last few weeks have been an interesting time in the world of security. We've seen nine innocent lives taken at the hand of Dylann Roof, seen the panic derived from the unfounded speculation at events like the Navy Yard active shooter scare, and most recently, our nation has suffered an unimaginable blow at the hands of a young man who killed four Marines. In all of this, our discourse with one another has gotten more combative and often borders on nonsensical. People are allowing mass hysteria to justify an enormous amount of gross speculation and outright lies and misconceptions about security and mitigation to infiltrate our discussions about the things which provide protection. At times, I have found myself engaged in some of these discussions only to find myself more frustrated and wary of addressing the problems of allowing this mass hysteria to grow at the rate it has. So here, I'd like to address what the problems are and what some possible solutions might be.

Lately, it seems like I constantly rehash my favorite topic - the semantics of security. If you're not familiar, I'll digress and explain briefly. I look at security as a mental construct we use to nullify our fears long enough to meet certain life-sustainment activities. In other words, security is nothing more than the things we do to "feel" safe. When we practice "security", we're addressing what we think the adversary will do. Ironically, we do this often without ever seeing the bad actors in action. That's right. We lock doors and windows, primarily, because we believe bad guys will be turned away from locked doors. Time and time again, we do this under the assumption bad guys don't pick us to steal from because the doors are locked. What this never accounts for is the determined adversary. Who is this? Someone who gives not a single iota about that locked door, only that it may delay him from gaining entry. What protects us from the bad guy is really something called mitigation.

Basically, mitigation is about dampening the effects of an attack. It recognizes the threat is real and will come eventually. It looks at the complete threat profile and determines its capabilities, opportunities, and motivations. By doing so, we can implement a comprehensive mitigation strategy that not only detects the adversary but possibly deters, delays, and destroys him. Earlier, I mentioned locked doors. They aren't bad. In fact, those "secure" entry-points are a part of mitigation because they aid in detection, deterrence, and delaying further infiltration. Most novice security practitioners are unaware that locks and doors are rated based on their ability to delay penetration, and that a delay rating only buys you something if detection happens early enough for a response to arrive. So what does this have to do with our current discussions on security?
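The "delay only matters with timely detection" idea is usually worked out as a simple path analysis: for each layer on the adversary's path, compare the delay remaining from that point onward with the time it takes responders to arrive. What follows is an added example of mine, not the post's method; the layer names, delay values and detection probabilities are constructed for illustration, not real product ratings, and it assumes detection happens as the adversary starts on a layer and that layer sensors are independent.

```python
"""Timely-detection check for a layered physical protection system.

Added example, not code from the post. Layer values below are constructed
for illustration, not real ratings. Assumptions: detection at a layer
occurs as the adversary starts on it, and layer sensors are independent.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    delay_s: float    # rated time to defeat this layer (seconds)
    p_detect: float   # probability this layer's sensor/observer detects the attempt


def remaining_delay(layers, index):
    """Delay left on the path once the adversary starts on layers[index]."""
    return sum(layer.delay_s for layer in layers[index:])


def critical_detection_point(layers, response_s):
    """Index of the last layer at which detection is still timely, or None.

    Detection at layer i is timely when the delay remaining from i onward
    exceeds the response force's arrival time; detection any later leaves
    responders arriving after the adversary is done.
    """
    last = None
    for i in range(len(layers)):
        if remaining_delay(layers, i) > response_s:
            last = i
    return last


def p_interruption(layers, response_s):
    """Probability that some timely layer detects the adversary."""
    cdp = critical_detection_point(layers, response_s)
    if cdp is None:
        return 0.0
    p_miss = 1.0
    for layer in layers[:cdp + 1]:
        p_miss *= 1.0 - layer.p_detect
    return 1.0 - p_miss


# Constructed sample path: perimeter fence, then a rated door, then a safe.
SAMPLE_LAYERS = [
    Layer("fence", 30, 0.5),
    Layer("rated door", 120, 0.9),
    Layer("safe", 600, 0.3),
]

if __name__ == "__main__":
    for response in (300, 650, 900):
        print(f"response {response}s: CDP={critical_detection_point(SAMPLE_LAYERS, response)}, "
              f"P(interrupt)={p_interruption(SAMPLE_LAYERS, response):.3f}")
    # A lock with no detection behind it delays the adversary but never interrupts him.
    print("locked door only:", p_interruption([Layer("locked door", 120, 0.0)], 60))
```

The last line is the point of the paragraph above in one number: a door rated for two minutes of delay, with nobody and nothing watching it, gives a probability of interruption of zero no matter how fast the police are. Delay ratings pay off only when paired with detection that fires before the critical detection point.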

Most average citizens promote ideas about security based on things they think will work. As someone who has done this kind of work, how many people have you encountered that don't do it but swear they get security? How many of their ideas are lofty, unrealistic, unfeasible, unsustainable, and just plain wrong? Whenever I talked with people about securing their homes, a common statement was "I already have security - it's called a *insert dog breed, gun caliber, or pretend-military/MMA status*". These folks assumed that one thing they had would be adequate to address one kind of threat using one or two vectors. Some would argue one or two of those things will cover most threats to them. That may be true, but it neglects other viable threats which may possess other capabilities that aren't countered.

The fix, in part, lies in how we think of the threat. Take the military recruitment center shootings. Loads of people have been saying for the last 48 hours, we should send military police to secure these facilities. They claim these guards would possess the skills and equipment needed to neutralize the threat. What's strange is that most of these people are only considering one type of threat before we even have a confirmed motive from the FBI.

Most believe banks with guards don't get robbed because the posted guard at the bank has a gun. A secret among many bank robbers is that most aren't armed. Bank policy, as is widely known, is to give up whatever money the bank has designated for robberies to the robber. The bad guys know this and many don't want to jeopardize more time in prison by getting caught with a gun AND the cash. So they opt for the note. The reason they don't hit banks with guards is because the guard has a gun AND a radio. A saying I was always fond of when I did security as a civilian was "You may outrun me but you'll never run faster than my radio". What most miss in the discussions about MPs at recruitment centers is that most profiled jihadi active shooters FULLY expect the police and attack expecting to be shot. Remember this - the Dalton gang and others robbed many a bank and train that had armed guards. All in all, armed guards only turn away less determined adversaries.

This work, called risk management, requires us to analyze the threat for what it is, what it can do, the damage a successful attack can cause, and our mitigation. In the current FUD (fear, uncertainty, and doubt) environment we're in, there's a tendency to deify the adversary to a point where they are seemingly omnipotent and omnipresent. One successful attack and we're suddenly unsafe and in danger of losing everything. What's crazy is that this never acknowledges the connection between the mental construct of "security" and actual protection. Is it any wonder, then, that after one successful attack we assume the sky is falling? It's as if the sanctity of safety around which we constructed our actions has blinded us to what is real and what is imagined in security. Naturally, we assume we need to do more to "feel" safe rather than fix, eliminate, or upgrade our existing mitigation. Additionally, the loss of human life is unacceptable in any security setting. Having his enemy lose one life, regardless of whether the shooter lives or dies, is considered a victory for some shooters. Given our intolerance to having personnel killed, this is not wholly untrue.

There are a number of solutions to our current security crisis. Some are good. Some are very good. Some are faulty. Some are flat-out dangerous and wrong. These attacks will only increase, as will the speculation about future attacks, hoaxes, and troubling events. Even more certain is we have to continue having the difficult discussions we're having. Nothing gets solved by having discourse with people who always agree. Ultimately, the solutions don't rest with the victors of our collective shouting matches. They lie in how we understand the threat, the risk they pose, our mitigation, and how we define "safe".

Friday, June 12, 2015

OPINION: Why Security Is Killing Risk Management

   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
   As a professional who is on social media quite a bit, I have witnessed, firsthand, the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners, wherein we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct to provide us with the assurance that we’ve done everything possible to keep us safe from various threats. Humans are very fearful of their demise and, naturally, see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and providing what we assume are adequate protection measures. This, as we all know, is often based on untested data and the myth that victims can think in much the same way as their assailants.
   Protection is what we do proactively to detect, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption they can prevent attacks. Everything they do is with respect to the attack happening. This is what makes them very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often done with the mindset victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims can have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the target’s inadequate mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t always catch. For example, I’ve seen people react to discovering a vulnerability as if it were one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing the areas a potential bad guy can exploit to enable their attack to be quite insightful. Sure, we like to catch these vulnerabilities before an attack, but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct kinetic operations against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come and you should be prepared long before they do. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. He will find a way in, inevitably, that you will miss. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very rarely do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so-recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail based on how possible something is rather than its probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between the high-probability attacks that will always happen and the needs of the end-users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking unpatched Department of Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information and its compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet neither OPM nor the Department of Interior bothered to patch the servers or encrypt their data. They, presumably, thought the threat of attack was minimal and did not require adequate mitigation. Imagine how different the uproar would have been had they simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.
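To make the "understand what you have, who could take it, and what recovery costs" framing concrete, and the probability-versus-possibility balance from the previous section, here is a small worked example. It is added here for illustration and is not code from the original post; the asset, threat, mitigation and dollar figures are constructed (loosely modelled on the post's unpatched-server and armed-intruder examples), and the model is the ordinary annual-loss-expectancy one: risk = likelihood x impact, with controls picked by how much expected loss they remove per dollar.

```python
"""Expected-loss risk ranking and budgeted mitigation selection.

Added illustration, not from the original post. All asset, threat and
mitigation figures are constructed; the scoring is the textbook
annual-loss-expectancy model (risk = likelihood x impact).
"""
from dataclasses import dataclass


@dataclass
class Threat:
    """One way an asset can be attacked, with an annual success probability."""
    name: str
    likelihood: float   # P(successful attack within a year), 0.0 .. 1.0
    impact: float       # loss if it succeeds, in dollars, recovery included


@dataclass
class Mitigation:
    """A control that cuts one threat's likelihood by a fixed fraction."""
    name: str
    asset: str
    threat: str
    cost: float         # annual cost in dollars
    reduction: float    # fraction of likelihood removed, 0.0 .. 1.0


# Constructed inventory: what we have and who could take it.
INVENTORY = {
    "hr_records_db": [
        Threat("unpatched_internet_facing_server", 0.40, 10_000_000),
        Threat("malicious_insider", 0.05, 2_000_000),
    ],
    "office_building": [
        Threat("armed_intruder", 0.001, 5_000_000),   # possible, not probable
        Threat("burglary", 0.10, 50_000),             # probable, low impact
    ],
}

# Constructed candidate controls and their (assumed) effect on likelihood.
CANDIDATE_CONTROLS = [
    Mitigation("patch_and_encrypt", "hr_records_db",
               "unpatched_internet_facing_server", 200_000, 0.90),
    Mitigation("armed_guards_24x7", "office_building",
               "armed_intruder", 500_000, 0.50),
    Mitigation("alarm_and_rated_locks", "office_building",
               "burglary", 20_000, 0.60),
]


def expected_loss(threat):
    """Annual expected loss for one threat: likelihood times impact."""
    return threat.likelihood * threat.impact


def rank_risks(inventory):
    """Return (asset, threat, expected_loss) triples, highest risk first."""
    rows = [(asset, t.name, expected_loss(t))
            for asset, threats in inventory.items() for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def total_expected_loss(inventory):
    return sum(expected_loss(t) for ts in inventory.values() for t in ts)


def choose_controls(inventory, controls, budget):
    """Greedy selection by expected-loss reduction per dollar until the
    budget is spent. Returns (chosen control names, residual inventory
    with the reduced likelihoods applied)."""
    lookup = {(a, t.name): t for a, ts in inventory.items() for t in ts}
    scored = []
    for c in controls:
        saved = c.reduction * expected_loss(lookup[(c.asset, c.threat)])
        scored.append((saved / c.cost, c))
    scored.sort(key=lambda s: s[0], reverse=True)

    # Work on copies so the caller's inventory is left untouched.
    residual = {a: [Threat(t.name, t.likelihood, t.impact) for t in ts]
                for a, ts in inventory.items()}
    chosen, remaining = [], budget
    for _, c in scored:
        if c.cost > remaining:
            continue            # cannot afford it; try the next best control
        remaining -= c.cost
        chosen.append(c.name)
        for t in residual[c.asset]:
            if t.name == c.threat:
                t.likelihood *= (1.0 - c.reduction)
    return chosen, residual


if __name__ == "__main__":
    for asset, threat, loss in rank_risks(INVENTORY):
        print(f"{asset:16s} {threat:34s} ${loss:>12,.0f}/yr")
    picked, after = choose_controls(INVENTORY, CANDIDATE_CONTROLS, 600_000)
    print("chosen:", picked)
    print(f"expected loss before ${total_expected_loss(INVENTORY):,.0f}, "
          f"after ${total_expected_loss(after):,.0f}")
```

With these constructed numbers the exposed, unpatched server dominates the ranking, patching and encrypting it is by far the best spend, and the scary-but-improbable armed intruder never justifies round-the-clock guards within a $600,000 budget. The greedy pick is a deliberate simplification (it is not an optimal knapsack solver), and the likelihood figures are the hard part in practice: the model only says where to look, it does not replace honest estimates of how probable each threat really is.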
