Doomsday Preppers – What’s Your Score?

Doomsday Preppers, National Geographic Channel’s new hit series – is awesome.

The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.

Each prepper, and sometimes their families, friends and neighbors, has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense, to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.

They are then scored by survival experts in five categories of survival: water, food, shelter, security and an x-factor.

Some score quite well. Others? No.

Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.

I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion had no experience with firearms and because he wasn’t wearing appropriate ear protection.

Sometimes it’s the little things.

But I find it entertaining for different reasons.

First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.

The joke’s on us.

Second, human beings aren’t very good at identifying the real threats in any situation.

In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.

People are always the biggest threat.

Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.

Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage was more widespread and the shortage sustained?

We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.

By nature we are all survivalists. It’s why we have a massive brain and opposing thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.

What’s your score?

Cyber Monday is Dead, Long Live Cyber Monday

Cyber Monday is dead.

At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.

According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices has closed the gap between Cyber Monday and the days on either side of it.

This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.

The simple fact is, people are doing more shopping on days other than Cyber Monday.

Now this doesn’t mean that Cyber Monday is going away. In fact, sales for Cyber Monday are growing rapidly year over year, and 2012 is expected to trump years past by 16.8%.

The opportunities are boundless, for retailers and fraudsters.

But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.

On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.

When one dies, so does the other.

But the reality is that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.

So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:

  1. Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out.
  2. Only Use Reputable Sites – Just because #1 is true doesn’t make it safe, don’t give your money to a stranger just because they handle it properly.
  3. Only Use a Credit Card – Don’t use a debit card, it does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
  4. Check Out as a Guest – Don’t create an account with online retailers unless you have to, this may help you avoid storing your payment card information online.
  5. Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.

We all shop online. It’s convenient, easy and usually saves you some coin.

And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.

Bullets, Pirates and Risk Management

Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships have decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.

Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.

However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.

Pressure continues to mount on International trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where excessive defensive means were necessary, both politically and militarily.

But risk avoidance has come at a high cost.

Many factors have contributed to the decrease in pirate hijackings in 2012. One factor is that shipping companies have begun equipping their ships with countermeasures, namely armed guards.

Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.

And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:

  1. International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. This all to protect a bounty worth Y. We expect that if and when X exceeds Y that these practices will be suspended, and the shippers will go back to taking their chances.
  2. Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.

Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through International waters.

In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:

  1. Did these investments address your most critical risks?
  2. Were these investments worth it?

Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.

You may also want to ask yourself if you’re the shipper, the pirate or both.

Luckily for us, we’re the armed guards.

Election Day Security

I feel proud today.

Like apple pie, hot dogs and online bank fraud, nothing is more American than personally selecting (kinda) the next President of the United States. And doing it in the hometown of Uncle Sam makes it that much more special.

But lately I’ve become more concerned about the integrity of my vote.

My concern is not with the security of the voting machines. There are only a few different types of electronic voting machines, including optical scanners and direct recording machines, where voters press buttons that are digitally recorded. And both types of machines have been compromised on numerous occasions.

In one case the voting machine was so vulnerable that researchers were able to install Pac-Man on it. One team member was quoted, saying that it only required an 8th-grade education and $10.50 to hack the machine.

We also know that the networks, storage and computers that the machines rely on are vulnerable. As are the people involved in the voting process.

But this is not my concern.

What I find most worrisome is, if and when it happens, how will we know?

Happy voting America.

Smashing Pumpkins, Security Myths and Pretty Much Anything Else We Can Get Our Hands On

Hurricane Sandy, appropriately named after a slow-moving but powerful family member of yours truly, spent the last few days wreaking havoc on the East Coast.

And while some of us made it through with just a bit of sideways rain, I’m sure there are more than a few businesses out there putting a Business Continuity Plan on their “To Do” list this morning.

Better late than never, they say.

Or is it? After all, Upstate New York has experienced an earthquake, a tornado, epic flooding and two hurricanes in the past fifteen months. This in an area that is considered relatively protected from Mother Nature.

Maybe it’s time to rethink the “cross your fingers” Risk Management strategy. And just in time for Halloween.

Tonight, on All Hallows’ Eve, most of us will engage in some sort of ghoulish tradition, whether carving a pumpkin for the front stoop or trick-or-treating with the kiddies. And yet we know that most, if not all of these activities can end in some kind of trouble.

Chances are good that the creepy teenager down the block with the acne and the freakishly thick eyebrows is going to smash your pumpkin. Someone’s car is going to get a clean shave. And Mrs. McGillicutty’s willow tree is probably getting TPd.

But despite all of this, we trust our kids and neighbors to make it through the night without serious damage. We trust that things won’t get out of hand. We trust that people won’t kill each other over a bag of treats.

We trust.

And in that apparent weakness lies one of our greatest strengths. In trust we gain the ability to go about our lives. To interact with others. To exist.

Without trust, we could not walk down the street at night without checking every dark corner. We couldn’t approach a stranger’s door without a background check. We couldn’t eat candy without inspecting every chocolatey bite.

Without trust, we could simply not function.

Trust is at the heart of every security model on planet Earth. Despite popular wisdom, the security controls that we put in place to protect our information, people and other assets imply some measure of trust in their relationships.

We trust that a firewall will disallow specific protocols on specific ports. If we didn’t we wouldn’t buy them. But like the creepy kid down the street, trust only goes so far.

At some point, you need to verify.

And what better time than Halloween for a lesson in verification? Whether it’s the batteries in your flashlight, the traffic crossing in front of your little Spiderman or the bra strap on your girlfriend’s Lady Gaga BaconSuit costume, sometimes you just need to verify.

Halloween is no time for a wardrobe malfunction.

The Walking Dead

It seems that everybody loves a good zombie apocalypse.

The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.

And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.

That being said, they haven’t exactly screwed everything up, either.

Let’s take a critical look at the team’s security strengths and weaknesses, zombie-style:

Strengths:

  1. Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Never mind that he had to kill his best friend to get there.
  2. Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
  3. Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.

Weaknesses:

  1. Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
  2. Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
  3. Planning – Oh, and while you’re at it, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.

I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I wasn’t a little jealous – living out a zombie-apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.

The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.

Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.

One way or another, we’re all going to end up a Rick or a zombie.

The choice is yours.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some of these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are, by far, the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behaviors requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know?

Introducing the “Four Stages of Competence”.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

I Was Wrong About Security

Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.

Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.

I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.

One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.

Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.

I learned an important lesson that day.

When we got to the user’s cubicle, we were met with a sweet older woman. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.

He repeated his instructions. “Put the mouse on the OK button and click.”

So she did just that.

She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.

She did exactly what we told her to do, but not what we wanted her to do.

You can guess the moral to this story.

Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.

They will tell you that people are the biggest problem in information security.

They are wrong.

Ask yourself these questions –

  1. Would you attempt to drive across the country without a map?
  2. Would you let someone perform surgery on you if they weren’t a doctor?
  3. Would you deploy a firewall without configuring it?

The answer to all of these is obviously no.

However we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.

What we haven’t quite figured out in a meaningful way yet is that people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.

And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.

Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.

This doesn’t bring awareness, it brings tears.

If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.

October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.

I was wrong about security, but you don’t have to be.

Your human firewalls – and your business – will thank you.

Calling All Social Engineers

A friend of GreyCastle Security stopped by this morning to discuss social engineering and how it can be used to improve audit programs.

This friend is an Auditor for a large state-run entity, and a wannabe pentester (tough to blame him).

Now I know what you’re thinking – why is an Auditor interested in social engineering?

I’m glad you asked.

First, we’ve seen many audits totally miss the mark by not including the people aspects of information security. In their defense, audits are typically based on compliance regulations or organizational policies, which miss the same mark.

But if you were an Auditor, where would you focus?

On the countless firewalls out there that are summarily bypassed by attackers, both expert and newb? Or the hordes of susceptible bank tellers, healthcare executives, students, IT administrators and other personnel targeted each and every day by cybercriminals all over the globe?

The answer is clear. Auditors need to be social engineers.

But that’s not as easy as it sounds. In our conversation today we talked about what makes a good social engineer. And the reality is, the best social engineers are born, not made.

That being said, social engineering skills can be taught and improved, even if your name doesn’t end in “Mitnick”.

So what are these skills?

The ability to improvise is critical. So is the ability to collect and leverage information about assets (people) to your advantage. And last but not least, the ability to maintain cool under pressure, especially when being challenged.

A good social engineer is generally good at getting out of tickets, into the VIP and around the rules. If you panic when trying to get away with a duplicate grocery store coupon, it might not be for you.

So if you’re comfortable impersonating someone you’ve never met, that may not even exist, to gain confidential intel or compromise an asset for the betterment of the greater good – all while smiling – we may be looking for you.

After all, the human side of information security is quite possibly the most important, and most misunderstood, of all.

Next month is National Cyber Security Awareness Month. Stay tuned for a whole month of interesting thoughts, trends and tips for securing human beings.

Remembering 9/11

For most, if not all Americans, today is a special day.

Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.

Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.

And yet, that’s all they are.

In a world of risks, separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.

Ask someone if they would rather text while driving or face a terrorist.

Yet texting while driving has killed twice as many people this year as terrorists have.

So why aren’t we afraid of texting in a moving car?

The answer is related to the way human beings make decisions. It’s related to the way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.

It makes us really bad at judging risk sometimes.

Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.

We didn’t think terrorists would fly planes into buildings.

Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.

Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.