Saturday, April 27, 2013

Protection Strategies - Part 2/3



In Part I of this series, I explained how I take a strategy from another familiar setting and produce parallel tactics within the information security realm. Part II continues this trend by examining the strategies used in safe firefighter operations.

In many ways, the fire department is like any organization: there is a known organizational structure, workers are assembled into teams, and these teams interoperate to accomplish the same goal. And as with most organizations, one team’s interpretation of the objectives may differ from another’s. For example, every team is trying to extinguish a fire with its hose; but it becomes a life safety issue when the interior team is pushing the fire outward with its hose while the exterior team pushes the fire inward with its water stream.

Pre-planned team coordination and clear communications across the entire organization are necessary to prevent injury as well as further damage. In Part I of this series we learned that emergency services of all kinds rely on the National Incident Management System (NIMS) for a structured approach to communication and decision making at the organizational level. However, to operate safely at the lowest levels of the operation, each team must learn the safety “circles of responsibility”. These priorities are simple and effective, and have served me well in both firefighting and information security awareness:

  • Protect Yourself: Every team member’s primary priority is to protect themselves. This aligns with Maslow’s hierarchy of needs. In emergency situations, one needs to ensure that the team can focus on the issue at hand. If any single individual becomes a victim, then the entire team is taken out of service to deal with that individual. In parallel, if your workstation becomes infected, then you and your entire team must stop work while the security and support teams review all workstations on that network and mitigate the situation.
  • Protect Your Team/Company: Knowing how the loss of a single individual resource can affect team operations, it becomes your responsibility to look out for the other team members. If nobody on your team is the evangelist for data security, then it becomes your responsibility to be that person. If someone is already in that role, then you should ensure the other team members are following the recommended practices and procedures.
  • Protect Your Client: Even though this sounds counter-intuitive for fire rescue operations, it applies. Your client is helpless if your team is disabled, which can be caused by a single misstep by one individual on the team. In emergency situations, first responders will always have taken care of their first two responsibilities (through pre-planning and training), even though it may look like they jump straight to this step. Similarly, your Cyber Incident Response Team (CIRT) – no matter how small – should have done the same pre-planning and training so that its response to your data breach goes smoothly.

As your business operations grow and become more complex, it is imperative that these safety circles of responsibility propagate throughout the organization.

Monday, April 22, 2013

Protection Strategies - Part 1/3


When I give talks about information security, I try to pull protection strategies from real-world situations in non-technology-based organizations. Many instruction methods focus on analogies to enhance understanding of security principles. To me, analogies are like Canadian Geese, which look majestic at first until you get too close to them. (I mentioned I would get back to the geese in a previous blog.) Instead, I’ll try to take a strategy and produce parallel tactics within the information security realm. Part I of this article will focus on the FAA’s “Cockpit Resource Management”.

On December 28, 1978, United Airlines Flight 173 crashed after running out of fuel while investigating a landing problem over the Portland International Airport[i]. The resulting investigation of the crash found that the crew’s “inattention” to all the issues arising allowed the plane to run out of fuel in midair.[ii] As a result of this accident, United Airlines, in coordination with the FAA, created the “Cockpit Resource Management” training program. The idea behind this program was to enhance communication and decision making by following the three (3) “decision outcome avenues”:
  • Avoid: Pre-plan to prevent the possibility of a crisis.
  • Trap: Identify factors that let you recognize potential problems before they become a crisis.
  • Mitigate: Maintain resources to minimize the negative effect during and after a crisis.

I first learned the “Avoid, Trap, Mitigate” mantra as a volunteer firefighter[iii] (circa 1982). In fact, it is used extensively by NIMS (the National Incident Management System) in almost all areas of emergency management. All firefighter safety revolves around this concept: firefighters train and do walk-through drills on major structures to understand where potential problems could be prevented; live fire training allows us to experience the fire lifecycle first-hand (under semi-controlled conditions) so we can recognize what stage a fire may be in when we arrive at a real scene; and fire departments work with local authorities to maintain proper water supplies to ensure any conflagration can be handled with efficiency and safety.

Later in life, when I had a family and embarked on coaching kids’ sports (circa 1998), the coaches’ training included courses in effective communications and taught the principles of “Avoid, Trap, Mitigate” as a sports defensive strategy. In fact, if you followed ice hockey, you would recognize how the NJ Devils changed the face of ice hockey in 2000 with their “neutral zone trap”. Many hockey fans (such as myself) felt that this strategy slowed the pace of the game; in hindsight, that is the purpose of the strategy.

In the early 2000s, as businesses started focusing on corporate governance, our consulting business promoted the “Avoid, Trap, Mitigate” principles in information security. It was our spin on the “defense-in-depth” best practice. And it works.

Suppose, for example, that your business relies on some intellectual property (e.g. a secret pizza recipe).
  • What steps can you take to prevent it from being stolen? Perhaps you premix the secret ingredients ahead of time so your employees have no knowledge of them. Or maybe you create some misinformation, such as re-labeling the secret ingredient “cilantro” as “parsley”.
  • How can you tell if another business has gotten your secret recipe? You may decide to periodically send out employees to purchase and taste the competition’s product. Or perhaps, if the ingredient is rare, you ask your supplier whether anyone else has bought large quantities of that ingredient.
  • And what happens once the secret is out? Perhaps your reputation retains a good percentage of your business. If not, you may need to create a new recipe. (IMHO, litigation at the SMB level would probably bankrupt both companies before anything was accomplished.)

As a small to midsize company, risk management is probably not your primary focus, so adopting a simple set of three rules allows you to quickly assess almost any situation with a good degree of success.

(originally posted 07/2012)

Saturday, April 20, 2013

I'm Baaaaack

After an interesting experience for the past six months, UBM decided not to continue with "Point2Security" ... so I've decided to continue with using BlogSpot. The next few months will be a mix of some Point2Security reposts as well as new material. Glad I am back to my comfort zone again :-)