[SecurityRatty] tag: protective

The Importance of Advance Planning in Executive Protection

Sun, 12 Oct 2008 16:10:00 +0000

I was delighted to see the Herald Standard quoting an executive/close protection agent regarding the importance of Advance work.

Sy Alli is an E.P./C.P. team leader for "Limited Brands Inc.," and was speaking at the California University of Pennsylvania's 2nd annual conference on Corporate and Homeland Security.

Mr. Alli was describing a previous trip to Indonesia where he was in charge of the advance to make sure everything was in place before the Principal arrived out with the other protective agents. Very accurately, he described the need to cover every minute detail from the routes of travel to the alternative routes and to include such important features as local hospitals should medical treatment be needed.

Another important point highlighted was the need for agents to have access to contacts in different countries who could assist with logistics, general and specialized support on the ground, current political situations, etc.

Far too often I am approached by security persons (and not even all are qualified/trained in executive or close protection)who find out that we may have overseas work and want to be included. On some occassions, those requesting to be included on the detail did not even have a current passport!

If you are serious about making a career out of this line of work, you owe it to yourself to do your homework. Over the years I have developed hundreds of contacts all over the world who will respond immediately and who can be trusted to support us in any number of situations and scenarios.

This took a lot of preparing and involved constant contact. It is not something that you throw together a day before your client is scheduled to arrive in a country. If you have people in different parts of the country, or world if you wish to work globally, who can assist when you are in need, you will be able to facilitate your client in a way that will not only gain his/her admiration, but will undoubtedly cement your position in that client's security detail.

In these unsure times, there is a lot to be said for knowing your job is safe for the foreseeable future.

Password Protector Program Free in Beta

Fri, 19 Sep 2008 07:49:10 +0000

A new type of “virtual keyboard” system may help Windows users protect their passwords from Trojan keylog programs — and it’s free in beta form for anyone to try.

Darkreading describes how it works:

the software flashes a virtual keyboard onto the video display that flickers the characters on and off at high speeds, with the keys displayed in random locations on the screen rather than as a standard Qwerty keypad. As soon as the user types a character in his or her password on the virtual keyboard, that key is moved to another location on the keyboard.

In tests with large, powerful malware programs, the keyloggers could only read information in the dialog window, and missed the characters flying around the screen.

It sounds like a smart idea, but the question is, will the people who are likely to have problems with Trojans be the same kind of people who would find, download and use this protective software?

Wakeup Call for Risk Management

Fri, 19 Sep 2008 06:11:09 +0000

Blogger: Dan Blum

With the crisis in financial markets still unfolding, it is important to draw what lessons we can from the experience. Since the roots of the crisis lie in a monumental failure of risk management, it’s important to understand more about what happened, and then draw some parallels to our business risk management and IT risk management situations.

The risk management failure in the housing market and on Wall Street had multiple interdependent dimensions:

Mortgage lenders abandoned long standing prudent loan practices. They made too many loans that buyers might not be able to repay. Exotic instruments like ARMs, option ARMs, and interest only loans proliferated. In many cases, all pretense of lending standards were abandoned, so-called “liar loans” approved.
Capital was grossly over-leveraged. Mortgage lenders and other financial services packaged loans into securities, which they sold to raise capital to support more lending. Real capital reserve requirements to back loans were reduced. Of course, if borrowers could not repay loans, all or parts of the derivative securities would become worthless.
Risk was aggregated at Fannie Mae, Freddie Mac, and mortgage loan insurance companies. These companies bought or insured some mortgage loans, providing something of a backstop should loans fail. Government sponsored enterprises (GSEs) Fannie and Freddie in turn became over-leveraged and securities that they sold were in turn repackaged in the murky brew of mortgage-backed securities called collateralized debt obligations (CDOs) and other exotic instruments returning generous yields.
Non-Caveat Emptor. Institutional wealth funds and financial services firms who should have known better bought securities that had been deliberately structured to obfuscate risk. They bought securities they didn’t understand with buried tranches of toxic subprime loans..

It was a great Ponzi scheme – one that kept working as long as housing prices were going up; the recipients of subprime loans could always flip that house to the next buyer. Everyone made money. As Chuck Prince of Citigroup famously put it during a July, 2007 interview: “So long as the music is playing, you’ve got to keep dancing. We’re still dancing.” But one month later, the music stopped. Since then, Citigroup and other financial institutions have taken massive writeoffs with more to come. Wall Street titans like Bear Sterns, Lehman Brothers, Merrill Lynch, and AIG have fallen or been bought out.

What can we learn from this risk management debacle?

As business risk managers and investors, we should ask questions like these:

Does the executive incentive structure of the company encourage managers to dance around risk? Many Wall Street firms paid senior managers 5 times their salary in bonuses tied to annual growth alone.
Is the company over-leveraged? Is it borrowing too much money and betting it on ventures with uncertain outcomes?
Are financial models used for risk management realistic? Earlier, I described the mortgage market of the past few years as a Ponzi scheme, where risk management models must have assumed prices would keep rising. Unlike the dotcom boom whose demise many predicted, very few in the industry foresaw the sharp declines to come in housing prices and sales volumes. Historically, the U.S. housing market has been a steadily rising one, but on the other hand the 2000s saw unprecedented rates of price increases. In reality, what goes up must come down.
Has your company’s risk council ever performed worst case scenario analysis and built adequate reserves? In the days before economics emerged as a would-be “hard” deterministic science, business leaders may have been more cautious, more aware of and more accepting of uncertainty. Events like the Great Tulip Bubble came once in decades or centuries – not every few years. Note that legendary investor George Soros has proposed a Theory of Reflexivity that, if true, helps explain the recent extremes of boom and bust cycles. This theory holds that market participants model market behaviors based on self-interest, and for a time, their manipulations change the reality of the market – until gravitational forces bring it back to earth. Has the music of ephemeral success played to the backbeat of deterministic-sounding economic models gone to your heads and infected your risk management models?
Are cost cutting efforts pursued blindly? Outsourcing and other forays into treacherous global waters may be giving away the crown jewels. Smart companies cut costs, but they do it in smart ways. Smart companies think like intelligence agencies as they parcel out work to different partners with varying levels of dependability, and they check on those partners.

Risk management failures can also occur at the more technical level of IT security. As IT risk managers, we might ask questions like these:

Are the accounting and financial systems your IT department supports under adequate control? As Fred Cohen wrote in one of our documents: “Many companies use computers to manage financial systems, and despite the Sarbanes-Oxley Act (SOX) claims about accounts being properly kept, there are many attacks on financial systems that remain. For example, most of the largest financial systems in the world running on common financial databases do not use double-entry bookkeeping and are thus susceptible to all manner of frauds by insiders.” We find it troubling that a prudent control dating back to the 12th century is going out of style in the name of convenience and cost cutting. Kind of like credit checking became anachronistic during the housing bubble, eh?
Is the “separation” in your “separation of duty” (SoD) for real? Sure the SOX auditors are looking for SoD, and maybe you have different administrators with different accounts maintaining different systems or functions. But when they say Western civilization may be but one weak password from collapse they’re not lying. Look what happened to Sarah Palin’s email account! Weak and straggly SoD is a problem across all critical IT systems where deperimiterization and server consolidation may be bringing down protective barriers, identity management is weak, and strong process controls (e.g., where two people must sign on, one perform a critical operation such as backbone router reconfiguration, and the second observe) abandoned in the name of expediency.
Are risks being aggregated to unacceptable levels in centralized control systems? There are many ways that risks aggregate within enterprise IT infrastructures as we pursue automation and cost cutting. Network risks aggregate when centralized domain name system control is implemented. Application risks aggregate when common infrastructure is shared among applications. And enterprises aggregate platform risks when they use low-assurance endpoints, authentication, and directory systems with single sign-on to access large numbers of resources and don’t separate high consequence systems.
Non-caveat emptor: Has IT security really done the worst case consequence analysis, attack graphs, and vulnerability analysis to know when putting more eggs in a supposedly stronger basket aggregates risks to an unacceptable level? Or are you depending only on vendor claims about some black box appliance equivalent of a risk-obfuscated CDO security? Caveat emptor (buyer beware) again! (The good news is we’ll keep talking about promoting vendor and product rating systems so you don’t have to do all the detailed product analysis yourself, but that’s another post.)

There are many parallels between the monumental risk management failure in the financial markets, and the probable weaknesses in our day to day business risk management and IT risk management. Abandonment of prudent practices for profit; excessive leverage and centralization; ill-constructed risk analysis models; risk obfuscation; and a failure of caveat emptor seem to be common problems. Please take this as a wakeup call to sharpen up the risk management thinking, process, and execution.

Dumb Luck IS a Strategy!

Thu, 18 Sep 2008 05:38:00 +0000

While still at GOVCERT.NL, I've attended a fun little presentation, describing a penetration test (I cannot provide any more details as it was a "No Press" presentation - this post is not about it, but rather was inspired by it!)

In any case, if you do pentests, think about all the RECENT cases where you break in to a major corporation through:

a Solaris system with Internet-exposed telnet with a guessable password OR a telnet vulnerability (circa 1994!)
an exposed VPN appliance with a manufacturer's administrator password
a router with default "enable" password
or, something else entirely - but something that rivals the above example in its unparalleled, unbelievable, abysmal, deep idiocy.

Indeed, many of my pentesting friends still report plenty of such cases (one was also featured in the presentation mentioned above). Whenever I hear about it from a pentester, I always ask:

Do you think "somebody bad" had already passed through the hole you just discovered?

Maybe an hour ago, a day ago - or a year ago?!

I cannot see how the answer can be "no."

Even though pentesters usually don't focus on forensics (no time for this), it is not uncommon to notice "your predecessor's" intrusion traces while you break through systems, "plant flags", change screen backgrounds [for the admins to notice that you've been there...], etc.

Let's think what this situation really means? Here are the choices I see:

Nobody discovered the hole - a law of large numbers (aka "dumb luck") have "shielded" the company from an incident. Yes, Virginia, dumb luck IS a security strategy for some companies... AND it works for them.
It was discovered, but not used/abused by the attacker - maybe he was busy hacking other systems, or saved this for later and never came back due to his ADD. Congratulation, you win! The immense power of dumb luck wrapped you in a protective "security" blanket ... again :-)
It was discovered; the attacker went in, looked around and compromised a few others systems, but found nothing of interest (no low hanging fruits) - and he was not a bot herder. Again, you win. Next time you are in Vegas, bet on "00."
It was discovered; the attacker went in and deployed a bot on "your" system - given how many botnets are there, this situation is clearly acceptable to many organizations. In this case, dumb luck strategy, apparently, still work: so they use your box to spam and phish somebody else ... big deal!
It was discovered; the attacker went in and stole all your credit card information (it is now for sale) - even in this case, the user of "the dumb luck strategy" still "wins" (in some perverse sense)! Unless and until the stolen information IS tracked back to you OR a friendly neighborhood PCI auditor come and jams a broomstick up your ..., you can still continue to be stupid at your leisure and ignore basic security practices.
It was discovered; the attacker went in and stole your CEO's Inbox, including the email related to his affair (it is now on CNN) - now, in this case, you lose AND it is time to stop being stupid! Welcome to the "0wned world." Time to launch (relaunch?) your security program and get serious.

What does this teach us about RISK? The lesson here is important:

For a security professional, an Internet-exposed system with "root/root" is an obvious HUGE risk!
For your boss's boss's boss, it is NOT!

This is exactly why I think that the most critical problem in security today is METRICS. Metrics that a) work AND mean something to decision makers and b) can be clearly communicated to said decision makers [BTW, a) and b) are two separate problems.] Metrics that cover not only threats and vulnerabilities we face, but also the effectiveness of security countermeasures we deploy. Metrics you can act on - and ones your boss (and his boss) will act on. Metrics that lead to correct decisions about which risks to accept, which to mitigate (all while knowing with what efficiency such mitigation occurs) and which to transfer.

Until that time, the dreaded "C-word" (compliance) will trump "the other C-word" (common sense) as a driver for security ... and we will continue to live in the "0wned world."

Possibly related posts:

Risk vs Risk

8 laptop bags that will speed you through airport security

Sat, 13 Sep 2008 20:00:00 +0000

While no one questions the need to properly scan laptops when going through airport security, the requirement to remove them from their protective cases is a different story. "Naked" notebooks can easily get dropped, damaged, forgotten and even stolen outright. One study done for Dell estimated that about 12,000 laptops are lost in U.S. airports every week -- a claim that has been challenged by the Transportation Security Administration (TSA) . Whatever the numbers are, you don't want your machine, with all its precious data, to become a statistic.

NIST revises SP800-60 Volume 1: Go forth and classify

Fri, 15 Aug 2008 04:33:00 +0000

According to GCN, NIST has released a revision to SP800-60 Vol 1 and Volume 2. The two-volume Special Publication 800-60 Revision 1, “Guide for Mapping Types of Information and Information Systems to Security Categories,” is a revision of guidelines published in 2004.
Asset and data classification is the keystone to building proper protective schemes. Simply, if you don't know what you have, you can't apply the appropriate levels of value and importance.
SP 800-60's intro reads:
"The identification of information processed on an information system is essential to the proper selection of security controls and ensuring the confidentiality, integrity, and availability of the system and its information. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 has been developed to assist Federal government agencies to categorize information and information systems."
Give this document a read; while it is geared to a federal agency audience, it is entirely useful for baselining your own classification process.

Are the Inmates Running the Jails in Maryland?

Sat, 26 Jul 2008 00:29:00 +0000

The front page of today's Washington Post tells us that the Prince George's Facility has come under scrutiny after the sudden death of Police murder suspect, Ronnie L. White.

The Post lists a number of correction officers who have been investigated, suspended and even jailed for wrong doings. One 13 year veteran was convicted on second degree assault after he beat a woman so badly that he broke her rib. That was not his first violent outburst however. In the late '90s his then wife had to get three protective orders issued against him.

In 2004, he pleaded guilty to breaking a woman's rib. The woman whose rib he broke was pregnant with his child. A judge put him on probation for that assault and ordered him to take anger management classes. The child that the woman was carrying was not so lucky. She miscarried days afer the beating.

The jail which incarcerates 1500 inmates, is said to be overcrowded by Government reports. The jail was built to hold 1330 inmates. One hundred and seventy extra inmates is hardly a serious "overcrowding" problem. The reported number of correction officers at 450, means that the ratio of imates to officers is not even 4:1. Compare that to a place like Riker's Island in New York City where the ratio of inmates to officers is probably closer to 25:1 and you will see that the officers in Maryland should not have many reasons to complain.

Of course, they should not have any reason to break the law either, but they do. Take the case of Renardo Humphrey, for instance. He was jailed this week after being convicted of armed robbery. Along with four others, he held up a couple of teenagers. Then there is Officer Kenneth Paul St. Clair, who joined the Department in 2004. This oxygen thief was convicted of second degree child abuse involving an 11 month old baby boy.

According to Police reports, the baby suffered multiple rib fractures, a skull fracture, internal bleeding, bruises on his face, chest, forehead and a bite mark on his shoulder. If I ever receive a call from a telemarketer tying to solicit money from me to support the fine upstanding members of the Prince George's Correction Department, I will make sure I tell him the story of the the little baby boy that was brutalized by one of his clients.

You may wonder why supervisors do not take more action and do not closely monitor the staff who apparently have a lot of anger management problems. Some Departments admitted that they only do background checks when officers are going for promotion. Therfore, if an officer is prone to beating up little babies and pregnant women, he just might go about his merry way without ever coming to notice - just so long as he does not seek promotion.

It would seem that all is not well with the Maryland Penal system. Perhaps a good overhaul is called for. It is not too much for society to expect that those who are entrusted with great authority do not abuse that authority. If they do and start behaving like those who have been removed from society, then they too should suffer the same fate.

Homeland Security Cost-Benefit Analysis

Thu, 17 Jul 2008 02:43:25 +0000

This is an excellent paper by Ohio State political science professor John Mueller. Titled "The Quixotic Quest for Invulnerability: Assessing the Costs, Benefits, and Probabilities of Protecting the Homeland," it lays out some common send premises and policy implications. The premises:

1. The number of potential terrorist targets is essentially infinite. 2. The probability that any individual target will be attacked is essentially zero. 3. If one potential target happens to enjoy a degree of protection, the agile terrorist usually can readily move on to another one. 4. Most targets are "vulnerable" in that it is not very difficult to damage them, but invulnerable in that they can be rebuilt in fairly short order and at tolerable expense. 5. It is essentially impossible to make a very wide variety of potential terrorist targets invulnerable except by completely closing them down.

The policy implications:

1. Any protective policy should be compared to a "null case": do nothing, and use the money saved to rebuild and to compensate any victims. 2. Abandon any effort to imagine a terrorist target list. 3. Consider negative effects of protection measures: not only direct cost, but inconvenience, enhancement of fear, negative economic impacts, reduction of liberties. 4. Consider the opportunity costs, the tradeoffs, of protection measures.

Here's the abstract:

This paper attempts to set out some general parameters for coming to grips with a central homeland security concern: the effort to make potential targets invulnerable, or at least notably less vulnerable, to terrorist attack. It argues that protection makes sense only when protection is feasible for an entire class of potential targets and when the destruction of something in that target set would have quite large physical, economic, psychological, and/or political consequences. There are a very large number of potential targets where protection is essentially a waste of resources and a much more limited one where it may be effective.

The whole paper is worth reading.

Work-place violence kills many U.S. workers every year.

Sat, 12 Jul 2008 14:28:00 +0000

Our company is hired regularly to make sure that fired employees do not come back to work and kill a supervisor or fellow colleagues.

When people hear that Corporations hire bodyguards to work in their Corporations pending and following company terminations they are surprised. This surprises me. Every year, workplace violence makes the "top ten" list of serious concerns facing U.S. businesses.

Yesterday, on WTOP radio station I heard the phrase; "Desk Rage" for the first time. Unfortunately it is very appropriate. Some people have very bad tempers and an argument or decision at work can lead to them getting a weapon and committing homicide. This was evidenced a couple of weeks ago in Kentucky when five factory workers were killed by an employee who had been slightly reprimanded.

Employers do have a responsibility to ensure a safe work place environment. That is the reason companies hire us. If we are called in and are onsite when a violent worker returns intent on hurting people, we will be the ones to stop him or her from committing the act.

Fellow workers should report incidents involving any type of inappropriate behavior, especially instances where people are likely to get hurt, or worse. Very rarely does an employee just go ballistic or "postal" for no reason. The most common cause of work place homicides are domestic situations. An employee with a dangerous spouse/significant other who has just been arrested on domestic violence charges or has been served with a protective should be brought to a supervisor's attention immediately.

With so much rage in schools, on the road and in the home, the Police have their hands full just reacting to situations where many times the SWAT team will be called in. Private security companies are a great resource to the business community as Police do not have the resources to sit for days and wait to see if something will happen.

Be part of the solution. Report all potentially dangerous situations in the workplace to a supervisor.

When does a bodyguard need to shoot into a crowd?

Tue, 24 Jun 2008 19:28:00 +0000

A story out of Mumbai,India caught my attention today. A politician's bodyguard shot into a crowd of people and killed a man.

While professional Executive Protection Agents no longer refer to themselves as "bodyguards", if we nonetheless examine that "handle", we can break it down as; "a person who guards (protects) the body of another". If I was tasked with the investigation of this shooting incident in India, one of the very first places I would look at would be the training manuals of those involved. If they were Policemen, I would demand to be allowed to inspect that Department's training guides that were used when training their "bodyguards". Same thing would apply if they belonged to a private company/entity.

I very seriously doubt that I would find any directive anywhere authorizing those assigned to the protective detail to fire haphazzardly into a crowd of people. To me, this suggests that the bodyguard either panicked or was placed in the position without any professional training (most probable explanation). Anyone who has spent more than 15 minutes in E.P. training knows that the responsibility of the Protective Agent(s) is to evacuate their client (Principal). Shooting into crowds of people would be out of place, even in far-fetched Hollywood. I am quite sure that Indian society is nothing near as litigious as it is here in the Western world, but I still suspect that there is a smart lawyer somewhere in India trying to contact the victim's family. I believe the case will be his for the winning.

Ironically, I contactd a company in India a couple of months back with a proposal to train their Executive Protection staff. Without ever hearing a price, they contacted me back and said they were sure they couldn't afford us (eventhough they are one of the largest employers in India). Which makes me wonder, how do you put a price on a human life and what would you consider a fair price to have your people professionally trained so that you were not sued by the family/next of kin of someone killed by one of your employees? By the way, this question can be asked of any employer anywhere in the world who is in the business of either safeguarding their own employees, or protecting the life of others.

In Real Estate it is about; "Location, Location, Location". In security, it is about; "Training, Training, Training". I sincerely hope that many get to know of this incident (including nearly all of the Hollywood stars who allow their Protectors to assault people on a regular basis)and begin to realize the importance of having a professionally trained person taking care of them. Hiring some big guy with a couple of years military experience is not good enough.

That would be like hiring a person for a plastic surgery procedure whose only experience was carving the Thanksgiving turkey. Who'd be the turkey then?