Showing posts with label Security Management. Show all posts

Thursday, March 19, 2015

OPINION: How The Shooting In Sweden Teaches Us Trust Is A Must In Security


Last night, there was a shooting which occurred in one of Sweden's suburbs involving AK-47s and innocent people being shot with two or more being brutally murdered. Within the initial moments of the rest of the Western world being notified of this tragedy, a great many people on social media immediately began to speculate whether this was the work of Islamist terrorists, despite the police saying otherwise. The police spokesman, Ulla Brehm, is quoted as saying, "The shooting happened in an area of the city with a history of gang-related violence." The media has also quoted the spokesman as saying it was "too early to speculate on the motive but said there were indications that the shooting was gang-related....There is absolutely nothing that indicates terrorism."

As many of you know, I have experience in criminal investigations. While I won't touch on how I'd investigate this, what I would like to do is share some insight into these preliminary and often-wrong "guesstimates" and how they damage our credibility as security professionals.
  1. These "guesstimates" are usually wrong. VERY wrong and miss a lot of key facts in the weird calculus that creates them. A few people I spoke with, last night, said the attacks were the work of Islamist terrorists. What's strange about that is the police NEVER EVER provided the public with ANY suspect descriptions and NO known terrorist group nor the "operators" claimed ANY responsibility, yet many people seem to be very certain this is the work of jihadists. I surmise this is the result of a spate of terrorist attacks involving guns in Western countries and our natural inclination to see correlation and make connections that may not be there.

    Another key fact missing is the lack of burning vehicles described in independent or eyewitness accounts, despite several on social media claiming this was the case. Many even used this mythology to explain their hypothesis that this was the work of Islamists. Perhaps, you missed that; so I'll repeat it: THERE WAS NEVER A SINGLE CORROBORATED ACCOUNT OF BURNING VEHICLES BUT MANY AMERICANS REPORTED THERE WERE AND THIS POINTED TO ISLAMISTS. In fact, those burning cars happened weeks ago. I know that sounds like terrible analytical practice, at worst. That's because it is, at best.
  2. Contrary to what many believe, there's always more than meets the eye. I'm a serious fan of Transformers. If you didn't get the reference, there's not much I can do for you. Just kidding. No. Seriously, nothing. I digress.

    Many on social media either simply ignored potentially exculpatory evidence or were so eager for this to be the work of terrorists they missed a key component: growing and escalating gang violence in Sweden and throughout Western Europe. That's right, folks. Sweden has gangs and many are armed to the teeth. In fact, not too long ago, Swedish media reported a gang fired "machine guns" at a police station. There's a fallacy that "gun crime" akin to what we see in America only happens in America and that only certain "guns" are the weapons of known terrorist or guerrilla groups. However, a cursory examination of Swedish media shows the AK-47 is VERY prevalent in certain violent crimes.

    The British newspaper The Guardian reported, "There have been dozens of shootings involving criminal gangs in Gothenburg, many of them in the Biskopsgaarden area - a housing estate with a large immigrant population and high unemployment - in recent years, however fatalities are relatively rare.

    A man was shot dead in an apartment in the area in May last year and two others died in suspected gang-related shootings in late 2013.

    In January a man was shot in the leg close to the scene of Wednesday’s shooting."

    The video below shows such a "typical" crime with an AK-47 occurring in Sweden.



    There are some who will point out that many of these gangs are "Muslim youth gangs". What's striking is this ignores the existence of any corroborative and objective evidence which makes the case these gangs are "Islamic". Many are comprised of members who are young immigrants from predominately Muslim countries. However, until one of these gangs expresses some sort of jihadist ideology, they're just criminal gangs. Sweden has a burgeoning and rapidly expanding organized crime network not always on the radar of its Western neighbors. Many of these non-Muslim gangs have had quite a history of death and mayhem in their wake. Check out what the Hells Angels have been up to there:

    http://www.thelocal.se/20121028/44096

    And here:

    http://www.thelocal.se/20101008/29510

    Here's a list of other gangs:
    1. Albanian mafia
    2. Bandidos Motorcycle Club
    3. Black Cobra (gang)
    4. Brödraskapet
    5. Fucked For Life
    6. Hammerskins
    7. Hells Angels
    8. Naserligan
    9. Original Gangsters (gang)
    10. Outlaws Motorcycle Club
    11. Sala gang
    12. Serb mafia in Scandinavia
  3. Bad theories based on bad or missing facts diminish our credibility and the public's trust in our field. Many Americans don't "get" security and they rely on a variety of "trusted" sources to assist them in making decisions regarding security. Some of these sources are objective and reliable. Many are not. Social media is fraught with both kinds. Unfortunately, many, as we've discussed before, are biased and too eager to share faulty theories. How many times can we afford to make predictions and analyses that are blatantly wrong or follow bad analytical practices before our entire industry is treated in the same dangerous fashion as TV meteorologists who give dire storm warnings but are ignored? Like every storm, I find more and more people making security-related decisions based on the idea that anyone can "do" security.
I expressed no theories here regarding potential motives or suspects because I don't have all of the facts. This could be the work of Islamist terrorists. Sweden has had two terrorist plots foiled recently. Sweden is also currently at odds with Saudi Arabia and the UAE. They've also "outed" a number of Russian spies and have seen an increase in Russian "aggression" and posturing. That being said, at the end of the day, this was a murder that took place at 4 o'clock in the morning in Sweden. The cops have the advantage of having a look at evidence long before the public does. Perhaps, as academics and practitioners, we should keep our hypotheses regarding motive and suspects to ourselves, until we learn more. In an era of rapid-fire tweeting and hashtag punditry rife with inaccuracies, our industry and the public could use our silence and restraint at times like these.

Wednesday, March 18, 2015

OPINION: What Mrs. Clinton's Email Problems Can Teach Us About Security


Informal pose of Clinton, 2011
"Msc2011 dett-clinton 0298" by Harald Dettenborn. Licensed under CC BY 3.0 de via Wikimedia Commons.


Over the last two weeks, we’ve been inundated with emails and presidential candidates. I won’t spend a lot of time talking about Mrs. Clinton and what her emails may or may not contain. I could spend an entire series of blog posts on that topic. However, there are some very interesting insights this story gives us into how we perceive what security is, where we feel most secure, and whether any of that makes us more secure.

So let’s begin our discussion. NOTE: I’m no hacker or IT-guru. I’m a guy who blogs and who has a ton of opinions on this stuff. However, I’m also someone who has worked with senior-level persons and I understand how some of these components work. By no means are my opinions facts but merely points to consider.
  1. Security is about convenience over protection. Remember when I said “security is about peace of mind”? Mrs. Clinton decided it would be more “convenient” to send her emails (personal and professional) through a single server which she owned. Why? She reasoned, because her government-issued Blackberry could not hold more than one email account, it would be better to have a single account. Many users, especially government users, bypass existing security protocols and do and have done exactly this (except many don’t have servers at home). Does this make it right? No. The government has policies in place that state this is bad security practice and a violation of certain public records laws. Yet, ask any security professional how many times they’ve witnessed an end-user potentially compromise protective measures through circumvention out of convenience and you’ll note immediately how much their eyes roll.
  2. Just because a senior-level government official is discussing something doesn’t make it “classified information”. There’s been a massive amount of speculation on the kind of information any investigation would turn up on Mrs. Clinton’s servers. Like I said, I won’t attempt to go into that. However, let’s address why we perceive there would be classified information and whether that’s likely. Sure, being Secretary of State entails having access to some of our nation’s greatest secrets. The job requires it. Some of that information is considered “classified” and others not-so-much. When pieced together with other information or on its own, that material could be extremely sensitive. The very nature of the potential discussions Mrs. Clinton could have had over emails has created a great amount of concern – as it should.

    Senior leaders are given amenities like secure telephone and other communication lines in their homes and offices to facilitate these kinds of sensitive discussions with “cleared” persons. In fact, during ASIS 2014, I had the great honor and privilege to hear Colin Powell speak about his time as Secretary of State. General (Ret.) Powell recalled his final days in Mrs. Clinton’s old job and the day the Diplomatic Security Service agents assigned to him and the information technology staff left his residence while removing his secure lines from his home on his last remaining day. It should be noted Mrs. Clinton should have had the same amenities extended. As such, I’d be curious if the Internet service her server accessed did so via government-installed communication lines or privately-owned and installed lines. I digress. Given the nature of what could have been discussed, it should give security practitioners who advise senior leaders on protective measures pause.
  3. Government computers and services are NOT intrinsically more secure. These last two weeks, the deluge of speculation that Mrs. Clinton’s email traffic would have been more secure had it gone through government servers has been extreme. Seriously, have we forgotten about a number of breaches on government email and sites in the past few years? We’ve caught hackers breaking into NASA, NSA, the State Department, and the Pentagon computers. Where most of this confusion comes from is not quite understanding what having your emails on a government server entails versus what a private (or as widely-and-annoyingly termed this week “homebrew”) server does. People hear “government server” and they immediately conjure up an image of a secure server with loads of encryption which would require a team of seasoned hackers to compromise. In fact, while watching a cartoon the other day with my son, a character brags “I hacked NORAD when I was six”. Hacking into these systems should be a big deal because they are. However, they are not invincible to the same kinds of human security failures and poor security mindset when they’re designed and implemented as their commercial partners.

    Your government email service can easily be hacked in the same way your private email can. Lose your credentials to log into a government computer without noticing and use a password or PIN that is easily guessed. Sadly, that happens more times than many outside of government service would ever be willing to admit. A government server does bring one thing a private server does not always – the full extent of your government agency’s information technology team, most of whom are the best and brightest at what they do and who defeat a variety of threats constantly. In other words, when a breach occurs, this team can respond immediately and use the weight of the government to mitigate the breach. Mrs. Clinton knew this, yet felt she and her staff could do better. Given what little we know of what could have been breached or whether a breach even occurred, this could have been true. That being said, it doesn’t make any of her decisions right.
  4. The extent of how much protection to provide sensitive information disclosure is not up to the user but those who have the designated expertise within the organization. Mrs. Clinton, while acting as Secretary of State, had every right to make her own determinations regarding how her agency would protect sensitive information to some extent. That did not provide her with any right to decide, without consultation or coordination with her information security staff at the State Department, to forgo policies she enforced on her subordinates. It is highly doubtful Mrs. Clinton would have absolved a junior-level employee who would have been caught in a sensitive information breach from their personal email account. No, we all know she would have directed her staff to punish them. However, the implied arrogance to believe you can enforce one security policy meant to mitigate vulnerabilities and lessen risk while ignoring your own failure in abiding by those very decrees, is striking, to be honest.
  5. Politics obscures our ability to ascertain the more important security issues in crises like these. Mrs. Clinton’s enemies are clamoring to be the first one to hand her an indictment or hold her letter detailing her retirement from politics. While that is unlikely, it seems to be a centerpiece in most political discussions regarding the emails. Most of this is centered around the potential for classified information being on the servers. Again, this is unlikely, given we still have zero clue about what’s on the server.

    What have not been discussed are the very relevant questions pertaining to total protection and mitigation. No one has addressed to any significant degree whether Mrs. Clinton is the only Cabinet member to have done this (she isn’t) and whether she received advice from her designated State Department IT staff (I’m betting she didn’t and relied on her political staff’s IT department who are not government employees). I’d also be curious whether the Secret Service devotes any time to protecting their protectees online as well (doubtful and perhaps an area to pursue). How many people had access to her server? At what level were they cleared? This is important because in order to read unclassified emails which contain “For Official Use Only” you need to be a “cleared” employee. Very few people are asking these questions but should.

Does any of this make us safer now that we know? In some ways? Yes. In others? No. Mrs. Clinton’s email crisis occurred for a variety of reasons. Many of those were aggravated because she is a political entity at her core. She may have felt as though, having a server she owned, she was more “secure” from some threats of the political variety. While it is always good to protect yourself from threats, one should not forget the more likely and persistent threats which are present because of the job you hold. She lost sight of that and ultimately forwent some very sound security practices. Then again, she may have well had a number of mitigation measures in-place. Unfortunately, we may never know what they were and thus remain a bit unsure of our protection.

Thursday, January 15, 2015

Insight: How The Day I Almost Shot Someone Is Shaping Me As A Security Practitioner

Trucks go through the Mobile Vehicle and Cargo Inspection System at Camp Navistar, Kuwait. (Source: US Army)

What I’m about to write is something I share no glory writing. In fact, what I’m about to tell you is something few people have heard me tell and no one until now understands why it’s such an important experience in my life.

Let me begin by going over briefly my military background up until this experience. I joined the Air Force in 2000 and enlisted in a category known as “open general”. I qualified for any job I wanted but I only desired to be a fireman. Unfortunately, I wasn’t picked for that assignment. I was selected for a career-field in the Air Force known as Security Forces (SF). Basically, I was the classic military policeman in my early years – I checked IDs at the gate, responded to various law enforcement calls for service, emergency response, base security, etc. In 2002, I was deployed to Kuwait for the first time. It was an interesting and perilous time to be there. We’d been deployed to provide air base defense, in case the Iraqis wanted to start the war before we did. Essentially, I protected planes, pilots, and maintainers so our aircraft could kill Saddam and his men. Pretty cool, huh? Not really. It was boring with some excitement in between. However, my second deployment was somewhat more perilous not because of Saddam but from insurgents in Iraq and is the setting of the experience I want to talk about.

In most cases, when I deployed in SF, I and the folks I was with were euphemistically called “REMFs”. Pardon the crassness of the translation – rear echelon moth-*insert bad words*. In other words, while everyone else fought the war in Iraq, my unit was in the relative safety of the “rear”. We were trained to expect bad guys at every turn but the sad reality is very few times did the bad guys show up to engage us.

On this second deployment, our mission was somewhat ambiguous. We’d deployed to support air base defense missions for Operation Iraqi Freedom in whatever way the Air Force saw fit. If you know military deployments, you know what that means – no one knew what to do with us and so we were ripe to be abused and we were. One assignment we were given was to inspect vehicles coming into and out of Kuwait and Iraq on the Kuwaiti side of the border.

One fateful day, my lieutenant grabbed a group of us and ordered us to help a returning Army convoy get through a Kuwaiti roadway. We were each placed at various intersections, mostly by ourselves. Yeah. I know. Translation: we were armed crossing guards for big trucks coming home after being blown up. The job sucked as much as it sounds. As I stood in the middle of a Kuwaiti road contemplating what I had done to deserve this ungodly punishment, an Army officer came to my position and shouted “Make sure NO ONE comes through this area. NO ONE! Have you done this before?” I answered “Not quite.” I was lying. I had never stood in the middle of a road in another country to protect a bunch of trucks from getting T-boned by vehicles they could have run over and not have noticed. He shouted back, “Look, if you see a car, start putting your hand in the air and shouting for them to stop. By the way, hold your fingers pursed together and shout (insert Arabic word for “stop”).” Sounds like a plan. I do what he says and the cars will stop. Yeah. Not quite.

An hour passed and no vehicles. As soon as I grabbed my radio to check on the status of the convoy, I saw it – a vehicle I’ll never forget for as long as I live. It was a brown Mercedes S-class sedan. It was a few hundred feet away. I immediately put my hands in the air and demanded the vehicle stop. I shout and it keeps coming. I do the thing the officer told me and still it won’t stop. The distance closes by the second. Time seems to be creeping slower as nervousness sets in. What do I do if he won’t stop? The other guys are God-knows-where and my battery is about dead. Every cop in the world has been trained to recognize the car as a lethal weapon when it’s coming at you with no apparent attempt to stop. At some point, I realize the M-4 I’m carrying needs to come up and be pointed towards the vehicle. Remember, this takes seconds. I pull the charging handle and let the round chamber to make the weapon ready to fire. I scream, “Stop! STOP! STOP!” The vehicle stops five feet from me. I’m huffing and puffing. I hear the ebb of trucks – the convoy has just gone past. The tunnel vision I had at the onset left and there I was eyeball-to-eyeball with the vehicle and its occupants – a family. I don’t know if it was language, culture, or poor vision but for whatever reason I hesitated and saved a family’s life and the convoy, in some weird way.

Here’s where it gets awkward. Over the years since then, few days go by where I don’t think about that family. I can see the husband, his wife, and children. I can see the frightened looks of the children. I remember the kafiyeh the husband wore and the piercing glance his wife gave him from her hijab as he suddenly stopped. I can hear the tires squeal. I remember the aroma of the diesel trucks as they passed me by. Most importantly, I remember my hesitation. I could have killed them. Why did I hesitate? When it matters, will I hesitate or react? Am I the warrior I always envisioned I’d be? Some days, these things are easier to answer than others.
Since that incident, several years later, I went on another deployment as a REMF and served two tours in Korea. I also worked as an armed community based security patrol officer in some of Tampa’s worst housing areas. Each job I’ve had since that day, I’ve encountered situations where that day was in the back of my mind. Admittedly, I’ve never had to raise my weapon in anger since then.
So here’s what I’ve learned since then and how I think my experience can help others in security:
  1. No matter the gig, you should ALWAYS expect the bad guy to show up. It never fails. You’re told the job is easy. The threat is nonexistent. You feel safe. Then, BAM! The bad guy shows up. What do you do? Do you hesitate to respond? It’s not an easy question to answer but one you need to ask yourself daily. Don’t worry. You know the answer. We all do.
  2. Have confidence in your ability to defeat the bad guy. During this deployment, many of us had derided the training we’d received to prepare for this deployment. None of us felt like we could do much against the bad guys with the training being as ambiguous as the training and the rules of engagement being equally confusing. Believe it or not, the psychology behind self-induced confusion and “fog of war” diminishes a great deal of confidence. Whatever you do to get ready for these situations, make sure it’s not only effective at mitigation through mechanics but gives you the confidence needed to make difficult decisions in a variety of scenarios.
  3. Just because you don’t fire a gun in combat doesn’t mean there aren’t decisions you won’t wrestle with. Seriously, I didn’t kill anyone but the idea that I could have killed an “innocent” has followed me throughout my life. It doesn’t make me some sort of “seasoned vet” or anything. However, the questions I asked immediately afterwards, still remain.
  4. There’s nothing wrong with hesitating when you can. Had I not waited, I could have killed that family or at the very least, created a major issue for everyone. Remember, Kuwait was an ally. I’d be lying if I told you I was thinking of the alliance. Sometimes, in security, we respond to situations not based on what we see or hear but what our rules of engagement allow us to get away with in the situation. I could have done far more damage, had I dealt with this differently. Don’t take too long to make up your mind but make sure you’re decisive and situationally aware.
I admit I could have done a lot of things differently that day. I could have insisted on better ROEs. I could have asked for another person to be with me. I could have made up my mind earlier what my “red line” was going to be. None of this would have meant I would have shot anyone but I can’t help but think I should have reacted sooner and more decisively. But you know what? The simple truth is – I did everything right.

Monday, January 5, 2015

OPINION: The Impact of Bias & Politics In Security



Originally, I wanted to make this an “open letter” to my fellow Americans about the current state of security. I was going to lecture us for engaging in pointless arguments and conjecture regarding where to place the blame for our security failings and who deserved credit for our success. However, this will not be an “open letter”, though I will address these issues in this post. That’s right. I’m probably going to offend a few of you. Stick around because you’ll soon discover I’ll offend someone you don’t like. So let’s begin.

There seems to be an incessant desire to inject our personal political beliefs into how we view security. This used to occur only in the domain of national security. Here it was more acceptable, expected, and understandable than in others. In 2014, we saw a dramatic shift in this paradigm. The injection of politics has occurred throughout the spectra of security. Hacks on corporations have occurred in the name of political differences and responsibility assigned (accurately or inaccurately) based on them as well. Even areas thought immune to politics such as personnel security saw this as well. Discourse diluted to regurgitation of talking points. Experts emerged with little to no relevant experience or extensive security knowledge but gained popularity because of which side they seemed to agree with. Accusations were cast as fact with little to corroborate them other than innuendo and insinuation from less-than-objective sources.

Today, the discussions of security have become little more than massive pep rallies and virtual lynch mobs. As professionals and practitioners, we rely on credible and objective evidence-based analysis to make informed decisions for our clients. Yet, the current discourse has been infected with vitriol and far-from-honest portrayals. In order to correct our course, we must examine what is occurring and how we can change.
  1. What happened to having conversations? This is a question I find myself posing quite a bit on social media these days. The dialogues people are having with one another about things in security have been destructive, short on content, and full of conjecture. Twitter is the perfect place to watch this devolution. People shout and angrily dismiss opinions they don’t agree with, in an effort to assert expertise rather than collaborative learning. I don’t pretend to have all of the answers and so I use Twitter and other mediums as a means of learning more. Yet, so many people don’t want to learn. They’d rather spend their time proving you wrong rather than hearing your perspective. In certain cases, I get this. Some ideas are flatly wrong or just an attempt to “troll”. Therein lies our greatest weapon in bringing back sound intellectual discourse – choice. We can always choose to ignore opinions that are not in the interests of learning and sharing knowledge. Yet, we don’t but we need to.
  2. We seem to like to state our bias but pretend as though it doesn’t matter. Facts are facts but our bias has a great deal of influence on our analysis of those facts. The worst offense we make is allowing our bias to form our opinions. On social media, I have seen a great many profiles with biographies full of stated or implied bias. Not surprisingly, I find many of these accounts and their timelines to be absent of manipulated or inaccurate facts and vitriolic opinions. When challenged, these accounts retort how much they don’t care that influences them, how the “other side” does it too, and how the challenger’s facts are wrong or formed from the “mainstream media”. Miraculously, these accounts don’t see how this very analysis is influenced by theirs. We all have a bias. We can’t escape it nor should we. That being said, it is incumbent upon us to realize our bias and understand how it influences our analysis and our subsequent opinions. For example, if you don’t know anyone who owns a firearm and never touched a gun before but hold very anti-gun opinions after a friend was shot, it may be prudent to understand how your lack of exposure and the tragic event of losing a friend could have an impact on your opinions about guns. This doesn’t mean you’re wrong but it certainly pays dividends to understand.
  3. The labels we give people have a tremendous impact on the level of discourse and engagement we seek to have. Come on. Let’s not pretend we don’t know what RWNJ (right wing nutjob), Libtard, Democraps, SJW (social justice warrior), gun nut, thug, un-patriotic, Obummer, and others mean. These are the “nice” labels. Have you ever had someone call you “stupid” after you articulate a point and thought you were going to be taken seriously? Have you ever called someone “stupid” after they made their initial point and expected them to take your argument seriously? No. That’s not how constructive discourse works. We use these labels in order to dismiss people’s arguments because we either fear taking them seriously or we don’t want to listen to them. In some cases, I get this. I do. I get trolled at times and I find it easy (though I resist) to troll back.

    If we’re truly interested in having meaningful discussions and want people to take us and our ideas seriously, perhaps we should drop the labels. Our forefathers often engaged in heated debates with one another about various topics. However, they recognized their greatest vulnerability rested in their greatest weapon – their ability to compromise. Consensus and commitment can’t occur when you’re busy tearing people (instead of their bad arguments) down. By tearing down our neighbors, our enemies find new allies to defeat us. If there is one lesson we’ve learned this year, it’s that the insider can have the greatest impact.
  4. Stop using tragedy to assert your political commentary. There are few things that rub me wrong more than this. I have been on Twitter for little over three years and in that time, I have witnessed countless tragedies as they were happening. With each crisis, there are new experts vying for their voice to be heard among the ever-growing field. During the initial days of the Ferguson riots, I was called upon to give my opinions. It was an experience I will never forget and it gave me valuable insight into how politics with its own agenda shapes much of the dialogue in security. Good or bad, there are a host of issues which impact security and law enforcement which wouldn’t drive as much discussion if it were not for politics.

    That being said, I find a great many “experts” use social media and the settings of tragic events as platforms to inject their personal political allegiance and ambitions into their “objective” analysis of security issues. Nowhere has this been more apparent and to our detriment than in the recent spate of officer-involved-shootings. There are a host of instances where “experts” have used incomplete, manufactured, outdated, or demonstrative data from corollary events in an effort to support their biased and politically-based opinions. Nowhere but in our current media paradigm do we see and accept this so blindly.
  5. In a world where events don’t matter unless they “go viral” or cause our clients embarrassment, it is strange how we ignore the impact this has on both how information is given and received and why. Even stranger is how we ignore how that happens. Today, you can’t visit a news story and not see a button to like or share the content with others. News organizations no longer make their money off of consumers but advertisers. Ads are custom-delivered to us based on our reactions to various news articles. Many times, we don’t see a story unless it’s “trending”. So if we’re only seeing things based on our reactions to them and it’s solely crafted in its current form to create an emotional response, then why ignore the influence this has on our discussions about these stories?
Perhaps, when we care more about how we receive and present information, we’ll make more informed decisions regarding the issues surrounding our industry. We may even see a high return in a public that takes us more seriously and understands the mental acuity required to understand the threat, our risks, and vulnerabilities. When we get back to having meaningful and constructive discourse founded on information meant to inform and not persuade, we’ll do more than prattle about who should be our political party of choice.

Saturday, November 29, 2014

The GateShack - Episode 04 - Ferguson - Lessons Learned



Show Notes:
First, I’d like to extend an apology for the previous episode’s audio issues. I was attempting something new while preparing the podcast and it backfired on me. For that, I apologize and I appear to have the sound sorted out.
During today’s podcast, I wanted to continue our discussion on Ferguson with some of the lessons we’ve learned since August. I focus a lot on some of the mistakes made by Ferguson PD during the early days of the protests. Some of those mistakes are still being made and they offer insight into how we, as security and law enforcement officers, can do better when responding to civil disturbances. Feel free to leave a comment on Twitter using the hashtag #FergusonLessons or leaving a comment below.

Tuesday, November 25, 2014

Riots: The Physical Security Considerations


LONDON, ENGLAND – AUGUST 08: A rioter throws a rock at riot police in Clarence Road in Hackney on August 8, 2011 in London, England. (Photo by Dan Istitene/Getty Images)

Last night, riots erupted all over Ferguson, MO after the grand jury announced they would be declining to indict Darren Wilson, the police officer who shot and killed Michael Brown. This post is NOT about that decision or the investigation itself. My opinions on that will remain out of the public sphere. However, I would like to discuss the unique physical security considerations mass protests and riots present for security practitioners. I’d like to discuss what those challenges are and how we can counter the physical attacks against assets during these events.
  1. Protests are extremely dynamic and what looks peaceful now could be a full-blown riot five minutes from now. People assume they can do a lot of things they simply can’t. Predicting the actions of hundreds of people and whether they view your assets as a legitimate target is one of them. This is almost impossible to do. So don’t. Just err on the side of caution and assume your assets are.
    Social media and the news can lull practitioners into believing the intelligence they’re receiving about the threat is accurate. In many cases, it can be. However, you should never rely on anyone other than yourself to determine how a crowd will behave and view your assets.
  2. Agitators carry an assortment of tools to target your assets. Just because you’re seeing rocks and water bottles being thrown now does not mean you’ll only see that as a weapon against your assets. They may use chainsaws, bats, pipes, bricks, Molotov cocktails, guns, etc. against you and your assets. Consider the full gamut of tools they will have access to, and factor in the time they have had to pre-stage gear and their experience. Make sure your preparations are comparable for probable threats.
  3. The people protesting aren’t always your biggest threats – they can also be your savior. In many cases, as we saw in August and last night, bystanders and peaceful protesters stood up to defend local businesses in Ferguson. Most of those storefronts were businesses who had made in-roads with protesters beforehand. Also, the peaceful protesters realized their protest was being hijacked by anarchists and thus, losing the narrative. Because of this, many protesters actively protected storefronts. You should make every effort to reach out to protesters beforehand. In some cases, I would consider offering a reward for any protester seen defending your assets.
  4. Some storefronts are targeted not because of who they are but for what they have inside. Last night, I advised any pawnshop owner to remove all weapons from their locations. Why? Because most physical security measures used to defeat thieves are usually meant for one or two persons attempting the threat and assume reliable police response. As last night proved, the police will be too busy with other responses to ensure adequate protection to those stores. If you can’t move the guns, then remove their firing pins and ammunition immediately. If you have some clue that rioting could occur, you owe it to yourself and the community you service to at least remove the weapons or firing pins until you know for sure the threat is gone.
  5. Consider how we’re trained as professionals to protect assets in your riot contingency. We detect, deter, delay, and if necessary, stop the threat. Do the measures you’re implementing do that? Can they do that with a crowd amassing at your facility? If not, can you afford the risk of failure?
Here are some measures you should think about implementing, in my opinion:
  • Remove any weapons or explosive materials from stores.
  • Shut down gas station pumps.
  • Consider constructing steel shutters or a roll cage around your storefront. The shutters and roll cage should be secured with a heavy-duty lock with a buried shackle to prevent cutting it or using a shim to pick it.
  • Install heavy-duty glass or board windows from the inside and outside.
  • Remove cars from parking lots to other secure areas. If this is not possible, consider erecting a larger fence where the top is bent facing towards the adversary. This configuration is used in prisons to prevent scaling which is difficult to do for most people. A ladder is required in most cases. Also, remove those assets closest to the fence.
  • Conduct counter-surveillance daily before the protest is said to occur. Be on the lookout for any suspicious behavior. Have you noticed new people around your stores you haven’t seen before? How much loitering occurs and is any of it out of the ordinary? Are people asking strange questions about when you typically shut down for the day or when do you “really lock the doors”? Have your loss prevention guys noticed any increased observance of camera locations?
  • Barriers. Use them. I can’t say this enough. When I was a young Airman, barriers were a part of my everyday life. We used them a lot for increased threat mitigation, civil disturbance, crowd control, and even presidential visits. My preference is for the plastic jersey barriers to be filled with water or sand. Water should be used in winter because it’s more likely to freeze than leak, unlike in summer where it tends to do so a lot. Jersey barriers, when not filled, are highly mobile and allow the practitioner flexibility in how, when, and where they can be deployed. In many cases, a pick-up and a few able-bodied people are all you need to move them, where concrete and sandbags require forklifts and more bodies.
  • Fences. Put them up. You should make every effort to ensure protesters will have to struggle to get to your assets. The cheapest and best way to do that is through proper fencing. You should install a fence typically around 10 to 15 feet and weigh whether or not your insurance can handle barbed wire. Another consideration, if you’re using barbed wire, is aesthetics. Can you do business with the barbed wire on the fence? Some customers respond differently to that.
  • Consider guards if you have no other choice. Seriously, don’t hire guards if you don’t need to. Security officers are great at what they do. If the target of the protests is law enforcement, who do you think the rioters will look at as a potential target? Those stores with guards in uniform. Not saying you shouldn’t use guards but understand their risk and that they don’t always lower your threat profile.
  • Don’t get political. Seriously, if you have a Twitter profile for your store and you’re talking about how you hate the protesters all the time, you’re making yourself a larger target. That’s what we call “begging for a fight”. Stop. Instead, talk about how many people in the community you employ, how long you’ve been there, and how the damage impacts you and other businesses. Stay away from any discussions about what is being protested.
My list here is not all-inclusive. I am sure there are other ideas. Please, submit your ideas below so we can continue the discussion.

Monday, November 24, 2014

The GateShack - Episode 02 - The Myths of Security




During today’s episode, I cover the major myths about security and the ramifications for ignoring them. We’ll also explore Mubin Shaikh’s book, Undercover Jihadi: Inside the Toronto 18 – Al Qaeda Inspired, Homegrown, Terrorism in the West and close with an interview I conducted with Phil Harris, Founder/CEO of Geofeedia. To continue the discussion, be sure to leave a comment below or use the hashtag #securitymyths on Twitter.

Show Notes:
Mubin Shaikh’s book - Undercover Jihadi: Inside the Toronto 18 – Al Qaeda Inspired, Homegrown, Terrorism in the West available at Amazon.

For more information on Geofeedia, visit http://www.geofeedia.com

Monday, November 3, 2014

VIDEO: Elevator Hacking: From the Pit to the Penthouse by DeviantOllam





From the video’s description:
Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don’t do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it’s easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work… allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!
While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he’s not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode.

Thursday, October 23, 2014

OPINION: What The Ottawa Shootings Can Teach Us About Social Media As a News Source



I have been on social media for a LONG time. In the time that I have been online, I have taken part in real-time discussions and analysis for a variety of events in the security “lane”. I’ve talked about an assortment of events ranging from Dorner to the Ottawa shooting. Each time, I’m astounded by how fast the events that transpire are posted in almost-real-time. The advent of the Internet and the smart phone has made all bystanders on-scene correspondents and social media users like myself the most sought-after “experts”. I argue, therein lies social media’s greatest drawback during these events.
  1. We get stuff wrong a lot. Yesterday’s shooting highlights some of my frustrations with social media as a news source. On more than one occasion, various sources posted certain information as vetted “facts”. Most of those reports were false and depicted a scene far more chaotic than the one that was occurring. Why? For a lot of reasons – some of which I don’t have enough space in this forum to adequately articulate. Chief among them – confirmation bias. Many of us were simply re-posting information that solely confirmed what we either wanted the scene to be or the headline struck an emotional chord. Worse than that is another reason not related to confirmation bias but perception bias – some people re-posted information because it supported a prejudice or a political ideology.
  2. We ignored the danger of “first reports”. I have but one cardinal rule with social media as a news source: ALWAYS remember “first reports” are wrong. Seriously, the first eyewitness accounts from a major incident will almost surely be wrong. Why? Because eyewitnesses suck. No two people in an attack ever see the same thing and their perceptions will also be markedly different. The folks at the Innocence Project do “yeoman’s work” on this very issue for their clients. I HIGHLY suggest we all read up on their work to understand why we shouldn’t always trust unconfirmed eyewitness reports.
  3. We created confusion in order to stay relevant. That sounds harsh and mean. Hear me out. With some of us having “followers”, during an event like Ottawa or Dorner or Boston, it is very tempting to believe we either need to share information which has already been posted several times over or comment on that information before it can be vetted in order to appear on top of things. Instead, we should wait until the information can be verified and is still relevant to events happening in the present. These events can be confusing and there is no need to add to the chaos and potentially colour the situation in a way that is not accurate. Our time to pontificate on the events can come later.
  4. We confuse hazardous behavior with context. I get it. The bullets are flying and you want the entire world to know. I get it. Your shot could be the one that depicts the essence of the event. I want you to get that shot. I also want you to be safe and not to place first responders in jeopardy. STOP POSTING LOCATIONS OF YOURSELF AND OFFICERS RELATIVE TO THE SHOOTER AND WHAT YOU’RE HEARING VIA POLICE SCANNERS. Guys, I was a 911 dispatcher many moons ago and I’ve worked in security and law enforcement for over a decade. If there’s one thing I know from my career, law enforcement operations can be extremely difficult for even seasoned pros to decipher and scanners are not always a good place to get an accurate account of what’s happening. A cop responding to a shooting is just a cop responding to a scene. If he hasn’t verified a shooting took place, a shooting hasn’t taken place.
  5. We assumed shooter counts and body counts were accurate. There are few things that can either mellow people out or cause even more chaos on social media than body and shooter counts. During the Ottawa shooting, the number of shooters originally accounted for by social media was up to FIVE with a couple of shooters on roofs. That depicts a much different scene than the one we later found to be true of one shooter who was shot and killed inside a building. Keep in mind, law enforcement would initially confirm only one shooter, yet somehow there were five. How did that happen? It happened for all of the reasons I’ve talked about in this post and one that is far more dangerous.
  6. We believed people with “sources close to law enforcement”. Nothing makes me cringe more than hearing “The police confirmed XYZ” from a person on social media only to learn the source cited as “the police” was cited by the media as a “source close to law enforcement”. What does this mean if not “the police”? It simply means two things – either the source is a cop who is giving out information to the press without authorization or it’s someone the media knows is not a cop and your knowledge of that truth could diminish how you view the accuracy of the source. A perfect example of the latter is a cop’s wife or an intern at the police department. They both have access to insider information but neither of them is actually investigating anything. There is also another reality – the “source” could also be made up. No matter how bad the sourcing could be, I grow disheartened more and more as we accept this as a set of reliable information to base opinions and reactions on.
So what can we do? What advice do I have? I’d been thinking about this all day, when I discovered the tweet below. My suggestion, as I added below, is to – “read and heed”.




Thursday, October 9, 2014

LIST: A Few Good “Official” Ebola Resources


As an ongoing effort to disseminate objective information to my readers, regarding Ebola, I’ve decided to put together a list of sources I consider minimally unbiased who have the data to give security practitioners an idea of how the outbreak is progressing. NOTE: I REALIZE THIS LIST IS NOT ALL-INCLUSIVE. THESE ARE MERELY SOURCES I THINK ARE IN THE BEST POSITION TO DELIVER OBJECTIVE DATA AND ALLOW FOR SECURITY PRACTITIONERS TO MAKE THEIR OWN ANALYSIS.

Wednesday, October 8, 2014

REPORT: Police Under Attack – The Police Foundation Review of the Christopher Dorner Incident

When I mention the name, Christopher Dorner, among my friends in law enforcement, the mood changes dramatically. I know I will never forget the day he attacked his fellow officers and their families. I have spoken at great length here about Dorner, so I won’t waste more of your time talking about him. However, I did find the following report published by The Police Foundation. If that name sounds familiar, it should. These were the folks behind the Kansas City Police Patrol Experiment. Recently, they published this report detailing a lot of what happened during Dorner’s attacks. For civilians, it’s an after-action report of sorts. I HIGHLY recommend reading it.


Tuesday, October 7, 2014

OPINION: The Fine Art of Failing vs Mitigating in Security




Last week, I wrote a post regarding “security myths”. In that post, I was hesitant to be overly critical of the United States Secret Service’s response to recent intrusions. In the days following my article, there have been very illuminating leaks regarding exactly what happened that day. One revelation was the intruder actually made his way inside the White House. Before the leaks, I stated that, whatever the After Action Reports revealed, the entire incident was not a mission failure. I stand by that conclusion for a few of the reasons outlined below:




1. Mitigation is the goal of any security program. The idea that we, in security, prevent bad things from happening is a huge myth. You can lock your doors and windows to thwart bad guys but the only people who make the final determination whether the bad guys continue are the bad guys. We mistakenly believe security is a physical entity we can see, when in fact, it is a psychological construct designed to enable us to move on from our fears to do other important things vital to survival. What we seek is protection which is only achieved by mitigation. Mitigation is what we do to reduce the potential harm inflicted on us if the adversary should show up. So the lock does not prevent crimes but its presence gives us some sense of security, while it also mitigates potential threats that may come via the doors.

Prevention is perhaps the one thing we don’t control but assume we should. In the case of the Secret Service, yes, there were lapses in security. Uniformed personnel were obviously not able to sufficiently cover the grounds of the White House. They could have done more to secure the doors and should have posted someone able to engage a threat coming for the North Portico doors. Someone at Secret Service did on multiple occasions succumb to allowing convenience to overrule the imperatives of adequate mitigation. The White House staff and the United States Secret Service did fall for the psychological trap of security, instead of following a plan that guaranteed mitigation.

Feeling safe is not the same as being safe. That being said, various mitigation tools did work like the successful evacuation of the press and staff who were in danger. Also, an off-duty agent was successful in aiding in the apprehension of the subject. It’s important to note the Secret Service’s mission is to protect the President and Vice President as well as all principals designated by law. In short, with no loss of life, this mission was accomplished solely because other mitigation tools had a chance to do what they were designed to do. It was a mess and it certainly does not reflect well on the Secret Service.

2. Prevention as a security goal and task is unrealistic. An old adage I remember from my days in the Air Force is “the enemy gets a vote”. No matter how good your plan is or how great your mitigation tools and techniques are, nothing you do will prevent the enemy from doing anything except killing him. Detention is, at best, only guaranteed to delay their actions. In fact, the only reason I believe the saying “Only you can prevent forest fires” is because I always thought Smokey the Bear was talking to potential perpetrators of forest fires and not victims. So why do we insist on believing prevention is realistic, if we’re solely addressing victims? What most people want are more effective mitigation tools but assume the semantics mean the same when they don’t.

3. Every security organization is bound by the use of force continuum. Some argue the Secret Service should have killed the subject immediately. Many of these people ignore Graham v. Connor which dictates the level of force an officer can use against any subject. That standard is called the “objective reasonableness standard”. This comes from the idea an officer can use whatever force is necessary to stop any threat as long as that force is comparable to what a reasonable officer would deploy in similar circumstances. Would a reasonable officer shoot a potentially unarmed man just because he committed a trespass violation? Imagine the precedent we could set by implying under certain circumstances it is reasonable to kill someone for seemingly minor offenses. Does a simple trespass have the potential to be more at the White House? Oh, for sure. Until a person displays a lethal “intent, opportunity, and capability” against another, we are bound to use the force a reasonable officer would to stop the threat. Otherwise, we stand the chance of the White House becoming a favorite spot for those looking to die via “suicide by cop” or placing the White House and its security at the center of a potential tragedy. If these statements make you upset, then I implore you to read what I said again. I never said deadly force was not authorized. It is. Deadly force can be used as soon as the threat meets those three criteria I established prior.

4. Like it or not, the White House is a tourist attraction and that complicates things greatly. Did you know the White House receives millions of visitors annually? This accounts for those who merely gaze through the fence and those who come to take a tour. In partnership with the Park Service, the United States Secret Service is tasked with protecting the White House in spite of the enormous opportunity various threats have to carry out an attack either against the throng of tourists or the President. In most executive protection assignments, the principal’s address is a matter of neither public record nor access. The Secret Service is in the unenviable position of protecting the President in a vastly different environment. Measures we’d like to see taken in one regard (i.e. fortifications) which help mitigate the visibility of the grounds and the principals are often not what the public envisions when they come to see their “house”.

5. In some executive protection circles, if not most, there is a delicate balance between protection and convenience. Most people who have never worked an executive protection detail don’t get how often the people protecting dignitaries are overridden when it comes to matters of convenience. I have known many personal protection officers who have complained they have been told to “stay with the car” when a VIP goes some place where his protection detail has no visibility.

With the White House incident, we learned a key mitigation tool was rendered ineffective because the White House Usher’s Office decided the intrusion notification system was too loud and needed to be turned off. In a world where one sees protection and is lulled into feeling “safe”, this is an easy mistake to make. It never costs you in the short-term. It won’t hurt today but you can bet when the adversary shows up, you’ll wish you had that mitigation tool in place. Is this a fault of the Secret Service? Sure, in some ways. They could have pressed the issue and said “no”. They, not the Usher, are legally mandated to protect the President. If that tool aids them in doing so, then the tool stays. Period. Is there a culture in Secret Service that enables this? I don’t know. What I can tell you is there is a culture in DC and the White House that does. Hopefully, the hearings which are going on will further highlight the need to silence the parts of that culture that negate sound protection practices.

6. Finally, stuff just happens. During my 14 years in this industry, I spent 10 in the service of the United States Air Force in military law enforcement and security. My first few years were spent as a young Airman performing what is commonly termed as “gate guard” duties. I stood at the main gate of our installation controlling entry and exit. I was also responsible for issuing countless visitor passes. I was really good at my job. So good that I was winning awards and accolades above my peers. However, on one fateful day, I encountered something no one expected.

A female Technical Sergeant and her male guest came to the visitors’ center looking to get a visitor pass. All that was required at the time was a military ID card from her and a government issued ID from him. I checked his ID which was a passport and noted all of the details had matched. Our conversation was good and I detected nothing extremely peculiar. Actually, I did note something but I was stationed in Idaho so it was not a big deal at the time. Her guest asked if he could bring his personal weapon on the base. I told him he could not and asked if he had the weapon. He replied he hadn’t and she reassured me he hadn’t one. The question seemed one of mere curiosity in an attempt to make “small talk”. I had done everything I could do at that moment.

It was not until two days later that I was approached by our investigators and several federal agents informing me several tactical vehicles were coming to apprehend him for being a fugitive – he had killed several people and almost killed a police officer. I was crushed. How could this happen? Should I have asked more questions? Would they blame me?

Years later, still torn by this, I asked a mentor who informed me I had done nothing wrong and in fact did everything right. Despite my best efforts, the adversary won. This is an unfortunate but inherent ingredient of protection. No matter what you do, the enemy will still do what he does and it is your job to prepare for that and win.

Monday, September 22, 2014

OPINION: Top Eleven Myths Supporting Security Critiques



Well, this seems to be the season for "major" security breaches. There never seems to be a week in the last few months when some retailer or government entity isn't revealing how it's been penetrated. Along with those revelations comes the torrent of critics who ask "How could this happen?" and proclaim "This is the worst thing ever!....Incompetence!....This is epic!" Please, note the heavy amount of snark and sarcasm there. As one of a few people who sort of gets security, I often find myself getting increasingly frustrated about the growing number of amateur critics who have in some way implied "expertise" on a topic few professionals in the industry actually get. So in an effort to educate everyone and to vent (okay, mostly to vent), I've decided to do a piece on the myths surrounding security. Bear with me. If it feels like I've kicked you in your stomach, good - that's why I'm doing it.
  1. Physical security is easy. Sigh. This is the most upsetting and doggone frustrating statement a security professional could hear. Contrary to popular belief, security is not easy. It's pretty hard, actually. There's a lot more that goes into security than just bag searches, menacing guards, cameras, and alarms. It encompasses multiple disciplines which contribute to the security mission. They range from information security to operations security to risk management to executive protection to physical security to personnel security to personal security. All of them bring something unique to the table. Each is an integral part of the total security package. It takes a professional versed in all of them to be able to deploy the package seamlessly.
  2. Anyone can do security. Ugh. Wait, no. Double - ugh!! Not everyone can "do" security. As I stated before, it's hard. It's not rocket science but if the only thing you've ever protected in your life was a bike in a bad neighborhood, you may not be as qualified as you think to speak expertly on matters such as the security surrounding rather complex and sensitive facilities as the White House or military bases. I know I just made a lot of folks in the DC press conglomerate very unhappy. So let me explain. You can have all of the facts on an issue but still not get the nuances behind how to properly execute an effective security plan or understand the stark realities those facilities face. As a matter of fact, there are people in the job who barely get some of these concepts which explains why so many security plans fail.

    I've been in this industry for 14 years and there are things I'm learning every day. I am no "expert" and I often eschew any effort to attribute that title to me. It is also my suggestion, given my background, if I admit to knowing far less than most "experts" with less experience are willing to, then maybe you should be questioning their "expertise" as well. Think you can "do" security? I'd happily place you in charge of physical security at the White House which receives MILLIONS of visitors every year and hosts the most targeted human being on the face of planet Earth. Good luck.
  3. There's entirely too much security for this. Another sigh. Seriously, folks. Unless you've walked in the shoes of the person who designed the security apparatus for that facility or worked in a similar post, you may not understand the thought-process behind how security is set-up there. In order to better educate most folks who are not familiar on this topic, I'll take a moment to digress and speak on the mission of security and how it is often set-up.

    Security's primary mission, no matter the discipline, is pretty much the same minus some semantics. It is to detect, deter, delay, and destroy. There are professionals who will undoubtedly find issue with my choice of words here. My message to them is clear - I get it but let's think more figuratively. While it is optimal in security to see the threat before he arrives, that may not always be the case. In fact, there is very little empirical data to suggest much of what is done in physical security actually deters the truly dangerous threat. However, what is quantifiable is delaying and subsequently disrupting or destroying the threat's ability to continue their actions.


    A great example of classic defense-in-depth

    Finally, let's examine what drives most security plans. Much earlier, in another post, I wrote extensively about risk management which is a process by which security professionals and their stakeholders ascertain the level of risk they're able to maintain and the mitigators they plan to deploy to minimize the risk. As you can imagine, this process is what most security plans are derived from. Within those plans, therein lies the basic outline of how most modern security is implemented - defense-in-depth. This is best explained by asking you to imagine an onion. As you peel the skin on any onion, you'll note the various layers contained. Security is much like that. Every protected resource has an outer layer of protection which supports the inner layers. The closer you get to the resource, the more intimate the security. Imagine the White House. The outermost layer of security there could be the scores of CCTV systems found all over the DC area. From there, the security mechanics become more intimate with their resource. Stop laughing. I hear the jokes. Serious. Stop it. The inner layers encompass a new level of protection closer to the resource than the next. See, I cleaned it up for you.
  4. The security guys just need to do a better job. Really? Like seriously. What qualifies you to make statements like that? Have you examined the actual, no-kidding threat intelligence or data to understand the nature of the adversaries those "security guys" may face or the countless attacks which get thwarted? A great example of this is a conversation I had recently with a political website editor regarding how the United States Secret Service would be better served by doing a "better job of managing its fence" rather than deploying checkpoints further from the ones already at the gates closest to the White House. I strongly disagreed not because I love checkpoints (I don't - see my thoughts on crowds) but because I understand (because I've actually done executive protection and physical security versus offering critiques about something I only read about) what drove the US Secret Service to acknowledge they were considering checkpoints. You would be remiss as a professional not to consider them as an option. I think we would all do a lot better to understand the difference between a consideration and an implementation.
  5. I have a PhD so I have the magic ability to know all things related to security, though, my PhD is in an unrelated field or I've written books non-security professionals think are dope. I won't waste a lot of time and space on this but this is a growing issue throughout social media. Stop it. There are few things more irritating than to be dismissed by an academic or author who thinks their degree or books written provide them with omnipotent ability to know everything they need in order to criticize security. As I've stated before, you're probably extremely smart in your area of expertise. This does not lend itself to transference into what I've done for 14 years. Sorry. But that's the truth. Again, I don't know a whole lot and there are guys in my field who are far more impressive than me. That being said, read this and #2.

  6. You say tomato and I say TOH-MAH-TO. Same difference. No, it's not the same. In security, certain terms do matter. They really do. For example, I had a very good conversation with a national security pundit I follow on Twitter, Joshua Foust. Joshua is smart when it comes to matters of national security and almost ties John Schindler in trolls except Joshua doesn't have a parody account yet and his and John's tweets are thought-provoking.  That being said, our discussion this morning was about the efficacy of passport revocations. Joshua intimated revocations made jihadi terrorists stateless people. I find that most people confuse revocation of passports with revocation of citizenship. The two sound the same but are vastly different both in mechanics and impact. However, because they sound the same they are often confused. We saw this when Snowden's passport was revoked. People claimed he had been stripped of his citizenship, although he never formally renounced his citizenship nor did Congress or the President revoke it. In fact, the passport revocation is nothing more than a travel restriction. You're allowed to travel to other countries as long as your country provides you with a valid passport. If your country revokes your passport, you're no longer able to travel and can only come back to your home country.

    Joshua would later admit the semantics were different and we both agreed there were mechanisms already in place with respect to fugitive warrants and the Foreign Terrorist Organization designation. Neither, from my limited knowledge, have been integrated when it comes to jihadi foreign fighters. Something, I'm sure the President and other leaders are seeking to change because the inherent value of Western foreign fighters for groups like the Islamic State is their passports. Western travel documents can gain you access to a variety of countries, if they're not revoked or cancelled.
  7. I could take down security anywhere and I could break in there if I wanted to. Okay, that sounds very cool. I'm sure you could. However, taking down an unarmed security guard because he's 75 years old with a bad limp is vastly different than being faster than his radio and being tougher than the eight burly deputies who will respond. You might also be able to break into a facility. That's also great and amazing. However, keep this in mind - sometimes breaking into a facility has more to do with luck rather than skill or technical acumen - remember one of the latest White House fence-jumpers was a toddler. In other words, the sun shines on a dog's rear every now and then. You also may not be as lucky as you think.

  8. OMG, this breach was the worst breach EVER!! Stop. Full-stop. Don't move. Breaches happen all over physical security for a variety of reasons. Some are preventable, sure. Some are not. Some occur in ways professionals never thought of. Some occur because the security manager and his/her stakeholders accepted too much risk. All I ask is that before you roll up a physical security breach as the worst ever, analyze not only the breach but the totality of circumstances. Some people are making a big deal about the recent White House fence-jumper who made his way "into the White House". I'll take a moment and explain why this is wrong.

    Yes, the White House fence-jumper recently made his way to an inner layer of the mansion. Keep in mind what I said about layers. Here's something most critics won't acknowledge mostly out of ignorance. The doors, which I have pictured below, are actually an entrapment area. Wait. What? Yes, the North Portico doors are indeed an entrapment area. What does that mean? Simply put, the exterior doors remain unlocked so exterior personnel (security and non-security) can enter through them and gain access through the second set of doors which remain locked and more than likely, guarded by on-duty US Secret Service Uniformed Division personnel. In other words, someone or something would need to verify your credentials before allowing entrance into the interior.


    The diagram of the White House showing the doors.


    The North Portico doors UNLOCKED. But do you see the doors behind them?


    Scriven, how does this change the fact that he should have never gotten that close? It doesn't. However, it's always best to remember while this is the first time someone has made it to those doors, there have been other more egregious breaches. Thirty-three others, to be exact. Remember when the airplane crashed in the White House lawn? I digress. Did the USSS accept too much risk by keeping the doors unlocked? Sure, but I'm also aware these doors were probably unlocked more for convenience for certain non-USSS personnel. How do I know that? Because I've done something similar in a variety of security situations. So what does this little exercise tell us? First, it tells you I have entirely too much time on my hands and I spend a lot of time on Twitter. Second, it tells you exactly why layers exist and whether they function properly. In this case, a few layers were breached but the resource was secured by one. Third, a lot of people are making wild assumptions without having read the official report nor has there been an accurate articulation from which direction the jumper entered or whether he had been observed (my guess is he was). Also, some of these same people make all kinds of weird guesses about the nature of security at the White House based on rumor and what television and the movies convey. No, the President will not be firing an RPG at multiple jumpers next time.

    Finally, it teaches us the value of relativity and complexity - this was bad but was it the worst? It's all relative. Seriously, can you imagine managing the security of POTUS and his/her staff and guests AND the most iconic tourist attraction in the Western world? It poses some SERIOUS security challenges which are countered every single day, mostly with zero incidents. If this was the "worst", then the Secret Service did an excellent job of containing the threat.

  9. Security is pretty simple. I can't even.
  10. The Israelis do it better.

Monday, June 23, 2014

OPINION: 10 Simple Rules Every Security Professional On Social Media Should Think About

Social media can be a great thing at times. It can connect you with other professionals, allow you to sound off on things in our industry, advertise your services, and even give you new insight into security matters. However, it can also be a very dangerous tool. Countless times, I've seen security professionals realize this inherent truth much too late. In every social interaction, there is an implied trust with our fellow netizens they will abide by certain unspoken "rules". Often, they do but more than often, they do not. I'd like to share a few rules that can help mitigate the risks associated with combining your personal and professional social media personas.
  1. Be humble and listen to everyone's opinion. There seems to be a rash of security professionals who believe the best way to interact with those who disagree with them is to be brash and rude regardless of the interaction. Sometimes, it calls for being a bit brash and rude. However, I find it often does not. Don't make being adversarial a part of who you are on social media. You could potentially "scare away" potential clients or employers. Don't be "that" guy. Seriously. If you don't want discourse, then social media is not the place for you. Chances are just because you're awesome in what you know doesn't mean you're awesome in all things you claim to know. Sometimes, other folks have legit ideas we can learn from. You don't always have to be right. A simple "I never thought of it that way" goes a long way.
  2. Keep your "circle" small. A while back, I went to "private" on all of my social media accounts. Why? Am I talking secret stuff I don't want others to know? No. I just realized how much better my social media experience is by keeping my audience relatively small. Think of it like how you rate schools based on student-to-teacher ratios. Do you really want to have to interact with 90,000 people you don't know? Also, by keeping your "circle" small, you pick the people you want to interact with. There's a danger here, though. By being selective, you run the risk of limiting the amount of data you receive and it can enable subjectivity to some extent. With that being said, I'll add my next rule.
  3. Interact with people who provide value and not an ego boost. When I went "private", I noticed I was far more selective and I tended to interact with people who "liked" my comments less and interacted more. There's a trap by having loads of people "like" everything you post. It can lull you into a false sense of security that you're a "big deal" and immune to legitimate criticism. Remember, this is the Internet. Just because you say awesome things does not mean people think you're awesome. You will make people upset sometimes. That's life. Some attacks will be personal. That is also life. Deal with it. My mother provided me with the best sage advice I've ever heard and will never forget - "Not everyone that smiles at you is your friend and not everyone who frowns at you is your enemy."
  4. Don't say or do anything on social media you can't tell your mother or boss about. Seriously, you can limit half the drama that comes your way by just abiding by this simple rule. More professionals get involved in more drama online than they should because they forgot this. What does this mean? Don't write checks with your status updates your career and personal life can't cash.
  5. Keep it real. I've written in the past about "experts" and how often it is easy to confuse real expertise with implied expertise. If you're really knowledgeable about something, feel free to talk about it like you do. If you're not, then take it easy and try to "stay in your lane". Many people find themselves in trouble when they forget to do this. Why? Everyone wants to be popular on social media and you don't get to be popular by staying in your lane all the time. Remember what I said about getting too many followers and "likes". Again, don't be "that" guy. When I'm talking to people on social media, I try my hardest to be upfront about what I know based on my experiences and from other sources. If you follow me on social media, you'll often read me telling people what's in my lane and what is not. I find when I do that, I receive much better interaction with professionals and I learn quite a bit more than I preach.
  6. Don't make your social media persona to be something you are not. The downfall of many professionals on social media can be traced back to forgetting this rule. Quite a few security practitioners seem to believe in order to have value, they have to inflate who they are or what they've done in the past. More often than not, they're found out and revealed without prejudice. You don't have to fake a degree or have an awesome job title to provide value in your social media interactions. I'm more impressed by a person who is totally honest about being a janitor and knows a lot on a topic versus a janitor who pretends to be an "expert" security "guru." As I always say, "Game recognizes game."
  7. Use your manners. My advice to my son is always, "I get more from pleases and thank-yous than I have ever gotten with a frown on my face." A simple "Thank you for the discourse" or an apologetic private message for an overly snippy comment has provided me with more value than my stubbornness to concede a point ever has. With that in mind, as with everywhere you go in life, there will always be jerks. Try not to be one of them if you don't have to. Sometimes, a situation online may call for you to be one. I suggest resisting the temptation to do so and simply either ignore the other party or "block" them. This is the Internet and there are tools available wherein you can choose to be a jerk or not. At one point, my mother was a preacher's wife which is a position replete with jealousy. She always told me, after an encounter with someone who she knew didn't like her, "Baby, sometimes, you gotta kill them with kindness."
  8. Some things are better said in-person. This is too easy to explain. Keep private things as private as you can because once it leaves your computer, you have lost complete control of it. If I'm in charge of human resources at a company you applied to or I'm a prospective client and I noticed your social media accounts are chock full of indiscretion, you're probably not a person I want to hire and for good reason. Whatever your intent was will not matter to someone who decides your fate with the click of a button without having to ever talk to you.
  9. Never trust people to keep things private online. Salient advice I received from a friend once - "This is the Internet, nothing is as it appears." People are inherently untrustworthy. Why? Because they can always make disadvantageous decisions regarding you online without your knowledge and consent. There is very little you can do about this except following this rule. As the old adage from hip-hop goes, "Never trust a big butt and a smile."
  10. You don't have to be first to speak during a crisis to have value. The first time I became popular on social media was during Christopher Dorner's rampage through Los Angeles. I made a few points which were re-shared a lot. After that, it seemed like every other crisis, I was being called on to give my opinion. Not too long after that, I did some introspective thinking and realized I wasn't always being called on to give my opinion or insight - I was seeking it out. I had fallen into the trap. Why is this bad? The reason I took the time to think on this topic was I noticed I was sharing incorrect and highly subjective information. In other words, I was misinforming people. My "circle" was kind and quietly called me on some of it. Here's what I learned: Being first, often, means being first with the wrong information and relying on firsthand accounts. Anyone involved in the intelligence community will tell you how this leads to a degradation of analysis and eventual disregard of the analyst responsible. Take your time and give your insight when it's helpful.
