Tag Archive | Situational Awareness

Doomsday Preppers – What’s Your Score?

Doomsday Preppers, National Geographic Channel’s new hit series – is awesome.

The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.

Each prepper, and sometimes their families, friends and neighbors has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.DoomsdayPreppers

They are then scored by survival experts in five categories of survival; water, food, shelter, security and an x-factor.

Some score quite well. Others? No.

Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.

I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion was had no experience with firearms and because he wasn’t wearing appropriate ear protection.

Sometimes it’s the little things.

But I find it entertaining for different reasons.

First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.

The joke’s on us.

Second, human beings aren’t very good at identifying the real threats in any situation.

In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.

People are always the biggest threat.

Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.

Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage was more widespread and the shortage sustained?

We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.

By nature we are all survivalists. It’s why we have a massive brain and opposing thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.

What’s your score?

Advertisements

The Walking Dead

It seems that everybody loves a good zombie apocalypse.

The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.

And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.

That being said, they haven’t exactly screwed everything up, either.

Let’s take a critical look at the team’s security strengths and weaknesses, zombie-style:

Strengths:

  1. Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Nevermind that he had to kill his best friend to get there.
  2. Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
  3. Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.

Weaknesses:

  1. Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
  2. Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
  3. Planning – Oh and while you’re at, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.

I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I wasn’t a little jealous – living out a zombie-apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.

The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.

Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.

One way or another, we’re all going to end up a Rick or a zombie.

The choice is yours.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are by far, the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behavior’s requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know.

Introducing the “Four Stages of Competence“.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

Remembering 9/11

For most, if not all Americans, today is a special day.

Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.

Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.

And yet, that’s all they are.

In a world of risks separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.

Ask someone if they would rather text while driving or face a terrorist.

Yet texting while driving has killed twice as many people this year than terrorists.

So why aren’t we afraid of texting in a moving car?

The answer is related to the way human beings make decisions. It’s related to way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.

It makes us really bad at judging risk sometimes.

Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.

We didn’t think terrorists would fly planes into buildings.

Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.

Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.

More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice“.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piquing. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

Like all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

To Train or Not to Train, That is Not the Question

Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.

Citing the  “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.

If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.

Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.

Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:

  1. Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
  2. Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
  3. The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.

Fighting cybercrime is a $400B industry, and we’re just getting started.

So now ask yourself, what – or better yet who – are you trusting to protect your assets?

I offer this counterpoint to the CSO article; an effective security awareness training is the best, perhaps the only security practice that, done effectively demonstrates dramatic, measurable return in today’s environment.

Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.

Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.

Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.

Today, you are wasting your money.

Tomorrow is another day.

Becoming A Low Hanging Olive

In January of 2004 I spent three weeks in Northern Africa. It was one of the most memorable trips of my life.

The second half of my trip would be spent in Morocco with close friends, being catered to by personal attendants, drivers and handmaids, dining on the finest couscous and staying in chic riads. The first half of the trip was spent in Tunisia, a third-world country that has for years suffered through political turmoil. Most of Tunisia is uninhabited, rough and Islamic, which was simultaneously exciting, frustrating and frightening.

It was also educational.

Tunisia is an amazing country. Undiscovered beaches, the endless dunes of the Sahara, ancient ruins, bustling souks with fresh fruit and spices and the planet’s largest herd of camels.

Tunisia is also the world’s largest olive grove. No ladies and gentleman, it’s not Greece. There are only a few roads in Tunisia, but all of them seem to go through olive groves. You can drive for hours with olive trees outside both driver and passenger windows.

When I first arrived in country, I was met by Muslims with machine guns. Which I expected. And appreciated.

In 2004 my security career was rather young, but I was no less exuberant. If they had decided to strip search the only white guy in Tunisia I would have been inconvenienced but impressed.

Little did I know when I arrived that Tunisia would teach me a few things about security.

On the last full day of my trip I visited Carthage, the ancient coastal ruins where Hannibal became famous. Satisfied that I had filled my quota of digital pictures, I headed for the train to begin the trip back to my hotel. I needed to pack, eat and make some calls to arrange for my trip to Morocco the following day. My mind was busy as I boarded the busy rush hour train.

I passed a few stops, continuing to plot out the next day’s early morning checkout and flights. I noticed how overloaded the train was getting. I needed to remember to change some money at the airport. Just a few more stops now. I needed to send post… Is that a hand in my pocket?

Time slowed to a crawl and the roar of the rush hour train came to a hush. My wallet was gone. It had some money, a credit card and a copy of my passport in it. And the doors were closing. Was that the thief escaping? I needed to make a decision and fast. So I did what any security professional would do.

I panicked.

By the time I knew what was happening it was over. I rocked my best Walter Payton 45-Right to get off the train before the doors closed, pulling several likely innocent bystanders with me. But despite my seemingly heroic effort, the perpetrator was long gone by the time I got to the platform. I frantically challenged every pedestrian in the station that looked suspicious. They all looked suspicious. And I looked crazy.

How could this have happened?

  1. I lost situational awareness – Even though I had lived in New York City and I was a security-minded person, I was out of it on that train. It had been an exhausting week and I had less than 12 hours before I was escaping to paradise. My mind was somewhere else. While I was mentally reviewing departure times and sorting out logistics, an attacker was fingerprinting me.
  2. I was poorly defended – I was alone. It was the end of my trip and all of my laundry was dirty, so I was wearing baggy khakis with loose pockets. I was standing on a tightly packed train, hands above my head to keep from falling on some indigenous woman. I might have well been wearing a sign that said “defenseless tourist”.
  3. I became a low-hanging olive – I looked out of place. I was tired. I was in the wrong place at the wrong time. I became the low-hanging fruit and I got picked.

And here’s some advice – if you ever find yourself pickpocketed in Tunisia, save yourself the time and anguish of reporting it to La Police. These are the same people who beat their own citizens with blackjacks.

Your adversaries can strike at any time. The good ones will find your weaknesses and exploit them. Your business may not require the same defenses as the Pentagon, but whatever defenses you have should be up at all times.

Sometimes the best lessons are those hardest learned.

And now the olives in my life usually end up on a salad.

%d bloggers like this: