
Saturday, April 26, 2014

OPINION: Why Does It Suck To Think Like A Good Guy In Security



Day after day, on social media and elsewhere on the Internet, there are lots of folks who are seemingly shocked every time a bad guy shows up and acts like a bad guy. Seriously, how many times have you read or seen "I can't believe Suspect A was able to murder all of those people" or "If only they (security) did XYZ like I thought of during a conversation with my veterinarian who may have been in the military, that bad thing wouldn't have happened"? I see it quite a bit and frankly, I've decided it may be time to finally add my .02 about it.

Those of us in security who have spent some time studying "the threat" (insert whatever scary bad guy you're dealing with) understand what few who haven't studied it don't. No matter how awesome your protective measures are, they do little to mitigate (and certainly not "prevent") the attacker unless you start thinking a bit like they do. Herein lies the fatal flaw of most "white hats" and even some "grey hats".
  1. You think of attacks in ways that you would conduct them. No offense but if you're protecting yourself against robbers but know relatively little of them, you may be looking to deploy solutions which don't work against that threat. One of the most painful things any security professional can hear when doing a site survey with a client from the client is "If I were the bad guy, this is how I would do it." More often than not, it is not how the bad guys would attack. Think security cameras in homes. Most people will deploy a camera at home with the thought the camera provides an extra layer of protection when in fact it doesn't. I have known several victims of home invasions who either had cameras installed or had an alarm sign out front. These are two commonly deployed deterrence tools that we know don't work. Instead, focus on the problem as if the bad guy would ignore the deterrence measures (because he will because we have little proof he won't) and proceed with the attack and use things like cameras as after-incident mitigation tools to catch the perpetrator later.
  2. You think of your threat as one-dimensional. Most good guys see their threat based on commonly accepted precepts of what the threat is and how he has attacked in the past. Just because the bad guy only hit you or the other guy using one vector doesn't mean he won't try something different later. A great example of this is 9/11. Prior to the second World Trade Center attack, there were common beliefs that terrorists were only capable of performing certain kinds of attacks. What nobody factored in was that realistic threat capabilities change. In other words, we assumed the threat wasn't evolutionary in his tactics. Seriously, who could've imagined having to protect a building against two near-simultaneous aircraft crashes? Perhaps we could have, had we accepted the idea that as we change, so does the threat.
  3. You think the threat is omnipotent and omnipresent. It's easy to get caught up in the hype of a threat. I do it sometimes. This is a natural defense mechanism after an attack has occurred. Why? No one likes to have their vulnerabilities exposed. After every mass shooting or act of violence that makes the news, we assume every venue that is like the one that was attacked is also vulnerable and being selected as the "next" target for another perpetrator.

    I remember fondly working on 9/11 on a small Air Force base on a perimeter patrol. What I recall the most are the initial attitudes people had of al Qaeda. We believed this one attack displayed a level of sophistication unseen by them before on US soil could be replicated on a massive scale. Every Muslim, ignorantly, was assumed to be a sleeper agent waiting for cues from "Muslim HQ" to attack us wherever and however they chose. The months and years ahead showed how far from the truth that was. Imagine how many countless resources were expended before we realized the fallacy behind this assumption.
  4. You think your attacker "chose" you for a variety of reasons he didn't. People almost always assume an attacker chose to attack them or others for reasons they didn't. Rape is commonly thought to be a crime of lust because good people believe sex is the only reason you rape because it's the end-result. However, most criminologists and psychologists would agree rape is a crime of power. I would argue the majority of crime takes place for this very reason. Terrorism occurs because of this as does murder (what's more powerful than ridding yourself of someone permanently), drug dealing, fraud, and a host of other crimes. You're either fighting to obtain it (i.e. steal it from someone else) or committing crime to become more powerful. This confusion could possibly explain why most crime "prevention" measures based on policy fail at alarming rates - we're clueless on what truly motivates people to attack us.
  5. You assume because you haven't seen the threat, he must not exist. Whether we see the threat or not, we should never assume he does not exist. While the threat can't be everywhere every time, the threat can still be very much present. Never assume the absence of threat means he or she isn't going to show. You still need to adequately protect your assets as if today is the day you're going to be attacked. Remember, the attacker chooses the time of attack. You choose how well-prepared you'll be when it happens.
I'm not proposing anyone go out and hire a red team. I firmly believe one of the reasons we so often fail so miserably at security is our natural inclination to think the bad guy thinks like we do when he doesn't. So how can we fix this?
  1. Study your adversary. Seriously, pore over any open source intelligence you can on your threat. Read the paper and look for crime stories. Pick up a police report or two on venues similar to yours. I'll leave how you conduct your research to you. Just do it. Stop assuming blindly how the attack will go down or even who your adversary is.
  2. Consider hiring folks who can think like attackers. I'm not saying you hire criminals but red teams hire specialists who can mimic attackers. Choose folks from a variety of backgrounds to round out your security team. By the way, by "background", I'm not talking education. I mean pick a team with a variety of specialists.
  3. Test your systems with exercises. The only way you're going to learn is by testing how well your security program holds up against an actual attack. Consider doing this with little to no notice and have an after-action or "hot-wash" debriefing with your red team and affected staff right away. Finally, fix the vulnerabilities as soon as possible.
  4. Reward outside the box thinking. When I was a young boy, I recall my fondest memories were playing games like "hide-and-go-seek" with my friends. The guys who were the most creative were the best at this game. Why? Because they were unpredictable. I'll leave how you choose to reward these folks on your own. Just do it.

Thursday, April 24, 2014

PHOTO: Fake Cameras Provide Fake Protection




I can't even begin to tell you how many times I run into stores that have decoy cameras in lieu of real cameras. I also can't tell you how many countless times these same stores get robbed. Buying a decoy camera, in my opinion, is an invitation to criminals. This is not to say most criminals can't tell the difference between fake and real. This is to say that many of these businesses and homes that utilize decoy cameras don't quite get what kind of mitigators they need to adequately protect themselves and their assets.

The added statistic at the bottom of this photograph is especially troubling because it dupes customers into believing they have added another layer of "security". This is correct in some respects. Remember what I said about "security" being a goal and less of an action? The problem lies in exactly the same place issues of semantics in security are - it relies on data that is either incomplete and more than likely, irrelevant to their protection needs.

We all know cameras serve a variety of purposes other than video surveillance. We also understand some vendors and property owners either have poor tools or are so under-trained they may as well not have a camera. However, when an incident happens, the last thing property owners want to tell the police and insurance companies (worse yet, a jury in a civil liability trial) is they thought a decoy or non-operative camera offered better protection.

If you're a property owner and considering one of these decoys, turn around and invest in a camera system you will monitor and maintain. If you're a pro, call these out and explain the dangers of using them.

Tuesday, April 22, 2014

The Semantics of Security - The Great Enabler of Security Ignorance


One of the toughest and most insightful lessons I learned came during a conversation with a good military buddy about why English is such a difficult language to learn. "You never mean the things you say. You say you "love" your car in Spanish, it means you love it like family. It's as if you use the words so much they lose their actual meaning." I was a bit taken aback by this. No one had ever explained the issue of semantics so eloquently before to me.

This same thing happens in security and explains what makes it so difficult for so many professionals and lay-people to be able to comprehend it. The following are great examples:
  1. Prevention versus mitigation. Prevention is defined by Webster's as "the action of stopping something from happening or arising." Mitigation is defined by Webster's as "the action of reducing the severity, seriousness, or painfulness of something." The words mean something completely different from each other, yet are used interchangeably. In security, getting these two words wrong can mean the difference between a loss of life (yours or an innocent's) and victory over an attacker. Having lofty goals of prevention through methods and measures seldom tested against actual bad actors often leads to failure when they do show up. However, having sound mitigators in place should they attack could save both life and property and result in the consequential capture of your bad actor. The decision to stop his or her actions is totally dependent upon his or her decisions and plans before and during the attack. Your measures could help persuade them not to attack, but I would hardly call this prevention without more quantifiable evidence.
  2. Vulnerability assessment versus reconnaissance. A vulnerability assessment is a process which entails analyzing a client's assets to determine likely avenues of approach for attackers. It could involve talking to stakeholders, physical walkthroughs of the assets, imagery analysis, and red-team exercises. Reconnaissance is a process which entails some covert surveillance resulting in a report to the target's adversary to support a plan of attack on the target. These terms are often confused because people assume one means the other. Typically, bad actors do recon and friendly agents do vulnerability assessments. The latter could use the former as part of a red-team exercise or even as part of a walkthrough. However, the methods by which either is done are very different. Keeping this in mind prevents amateurs from thinking by doing reconnaissance, they are in some way doing a complete vulnerability assessment.
  3. Security versus protection. It grates my nerves to hear people say they are "doing security". I find most people have no true understanding of what the term means and are therefore ill-suited for, and failing miserably at, the task they think they are doing. As I've discussed before, security is a mental construct wherein our protective measures are adequate enough in our minds to mitigate bad actors and their attacks to make us feel secure. It's a subjective term, but more of a goal and less of an action than anything else. Protection is what we do to make the environment secure enough to assuage our fears of a possible attack.
  4. Arrested versus detained. It took me a while to get used to this. They both sound like they should mean the same thing but they do not. Ask anyone who has ever been arrested. Being arrested has an element of detention but it isn't the totality of the action. You can be detained without being arrested. While this may sound like an issue of semantics, ask your legal counsel to explain what happens in security when you confuse your ability to detain versus your arrest powers.
  5. OPSEC. OPSEC is one of the latest buzzwords to come into the modern security lexicon. Everyone believes they do it but few actually do to include me at times. Seriously, everyone on social media who is in our industry seems to have a burner cell phone number, 10 fake IDs, wall safes for their wall safes for the wall safes with their encrypted USB, uses TOR to hide from the NSA (as if), etc. The first rule of being good at operations security is to shut up about OPSEC. What's the first thing people do when they think they've done something awesome with respect to OPSEC? They tweet about it on a source they don't own with people they don't know or could vet with any realistic degree of certainty, using communication they know very little about on the Internet which was created by some of their adversaries who have actively engaged in intelligence operations here since its inception. So if so few get it, why do they think they've adequately protected themselves? See the difference between prevention and mitigation.
  6. Intelligence versus information. I often hear professionals claim they have "intelligence" on an adversary, when in fact they don't. Most often they have only raw information they haven't vetted or analyzed. These colleagues suffer from the correlation paradigm, where they mistakenly conclude that information correlating or parallel to an event is its cause. In the analyst world, this is called "confirmation bias". You believe the information because it confirms what you already believe. Intelligence is the product of taking that raw information, vetting its source, comparing and contrasting that data against previous data and assumptions, peer reviews, and a final reporting of that information with an analysis centered on critical thinking. A newspaper article in and of itself is not intelligence just because it says something we already thought was true. That would be akin to treating Weekly World News' stories on aliens consulting a still-alive JFK on Elvis' newly proposed welcome-back world tour as intelligence because you're an Elvis-loving conspiracy theorist who believes you're an alien abductee.

  7. Guard versus officer. I'm sure to stir up something here. Let me clarify: there is NOTHING wrong with being a "guard". However, traditionally, that word has gotten a bad reputation. Think "mall security guard". These guys can be awesome professionals, but the title does tend to minimize the extraordinary amount of work it takes to protect the thousands of mall patrons and mall assets against a variety of threats daily. It also does little to note the authority which enables them to perform certain legal actions against those threats, such as trespass advisements and, in some cases, arrests. "Officer" denotes they are an extension of management and not merely someone who stands a post. They represent the extent to which managers are willing to go to protect their assets and their customers.

    Recently, during a discussion with another friend from the military, I recalled a conversation about semantics with a person who worked in what was commonly referred to as the "chow hall". One day, I inquired why the name "chow hall" was such an insult to him. He explained "Do you guard planes or do you protect assets vital to national security? I don't cook chow. I cook meals which are nutritious as per my training. We're both professionals. I know people mean no harm but that term implies my food and what I do as a professional are sub-par and unworthy of a professional title, when that's not true." Vets, I hear the snickering. Stop laughing. But he had a point. One that wasn't lost on me.

    How your customers see a "guard":



    An image the term "security officer" typically conveys:

  8. OSINT versus unclassified. I'm a huge supporter of open source intelligence (OSINT). This entails gathering intelligence from a variety of non-covert channels. This could include public radio, news broadcasts, social media, etc. I have noticed this word used to excuse what I believe to be gross violations of protecting classified or sensitive information. Let me explain. I certainly understand OSINT by its nature can come from unclassified channels. However, I also realize it does not relieve professionals of their responsibility not to divulge information coupled with their "insider perspective" which may be tactically advantageous to an adversary. You can observe this lack of professionalism best on social media during a critical incident. There seems to be a pandemic of sorts when these incidents happen which encourages its victims to feed their egos by talking endlessly about their highly sensitive "insider knowledge". I once observed someone who is widely considered an "expert" tweet the locations of responding forces to a major hostage situation. Another person tweeted security measures at a base they had just left. Sure, none of this was classified, because it came from a radio scanner and personal experience. It was, nonetheless, highly sensitive and could have placed lives at risk if the adversary had intercepted these messages. In physical security, once sensitive information is compromised, we only have a precious, small amount of time to deploy mitigators. As I often say during these events, "Don't let your ego and mouth write checks your a-- can't afford to cash with someone else's collateral."

  9. Active shooter versus mass killing. The best way to explain this is simply stating not every active shooter kills anyone and not every mass killing involves a gun. Yet, whether because of politics or hype, professionals and laymen still confuse these two. This may seem meaningless until you realize how information is gathered to study these two distinct events and the influence those studies have on policy.
  10. Security theater versus threat mitigation. Look, folks, as professionals, we realize not every threat is going to attack us. We also get some of our measures are extreme. I'm certainly NOT trying to justify any abuses of authority or trust. That being said, just because you don't see the "boogey-man" doesn't mean he's not there. Does this mean security should have authority to do cavity searches on everyone? No. But it doesn't mean because that's extreme that someone isn't trying to do you harm. Do some threats get blown out of proportion? You bet. A vigilant public and other professionals are awesome checks against overreach, though. As every threat isn't realistic, every threat mitigator isn't security theater. We'd all do well keeping this in mind.
There are a load of others I would add but I feel as though this list does a great job of illustrating the power of words in our industry. Please use them carefully. If you have more, let me know.

Thursday, April 10, 2014

How And Why Mass Violence At Schools Happen


There's been yet another act of mass violence at a school and, of course, the media has lost its mind. People are wondering how this could have happened and why. As security professionals, we know neither these questions nor the answers are new. For those in the field, bear with me; I'm going to go over how and why these things happen.

  1. It has nothing to do with WHO at times and more with WHERE. Let me explain. We always assume people target us because we mistakenly believe the target is "special" to the attacker in some sort of way. This is a common theme in our attempts to understand attacker methodology with respect to terrorism. All over electronic punditry, we're saturated with folks who proclaim "they attack us because they hate us." So this has become our mantra for every attack of any variety. What we fail to account for is that it's not entirely exclusive as to who they attack, but where. On Twitter, I have been practically shouting that when it comes to mass violence, one of the most key ingredients, if not the key ingredient, is the presence of crowds. Nothing is more appetizing to an attacker than to make his attack seem grand and above-average, for a swath of reasons I'm not qualified to adequately explain here. Let's just say, you should NEVER EVER be surprised by the actions of mentally disturbed people.

    Crowds are also, normally, not difficult to get large casualty numbers from. Think about the last time you were at a baseball game or major sporting event. Ever notice the large crowd at the ticket or embarkation areas? As a security professional, whether you're working or not, this is perhaps one of the most precarious chokepoints to be at. A chokepoint is a place people have no choice but to pass through in order to get somewhere else. Everyone working anything from Secret Service to convoy security will tell you to ALWAYS avoid chokepoints. Why? They offer the presence of crowds, very narrow escapes for victims, and the ability of attackers to conceal themselves in the crowd.
  2. Violence has very little to do with the tools. Think about that for a second. I have made it no secret I enjoy guns. I do. However, I also understand the temptation to want to ban them. I've seen the statistics and the simulated models in whitepapers from folks who have never fired a gun or actually witnessed violence. I have a problem with this overly simplistic conceptualization of the problem. Erroneously, we believe the issue is with the mass proliferation of guns. Unfortunately, the discussion rarely acknowledges the socioeconomic, psychological, political, and cultural issues that drive some violence. More importantly, we ignore what mankind has known for decades: you can ban the tool, but violence will always remain, and the loss of any life is intolerable. Do you think if mankind had no guns he wouldn't find a better way to commit acts of violence? Think about that for a second. We had no electric chair until Thomas Edison did a proof-of-concept demonstration to show the dangers of electricity. Man will always find ways to commit acts of violence against one another for whatever reason he deems fit. This is not to say we can't have mitigators in place, but we can't for one second believe we're getting rid of the problem solely with a ban of the tools or knee-jerk "reforms".
  3. People mistakenly use "mitigation" and "prevention" interchangeably. Security professionals understand the difference between the two. Websters defines "mitigate" as "to make (something) less severe, harmful, or painful". Many people believe we can prevent acts of mass violence "if only we do X,Y, or Z." There's a huge fallacy that we can prevent crime. This comes from a sublime arrogance of humans who believe we can stop our fellow man from acting out against us.

    The issue may seem to be one of semantics, but I argue that it's not. You can't "prevent" me from speeding. Only I can do that. I used an analogy the other day where I articulated, "Just as Match.com doesn't make marriages, you can't "prevent" crime. You can set conditions with good mitigators, but ultimately the decision to move forward or stop is on the principal actor(s)." Think about that for a second. No matter what measures you put in place, whether it's a guard at a school or metal detectors, my ability to accomplish the task of killing a large number of people at a particular location is solely left to my motivation, intelligence, ability, and imagination.

    I have long argued that we have to move away from the idea that we can "prevent" crime to one where we "mitigate" attacks. A while back, I said people mistakenly believe by locking a door that somehow they have thwarted a burglary without seeing any firsthand information a burglar attacked the door and left because it was locked. Yet, everyday, most of us lock our doors anyway thinking we're doing crime "prevention" when in fact we're doing crime "mitigation". Mass violence occurs many times because we mistakenly believe our mitigators can prevent it.
  4. We rely too heavily on certain mitigation tools. Having an armed guard at a location is a mitigator not a prevention tool. The guard is there to ensure you have the means to adequately respond to acts of violence until police arrive. School administrators have for far too long relied on guards as prevention tools and have stopped doing other things which are more effective in mitigating these acts like deploying good cameras, training personnel on monitoring camera feeds, practicing lockdown procedures with teachers and other staff during non-working hours, talking with local police about their capabilities, training staff on conflict deescalation, and paying attention to warning signs.
  5. We don't train staff on attack methodology and psychology in school. Teachers and other staff are often taught how to respond to these events, which is great. However, doing only this ignores how often teachers and staff are the best sensors we have for students who may be a danger. Many times, they may observe a student doing reconnaissance or testing security and not even know it. Imagine how many lives could be saved if teachers and staff had a threat working group chaired by the school safety official and principal in schools where these incidents have taken place.
  6. We used to do a really good job of being very proactive with mental health incidents in this country. I'm not advocating going back to asylums. Most were fraught with abuse and shoddy practices. No, what I want is for us to become much more proactive with mental health. We can no longer see mentally ill people as "someone else's problem". Mass violence has taught us we can no longer think of it like this. Yet, we do. When we removed the ability of doctors and other mental health professionals to intervene immediately and possibly treat long-term issues, we placed our citizens at risk. How? When most seriously mentally disturbed people come to the attention of authorities, it is often too late, and how long and where they can adequately be treated has greatly diminished. In some jurisdictions, the police can only place you on a "mental health hold" at a local mental health facility for 72 hours or less, in many cases. If you don't exhibit the behavior further and can be treated, you're out.

    As a former law enforcement officer, I can tell you the most distressful call to go to is a mental health one. Given that most mental health hospitalizations are never found (either because they can't legally or no measures exists to enable it) on background checks for firearms, the problem grows exponentially worse. Many of those who have committed acts of mass violence had already been diagnosed as being seriously mentally ill but couldn't be put in long-term care because they hadn't been deemed a danger and even if they had, I'm unaware if this would have barred them from having firearms (as discussed previously, I'm not sure a ban for them would have been effective in preventing violence in some instances).
I understand this list is not all-inclusive but this is how I see the problem in a more condensed manner than I believe can be adequately addressed on a forum such as this. You may have other solutions or know of other ideas. As always, they are greatly appreciated.

Tuesday, April 8, 2014

Guess Who Is In The Freedom Of Information Act Business



Folks, I don't claim to be a journalist, though I give unsolicited advice to them on Twitter. I know I shouldn't. I'm supposed to be in my lane. However, I do recognize when they go about using the law to get official documents about things the government likes to keep secret. I respect this so much that I began doing the same a while back through MuckRock.com. MuckRock is a Freedom of Information Act request clearinghouse where journalists, bloggers, and fellow netizens use FOIA to gain access to documents. I do this mainly to educate myself on physical security issues. I've decided to begin sharing my requests and those of others I find worth following.

Here are a few of my pending requests:

Here are a few of the requests where I was successful in getting information:
You can sign up for an account at MuckRock and submit your own FOIA requests through them. The only caveat is whatever you find or get from the government, MuckRock will publish on their site. So exercise due caution with phone numbers, SSN information, etc. Also, as you will learn, if it's a really good secret, the government will fight you "tooth and nail". Luckily, MuckRock has a pretty good team that will work with you. Also, don't worry about staying on top of the government with requests, MuckRock has a nag feature wherein they bug the government almost bi-weekly with respect to your requests. These folks are great at what they do.

You can use MuckRock via the link below


Or you can do your own requests via the official US government FOIA request site. Just be aware, your state and local jurisdictions have their own sites as well. Try them for a more localized search.


I will continue to post more documents and updates regarding what I find. Stay tuned.

Monday, April 7, 2014

Security Officer Memorial


My latest post directed toward those who consider themselves "security professionals" got me to thinking about some of the ways we, in this profession, often fail to recognize the sacrifices of those who have worn the uniform and shield. So I decided to do something about it in my own small way. I created a wall using information derived from the fine folks at Private Officer to memorialize those who have made that sacrifice. I will update the wall as I get information. Feel free to check it often when you feel yourself becoming more unsure about what this profession entails.

The wall can be found on the right-hand (your right) side of this site. Here's the permalink - http://blog.thesecuritydialogue.org/p/security-officers-killed-in-line-of.html

Quote of the Week

Today's quote of the week comes from one of my favorite tweeps and fellow security aficionado The Grugq. Pretty much sums it up.


Sunday, April 6, 2014

The Security Professional's Creed

After my latest post, I started to think about what it means to be a "security professional". I use this title on my personal emails and how I describe my passion to others. I find most people, to include fellow "professionals", are pretty unclear what a "security professional" actually is or should be doing. So I decided to create a creed I think summarizes what we believe, practice, and require as professionals. Let me know what you think.
  1. I am a security professional. I will provide protection when requested or required. I will do this to best of my ability and will ensure my fellow professionals, sub-contractors, and employees do the same. I will work within the parameters you give but I will not sacrifice quality and how I ensure you and your assets are adequately protected.
  2. I am a security professional. I have an amazing legacy. I come from Pinkerton, the Bow Street Runners, and Robert Peel. Society is safe and secure because men and women like me and my team have stood watch over the things and people others have said needed protection. We have done this dutifully and often with great sacrifice. In my field, there are no long funeral processions when we lose someone "on the job". There's no horse-drawn carriage. If we're "lucky", there's an article in the paper. Yet, here I stand ready, willing, and more than capable to make that sacrifice if need be.
  3. I am a security professional. I may not be a gun-toter or a patrolman. I may be the guy working on your firewall or doing your annual risk assessment. I may be the guy in the parking lot you ignore as you hurry to your office while I stand watch in the cold, the rain, and the insanely hot. I may be the guy walking around your child's school to keep out drug dealers and other criminals. I may be the private investigator you call when your wife is charged with a DUI. I may be the private investigator you call when the police have failed and you need a lead in tracking down a missing child. I may be the 24-year-old security officer who takes up someone else's patrol sector for the night and is mercilessly killed because I asked for an ID. I am a security professional.
  4. I am a security professional. I am not a guard dog, though I may use them on occasion to protect you. I am not your maid or baggage handler, though I am happy to work alongside them in protecting you. I am an enabler. I ensure what I need to do doesn't impede your ability to do what you need to do. I am not an obstacle nor am I a nuisance. I am a professional.
  5. I am a security professional. I have a variety of experiences and I've been educated by a school where the lessons learned are taught in measurements of life or death. Not just anyone can do what I do. It's hard. I'm a security professional.
  6. I am a security professional. I take detailed notes, draw sketches, outline terrain features, study the threat inside and out, meet with stakeholders to address risk management, and I know the things you want protected most and where you're most vulnerable. I'm on-time to meetings. I dress professionally. I address you by terms of address you're familiar with and requested. These are big responsibilities I shoulder alone with my team. We are always adapting to your protection needs. Why? Because I'm a security professional.
  7. I am a security professional. Yet, I make mistakes. I may try my best, but there will be a few isolated times where I forget something. While you're upset, I am even more mad that it happened. You see, I'm disciplined. When I'm in the workplace, I don't engage in office gossip. I strive to manage my personal life so it doesn't conflict with my professional life. I ask for help when needed and I seek opportunities to grow. I treat what I do as a profession and not a "job". I am a security professional.
  8. I am a security professional. I may not be a security "expert". As a matter of fact, I'm uncomfortable with the term. I know most "experts" are only good at one thing - convincing you they're an "expert". I don't have all the answers but I know where to find them. You could very well have a situation that I'm not familiar or equipped to deal with. When this happens, I will transfer the task to someone else who knows better than I and I will "shadow" them until I am. I am a security professional.
  9. I am a security professional. I may be a guard, officer, manager, agent, director, or chief, but, at the end of the day, I am a professional. I treat this as a profession and I demand you do as well. I ensure my team and I adhere to the highest standard. Our job demands it. Countless lives depend on me and my team being effective mitigators every day in the event the threat shows up. We are prepared to detect, deter, delay and if needed, destroy the threat. We will do this and more. We are security professionals.

Saturday, April 5, 2014

OPINION: Why Your Terrorism Expert Isn't A Security Expert Always


I know some of you already know the answer to this. Just bear with me while I explain it to those who seem confused. First, let's begin with telling you why I'm even bothering. Through various social media accounts I participate on, I have come across folks who seem to believe their education and/or sort-of-relative experience makes them experts in physical security. As I have explained earlier, I am certainly not qualified to call myself an expert, but I have a swath of experience and knowledge that allows me to adequately determine someone's expertise in my field. Because of this, I have run across many people whom the media and others have extolled as subject matter experts on everything from active shooters to in-depth espionage cases. It seems the loftier the person's former or current professional title is, the more they seem to be called on to give their commentary. As you might imagine, I have become angry and dismayed by what I have perceived as reckless de facto expertise certifications given to people who are often woefully unqualified. Let me explain:
  1. Just because you were Special Forces or even a spy doesn't mean you're an expert on all things related to security. I LOVE special operations folks. They do stuff other people can't and only dream of doing in the name of God, country, and duty. They are elite and deserve all of the praise and accolades that come from doing awesome work in their field. Let me explain. I'm not taking anything away from people who could kill me from a thousand yards away or who kill bad people in faraway lands. However, not every special operations person knows about alarm systems, CCTV, CPTED, security operations, video analytics, or a host of other things I cover here to the level where they are the only people qualified to speak on physical security matters. Some do because their mission may require it. Just because I'm familiar with special operations, since I had a job that required some knowledge of them, doesn't mean that I'm an "expert" in special operations. This doesn't stop our media and a few Fortune 500 companies from proclaiming some of these folks who "look and sound the part", yet have never worked a single security project, as experts.
  2. They have a Ph.D. in Middle Eastern Literature and Art, know about every major terrorist attack in the region, and have a blog their peers think is top-notch. Coincidentally, they know everything there is to know about active shooters, CCTV footage, small arms, and small unit tactics. Folks, seriously, after every active shooter event, spy story, or terrorist attack, there's a deluge of these folks through my various social media feeds. These are excellent folks in their field. They've got more education and background in studying terrorism than I could ever dream to have. Many of them are great people who only want to share knowledge. For those who have done that with me, I'm extremely grateful. However, there's another segment of this population who often come across as belittling in their demeanor. I appreciate all opinions. I truly do. I won't even pretend like I know everything (even on things where I may know a bit more than I let on) because I don't. I enjoy discourse and the exchange of ideas. What grates on my nerves and those of other security professionals are non-native academic "experts" who come across as though your opinions are somewhat flawed because you haven't taken their course or written a paper on it. I'm sorry - I got my experience in the field and learned what little I do know by seeing the world through the lens of a person actually doing the job you claim to know so much about but never did.
  3. They've read a bunch of blogs, some books, seen a few DEFCON talks, and follow some guys who pick locks. Sounds legit. That's great. But that doesn't make them an expert. In my opinion, expertise is derived from a multitude of professional experiences and, in some cases, academic knowledge on the topic. I appreciate their enthusiasm, but they can call me when they've suffered their first physical breach from an armed adversary at a facility they've been entrusted to protect. The world I operate in is much different than those books, articles, DEFCON or TED talks could convey adequately. That doesn't mean their opinion isn't worthy. I wouldn't dream of making that kind of determination. In your dialogue with professionals in this field, don't assume things you've read about physical security related topics are true or accurate. Assume you may not know everything either. If you're a reporter, never assume because a guy wrote a book on terrorism he understands why a 15-year-old boy shoots up his school. Take into account that not everything that goes boom in America was made because "they hate freedom".
  4. Your "security expert/guru/prophet" is a cyber-security dude who does encryption, firewalls, and IDS. That's great. But just like I know basic stuff about that stuff, unless they've worked on or designed physical security systems or apparatus, that doesn't necessarily make them an "expert" either. Chances are they've also never done a bag search, searched a vehicle for IEDs, detained shoplifters, or a host of other events physical security professionals have had to encounter. In the cyber world, they're awesome. This does not mean they understand burglaries, forced entry, active shooters, or property trespassers, though some may.
  5. They've been referred to as a "security expert" but their experience is almost invisible. I've seen major corporations shell out some serious money to make guys who "sound smart" about security the "face" of their security initiatives. This is VERY bad. It undermines the strides we've made in this industry to standardize what it means to have expertise in this field when major companies assign people as their "subject matter experts" who have minimal experience doing anything in security. If I just touched a hammer yesterday for the first time, would you make me the foreman of the crew building a high-rise today?
  6. Your expert has certifications. I'm not impressed. Actually, that's not entirely true. If your expert has certifications that they earned, I'm impressed. The American Society of Industrial Security, Inc. does an awesome job of certifying people based on merit and performance. This is why their certifications are the best in the industry to have, in my opinion (and a few others'). I'm not saying everyone else's certification is bad. Some are really good. I'm thinking of getting a few non-ASIS certifications myself. However, let's not be naive. There are certifications you can buy to make yourself seem more qualified than you are. This is dangerous yet is also HIGHLY ignored in some instances. The best place to witness this disgusting hoax is on LinkedIn. I LOVE LinkedIn, but there are some profiles which are full of self-aggrandizement. Don't believe the hype, folks. Do your due diligence.
  7. Your expert is a former cop who never did security details when he was working and his degree is in a non-related field. Being a cop is VERY cool. I'm a bit prejudiced, but I think cops are more diversified than we acknowledge. That being said, I have found that where security managers are former cops (those looking for a post-retirement job) who haven't worked security prior, they have found the transition to be more difficult than they or management may have imagined. The personnel, the jurisdiction size, and overall authority are different. The mission is also different. Yet I have seen companies hire people from law enforcement solely because management sees an intersection of subject matter expertise which may not even exist. Law enforcement and security are different species of the same animal in some respects.
I hope no one takes offense to this post. I'm just a bit wary of countless people peppering social media with facts and ideas which are unfounded and dangerous. Most times, these people are ignorant of the damage they're doing. Many believe that "expertise" is a subjective term and they have as much credibility as anyone else to give their commentary to the masses they believe need to hear it. This is all very true. I have almost no issues with this. Many of them didn't want to be considered "experts". Often, there is a void of "experts" for the media and others to call on, and so the people who "sound the part" get called. Perhaps we need to move beyond our acceptance of "anyone can do security" to one where we recognize and respect the professionalism that is required to do this job and those who actually do it.

Tuesday, March 18, 2014

If I Had To Design A Parking Lot, This Is How I'd Do It



The other day, I noticed in a discussion group someone asked about designing a parking lot access control system. This got me to thinking about why security officials are often tasked with designing and deploying these systems and why they are flawed many times. Here's the response I gave.
There is no technological answer for this. This would be dependent upon METT-TC (Mission, Enemy, Terrain, Troops—Time, Civilians). The best parking plans I've seen first started by looking at the mission of the facility.
  • This immediately prompts you to ask if any of the vehicles parked are or will at some point need to be mission critical. In other words, if this is a hospital, would it be prudent to have access control measures which take into account emergency vehicles? Will you have sufficient room in the lot to accommodate them and an emergency egress? I would also determine who NEEDED to be able to park in this lot. Not everyone needs to park in your lot, though they may want to. This should create a decent entry authorization list wherein you can identify who will need an expedient, yet effective, means of gaining access. How critical is the facility? Tech is great, but sometimes having a guy at the gate is more prudent with respect to handling visitors, LEOs/first responders without access control tags, etc.
  • It is also really helpful not to interfere with the mission of your facility when designing your access control system, whether for the parking lot or anywhere else. Seriously. I can't overstate this enough. DO NOT make your system so cumbersome or strict that it impedes the mission of those who do the work that pays you and your personnel. I have seen parking plans so restrictive that mission-essential personnel have been denied access to their facilities for things such as day-old expired vehicle tags and hours-old expired vehicle passes. Make sure your plan is flexible enough to accommodate those who need access right away but need to get their credentials in order.
  • Be wary of making it susceptible to social engineering, though. I find the best way to mitigate this is through codification of your policies, with exceptions allowed to accommodate those whose credentials may be lacking but can be verified. NEVER allow anyone access without verification. Ensure your access control system has authenticators, whether it be electronic or solely paper-based. However, ensure your authenticators are never discussed with anyone. I'd suggest making this a definitive terminable offense.
  • I'd also consider your threat profile. Who has an interest, as a nefarious actor, to gain entry to this lot or through this lot to your facility? How can you mitigate this, bearing in mind how they could obtain entry feasibly? Seriously. Don't plan on ninjas and SOF to make entry if that's not your threat. Plan physical measures with this in mind.
  • What's the size of your lot? Has your lot grown to an extent where it requires fencing? If it does, how often do your security officers check that fence? There's no sense in having a fence if you're not checking it. Remember, fences are a demarcation AND a detection piece of your plan. Also determine whether your lot has any physical obstructions that prevent you from observing who may have circumvented your parking plan. Consider CCTV or even a roving patrol to help if needed. Also, I find that if you use stickers, a few things tend to happen. One, people tend to park illegally and need to be towed. This takes up precious time and resources. And it could create confusion depending on how "creative" your sticker plan is. If you use stickers, keep it simple and use wheel locks. Give each of your patrolmen a wheel lock and the authority to deploy it on cars illegally parked in select spots. Also address parking violations on a stakeholder basis. Talk to them about the potential loss in revenue should responders be delayed because of illegal parking in their reserved spots. Also describe what you're trying to accomplish and how a sound parking plan can be a force multiplier (Boss, if our plan works, I can reduce the number of patrols and increase security efficiency and efficacy by x-amount).
  • Start thinking about how you want to accommodate vehicles in terms of their egress and entry. How long should it take them to leave and get in? Are there any chokepoints in the plan that can cause congestion and make for additional security heartaches?
  • Finally, consider the impact your plan could have on civilian or non-business related entities such as neighbors. Will you have to consider parking off campus? Will your plan cause congestion that impacts them? Will your plan address neighbors and their parking plans? Will your plan have a demarcation for neighbors to know where your property extends?
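The entry-authorization and verified-exception rules above can be written down as a decision function, which makes the policy auditable and keeps the "flexible but never unverified" trade-off explicit. The following is an added example of mine, not code from the post or any access-control product; the two-day grace period, the plate numbers and the names are constructed assumptions.

```python
"""Parking-lot entry decision with a verified-exception path (added example).

Models the rules from the post: an entry authorization list decides who may
park; a credential that has only just expired can still be admitted, but only
when the gate officer has verified the driver against the authenticator; and
every decision, especially every exception, is logged for later review.
The GRACE_DAYS policy and all sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 2  # assumed policy: tags expired no more than this many days may enter with verification


@dataclass
class Credential:
    holder: str
    plate: str
    expires: date


@dataclass
class GateLog:
    """Append-only record of gate decisions: (plate, decision, reason)."""
    entries: list = field(default_factory=list)

    def record(self, decision, reason, plate):
        self.entries.append((plate, decision, reason))


def decide_entry(plate, today, authorized, verified_identity, log):
    """Return 'ALLOW', 'ALLOW_EXCEPTION' or 'DENY' for a vehicle at the gate.

    authorized: dict mapping plate -> Credential (the entry authorization list).
    verified_identity: True only if the officer actually confirmed the driver
    against the authenticator (ID check, call to the sponsor, etc.). It is
    never inferred from urgency or from what the driver says.
    """
    cred = authorized.get(plate)
    if cred is None:
        # Not on the list at all: no exception path, regardless of the story told.
        log.record("DENY", "not on entry authorization list", plate)
        return "DENY"
    if cred.expires >= today:
        log.record("ALLOW", "valid credential", plate)
        return "ALLOW"
    # Expired credential: the codified exception applies only within the grace
    # window AND only after verification, so a lapsed tag alone never opens the gate.
    age_days = (today - cred.expires).days
    if age_days <= GRACE_DAYS and verified_identity:
        log.record("ALLOW_EXCEPTION", f"tag expired {age_days}d, identity verified", plate)
        return "ALLOW_EXCEPTION"
    reason = "expired beyond grace" if age_days > GRACE_DAYS else "expired, identity not verified"
    log.record("DENY", reason, plate)
    return "DENY"


def sample_scenario():
    """Constructed authorization list and 'today' for a demonstration run."""
    today = date(2014, 3, 18)
    authorized = {
        "ABC123": Credential("Dr. Lee", "ABC123", today + timedelta(days=30)),   # current
        "DAY001": Credential("Nurse Kim", "DAY001", today - timedelta(days=1)),  # day-old expiry
        "OLD999": Credential("Contractor", "OLD999", today - timedelta(days=40)),  # long expired
    }
    return today, authorized


if __name__ == "__main__":
    today, authorized = sample_scenario()
    log = GateLog()
    for plate, verified in [("ABC123", False), ("DAY001", True), ("DAY001", False),
                            ("OLD999", True), ("ZZZ000", True)]:
        print(plate, verified, decide_entry(plate, today, authorized, verified, log))
    for entry in log.entries:
        print(entry)
```

The point of the structure is that the exception branch is the only place flexibility lives, and it is gated on the officer's verification flag rather than on anything the driver presents, which is what keeps the codified exception from becoming a social-engineering path.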

Wednesday, February 19, 2014

Why Attacking The Grid Became Hip & What We Can Do About it



In April 2013, a group of armed men attacked 17 Bay-area power substations in an effort to presumably disrupt power to neighboring businesses. The attack was carried out using 7.62 mm rounds, which are commonly used in AK-47s (and their variants) as well as numerous other rifles, including certain sniper rifles such as the M-24 depicted below. The attacks were said to be carried out with military precision, as the attackers both shot at the transformers and breached the underground area where various power cables were located.




I've also attached the surveillance video of these attacks so you can get an idea of how they occurred.




Much has been pontificated on exactly who could have carried out such an attack. Former Federal Regulatory Commission Chairman John Wellinghoff stated he believed the attacks were a "terrorist act" even though the FBI has said to various media outlets they don't see any evidence of that now. As an investigator and a former military police officer, I can tell you that when law enforcement says they "don't see any evidence supporting that", that does not exclude any suspicions they might have. My preliminary guesstimate is the FBI has some idea as to who the perpetrators are, especially given the investigation is several months old and we're approaching a year since the attacks occurred.

I have heard from various sources this was the work of animal rights groups or environmentalists, given the target selection and court convictions of members of those groups in attacks against similar targets, despite the methodology being completely different from the Bay-area attacks. For the record, I completely disagree with this supposition, as it eliminates several other groups who are just as capable and have just as much stake in pulling off this kind of attack. As a matter of fact, I find it odd that those who suspect environmentalist/animal rights connections would ignore that the attackers chose a methodology using firearms, which goes against one of the strongest weapons going for them - the lack of human casualties and of kinetic attacks which harm human beings. Think about what I'm saying here for a second. Why would you bring a gun to an op where you could be discovered by law enforcement if the weapon isn't going to be useful as a defensive weapon against them? Also, any of these groups would have to account for the damage done to their public image if discovered with sniper rifles. It certainly makes it easy for their opponents to call them "enemies of the state".

What I surmise, rather amateurishly, is the perpetrators brought guns to do the damage and, possibly, to engage responding law enforcement. Thankfully, the latter never occurred, I suspect because the suspects believed they had done enough damage. I am also of the opinion this was a dress rehearsal for a larger scale attack. Many groups do a dry-run before a major attack to test how the target and responders react. We see this all the time with bomb threats called in weeks before an attack. No suspicious device is found at first as the subjects observe reactions. They then rework the plan and decide whether to order another test. I know this because this is how I was taught to plan operations in the military, and I suspect whoever is behind these attacks was taught the same lessons.

So why the power plants and why sniper attacks? Quite simply, because the security industry and our government partners have been discussing this since 2002. We've consistently asked that critical infrastructure beef up its security. Additionally, a report was done by the National Academy of Sciences describing the probability of success of a sniper attack against transformers. One could use the CARVER matrix to determine this is perhaps the more likely of any probable attack against critical infrastructure nodes. This is partially because of the ease of access to the target, the lack of security at the target, its criticality (it is vital to the target's mission), and its recoverability.

My summation is the attackers didn't have much experience as a group with kinetic attacks and may have used this attack as a means to demonstrate some proof of concept. Whether there will be more attacks is still unknown. Given the hype surrounding this one, they may try again.

Here's what I propose power companies can do to protect their substations:
  • Add 10 foot fencing around the perimeter of substations, ensure the fence is encased in concrete at the bottom to prevent digging under the fence, and configure the barbed wire in a Y configuration.
  • Have a roving armed security unit patrol actively in the area of transformers and substations conducting periodic but random security checks of the area. Have a randomizer pick the days and times of these checks on a daily basis. Never keep the same schedule.
  • Consider feeding the substation's closed circuit television feed into your state's emergency management agency or fusion cell incident management consoles.
  • Emplace barriers throughout the avenues of approach to disrupt potential vehicle traffic to the substation.
  • Consider placing armoured steel on the transformers and other critical areas.
  • Consider using seismographic security sensors and magnetic sensors along various vantage points.
  • Conduct a foot patrol in the area as a part of the random checks I mentioned earlier.
  • Conduct a red team exercise yearly on your facilities to ensure personnel and security operators understand and implement sound practices to secure your assets in an attack.
As a caveat to the recommendations above, I fully realize this is not a fully comprehensive plan. The idea is to demonstrate how the power companies can implement various measures which are less complicated than might be assumed. If you have other recommendations, please post them below. I'd like to hear from folks from all over the industry.
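The "randomizer" recommendation is easy to state and easy to get wrong: a schedule drawn with a predictable generator, or one that clusters checks together, gives an observer timing the patrols exactly what the recommendation is meant to deny them. The following is an added example of mine, not a tool from the post or any vendor, showing one way to draw each day's check times from the operating system's CSPRNG while guaranteeing a minimum spacing between checks; the four-checks-per-day default, the 60-minute spacing and the function names are constructed assumptions.

```python
"""Randomized patrol-check scheduler (added example; not the author's or any utility's code).

Draws an unpredictable set of check times for each day from the OS CSPRNG
(secrets.SystemRandom) so that an observer timing the patrols cannot learn a
fixed schedule. A seeded generator may be passed in for repeatable testing.
The check counts and gaps used here are constructed assumptions.
"""
import random
import secrets
from datetime import date, datetime, timedelta

MINUTES_PER_DAY = 24 * 60


def seeded_rng(seed):
    """Deterministic generator for tests and demos only; production uses SystemRandom."""
    return random.Random(seed)


def _as_date(day):
    return date.fromisoformat(day) if isinstance(day, str) else day


def plan_checks(day, n_checks=4, min_gap_minutes=60, rng=None):
    """Return sorted datetimes for n_checks on `day`, no two closer than min_gap_minutes.

    Method: draw n distinct minute offsets from a range shrunk by (n-1)*gap,
    sort them, then push the i-th offset forward by i*gap. The sort plus the
    shift guarantees the spacing without rejection sampling, every valid
    schedule remains reachable, and the last check still falls inside the day.
    """
    if n_checks < 1 or min_gap_minutes < 0:
        raise ValueError("n_checks must be >= 1 and min_gap_minutes >= 0")
    span = MINUTES_PER_DAY - (n_checks - 1) * min_gap_minutes
    if span < n_checks:
        raise ValueError("cannot fit that many checks with that spacing in one day")
    rng = rng or secrets.SystemRandom()          # CSPRNG unless a test generator is supplied
    offsets = sorted(rng.sample(range(span), n_checks))
    start = datetime.combine(_as_date(day), datetime.min.time())
    return [start + timedelta(minutes=off + i * min_gap_minutes)
            for i, off in enumerate(offsets)]


def min_spacing_minutes(checks):
    """Smallest gap between consecutive checks: the property an auditor would verify."""
    if len(checks) < 2:
        return MINUTES_PER_DAY
    return min(int((b - a).total_seconds() // 60) for a, b in zip(checks, checks[1:]))


def plan_week(first_day, days=7, **kwargs):
    """Schedule each day independently and refuse to repeat the previous day's pattern."""
    plans, prev_pattern = [], None
    first = _as_date(first_day)
    for d in range(days):
        day = first + timedelta(days=d)
        while True:
            checks = plan_checks(day, **kwargs)
            pattern = tuple(c.hour * 60 + c.minute for c in checks)
            if pattern != prev_pattern:
                break
        plans.append(checks)
        prev_pattern = pattern
    return plans


if __name__ == "__main__":
    for day_plan in plan_week("2014-02-19"):
        print(day_plan[0].date(), [c.strftime("%H:%M") for c in day_plan])
```

The schedule should be generated and distributed through the same need-to-know channel as the rest of the patrol plan; the randomness buys nothing if the day's times are posted where they can be read in advance.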

Wednesday, December 11, 2013

Kenya Mall Shooting - Why It Went All Wrong & What We Can Do To Be Better

Yesterday, the New York City Police Department released a report from its SHIELD initiative about the Kenya mall shooting/terrorist attack. It was a pretty damning report, to say the least. Before we talk about the report, let's talk about what SHIELD is and why that's important to understand in the context of this report. SHIELD is the NYPD's homegrown information-sharing component with private sector security. It provides analysis on current and future threats. I've previously read some of SHIELD's reports. Some were good and some were typical of fusion center reports - some meat and some potatoes but not a full meal. This report was driven, in part, by what NYPD and private security could learn from what happened in Nairobi. There was plenty.

There were some startling revelations:
  1. Kenyan police were VASTLY outgunned. The report states, "The typical Uniformed Kenyan Police Officer is not as well equipped as their western counterparts, typically only carrying a long gun, most commonly an AK-47 style rifle with a folding stock, loaded with a single 30 round magazine. They do not carry handguns, wear body armor, gun belts or have portable radios to communicate." Each of the terrorists was carrying 250 rounds of 7.62 mm ammunition. Lack of body armor and radios to communicate resulted in fratricide. More on that later.
  2. Responding plainclothes officers were also outgunned and had no visible identification. Remember what I said about fratricide? From the report: "Very few of any of the plainclothes law enforcement first responders displayed any visible law enforcement identification such as a badge, arm band, ID card or a raid jacket, making identification as “friend or foe” extremely difficult for other armed first responders."
  3. Realizing the police were outgunned, Kenya made the incident response a military matter. That's as bad as it sounds. The report says, "Kenyan government officials decide to transfer the handling of this incident from the police to the military. A squad of Kenya Defense Forces KDF soldiers enters the mall and shortly afterwards, in a case of mistaken identity, the troops fired on the GSU-RC Tactical Team. They kill one police officer and wounding the tactical team commander. In the ensuing confusion both the police and military personnel pull out of the mall to tend to the casualties and re-group."
  4. Responding military forces used an RPG-7 as a room clearing tool. I kid you not. And the destruction was insane. "It is reported that at some point during the day the Kenya Defense Forces decided to fire a high explosive anti-tank rocket (possibly a RPG-7 or an 84mm Recoilless Rifle) as part of their operation to neutralize the terrorists in the Nakumatt Super Market. The end result of this operation was a large fire and the partial collapse of the rear rooftop parking lot and two floors within the Nakumatt Super Market into the basement parking."
  5. It is possible the terrorists escaped in part because the Kenyan security forces failed to secure a perimeter. It is rather elementary; the very first thing Western police do in these scenarios is lock down the perimeter. No one comes in or out unless they can be positively identified as a "friendly". This credentialing occurs by checking IDs, and law enforcement and first responders are admitted, or allowed to exit, only upon verification.
  6. The mall employed unarmed officers who performed unsatisfactory "wand searches". This is irritating, to say the least. Why? Unarmed officers are appropriate for certain environments and are the way to go in most environments. However, at high value targets, such as mass gathering locations in places like Kenya, I would have used an armed component. Armed officers are not only armed but can be equipped with radios and are usually uniformed. This makes identifying them for law enforcement somewhat easier. Also, armed officers can do things unarmed officers can't due to safety concerns, such as locking down perimeters and evacuating victims.
  7. Wand searches are weak. I dislike them with a passion. Why? Officers get tricked into believing a search was "good" because the wand didn't annunciate. This is all kinds of bad. A search should be thorough at high value targets. If you're going to employ officers and have them search, have them be thorough and do it without a wand. I would use the wand only in environments where I had other search mitigators in place, such as backscatters or X-ray search devices.

So what does this attack teach us in the West?
  1. The desire of terrorist groups to attack mass gathering locations is still very alive.
  2. Places like malls should consider Kenya to be a warning. If you're in mall security, I highly suggest going over your active shooter plan and rehearsing it on a fairly regular basis with local police departments and simulated shooters. In these exercises, test not just your ability to minimize casualties but also your security apparatus under stress. This is best accomplished by "killing" responders, taking hostages, attempting escape, and causing confusion among responders. Get your people used to chaos in these scenarios.
  3. Never do wand searches at high value targets, and test your people regularly. I've gone over why I think wand searches are bad. So let's examine why you should test and train your searchers regularly. Searching is one of the most important yet often neglected security components. We usually pick rookies and the "lowest common denominator" to do this function because it's "easy". Doing good and thorough searches that let you sleep easy at night is not easy. Searchers should be trained on subject "tells", the physical characteristics of forbidden items by touch, sound, smell, and sight, the tools they can use to do searches better, etc. They should also be regularly "red-teamed", which is to say you should have a non-attributable person walk through security and see what they can get through. When they're done, they should report their findings to management.

    Here's a video I did on how I would search bags:

  4. CCTV and analytics are EXTREMELY important to an active shooter scenario. There are several takeaways from what we learned about CCTV and the lack of analytics in Nairobi. First, CCTV coverage was spotty in some areas. Also, the CCTV coverage was easily identified and avoided by the terrorists. We also know while they had remote viewing capability, it was five miles away and more than likely not cross-fed into the police. While a CCTV monitor can't identify every threat, video analytics can alert them to suspicious activity. At the very least, consider it an option.
  5. Garages and parking lots should be regularly patrolled. While there was a guard posted at the entrance of the garage, had a response element been closer by, they could have locked the exterior doors to the mall.
  6. Train your employees on how to sound the alarm and IMMEDIATELY lock down their storefronts and secure customers. I would consider including them as a part of your active shooter training as well. Make that mandatory training for all storefront management and their trusted employees. I would include it in a leasing agreement if I had to.
  7. Have a HIGHLY accessible public address system to sound the alarm.
  8. Train local non-law enforcement responders on the need to "shoot, move, and communicate". Seriously, I can't stress this enough. There is a huge debate in the US surrounding concealed carry permit holders as responders. I'm okay with them responding, though I prefer they receive some training on the need to identify themselves to law enforcement prior to responding, via a phone call if time and circumstance permit.
  9. Equip every security person and law enforcement officer with a radio. If you want to avoid wasting your time clearing rooms that have already been cleared, or fratricide, then you HAVE TO equip your responders with radios and share your frequencies with them.
  10. Train your personnel on reporting formats like SALUTE. We've covered this before so I won't bore you with the details.
  11. Train your security management personnel on casualty collection points, IED mitigation, cordons, perimeter searches, and periodic vulnerability assessments. These things can't be overstated in training. Trust me. You'll thank me for this later.

Monday, August 12, 2013

The Rules: 10 Things Every Entry-level Security Person Needs to Know & Every Pro Forgets


There are principles which are inherently the same no matter what discipline of security you practice. Although, for some reason, some of us tend to forget them to our detriment. I blame 99.9% of all practitioner-caused security failures on this. What's worse is that rookies aren't the only ones who miss them. A lot of these issues come from pros who should know better. Like everything else, we need a refresher.

  1. Our business is about risk. This profession isn't just about assigning widgets to fix people's security issues. We deal with asking and solving really tough questions the end-user is often scared to address or doesn't know exist. If you're just selling a product to meet a quota or performing a security function to satisfy a job description, you're wrong. Start by asking the client about the resources he's protecting and what he's willing to do to protect them. Next, ask him if they're worth protecting. Most people believe EVERYTHING needs security. Precious time and resources are sometimes wasted defending something no one cares about, including the bad guys.
  2. Security is a state of mind; not an objective. Do you know how many of us believe the mythology that tells us we can attain security as if it were quantitative? Of course you do. An entire industry is built around this ridiculous premise. Nothing is 100% secure - ever! It can't be. There's always a vulnerability. I'm not saying not to bother with security. I'm just asking you to consider what it is you're trying to do and to consider if you and the client have realistic goals.
  3. Know your tools. I'm surprised by the number of practitioners who know so little about the tools that are available to protect their assets. People have this problematic tendency to learn from vendors about the tools offered but fail to educate themselves. Venture to some trade shows. Join ASIS. Ask around the Internet. Become a sponge. Too many of us are bricks. There aren't enough of us taking in knowledge in order to give knowledge back.
  4. Know your limitations. Face it, there are some problems you can't fix. Seriously. If you can't do the job, be honest. Say you can't and find someone else who can. You'll keep your integrity and impress the client more by being honest. You'll also develop a good rapport with trusted colleagues you refer. Trust me, this is a good thing. After the referral, tag along. Be that sponge I mentioned previously.
  5. Define your goals. When I was a supervisor in the Air Force, I can't tell you how many of my troops' professional failings came from forgetting this simple step. Look, no one likes writing goals except for those insanely productive people who live inside Lifehacker. But what's the harm in sitting down and mapping out your weaknesses, what you can do to fix them, and assigning a goal to reach them? Absolutely nothing. So get started.

    This can and should also be applied to security projects. Define what the project is, what the client's expectations are, determine how you can meet them, and then set goals in order to meet each objective. It's simple but few people do it. Failing to do it guarantees you'll lose an opportunity to work on future projects. 
  6. Know your terrain. Do you really understand the security environment? I'm not just talking about the threat. So often, we ignore the internal and external impacts of our measures which undermine our ability to properly protect these assets. For example, in many businesses, there is a key exchange. If you need access to a secure area, you have to leave a badge to receive a key into the area. This seems like a perfectly harmless idea, until users grow tired of giving up their badges and the person conducting the exchange is increasingly wary of having to do it. Security lapses occur as the "inconvenience" outweighs the security concerns. Don't believe me? Three words - Transportation Security Administration. Learn the terrain and figure out what will work the smoothest.
  7. Education begins with exposure. My take on security education is simple - you don't know what you need to know because you're not out there asking the right people. I know some people may be scratching their heads at that. But it's the truth. So many of us are ignorant of the threat, the tools, and the terrain because we haven't taken the steps to "get smart" about them.
  8. Befriend your enemy. I'm not telling you to "friend request" al-Shabab on Facebook or chat with MS-13 members on Twitter. What I'm suggesting is that you not only read up on their operations but try to get some basic understanding of their collective psychology. Learn how they conduct target selection, who they work with, how they recruit, their tools, etc. This will not only give you an idea as to how to build a better security plan but it will also enable you to ensure it's both comprehensive and adaptive.
  9. Everyone has a sales pitch. My first venture into private security was interesting, to say the least. I learned a lot from that gig. One of the lessons that stood out the most was to always be on the lookout for the sales pitch. Learning your client's pitch will enable you to ensure how you protect his resources won't affect his "bottom line". Would it be a good idea to have dome cameras installed over tables at restaurants? Of course not. What most restaurants sell, in addition to food, is a friendly environment where you can dine among friends. A dome camera over your table robs you of that, thus killing the restaurant's sales pitch. I've never seen that happen but it does illustrate how quickly we can lose the client's respect and business by forgetting they have a business to run as well.
  10. Vigilance is demanded. When I wrote the first draft of this article, I originally wrote "vigilance is expected." That was a HUGE mistake. Why? Because "expected" means you accept a margin of failure. In this business, apathy is where all good security measures go to die. I recognize the fine line between hyper-vigilance and vigilance. Certainly, there needs to be a balance. Just remember, at the end of the day, when there is a breach, you'll be forced to address why you violated this most sacred of security "rules". If you're a supervisor, your vision of how your people practice their profession should have this rule at the forefront. Julius Caesar had a special patrol he conducted before battle to catch wayward soldiers asleep at their post. The maximum and usual penalty? Death. While the consequences in the real world are seldom that dire, complacency will destroy our ability to adequately protect the client and their resources. This is a compromise we can't afford to allow - EVER.

Wednesday, August 7, 2013

Ten OPSEC Lessons Learned From The Good Guys, Bad Guys, and People-in-Between



If you've been in the security world long enough, you've heard of a term called "OPSEC" or operations security (often rendered "operational security"). This is a security discipline in which organizations or individual operators conduct their business in a manner that does not jeopardize their true mission. If you're a police officer who is staking out a house, it would be bad OPSEC to sit outside the house in a marked police vehicle. I think it's prudent we discuss this discipline so we can better analyze our own processes by which we protect ourselves and our operations. Reviewing the OPSEC process is a great place to start. The following come from Wikipedia (I know - it's super-scholarly):
  1. Identification of Critical Information: Identifying information needed by an adversary, which focuses the remainder of the OPSEC process on protecting vital information, rather than attempting to protect all classified or sensitive unclassified information.
  2. Analysis of Threats: the research and analysis of intelligence, counterintelligence, and open source information to identify likely adversaries to a planned operation.
  3. Analysis of Vulnerabilities: examining each aspect of the planned operation to identify OPSEC indicators that could reveal critical information and then comparing those indicators with the adversary’s intelligence collection capabilities identified in the previous action.
  4. Assessment of Risk: First, planners analyze the vulnerabilities identified in the previous action and identify possible OPSEC measures for each vulnerability. Second, specific OPSEC measures are selected for execution based upon a risk assessment done by the commander and staff.
  5. Application of Appropriate OPSEC Measures: The command implements the OPSEC measures selected in the assessment of risk action or, in the case of planned future operations and activities, includes the measures in specific OPSEC plans.
  6. Assessment of Insider Knowledge: Assessing and ensuring that employees, contractors, and key personnel having access to critical or sensitive information practice and maintain proper OPSEC measures, by organizational security elements, whether by open assessment or covert assessment, in order to evaluate the information being processed and/or handled at all levels of operation (employees/mid-level/senior management) and prevent unintended/intentional disclosure.
We should also recognize good guys aren't the only ones who practice this discipline. As a matter of fact, the bad guys do as well and many are quite good at it. The lessons we could learn from them, our fellow security professionals, and others are almost immeasurable.
  1. NEVER trust a big butt and a smile. Yup. I started off with that. Bear with me. Many intelligence agencies and law enforcement organizations use sex as a means to get close to a target or person of interest. Most bad guys realize this. However, many do not, to their own detriment. When involved with people in a relationship or sexual encounter, they get very close to you and your secrets. I liken these people to "trusted agents" who you allow close enough to you that they can get more information than you're willing or able to share publicly. Poor OPSEC practitioners often forget this. Most of their security failures stem from this fatal flaw. I'm not saying to not be in a relationship or to eschew intimacy. If you're in a job that requires you adhere to sound OPSEC principles, what I'm advising you to do is to exercise due diligence and conduct a risk analysis before you do. Think Marion Barry, Anthony Weiner, and Eliot Spitzer.
  2. Immortal words spoken during an EPIC fail.
  3. Always have a thoroughly vetted back-story for your cover. This is commonly referred to as a "legend" in the intelligence community. This is an identity in line with your established, synthetic cover. For example, I mentioned the hacker known as The Jester in a previous blog post. Depending on which side you're on, he's either a bad guy or a good guy. However, the lessons he teaches us about cover are insightful. Whenever someone "doxes" him, he has a prepared and detailed analysis as to how he created that cover identity. Many times he'll use a name that does exist with a person who either does not exist or who he has cleverly manufactured using a multitude of identity generators. He'll use disposable credit cards, email, LinkedIn profiles, VPNs which show logins from his cover location, etc. He even engages in cyber-deception with other actors to establish various cover stories for operations that require them. Whether you like him or not, he's certainly good at one thing we know for sure - cover discipline.
  4. NEVER trust anyone you just met. I see you laughing. Many people mistakenly believe they can and should trust everyone they meet. They will often claim they don't but their behavior says otherwise. As Ronald Reagan is often quoted as saying, "In God we trust, all others we verify." I firmly believe this to be the most crucial aspect of operational security. Proper trust is needed in any environment for the mission to be accomplished. However, blind trust can and will kill any hopes of a successful mission. Whether you're checking identification at an entry control point or planning cybersecurity for an online bank, you should always treat every introduction you don't initiate as suspect. Then triage people and their level of access according to risk acceptance. This is a lesson we learned with Edward Snowden. He'd only been at Booz Allen Hamilton a few months before he began siphoning massive amounts of classified information to which he had no direct access or need-to-know. Another saying I'm fond of is "Keep your enemies close, but your friends closer." I'm not saying everyone you meet is going to steal from you or betray your trust. Like my momma always says, "Not everyone that smiles at you is your friend and not every frown comes from an enemy."
  5. Shut the hell up! No. Seriously. Shut up. If you hang around the special operations community, you'll hear a term used to describe the work they do as "quiet professionals". Most successful bad guys realize the best way to ensure longevity is to shut the hell up. Bragging about or giving "pre-game commentary" before an operation are guaranteed ways to get caught or killed. The truly dangerous people are the ones who never say a word and just do their work. Sometimes, lethality is best expressed with silence.



  6. Watch what you leak. While we can keep our mouths shut, it is more difficult in the information age to keep everything connected to us quiet. In order to properly protect ourselves, we have to begin this process by conducting proper risk analysis. Is what I'm doing right now giving away something I don't want the public to know? Is the device or medium I'm talking on able to give away information I'm not comfortable with sharing? Does my enemy have the ability to intercept or analyze what I'm doing in order to gain sensitive information? What "tells" am I projecting? These are a few of many questions you should be asking in order to ensure you're limiting "noise litter".

    In the information age, do I need to say more?
  7. If you're doing secret stuff, NEVER EVER EVER EVER EVER, talk on the wire. Look at the Mafia as a perfect example of what not to do. As an OPSEC practitioner, you should never communicate on any medium that can give away your secrets or be intercepted. John Gotti got busted talking on the wire. A personal rule of thumb: If it can receive messages, it can transmit messages without you knowing. Treat every computer like an informant - feed it only what you're willing to share with your adversary.
  8. NEVER ever touch or be in the same place as the "product". For the uninitiated, that is one of the first rules of the dope game. Every successful, elusive drug dealer knows to keep away from the "product" (read: drugs). Whatever the "product" in your "game", ensure you put enough distance between you and it. If you have to be close to it, then have a good reason to be with it.
  9. Recognize "the lion in the tall grass". When practicing OPSEC, if there is one thing you should never forget is why you're doing it. The reason you're practicing it is simple - there are people out there that oppose you. Ignore them at your detriment.
  10. NEVER say something you can't back up or prove immediately. Nothing says you're a person needing to be checked out better than saying things you can't back up or prove. People who are trying to vet you will require you to back up what you say for a reason. Be ready for this. A great example of this is demonstrated by people who claim to be connected to someone of stature in order to gain access. In this case, they're found out because the target asked the other party, who could not confirm this.
  11. Treat your real intentions and identity as that gold ring from Lord of the Rings. I'm not saying put your driver's license on a necklace so a troll who thinks it's his "precious" won't take it. First of all, that's too cool to happen in real life. Second, you'll look like an idiot. Finally, there are more practical ways of protecting your identity. For starters, never have anything that connects your identity to your operation. Next, if you have to use your real identity in connection with an operation, give yourself some ability to deny the connection. Lastly, NEVER trust your identity, intentions, or operations to anyone or anything other than yourself.
I've decided to include the more practical list from the "Notorious B.I.G." to drive home some of these principles:

TEN CRACK COMMANDMENTS
  1. Rule number uno, never let no one know
    How much, dough you hold, 'cause you know
    The cheddar breed jealousy 'specially
    If that man *** up, get your *** stuck up
  2. Number two, never let 'em know your next move
    Don't you know Bad Boys move in silence or violence
    Take it from your highness
    I done squeezed mad clips at these cats for they bricks and chips
  3. Number three, never trust nobody
    Your moms'll set that *** up, properly gassed up
    Hoodie to mask up, s***, for that fast buck
    She be layin' in the bushes to light that *** up
  4. Number four, know you heard this before
    Never get high on your own supply
  5. Number five, never sell no *** where you rest at
    I don't care if they want a ounce, tell 'em bounce
  6. Number six, that God*** credit, dig it
    You think a *** head payin' you back, *** forget it
  7. Seven, this rule is so underrated
    Keep your family and business completely separated
    Money and blood don't mix like two *** and no ***
    Find yourself in serious s***
  8. Number eight, never keep no weight on you
    Them cats that squeeze your *** can hold jobs too
  9. Number nine, shoulda been number one to me
    If you ain't gettin' bags stay the f*** from police
    If niggaz think you snitchin' ain't tryin' listen
    They be sittin' in your kitchen, waitin' to start hittin'
  10. Number ten, a strong word called consignment
    Strictly for live men, not for freshmen
    If you ain't got the clientele say hell no
    'Cause they gon' want they money rain, sleet, hail, snow
Don't forget the admonition from Notorious B.I.G. that should never be diminished:
Follow these rules, you'll have mad bread to break up
If not, twenty-four years, on the wake up
Slug hit your temple, watch your frame shake up
Caretaker did your makeup, when you pass

An information security professional known as "The Grugq" gave a very interesting talk on OPSEC. I think it is worth taking a glance at (try to contain all laughter and buffoonery at the preview image - we're running a family show here, folks):