Tuesday, November 15, 2016

Why Murder-By-Semi-Truck Could Be A Thing You Need To Mitigate



I'm not an alarmist. Or at least, I try not to be. Personally, I prefer a rather "Vulcan" approach to many things in security. As the youngsters say, "Logic rules everything around me." Actually, that may not be the "exact" wording but you get the drift. That said, I do have a fair amount of "Holy sh*t!" moments. While reading Rumiyah #3 (An English-language e-magazine for ISIL) and coming up on their murder-by-semi-truck tutorial, I tried to suppress having such a moment. I succeeded, mostly because I realize the tutorial was somewhat incomplete from a tactical perspective. That's not to say the message isn't effective or wouldn't possibly motivate ISIL members to strike. I see its inclusion as both for propaganda and potential triggering for an upcoming attack.

Oh, you read that whole "murder-by-semi-truck" bit correctly. Here's what they actually said - "Though being an essential part of modern life, very few actually comprehend the deadly and destructive capability of the motor vehicle and its capacity of reaping large numbers of casualties if used in a premeditated manner. This was superbly demonstrated in the attack launched by the brother Mohamed Lahouaiej-Bouhlel who, while traveling at the speed of approximately 90 kilometers per hour, plowed his 19-ton load-bearing truck into crowds celebrating Bastille Day in Nice, France, harvesting through his attack the slaughter of 86 Crusader citizens and injuring 434 more."

There's a lot we, as security professionals, can glean from this. Have no worries, I won't be divulging "state secrets" or imparting tactical clues. These are merely my observations. Take them for what they're worth, as your mileage could very well vary.
  1. Large vehicles are still in vogue for jihadis. In fact, one of the key criteria they give for an "ideal vehicle" is a "load-bearing truck". Even though speed and "controllability" are also highly desirable, they suggest operators steer clear of SUVs and small cars. Obviously, they're looking for something that can handle a lot of weight.
  2. The Nice attack is seen as successful. Notice the vehicle should have "double-wheels" because it gives "victims less of a chance to escape being crushed by the vehicle's tires". Also, I noticed the inclusion of having a secondary weapon as a means of ensuring additional casualties and "increasing terror". Pretty telling.
  3. Crowd mitigation is really freaking important, stupid. Look, folks. I know I harp on this a lot. I get it. I do. But they pretty much say it - "In general, one should consider any outdoor attraction that draws large crowds." Notice the bit about crowds.
    Image included in Rumiyah #3. Notice the large crowd. Just saying.
  4. Attribution is really freaking important, stupid. The last few ISIL-related attacks (either by the group or attributed by them) have included language using the phrase "soldier of the Islamic State". For almost every attack committed by a Western-based attacker who hasn't gone to Syria, ISIL has claimed responsibility using this phrase. So no surprise here when you see it in Rumiyah #3 - "I am a soldier of the Islamic State!" Why do they do this? To sum it up - they're a holy anointed apocalyptic cult whose proximity to Allah can only be determined by their ability to seemingly kill at will. If that's not clear enough, they do it for street cred. You gotta have bodies to make it in the terror game, folks.
  5. Large crowd size does not always equate to certain specific targets. Located in the fine print was this gem - "All so-called “civilian” (and low-security) parades and gatherings are fair game and more devastating to Crusader nations." If you're a security professional who has to mitigate threats to a parade route but you're not in New York, you may assume you're in the clear. Yeah, you're dead wrong about that. It's about the casualty count. If your parade route could have a large number of people along it with limited egress points and insecure access control to the street, you could be in the same boat, if not worse than New York. As I always say - it's not a matter of IF but WHEN. Mark my words. Be vigilant.
  6. It's not just about parades, stupid. What other "targets" are they looking at? Glad you asked. ISIL says "Outdoor markets, festivals, parades, political rallies (We got any of these coming up soon? Asking for a friend.), large outdoor conventions and celebrations (Got any tree-lighting ceremonies?), and pedestrian-congested streets (High/Main streets)" are all legit targets. Yep. Here comes your "Oh sh*t" moment. Stop it. Relax. Now, go mitigate.
  7. Fail to take this kind of attack seriously, at your peril. Let me put it bluntly. Nope, let me just leave what they said here - "The method of such an attack is that a vehicle is plunged at a high speed into a large congregation of kuffar, smashing their bodies with the vehicle’s strong outer frame, while advancing forward – crushing their heads, torsos, and limbs under the vehicle’s wheels and chassis – and leaving behind a trail of carnage."



Saturday, November 12, 2016

Product Review: Sighthound


One of the first topic areas that caught my eye was video analytics. As a video surveillance monitor for a lot of my career in physical security, I felt I had a good grasp on why most surveillance systems fail to detect bad guys as much as they should. If you're a physical security professional, you know where that weak link is as well - the monitors. Yup. It took me less than six months looking at video screens most of my day to understand most irregular events go unnoticed or are not properly assessed. This happens for a variety of reasons:
  • Monitor fatigue. This happens when a monitor stares at a screen for too long and either falls asleep or becomes easily distracted. We're humans and no one likes gazing at an empty parking lot for hours on end. So, the mind begins to wander and bad things can happen. If you'd like to learn more about monitor fatigue, this is a great resource. - https://en.wikipedia.org/wiki/Alarm_fatigue (I know it's Wikipedia but as a primer, it's not too shabby)
  • Monitors are expected to recognize irregular events in a huge ocean of regular benign events. That parking lot I mentioned before could have 400 cars in it and thousands of people coming and going. If mixed in with benign events, irregular events can appear to be okay and fit with the norm. This explains why some folks can get robbed right in front of a camera and no one notices.
  • There are too many "rules" to remember and act upon on too many feeds for a single monitor. Sometimes, with human monitors, too much video is just as bad as driving into someone else's headlights.
Where else are all these problems more demonstrative than in a home security environment? I have friends who have 6 or more cameras on a home and they call themselves "monitoring" those feeds constantly. No, you're not. What I find most often is the direct opposite - they're monitoring one or two cameras, maybe. The others go either unwatched or constantly recording over each other. So what's the solution to ensure all the feeds are being monitored and reporting and recording events as they occur?

Sighthound is a software application that acts as a monitoring platform with an embedded analytics package. You can not only monitor your feeds from various cameras but you can also have those feeds report only when "rules" are broken which include:
  • A person entering a zone.
  • Someone leaving a zone.
  • Motion inside a zone.



The feeds can be viewed remotely. You have to pay for that feature, though there is a trial version which includes this for 14 days. Given recent issues with Internet of Things devices being exploited for DDoS attacks, I highly recommend changing whatever default passwords are on your cameras, ensuring the firewall on your router is working, and updating the firmware on the device. If you can, run a scan to see what ports are open on your machine using the scanner at https://iotscanner.bullguard.com and close them, if possible. Also, check out routing the camera through a DNS provider like DynDNS.

I digress. While you can have the software email you or send a notification to the smartphone app, you can also have it do a myriad of options through IFTTT. The possibilities are almost endless from there. Oh and perhaps the most creative option and one I particularly like is the ability to execute a command should an event be triggered. For example, you could set it to send you a snapshot of the event and then shut down your computer. Why is that cool? If your PC is full-disk encrypted, then you have just ensured a key mitigation piece is activated. You also have a picture or video of the event and can determine if you need to respond further.

What I like most about Sighthound is how quickly it responds to events. Almost 5 or 10 seconds after an event, I received a notification of the event and was able to view a snapshot. That's pretty cool when you consider how costly an enterprise system can be offering the same service.

There are some things I'd like to see it offer in the future:
  • Security options. I'd like to password protect my remote feeds. This may be here already and I just missed it. If so, I feel like this is kind of an understated feature.
  • More event triggers. It covers the basics but I'd like to see triggers for things like noise detection with those cameras that offer audio in their feeds.
  • Possibly some interoperability with other devices. I'd love it if it could network with other sensors through the home and capture those events as well. Some proprietary device systems already do this but I'd like to see something that would allow me to work with events involving a smoke detector and my camera.
Overall, I THOROUGHLY love Sighthound. It has tremendous potential and is extremely affordable. I hope this is a new movement within the home security surveillance sector. I'd like to see fewer machines that can't or won't cooperate with other devices to successfully mitigate potentially dangerous events. It isn't perfect but I find it is certainly a great step in that direction.

As of now, I haven't reached out to the Sighthound team for an interview. I will soon, though. I'd love to hear what more they have to offer.

If you know of any other physical security applications or devices you'd like me to review, contact me via the "Contact Me" link above.

How To Get Your Family Interested in Security


A question I get asked sometimes is "How do I get my family interested in security?" The question, surprisingly enough, comes from security professionals who are passionate about what they do but find that their families either don't share their affinity for our trade or are rather lackadaisical about upholding mitigation techniques. Come on. Don't kid yourself. Your family could probably care less about security too. Your spouse probably says "That's why I have you, Mr./Mrs. Security Dude. That's your job." Yeah, I roll my eyes too.

As I stated in my previous podcast, you could pay $10,000 for the world's greatest door lock and have your entire mitigation ruined by a spouse or absent-minded child who forgets to lock the door. It happens more than we like to admit. I also surmise it's why some of us are so passionate about security awareness training at work. Given that we view them sometimes as the "weak" link, let's look at how we can get them better at not just maintaining mitigation but also becoming independent security stakeholders.
  1. Chill out and recognize who you're working with. You don't get to always hire friends and family. So, we're stuck with people who wouldn't know the difference between a padlock and deadbolt at times. And....why should they? "That's what you're here for" is a phrase I've heard countless times. Recognize the role you've taken as the security person of the house and how that has enabled them.
  2. Don't scare them. We know things about the world in which we live that our families should never be exposed to. It's kind of why we do what we do, right? But ignorance isn't always bliss. In sales, I learned a term called "finding pain". It's a term used to describe learning what someone's personal security nightmare is and then exploiting that to get them to buy a product you sell to alleviate that "pain". Sounds pretty awful, huh? But it works. Do the same with your family. Ssssssssssllllllllllooooooowwwwwwwllllllllyyyyyy. This is where you explain to them how they could lose things they care about very easily if mitigation isn't there to stop the bad guy or at least aid in getting their valuables back or replaced. I have found explaining value and risk in its most basic and pure form has been very helpful with getting children on early as stakeholders. It takes a lot of time and patience but it is well worth it.
  3. Invite them along to do a risk survey of the home. This sounds like something a bit too intense for your home but it's really not and rather easy to do.
    • Give each person an area they're responsible for like their rooms or designated work/play areas.
    • Have them inventory all of the items in that area they place value on. Tell them to ignore easily disposable items and clothes (absent something truly expensive).
    • Also have them include photos of the most expensive items and to include any serial numbers if possible in the inventory.
    • Give them value parameters. I make mine rather simple - irreplaceable, replaceable but painful to lose (cost too much or would take forever to get back), replaceable with very little to no pain. For smaller children, this could be a challenge so I encourage you to explain this a bit more in-depth and accompany them throughout the process.
  4. Do your vulnerability assessments with them. We've identified things of value and the amount of pain it would create getting them back if it were possible. Now, have them look at all of the ways someone or something could make that risk a reality. For kids, you're going to have to be patient and listen to every "ninja scenario". With boys, you'll hear this threat profile thrown around a lot. Get used to it. Explain the difference between a likely exploitable vulnerability and ones that will probably always remain vulnerabilities (Bad guys cutting a hole in your roof). Get out a map or overlay and have them articulate the vulnerability.
  5. Address threats. Be sure to caution them to stay away from "thinking like a wolf" mentality. Most often, your family is a mix of really good people. So have them look at likely threats instead. With smaller kids, explain that because it's "likely" doesn't make it real. A bad guy could walk down the street and decide to randomly steal your kid - that doesn't mean every stranger is the bad guy. Explain that because we don't know every person who could be down the street means we can't exclude all of them as potential bad actors for certain crimes. This is also a good time to explain that most violent crimes occur when victims already know their attackers. If we know all good people, then we can reasonably say our probability of meeting harmful attackers is minimal. Crimes of opportunity can be more difficult to simply dismiss because the likelihood exists that you could be a victim of a stranger. Thus we have to mitigate that threat, as well. Discuss any sort of special security issues you face (i.e. any jilted lovers, enemies from prior jobs, stalkers, etc.). 
  6. Buy door and window alarms from the Dollar Store and have them work through a variety of home security projects. My absolute favorite activity to do with children is building "booby-traps" with these Dollar Store gadgets. I have them take a map and examine their likely avenues of approach, chokepoints, and areas of final denial. Then, I talk about how the gadgets serve one purpose only - detection. Afterwards, we mark where the gadgets are on the map. Finally, it's time to deploy them. An old trick I learned was fishing line attached to the magnet on the "alarm" and securing the sensor/annunciator to the object it's resting on. When the bad guy trips the wire that's wrapped around another object and attached on the other end to the magnet, it will then yank the magnet from the sensor it's resting on and sound the alarm. Trust me. Kids love this activity.
  7. Go over "secret" codes and how the alarm system at your home works. Sounds pretty basic but you'd be surprised how easy it is to get them on-board by having them understand how the control panel works. Maybe, you don't share the activation code but you can show them how to work the duress code and how to call for help. I like the idea of a "secret" code that's for everyone in the family only, as a way of building into the family a living duress code system for everyday use.
  8. Next, go over contingency plans. Where do we go? What do we do? Who do we call? What are our "actions on contact"? Again, we're not making everyone in the house Jason Bourne but are making everyone in the house prepared for other events than just a house fire. Having a plan and even rehearsing that plan are absolutely key to having a comprehensive home security program.
  9. Address access control. Growing up in my house, my mother would call this "Don't you let anyone in my house I didn't invite". Yeah, it was that serious. It's almost as if she was grooming me for this trade. Explain the rules for allowing people into the home. BE VERY FIRM HERE, ESPECIALLY WITH SMALL CHILDREN (WHO SHOULDN'T BE ANSWERING THE DOOR ANYWAYS).
  10. Teach them situational awareness. This can be very challenging for some members of the family. Be patient and make it fun. I like to start with memory games by asking questions like "What was the color of the car outside as we pulled up?" or "What kind of hat did the guy walking down the street have on?" Do this enough times and you'll be in amazement with how fast they catch on.
Your experiences with this will certainly vary. I've had a lot of luck here but I would be seriously remiss if I didn't disclose that it's been challenging. The key is patience. Take your time. Understand the lay of the land. Most importantly, make this about us rather than about something you do.

Let me know if you have any ideas of your own.
