Tuesday, April 22, 2014

The Semantics of Security - The Great Enabler of Security Ignorance


One of the toughest and most insightful lessons I learned came during a conversation with a good military buddy about why English is such a difficult language to learn. "You never mean the things you say. You say you 'love' your car in Spanish, it means you love it like family. It's as if you use the words so much they lose their actual meaning." I was a bit taken aback by this. No one had ever explained the issue of semantics to me so eloquently before.

This same thing happens in security, and it explains why so many professionals and laypeople find it so difficult to comprehend. The following are great examples:
  1. Prevention versus mitigation. Prevention is defined by Webster's as "the action of stopping something from happening or arising." Mitigation is defined by Webster's as "the action of reducing the severity, seriousness, or painfulness of something." The two words mean completely different things, yet they are used interchangeably. In security, getting these two words wrong can mean the difference between a loss of life (yours or an innocent's) and victory over an attacker. Having lofty goals of prevention through methods and measures seldom tested with actual bad actors often leads to failure when they do show up. However, having sound mitigators in place should they attack could save both life and property and result in the consequential capture of your bad actor. The decision to stop his or her actions is totally dependent upon his or her decisions and plans before and during the attack. Your measures could help persuade them not to attack, but I would hardly call this prevention without more quantifiable evidence.
  2. Vulnerability assessment versus reconnaissance. A vulnerability assessment is a process which entails analyzing a client's assets to determine likely avenues of approach for attackers. It could involve talking to stakeholders, physical walkthroughs of the assets, imagery analysis, and red-team exercises. Reconnaissance is a process which entails some covert surveillance resulting in a report to the target's adversary to support a plan of attack on the target. These terms are often confused because people assume one means the other. Typically, bad actors do recon and friendly agents do vulnerability assessments. The latter could use the former as part of a red-team exercise or even as part of a walkthrough. However, the methods by which either is done are very different. Keeping this in mind prevents amateurs from thinking that, by doing reconnaissance, they are in some way doing a complete vulnerability assessment.
  3. Security versus protection. It grates on my nerves to hear people say they are "doing security". I find most people have no true understanding of what the term means and are therefore ill-suited for, and failing miserably at, the task they think they are doing. As I've discussed before, security is a mental construct wherein our protective measures are adequate enough in our minds to mitigate bad actors and their attacks to make us feel secure. It's a subjective term but more of a goal and less of an action than anything else. Protection is what we do to make the environment secure enough to assuage our fears of a possible attack.
  4. Arrested versus detained. It took me a while to get used to this. They both sound like they should mean the same thing but they do not. Ask anyone who has ever been arrested. Being arrested has an element of detention but it isn't the totality of the action. You can be detained without being arrested. While this may sound like an issue of semantics, ask your legal counsel to explain what happens in security when you confuse your ability to detain versus your arrest powers.
  5. OPSEC. OPSEC is one of the latest buzzwords to come into the modern security lexicon. Everyone believes they do it but few actually do, myself included at times. Seriously, everyone on social media who is in our industry seems to have a burner cell phone number, 10 fake IDs, wall safes for their wall safes for the wall safes with their encrypted USB, uses TOR to hide from the NSA (as if), etc. The first rule of being good at operations security is to shut up about OPSEC. What's the first thing people do when they think they've done something awesome with respect to OPSEC? They tweet about it on a source they don't own, with people they don't know and couldn't vet with any realistic degree of certainty, using communication they know very little about, on the Internet, which was created by some of their adversaries who have actively engaged in intelligence operations here since its inception. So if so few get it, why do they think they've adequately protected themselves? See the difference between prevention and mitigation.
  6. Intelligence versus information. I often hear professionals claim they have "intelligence" on an adversary, when in fact they don't. Most often they have only raw information they haven't vetted or analyzed. These colleagues suffer from the correlation paradigm, where they mistakenly conclude that information correlating with or parallel to an event is the cause. In the analyst world, this is called "confirmation bias". You believe the information because it confirms what you believe. Intelligence is the product of taking that raw information, vetting its source, comparing and contrasting that data against previous data and assumptions, peer reviews, and a final reporting of that information with an analysis centered on critical thinking. A newspaper article in and of itself is not intelligence because it says something we already thought was true. That would be akin to treating Weekly World News' stories on aliens consulting a still-alive JFK on Elvis' newly proposed welcome-back world tour as intelligence because you're an Elvis-loving conspiracy theorist who believes you're an alien abductee.

  7. Guard versus officer. I'm sure to stir up something here. Let me clarify: there is NOTHING wrong with being a "guard". However, traditionally, that word has gotten a bad reputation. Think "mall security guard". These guys can be awesome professionals, but the title does tend to minimize the extraordinary amount of work it takes to protect the thousands of mall patrons and mall assets against a variety of threats daily. It also does little to note the authority which enables them to perform certain legal actions against those threats, such as trespass advisements and, in some cases, arrests. "Officer" denotes they are an extension of management and not merely someone who stands a post. They represent the extent to which managers are willing to go to protect their assets and their customers.

    Recently, during a discussion with another friend from the military, I recalled a conversation about semantics with a person who worked in what was commonly referred to as the "chow hall". One day, I inquired why the name "chow hall" was such an insult to him. He explained "Do you guard planes or do you protect assets vital to national security? I don't cook chow. I cook meals which are nutritious as per my training. We're both professionals. I know people mean no harm but that term implies my food and what I do as a professional are sub-par and unworthy of a professional title, when that's not true." Vets, I hear the snickering. Stop laughing. But he had a point. One that wasn't lost on me.

    How your customers see a "guard":



    An image the term "security officer" typically conveys:

  8. OSINT versus unclassified. I'm a huge supporter of open source intelligence (OSINT). This entails gathering intelligence from a variety of non-covert channels. This could include public radio, news broadcasts, social media, etc. I have noticed this word used to excuse what I believe to be gross violations of protecting classified or sensitive information. Let me explain. I certainly understand OSINT by its nature can come from unclassified channels. However, I also realize it does not relieve professionals of their responsibility not to divulge information coupled with their "insider perspective" which may be tactically advantageous to an adversary. You can observe this lack of professionalism best on social media, during a critical incident. There seems to be a pandemic of sorts when these incidents happen which encourages its victims to feed their egos by talking endlessly about their highly sensitive "insider knowledge". I once observed someone who is widely considered an "expert" tweet the locations of responding forces to a major hostage situation. Another person tweeted security measures at a base they had just left. Sure, none of this was classified because it came from a radio scanner and personal experience. It was, nonetheless, highly sensitive and could have placed lives at risk if the adversary had intercepted these messages. In physical security, once sensitive information is compromised, we only have a precious, small amount of time to deploy mitigators. As I often say during these events, "Don't let your ego and mouth write checks your a-- can't afford to cash with someone else's collateral."

  9. Active shooter versus mass killing. The best way to explain this is simply stating not every active shooter kills anyone and not every mass killing involves a gun. Yet, whether because of politics or hype, professionals and laymen still confuse these two. This may seem meaningless until you realize how information is gathered to study these two distinct events and the influence those studies have on policy.
  10. Security theater versus threat mitigation. Look, folks, as professionals, we realize not every threat is going to attack us. We also get that some of our measures are extreme. I'm certainly NOT trying to justify any abuses of authority or trust. That being said, just because you don't see the "boogey-man" doesn't mean he's not there. Does this mean security should have authority to do cavity searches on everyone? No. But the fact that such a measure is extreme doesn't mean someone isn't trying to do you harm. Do some threats get blown out of proportion? You bet. A vigilant public and other professionals are awesome checks against overreach, though. Just as not every threat is realistic, not every threat mitigator is security theater. We'd all do well to keep this in mind.
There are a load of others I would add but I feel as though this list does a great job of illustrating the power of words in our industry. Please use them carefully. If you have more, let me know.

Wednesday, April 16, 2014

25 Items Every Security Professional Should Carry On-Site In Case S--- Hits The Fan

A picture of my "get-home bag"

I had the privilege of working as a private security officer as one of my first jobs after getting out of the military. I did this job in one of the most disaster-prone areas of the country - Florida. During my training and my time spent with coworkers and supervisors, I had many conversations about our duty to remain on-site during a natural disaster. These conversations had me asking many introspective questions about my own personal preparedness to fulfill this obligation. I knew I was highly trained and very skilled in providing the best protection possible for our clients. I was more concerned with the stark contrast between my preparedness when I did similar work in the military and my preparedness in this new arena as a civilian. In the military, my post was equipped with a gas mask, Chemical Biological Nuclear Radiation Explosive suits, food rations, a radio, and a huge support network. As a civilian, I had none of these to face similar threats. It was this realization that sparked my determination to "prep".

"Prepping" is the application of various disaster preparedness concepts for personal and group survival in the event of a disaster. It's that simple. No Rambo survivalist fantasy stereotypes. Just people who want to better prepare for disasters in order to survive. With that in mind, "prepping" seems to be one of the most overlooked portions of the security officer's toolkit. Most agencies assign you a standard list of mandatory items you need just to make it through a standard duty day. My hope is to provide you with a guide to get you through those not-so-standard duty days.

  1. Flashlights. This almost goes without saying, but I HIGHLY recommend carrying at least two more flashlights. In the picture above you will note two flashlights. I keep one for map reading and other minimum distance tasks. The other I use for longer distance tasks such as room clearing, site exploration, target acquisition, and signaling.
  2. Compass, binoculars, and maps. Loads of security guys will carry the flashlight and maybe a knife and first aid kit. Few see the utility of having additional roadmaps and a compass. These tools are valuable for a variety of reasons in disaster scenarios that range from giving directions and position location to rescuers, navigation from one point on-site to another, and mapping terrain features and other locations as temporary shelter locations should they be needed.
  3. Knives. I can't overstate why having a knife is a good thing in a disaster. There's practically an encyclopedia's worth of knowledge of the best utilities for a knife. I won't go over any of them here. However, I would like to specify the types of knives you should consider. I carry a defensive knife, three multi-tool knives, and a hunter's knife. These knives each serve a multitude of purposes and have served me in more ways than I can articulate in this space. Suffice it to say, if you don't get how these could benefit you in a disaster, then I suggest you get yourself in a situation where you need to cut, pry, hold, clamp, or stab something without them.
  4. Notepad. Keep a notepad handy should you need to keep track of people in your area, emergency responders you've made contact with, how many people are on-site, etc. Use this notepad for anything and everything you feel you need to keep track of.
  5. Tape. In my photo, you will notice electrical tape. I keep this tape in my kit mostly because this is my go-to tape for work and I keep it in the bag I take with me most in the field. It's also handy to have in my car for various vehicle breakdown scenarios. Before you ask, I also keep duct tape handy. It's in another bag, but I do have it and would use it over the electrical tape. The most important thing for security officers to note is the practical uses tape could have in a survival situation. In most cases, we use tape to keep things stuck together. There are a few more uses for tape other than this. I have used tape to close bandages, mark areas I cleared, hastily label items, etc. Just like knives, tape is another subject where the uses in a disaster are too numerous to discuss here. To say the least, if you don't already, keep some tape in your gear.
  6. Cottonballs. I keep cottonballs in my kit for two reasons. The first is to have them to use as a dressing for wounds. The other is to use them for kindling in case a fire is needed. You may scoff at the idea of needing a fire on a standard duty day. However, remember this list is for those non-standard duty days.
  7. Whistle. It's a secondary communication device.
  8. Lighter and "strike-anywhere" matches.
  9. Signalling mirror. This is another communication device.
  10. Address book. I keep all of the important numbers and information I may need in case cell service is out or my phone is dead. Most people are caught off-guard by how fast cell service goes out in disaster scenarios. Having a copy of your most important numbers is very important. You should consider having the numbers for:
    (a) Your local police and fire departments
    (b) Your home numbers and those of family members you may need to inform.
    (c) Your employer's numbers
    (d) The National Weather Service Dial-A-Forecast for your local area
    (e) 511 and 311. This will provide local government information and traffic information.
    (f) Local friends who may have some situational awareness about what's happening.
  11. Debris mask. This is no substitute for a full respirator or gas mask but it could prove vital if the need arises.
  12. Gloves. I normally carry both latex and work gloves. The latex I use to mitigate exposure to bloodborne pathogens, while I use the work gloves to mitigate exposure to various temperature fluctuations, rain, sharp or abrasive materials, and to gain better traction when gripping certain objects.
  13. Paracord. Seriously, I don't have enough space in the world to discuss paracord. Get educated on how useful just a few feet can be, if you're not already, and I guarantee you'll be carrying it daily as a part of your kit.
  14. Basic tools. Screwdriver with multiple bits and a hex lock tool. Also, if your bag allows, consider carrying a hammer and camp axe.
  15. Emergency blanket.
  16. Miniature towel.
  17. Portable poncho.
  18. Basic first aid kit with bandages, supplies for tourniquets, and other items you have been trained to use in a medical situation.
  19. Food. I pack food for sustainment and morale purposes. In other words, in my kit, you will find food for meals, like MREs and other high-calorie meals, and food for morale, like snacks and some candies. Anyone who has ever had to eat the same meal over and over again or who has had to "stretch" a meal out over a few days knows the power having some variety in between can have on your morale.
  20. Water and purification tablets. The water goes without saying. There could be a situation when you're stuck on site but with limited water options. Having water on hand and having the ability to purify the available water on-site will ensure you're meeting one of the most important survival needs.
  21. Clothes. Ever been on a patrol and got rained on? I have and the impact it has on you physically and mentally is taxing. Physically, you can suffer from hypothermia and all the ugliness associated with that. Mentally, there is nothing better than knowing you can periodically change clothes if needed. Anyone who has ever been rained on during a foot patrol can attest to this.
  22. Boots. See clothes.
  23. Rucksack or versatile tactical bag. The bag you see pictured above is what my wife has deemed my "tactical man-bag". All joking aside, having a good bag to store your gear is of the utmost importance. If you don't or can't go with a bag, then I suggest obtaining a pouch wherein you can carry your basic personal survival stuff in a pocket or some other storage compartment. You should test any bag to its limit. My recommendation, if your budget can handle it: buy a rucksack from the folks at GoRuck and evaluate the bag through their course. I have been meaning to do a GoRuck Challenge just for this purpose. There's no better way to see how your bag holds up than through some stress. GoRuck puts on challenges that will do just that and give you some idea as to where you stand with another critical survival tool.
  24. Conditioning. I hated this word in high school. It meant long runs and grumpy coaches. It also meant I would be better prepared for whatever the opponents threw at us that season. The same goes with disaster prep. You should be engaging in enough physical activities daily to prepare yourself for situations wherein your body could easily be the leading cause of death. Remember the first rule in the movie Zombieland was Cardio.
  25. Train. The items on this list are dependent on the most important tool you always carry with you - your mind. Please, don't buy any of the items on this list unless you feel you can adequately use them to save your life or the lives of others. In other words, if you don't know how to use the tool, find some training to figure it out or practice with the tools until you get it right. These items require the same amount of dedication to master as your firearm or other relevant security tools.
This list is by no means all-inclusive. I will admit I have missed some very important stuff. However, I think I have covered the basics. Let me know if you have any other items you would suggest security officers carry should they find themselves in a disaster situation.

Video: The Story of Glenn Duffie Shriver - Student, Chinese Spy


Many times, when we hear the Chinese have recruited spies on US soil, they are normally Chinese-American scientists. Like most foreign intelligence services (FIS), the Chinese realized it would be much more valuable to have someone who could get inside the Central Intelligence Agency who perhaps wasn't Chinese-American. Meet Glenn Duffie Shriver, a Michigan college student Beijing recruited to join the CIA in 2007. Although he failed to matriculate into the agency, he was paid over $70,000 to do so. American counterintelligence discovered this recruitment and prosecuted Shriver. Subsequently, in 2010, he was sentenced to four years in federal prison for committing espionage for a foreign government. The video above describes Shriver's recruitment, the consequences of his actions, and subsequent attempts by the Chinese to recruit agents from backgrounds similar to Shriver's.

Here are some resources to learn more about Shriver:






Thursday, April 10, 2014

How And Why Mass Violence At Schools Happen


There's been yet another act of mass violence at a school and, of course, the media has lost its mind. People are wondering how this could have happened and why. As security professionals, we know these questions are not new and neither is the answer. For those in the field, bear with me; I'm going to go over how and why these things happen.

  1. It has nothing to do with WHO at times and more with WHERE. Let me explain. We always assume people target us because we mistakenly believe the target is "special" to the attacker in some sort of way. This is a common theme in our attempts to understand attacker methodology with respect to terrorism. All over electronic punditry, we're saturated with folks who proclaim "they attack us because they hate us." So this has become our mantra for every attack of any variety. What we fail to account for is that it's not entirely about who they attack but where. On Twitter, I have been practically shouting that, when it comes to mass violence, one of the key ingredients, if not the key ingredient, is the presence of crowds. Nothing is more appetizing to an attacker than making his attack seem grand and above-average, for a swath of reasons I'm not qualified to adequately explain here. Let's just say, you should NEVER EVER be surprised by the actions of mentally disturbed people.

    Crowds are also, normally, not difficult to get large casualty numbers from. Think about the last time you were at a baseball game or major sporting event. Ever notice the large crowd at the ticket or embarkation areas? As a security professional, whether you're working or not, this is perhaps one of the most precarious chokepoints to be at. A chokepoint is a place where people have no other choice but to be in order to go some place. Everyone working anything from Secret Service to convoy security will tell you to ALWAYS avoid chokepoints. Why? They offer the presence of crowds, very narrow escapes for victims, and the ability of attackers to conceal themselves in the crowd.
  2. Violence has very little to do with the tools. Think about that for a second. I have made it no secret I enjoy guns. I do. However, I also understand the temptation to want to ban them. I've seen the statistics and the simulated models in whitepapers from folks who have never fired a gun or actually witnessed violence. I have a problem with this overly simplistic conceptualization of the problem. Erroneously, we believe the issue is with the mass proliferation of guns. Unfortunately, the discussion rarely acknowledges the socioeconomic, psychological, political, and cultural issues that drive some violence. More importantly, we ignore what mankind has known for decades - you can ban the tool but violence will always remain and the loss of any life is intolerable. Do you think if mankind had no guns he wouldn't find a better way to commit acts of violence? Think about that for a second. We had no electric chair until Thomas Edison did a proof-of-concept demonstration to show the dangers of electricity. Man will always find ways to commit acts of violence against one another for whatever reason he deems fit. This is not to say we can't have mitigators in place, but we can't for one second believe we're getting rid of the problem solely with a ban of the tools or knee-jerk "reforms".
  3. People mistakenly use "mitigation" and "prevention" interchangeably. Security professionals understand the difference between the two. Webster's defines "mitigate" as "to make (something) less severe, harmful, or painful". Many people believe we can prevent acts of mass violence "if only we do X, Y, or Z." There's a huge fallacy that we can prevent crime. This comes from a sublime arrogance of humans who believe we can stop our fellow man from acting out against us.

    The issue may seem to be one of semantics but I argue that it's not. You can't "prevent" me from speeding. Only I can do that. I used an analogy the other day where I articulated, "Just as Match.com doesn't make marriages, you can't 'prevent' crime. You can set conditions with good mitigators but ultimately the decision to move forward or stop is on the principal actor(s)." Think about that for a second. No matter what measures you put in place, whether it's a guard at a school or metal detectors, my ability to accomplish the task of killing a large number of people at a particular location is solely left to my motivation, intelligence, ability, and imagination.

    I have long argued that we have to move away from the idea that we can "prevent" crime to one where we "mitigate" attacks. A while back, I said people mistakenly believe by locking a door that somehow they have thwarted a burglary without seeing any firsthand information a burglar attacked the door and left because it was locked. Yet, everyday, most of us lock our doors anyway thinking we're doing crime "prevention" when in fact we're doing crime "mitigation". Mass violence occurs many times because we mistakenly believe our mitigators can prevent it.
  4. We rely too heavily on certain mitigation tools. Having an armed guard at a location is a mitigator, not a prevention tool. The guard is there to ensure you have the means to adequately respond to acts of violence until police arrive. School administrators have for far too long relied on guards as prevention tools and have stopped doing other things which are more effective in mitigating these acts, like deploying good cameras, training personnel on monitoring camera feeds, practicing lockdown procedures with teachers and other staff during non-working hours, talking with local police about their capabilities, training staff on conflict deescalation, and paying attention to warning signs.
  5. We don't train staff on attack methodology and psychology in school. Teachers and other staff are often taught how to respond to these events, which is great. However, solely doing this ignores how often teachers and staff are the best sensors we have for students who may be a danger. Many times, they may observe a student doing reconnaissance or testing security and not even know it. Imagine how many lives could be saved if teachers and staff had a threat working group chaired with the school safety official and principal in schools where these incidents have taken place.
  6. We used to do a really good job of being very proactive with mental health incidents in this country. I'm not advocating going back to asylums. Most were fraught with abuse and shoddy practices. No, what I want is for us to become much more proactive with mental health. We can no longer see mentally ill people as "someone else's problem". Mass violence has taught us we can no longer think of it like this. Yet, we do. When we removed the ability of doctors and other mental health professionals to intervene immediately and possibly treat long-term issues, we placed our citizens at risk. How? When most seriously mentally disturbed people come to the attention of authorities, it is often too late, and the options for how long and where they can be adequately treated have greatly diminished. In some jurisdictions, the police can only place you on a "mental health hold" at a local mental health facility for 72 hours or less, in many cases. If you don't exhibit the behavior further and can be treated, you're out.

    As a former law enforcement officer, I can tell you the most distressful call to go to is a mental health one. Given that most mental health hospitalizations are never found on background checks for firearms (either because they legally can't be or because no measure exists to enable it), the problem grows exponentially worse. Many of those who have committed acts of mass violence had already been diagnosed as being seriously mentally ill but couldn't be put in long-term care because they hadn't been deemed a danger, and even if they had, I'm unaware if this would have barred them from having firearms (as discussed previously, I'm not sure a ban for them would have been effective in preventing violence in some instances).
I understand this list is not all-inclusive but this is how I see the problem in a more condensed manner than I believe can be adequately addressed on a forum such as this. You may have other solutions or know of other ideas. As always, they are greatly appreciated.

Tuesday, April 8, 2014

KiteString - A Web App That Could Save Your Life



I'm all about the use of automated tools as force multipliers in security. Whether you're protecting your home or office, you can always benefit from having an automated tool to help you out. Just remember the biggest vulnerability begins with the user. The folks at KiteString have done an awesome job of creating a wonderful web application that could actually save your life.

KiteString is a check-in service, wherein you create a list of contacts, a check-in phrase (optional), and a duress word (also optional). You also supply the service with your estimated time of arrival at your location. When you fail to check in via text, the app will notify your emergency contacts.

Who can benefit from a service like this?

  • Victims of domestic violence
  • Stalking victims
  • People concerned with overt threats against their lives (witnesses in criminal cases)
  • Parents of children who travel or who are mobile
  • Senior citizens who need to notify their children should they not arrive somewhere
  • Security enthusiasts
  • Private investigators
When coupled with tools like Tasker, Guardly, Locale, and now, KiteString, the possibilities for what you can do with respect to emergency notifications are endless. I'll be doing some side projects with this service to see what else you can do with other tools working in conjunction with KiteString.
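
A minimal model of the check-in logic described above, added here as an illustration; it is not KiteString's code. The grace period, the reply wording, and the duress behaviour (contacts are alerted while the sender gets the normal confirmation) are assumptions, since the post only says the phrase and duress word are optional.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

OK_REPLY = "Thanks, you're checked in."  # constructed wording, not the service's


class State(Enum):
    ACTIVE = "active"          # trip running, waiting for a check-in
    CHECKED_IN = "checked_in"  # traveller confirmed arrival
    ALERTED = "alerted"        # emergency contacts have been notified


@dataclass
class Trip:
    contacts: list[str]
    eta: datetime
    grace: timedelta = timedelta(minutes=5)  # assumed slack after the ETA
    checkin_phrase: str | None = None        # optional, as in the post
    duress_word: str | None = None           # optional, as in the post
    state: State = State.ACTIVE
    silent: bool = False                     # True once the duress word is used
    outbox: list[tuple[str, str]] = field(default_factory=list)

    def _alert(self, reason: str) -> None:
        # Send each kind of alert once, to every contact.
        if any(r == reason for _, r in self.outbox):
            return
        self.state = State.ALERTED
        self.outbox.extend((c, reason) for c in self.contacts)

    def tick(self, now: datetime) -> None:
        """Called periodically: fire the alert once the deadline has passed."""
        if self.state is State.ACTIVE and now >= self.eta + self.grace:
            self._alert("missed check-in")

    def on_text(self, body: str, now: datetime) -> str:
        """Handle an inbound text; returns the reply shown on the sender's phone."""
        self.tick(now)  # a late text must not cancel a missed-deadline alert
        msg = body.strip().casefold()
        if self.duress_word and msg == self.duress_word.casefold():
            self.silent = True
            self._alert("duress word received")
        if self.silent:
            # Same reply as a real check-in, so someone reading the
            # screen cannot tell that help was called.
            return OK_REPLY
        if self.state is State.ALERTED:
            return "Your contacts were already notified."
        if self.checkin_phrase and msg != self.checkin_phrase.casefold():
            # Wrong phrase: the timer keeps running toward the alert.
            return "Phrase not recognised."
        self.state = State.CHECKED_IN
        return OK_REPLY


def demo() -> dict[str, tuple[str, str, int]]:
    """Run four constructed scenarios; returns (last reply, state, alerts sent)."""
    t0 = datetime(2014, 4, 8, 22, 0)
    eta = t0 + timedelta(minutes=30)

    def trip() -> Trip:
        return Trip(["alice", "bob"], eta,
                    checkin_phrase="home safe", duress_word="pineapple")

    results = {}
    cases = {
        "on_time": ["  Home Safe "],
        "wrong_phrase": ["ok"],
        "duress": ["pineapple"],
        "missed": [],
    }
    for name, texts in cases.items():
        t, reply = trip(), ""
        for body in texts:
            reply = t.on_text(body, t0 + timedelta(minutes=10))
        t.tick(eta + timedelta(minutes=5))  # deadline check after the ETA
        results[name] = (reply, t.state.value, len(t.outbox))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The duress and wrong-phrase cases are the ones worth testing in any real deployment: a mistyped phrase should fail safe toward an alert, and the duress reply should be indistinguishable from a normal confirmation.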