These days, aviation security news items simply boggle the mind.

There are toddlers appearing on no-fly lists.  An adorable, 18 month old girl is pulled off of a flight earlier this month.  The airline claimed she was on its no-fly list, due to computer glitch, and justified its action as following protocol.

There are emerging terrorist weapons which frustrate our technical security systems.  Terrorists are developing bombs that are non metal, made of hard to detect components, and are well concealed.

The public is increasingly impatient.  At this point, travelers are virtually at war with the TSA, their annoyance at long wait times bolstered by doubts as to our aviation security system’s effectiveness.

What these stories have in common, what’s at the heart of it all is the glaring absence of a logical, threat-oriented approach that looks for intent over means.  The toddler’s name could have appeared on 17 lists and she still would not have posed a legitimate threat.  A couple of questions and a little common sense would have averted that PR disaster.  Naturally, our enemies will be adapting their tactics based on our defense strategies; that is what enemies do.  And so we need to work proactively, thinking like the adversary.  Travelers and the public would be less frustrated if they were dealing with a security framework and protocols that make sense and puts us on the same team, fighting the enemy together as opposed to fighting each other.

Kudos to the CIA and its intelligence partners for foiling the latest Al Qaida bomb plot out of Yemen.  It appears the explosive device destined for a U.S.-bound flight was an improvement over previous models like the one used by Abdulmutallab aka the Underwear Bomber in December 2009.  The lead azide detonator is more reliable.  Being devoid of metal obviously makes this IED that much harder for screeners to find.  It would seem the al Asiri lab is making headway.

That terrorists are improving their methods and adjusting their attack strategies in step with ourimprovements to security methods and technology is surely no surprise.

Some public and media responses to this news event are disconcerting:

Reporter “There could be other bombers out there.”  Could?  There are surely many other bombers aching for the chance to hit the West, training and plotting as you read this.

A traveler interviewed by a reporter stated “we aren’t going anywhere near Yemen, so we‘re OK.”  A bomb can be infiltrated onto an aircraft in Yemen and detonated by a passenger terrorist flying to destinations across the globe.  Proximity to Yemen is so not the issue.

Once master bomb-maker al Asiri is stopped, the threat will abate.  Not if he is training a new crop of bomb makers.

The bomb never got on a plane, the terrorists accomplished nothing, so why make such a big deal out of this?  The government is trying to fuel panic to justify security expenditures.  It’s just politics.  While I’m sure there’s always a political angle, I’m likewise sure that there is a viable terrorist threat.  I haven’t heard an Al Qaida representative say “OK, you win.  We’ll stop now.”

CNN provides nice coverage here:

http://edition.cnn.com/2012/05/08/world/al-qaeda-evolving-strategy/?hpt=hp_t1

Tourists come to Tel Aviv, also known as “The City that Never Sleeps” to enjoy its beaches and cafes, its museums, funky architecture, vibrant culture and night life.  At the same time, Israel is a tiny country, with no shortage of enemies, often a target.  Israelis may well be fun loving and irreverent, but they take security very seriously.  There, homeland security is not theoretical but rather existential.  And thus Israel has earned the unfortunate distinction of being amongst the world’s best when it comes to security.

What better place, then, to learn about using a threat-oriented security approach than in Tel Aviv?  That is exactly what you can do this fall, by joining Chameleon’s Homeland Security Laboratory seminar, November 4-10.  Participants will study concepts and methods in the classroom, and will learn how to construct threat-oriented security based on adversarial methods.  Next step?  Test what they’ve learned in the field.  Part of the beauty of these basic principles are that they are applicable to any secured environment.  Attendees return home with an effective and useful toolkit, and an exceptional understanding of what it takes to make it happen.

A good deal of money is spent on trying to protect the world’s IT systems and assets.  The vulnerability of our collective, ever increasing dependence on computers and digital networks is a big deal.  Systems are bolstered with firewalls and protective software, they are subjected to ethical hacking.  But at the end of the day, all these efforts amount to bopkes if physical security has been neglected.

Chameleon has conducted security assessments for companies where it was far too easy for our red team to gain direct access to offices, servers and workstations.  You can spend millions on protection against worms and malware, but forget to lock a door or teach personnel how to avoid being socially engineered out of a password.

Stuxnet  is an example of an effective IT threat that was successfully delivered.  Experts agree that still, someone had to have access to some level of hardware in order for the scheme to work.  Maybe that access was made via social engineering, or via the recruitment of agents within a given company or manufacturing environment.  In any event, it was done the old fashioned way.  And without that access, the most elegant and sophisticated computer code would have no where to run.

Loss Prevention systems often miss the mark by skipping vital steps in SOP development.

My company was hired by a large food wholesaler to assess their loss prevention operations.  At that time, their shrinkage (defined as a reduction in inventory due to shoplifting, employee theft, paperwork errors and supplier fraud) was reported at 1.5 percent.  During a visit to the central distribution warehouse, our security consultant noticed a brand new Series 7 BMW coming on to the lot; the driver waved at the executive who was accompanying the consultant who asked  “Who’s that guy?”  “He’s one of the warehouse supervisors …”

This was the first of many suspicion indicators.  The warehouse supervisor’s salary was definitely not in line with the purchase of a new, luxury vehicle.  From that point, it didn’t take long to uncover an accounting discrepancy that revealed that certain company managers were enjoying a lucrative, side business.  Shrinkage was actually well over three percent and represented millions of dollars walking out the back door.  A lack of checks and balances and security quality control contributed to this client’s problems.

Since the latest economic downturn, many businesses have taken hits.  In response, budgets have been cut and one area that has felt the squeeze is Security and Loss Prevention.   Although I understand the motivation to reduce spending, theft is logically up during this downturn.  Global shrinkage rose to $119 billion in 2011, up 6.6% since 2010.  Each percent can translate to millions of dollars in losses, losses that could be averted through the implementation of proactive procedures which cost a fraction of the potential loss.

Our methodology is to think like a thief.  Looking at an operation from the point of view of an adversary forces a kind of third party objectivity.  In that mind set, it is easier to see the loopholes and identify the problems, for both external or internal threats.  Threat assessment findings must be rolled up into a solid SOP that reflects a carefully defined Loss Prevention objective.  Security efforts need to support that objective in the most effective ways.  And lastly, the company, security and loss prevention objectives should each complement the other.

Questioning is a critical component of any effective security system.  It’s a flexible, cost effective tool that also happens to be very powerful.  Questioning puts a potential criminal or terrorist on the defensive.  They know that the right questions can quickly reveal lying, malicious intent, and more.

Yet, as a skill, Questioning has been somewhat neglected by mainstream security.  Students in Chameleon trainings, once introduced to questioning and the methods around it, can’t get enough.  In part, it has been the consistent clamoring of our students for more that prompted the creation of this course.

Students taking Security Questioning 101 will learn what to ask, what to look for and why.  They will learn how to ask threat-oriented questions to deter, disrupt and prevent the bad guys from meeting their goals.  The course is interactive, informative and fun.

Chameleon also has a new Learning Management System platform on which it is debuting this newest online course offering.  The LMS allows managers to administer, track and monitor students’ progress through the course.

If we were to sit around and brain storm ideas on how to terrorize a given country, someone might come up with a plot that involved imbedding malware in IT and electrical components sold to enemy defense contractors or governmental agencies.  Whether the notion arrives as part of such a session, or out of the pages of recent history, thinking like the enemy is the only reasonable way to proactively strategize against a viable and potentially devastating attack.

What I may never understand is why

we are so slow to defend against this Trojan Horse-esque MO.  The U.S. GAO last week issued a report in which it identified risks associated with global supply chain procurement of IT equipment and software by some federal agencies.  Stricter procedures and measures must be implemented given the risk potential of this particular threat.  A strike to the technological heart of our critical infrastructure would obviously be crippling.

Not that it was necessarily virgin ground, but some would say that Stuxnet cleared the source code path for more attackers to engage in cyber warfare.  Whether that particular piece of malware is a milestone or not, defense against it cannot come fast enough for me.

One of the latest anti-TSA viral blogs circulating this month relates to how to beat backscatter x-ray machines.  Jon Corbett shows how he foiled the scanner at a number of airports by affixing a small metal box to the side of his clothing.  The box appears black at the edge of his white silhouette against a black background, rendering it invisible.  Between the public outcry regarding privacy issues and the questionable security this technology provides, the TSA has been installing new software on all millimeter wave imaging machines that eliminates the passenger-specific images and instead just indicates the location of potential threat items on a generic outline.  Official TSA Blogger Bob has further refuted Jon’s claims, stating that the x-ray machines are only one of twenty some odd security layers used by the TSA and that the TSA has and continues to thoroughly red teams the machines’ effectiveness.  Further, for security reasons, the public does not know everything and shouldn’t jump to conclusions.

I applaud the public debate and will leave Bloggers Jon and Bob and the Comment contributors to fight it out.  Although … I do have a problem with a remark I read that because no explosives have to date been infiltrated successfully onto a plane we are needlessly spending controversial money to defend against a problem that doesn’t exist because it hasn’t happened before.  This kind of thinking is most dangerous.  Even if it weren’t for the Shoe and Underpants Bombers, how would we know for certain that no one has infiltrated explosives onto a plane in the form of a dry run?  And, just because it hasn’t happened, doesn’t mean it can’t.  On September 10, 2001, one could have correctly stated that no terrorist had ever used an airliner as a bomb, at least not in the United States.  If anything, we are overly focused on defending against this one MO, to the possible exclusion of so many others.

Clever terrorists and thieves motivated by an important target patiently plan their attack, knowing that careful planning more likely begets success.  Case in point, the largest diamond heist in history was over three years in the planning.  Although the story of the Antwerp Gang of Turin robbery is remarkable for the amount stolen ($120 million worth) and the charming troop of aging Italian criminals that allegedly pulled it off, I was taken by the methodical preparation behind its success.  That, and the (in hindsight) Antwerp Diamond Centre’s over reliance on technology; few live security guards were on duty.

Posing as a company owner, Leonardo Notarbartolo rented an office in the Centre in November, 2000 where he worked as a diamond merchant.  Prior to the robbery on the weekend of February 15, 2003, he had made several visits to the vaults deep underground while also proceeding to obtain copies of master keys.   Over time, he learned how the alarm system worked.

The robbers chose a weekend when the city’s attention would be on the Diamond Games Tennis tournament attended by many Diamond Centre employees and for that matter, its security guards.  First the thieves bypassed the security camera system going so far as to replace the CCTV tapes with looped previously recorded footage.  Using the duplicate keys, they rode the elevator down to the basement, deactivated the motion sensors and taped over the light detectors to gain access to the vault.  The 12-inch thick doors were a challenge – they drilled holes into them, taping together the internal magnets that would have alarmed if detached.  Lastly, they broke into the deposit boxes and grabbed all they could.

They had memorized the surveillance patterns of the 24-hour police patrols outside the building, which aided them in escaping undetected.  In fact, the burglary was not uncovered for over 24 hours.

The robbers engaged in a good deal of activity over the course of three years, while planning the theft.  If Diamond Centre security had been looking for the suspicion indicators that this plan and its MO reflects, one wonders if there might have been a different outcome.  What do you think?

In preparation for the 1972 Summer Olympic Games in Munich, organizers asked Dr. Georg Sieber, a police psychologist, to sketch out the possible scenarios that would jeopardize the safety of the Olympic Games and to prepare requisite security training.  Sieber identified twenty-six highly detailed scenarios, which ran the gamut from hijacked jets, remote controlled bombs and smuggled arms.  In his method, he extrapolated from his study of the most notorious terrorists of that era, including the IRA, PLO, ETA and the Baader-Meinhof gang.

His scenario Number 21 went something like this:

At 05:00, a dozen armed Palestinian terrorists will scale the six-foot high perimeter fence of the Olympic village and make their way to the building that houses the Israeli delegation.  They will kill a few of the hostages they take and demand the release of prisoners from Israeli jails as well as a plane on which to escape.

At the time, this threat assessment scenario was dismissed as preposterous.  As it happened, the attack and massacre of the Israeli athletes on September 5^th occurred almost precisely as Dr. Sieber predicted.  Was Sieber psychic?  Ah, no.  I would say that he was simply analyzing the situation from the point of view of the potential aggressors as part of a proactive defense strategy.

Many factors informed the security decision processes that resulted in this disaster and the failed rescue attempt that followed.  Prominent among them was the German desire to obliterate the memory of Hitler’s 1936 Olympics.  A pessimistic, doomsday prediction and the security in place to prevent it, would just drag down the mood they wanted to promote.

Especially when it comes to security, why does wishful thinking so often trump diabolical reality?  Why do we shoot the messenger?  It’s the enemy, the terrorists, suicide bombers, crazed and desperate dictators whose scenarios we have to deal with, whether we like it or not.  We can’t successfully defend ourselves by picking and choosing those enemy tactics with which we are most comfortable.