For those who have regulatory or audit requirements for testing, this is a great resource on moving your exercises from the merely mandatory to Truly Valuable (and Lower Costs)! Feel free to share with your peers. Also feel free to share with your counterparties and supply chain providers: are they resilient, and do they test?
Risk Managers: Is Today’s Violence Worse than the 1960’s? Yes, and Why You Should Care (Sorry, Jim and Max)
Jim Geraghty and Max Bloom, writing in the National Review, have two excellent articles comparing now to the 60’s and asserting that it’s not as bad as it was. Their reasons include better law enforcement and intelligence surveillance, obstacles to organizing without getting caught, lesser magnitude of violence and others.
With respect, I disagree: 2017 (and the next couple of years) have the potential to be severely risky to businesses, infrastructure and people. These risks have a direct impact on your organizations. The heightened risk comes from the four T’s: Timing, Tactics, Technology and Tolerance.
Today’s social and political climate is more polarized and toxic than the 1960’s. The Vietnam War was unpopular to be sure, but in 1966 almost half of the American public supported it, another quarter had no opinion, and only a quarter opposed it, according to Gallup – with a subset of that population being violently opposed. Today, nobody is on the sidelines: half are supportive of the President, civil order, law enforcement/the police, etc., half are opposed – and a larger subset are virulently opposed. Black Lives Matter, “The Resistance”, the ‘Antifa’ movement and other unofficial violence-prone organizations are attracting acolytes and supporters by the millions.
Today’s social climate is also becoming more poisonous. John F. Kennedy’s election win in 1960 was narrower than Donald Trump’s (and arguably just as divisive), yet the nation was united in its revulsion and outrage at his assassination in 1963. Never in recent history have we seen so many people, including public figures and celebrities, publicly and glibly calling for a President’s assassination. If this were to happen, there would be dancing in the streets in America’s larger cities. In the 60’s, a college student sporting an American Flag hat or military T-shirt on campus might get some dirty looks or an isolated confrontation. Try wearing a Make America Great hat on today’s campus and you could get hospitalized.
We also have the added dimension of Islamic extremist terror that did not exist in the 60’s.
The other issue today is that violence is much likelier to be spontaneous, impulsive and rapid. The riots and college takeovers in the 60’s were premeditated and protracted. Today, protests happen in a flash and turn ugly just as quickly. Why? This leads to the second reason: tactics have changed.
The 60’s followed a playbook standard at the time for protests and college takeovers: phone calls, mail and public or semi-public events to organize, recruiting for numbers and shock troops, and fairly primitive (but effective) operations. Riots would start and build with a cadence slow by today’s standards. There was also a concreteness and organization to them: The Weather Underground, Students for a Democratic Society and other dissident groups had members and meetings. Today’s violence, whether it’s disrupting speakers at university campuses, protesting a police shooting, attempted assassination of politicians or a political protest-cum-riot, has a different anatomy to it. Today’s dissidents are more amorphous and intangible: the Antifa movement does not maintain a membership list or collect dues.
The tactics are more sophisticated and more effective. Today’s perpetrators employ black-bloc tactics (synchronized choreographed attacks and dressing alike wearing masks to escape identification) and flash-mobbing (organizing in real time for instantaneous attack and dispersal with mass numbers) which are difficult to mitigate and counter. The 60’s protest weapons of choice were bricks and Molotov cocktails. The London rioters’ weapons of choice were ammonia bulbs, smoke bombs and other sophisticated methods.
Terrorists have also refined their tactics. Knives and cars have been around for a long time, but only recently have they become the terrorists’ weapons of choice. Attacks like 9/11 require skill, planning and resources, and are almost impossible to replicate today. Attacks like San Bernardino and Pulse Orlando require lesser skills, planning and resources, and are difficult but doable. Attacks like Ohio State and London Bridge only require impulse and forethought, and are impossible to mitigate and counter. Why are tactics becoming more effective? This leads to the third point: technology.
All of the above points are enabled with technology that the 60’s would have marveled at. Protesters and would-be terrorists back in the day had The Anarchist’s Cookbook (still a classic, though) and later, Rules for Radicals. Today’s bad actors have the Internet. The Internet enables instant widespread research into tactics and methods: ideal for breeding copycats and wanna-be’s. Anyone can become an expert at chaos with little effort.
Today’s bad actors also have social media and communications capabilities far beyond the 60’s. Twitter and Facebook make flash-mobbing possible. The 2008 hotel attacks in Mumbai would have been difficult if not impossible without technology. The attackers even used technology to deliver disinformation to the authorities – “hey guys, we’re going to XYZ” when they were really going to ABC.
Outside of making knowledge about how to wreak carnage instantly available, the worst thing about the Internet is that it lowers the barrier of civility. The combination of anonymity (real or imagined) plus isolation lets people express themselves in ways that typical interaction would never permit. Anyone can say the most outrageous things in a Tweet… and anyone can read them and be influenced. Social media is a force multiplier for radicalization. Why is this not tamped down? That brings us to the final ‘T’ – Tolerance.
Our benevolence makes us permissive. There is a bias towards acceptance of today’s violence. Tolerance of the extremists of a movement if one agrees with their basic position is becoming de rigueur, and opposition to extremism brands one as a de facto extremist of ‘the other side’. Riots are called “protests” and “expressions of rage” by politicians (not all but some), news anchors and headline and editorial pages. I’ve seen an email from a West Coast company informing employees of a potentially violent demonstration outside their building, the first paragraph listing the security measures they’re taking and the second paragraph instructing on the proper process for joining the demonstration. Congresswoman Val Demings (D-FL) called the violence at Berkeley “a beautiful sight”. The Mayor of Baltimore said of the race-inspired rioters, “we… gave those who wished to destroy space to do that.”
Geraghty’s point that today’s better surveillance and infiltration capabilities will stem violence becomes moot. What good is it if law enforcement, the FBI or the NSA discover potential violence but do nothing? Better surveillance is not needed – just look at the evening news to see thousands marching down city streets screaming “What do we want? DEAD COPS! When do we want them? NOW!” or visit Twitter to see thousands openly calling for political assassination. Better surveillance can’t stop flash-mobs. Violence is hiding in plain sight, and the words we tolerate will turn to action with more frequency and ferocity in the near future.
Why is this important to businesses?
Regardless of your political or social persuasion, executives have an imperative to manage Risk. Violence does not have to be extreme or widespread to impact your business; it just has to be there. Also, violent extremist events do not favor organizations that support their cause. Mob mentality cannot be debated with. Therefore, here are some common-sense steps that every organization should adopt:
Make no mistake: it’s going to be a rougher ride than fifty years ago. With thoughtful pragmatic planning, without regard to ideology, businesses will be able to weather the coming storms.
Why are humans the prime point of failure? Here’s why:
Humans are the Cog in Risk Management and Due Diligence
Risk Management by its very nature is non-deterministic and heuristic. It can’t be programmed and it can’t be learned from a book. It’s not a science; it has elements of art and practice to it. People must acquire the knowledge and apply it. Systems and bots can be programmed to react to information and to collect, analyze and report it, but the world is constantly changing, every situation is different, and judgment and assessment will always be essential… and never perfect.
Humans conflate Availability with Contingency
Many outages are caused or exacerbated because ‘fail-proof’ systems failed. Many data centers incorporate High Availability – redundancy, hardening, segregated graceful failover – and assume that because “It Can Never Fail” there is no need for Disaster Recovery or Business Continuity. When they do plan, they skip over or go light on essential elements. Here’s a real-life example: a major global corporation hosted their production environment in a data center isolated in the US Southwest. Seismically inactive, no hazards, politically benign and calm weather. The data center itself had dual power grids, redundant generators, redundant telecom, redundant water. High security, compartmentalized access, biometrics, the works. Uptime Institute Tier 4, everything down to the power into the racks was High Availability. The only way the data center could go dark was if two technicians pulled two master switches, which were located far enough apart that one person could not do it but close enough to be within eyeshot of each other. Can you guess what happened? One tech pulled it while the other was working on it. Whoops! They turned the power back on. Then they said, “Wait, we should not have done that, it’s not procedure” and shut it back off. The power bouncing up and down caused further equipment disruption. Long story short, it took the organization the better part of a day to restore the environment. Why? Why didn’t they activate their Disaster Recovery Plan? Because they did not have confidence in it, particularly the ‘return to normal’ part of the plan (a commonly-overlooked area). Even if you think that your Plan A is 100%, you still need a Plan B.
Humans direct their own preparedness (or not)
Hardware and software can self-detect anomalies and self-schedule maintenance. What they can’t do is refuse to take training, avoid practice or assume their own superiority. Machines do not have hubris. People do. In the outage described above, the IT organization’s response was delayed by almost two hours and was initially sluggish. Why? The organization had a mechanism for instantaneous multi-channel communications to spin up teams, but it was not utilized and the teams had to fall back to manual call trees. More on the actual incident: why wasn’t the automated system used? The Incident Manager on duty (who was on a site visit to the data center at the time) had decided that they did not need the training on how to activate it. They knew how to send the initiation by company email, so why waste time taking the training module? Well, when the environment went dark, so did company email, and the manager never learned the alternate procedures for launch. Another factor impeding the recovery was the lack of practice in hands-on recovery work under actual conditions. The teams on site were hindered by small things such as inefficient coordination, bad acoustics that kept people from hearing directions, and other issues that could have been identified by exercising and mitigated before the crisis hit.
Humans have cognitive biases
People by nature are hard-wired not to understand Risk. We have built-in psychological flaws that impede our understanding, and they all conspire against good judgment and decision-making on Risk: Confirmation Bias – the tendency to focus on data that corroborates our decisions; Zero Risk Bias – preferring small eliminations of risk over larger incremental reductions; Anchoring – fixating on the last threat, not future threats (hey TSA, can we have our pen knives and knitting needles back yet?); Normalcy Bias – under-estimating risks that are not part of our everyday understanding; Availability Bias – over-estimating risks that are cognitively or emotionally present in our minds; Base Rate Bias – miscalculating probability due to ignorance of the total data; and the Texas Sharpshooter Fallacy – engineering data to support a post-facto assumption. Machines and bots do not have cognitive biases… but they are developed, programmed and maintained by us imperfect humans who do.
In defense of humans, people do have one trait that machines and bots do not: Humans are heroic. Hardware and software can give 100% to a task, but only people can reach beyond themselves and give 110%. In the outage mentioned above, the success of the recovery was due to people climbing out of their beds in the middle of the night, driving, carpooling, hitching a ride or pedaling bicycles to the office and working feverishly doing yeoman duty to get ‘their’ systems back.
Your organization’s human capital can be your biggest Risk liability… or your biggest asset. You can build the controls and practices to mitigate the deficiencies above. It all depends on how much investment you wish to make in terms of recruiting the best, motivating them, providing state-of-the-art training and development (yes, these are two different things), giving them the tools they need (including other people), and most importantly, cultivating a culture of Resiliency in order to provide the Risk Management that your stakeholders, customers, and brand deserve.
In Part 1, we discuss how Cash is under pressure from technology and policy standpoints. There are many legitimate reasons to go cashless. There are also many unique features of Cash that set it apart from digital payments. Cash can also be a critical enabler of Business Continuity and Resiliency. Here's why!
Cash as a Risk Mitigation and Business Resiliency Enabler
How does cash enable Business Resiliency? This is easy to unpack if you accept three notions:
But what if your critical people cannot get what they need? Think of a typical worst-case scenario: there’s a regional event, power is spotty, the ATMs are down. Gas stations are closed or running on generators. Bob and Nancy need gas to drive to the recovery site, and they will not leave Grandma and Fluffy unless they both have food and medicine. The recovery site manager is running out of coffee (coffee!!), food, water and office supplies. The local motel has empty rooms but their payment system is down. The generator is running but the fuel supplier demands cash to continue delivery (he’s got the same problems you do). A bit of cash can come in handy in these situations.
A major financial institution headquartered in Boston has a warm standby site in the suburbs – leased under a pseudonym for security through anonymity – and keeps several thousand dollars in “walking around money” on site. They realize that it’s better to be prepared with a physical fallback.
Organizations that plan for Plan B should also plan for Plan B cash flow. This can apply to the organizational level, as in the example of the aforementioned institution. It can also apply to employees. The Red Cross encourages a cash stash as a critical ingredient in personal and family go-bags. Yes, there are potential problems with tracking, potential loss and security. Organizations must assess and balance as their risk appetite and imperative for continued operation and employee human factors dictate.
In conclusion, although today’s world is increasingly digital and online, when it really counts there’s nothing like good old Cash.
Big words, right? The one-word answer is Cash. I’m no Luddite, but I’m also a Risk Manager and a realistic pragmatist. Let’s explore the changing status of cash, and how cash can be a critical Risk Mitigation and Business Resiliency enabler.
The Death of Cash?
Digital transactions are coming up hard behind cash transactions. Some of this is driven by convenience. Merchants find that having a payment processor or terminal is easier than training employees and managing, storing and transporting currency. Consumers are also finding it easier to trade their wallet for their phone, and Google, Apple and others are happy to oblige. Witness the growth of Green Dot, Ant Financial and other fintechs (financial-technology companies), especially among the unbanked and under-banked. The ascendancy of online commerce is also a factor, much to the malls’ chagrin. If Amazon and others have their way, even the trip to the grocery store and “Paper or Plastic?” will be a rarity. Some of this is also being driven by governments. Witness India, where 90% of payments are cash for now but policy is putting downward pressure on cash. Whether for benevolence, eagerness to jumpstart economic activity or desire to monitor and control citizens, states will be deemphasizing cash, and this trend will continue.
Cash is Still King
Don’t rule out cash just yet. Physical currency has several advantages over digital currency:
In the next installment, we will explore how Cash can be a critical Operational Risk reduction play and Business Resiliency enabler!
ARSC would like to extend a Personal Thank You to those clients, contacts, network and "friends and family" for helping us become the next-generation Alternative to legacy consultants. We are therefore launching a personal referral program!
ARSC will pay a 13% referral fee (honoring our founding in 2013) to any of our circle who refers an organization that wants to reduce Risk and increase Resiliency. We realize that it's all about people, so this is a personal Thank You to be paid to you personally (or to your organization if you wish). The credit will be paid out for any work resulting from the referral: an Assessment or temperature-check of an organization's resiliency; an Exercise to help them prepare by practice; any Crisis Management, Business Continuity or Disaster Recovery analysis, planning or implementation. As ARSC strongly believes in 'giving back', we are happy to share our success with you personally. Many thanks in advance!
Please use this form to initiate a referral.
We look forward to hearing from you.
Howard Mannella, Managing Principal
Conchita Mannella, Financial Principal
The fine print:
This is the last of a three-part series on an often-unnoticed security flaw: the corporate conference bridge. This essential communications enabler, despite PINs and pass codes, can be easily exploited by former employees, competitors, or other bad actors, who can join your calls with a bit of ingenuity and listen to your confidential conversations with impunity. In Part 1, we discussed the four elements of a conference bridge call and how they can be compromised. In Part 2, we examined two scenarios of how these compromises can actually be executed. So, how do you plug this gap? There are several common-sense steps that every organization can consider. Think ORRAP: Obfuscate, Rotate, Refresh, Automate, Proctor:
In Part 1 of this series, we identified the conference bridge as a potential vector for data leakage and compromise of confidential information. We discussed the four elements of a bridge - the time of call(s), conference phone number, the PIN or participant code, and human factors. We outlined how each can be compromised with a bit of social engineering and ingenuity. Let's now examine two scenarios to show how confidential company secrets can be siphoned off a bridge. Note: these actions are illegal, and ARSC discusses them for informational purposes only and does not suggest or condone these actions.
Scenario 1: Bob is a former IT employee at www.xyz.com, now unemployed and cash-poor. He gets a call from a friend – “hey, your old job’s Web site is down!” He pulls up the old IT Operations bridge on his phone. It still works! He dials in. There are so many people working the problem that the manager does not hear the ‘join’ tone. Bob listens while IT Ops decides to relax two-factor authentication and open a back door so developers can work the problem. Voila! Bob is now in the system! The files, critical data and opportunity for profit are his for the taking!
Scenario 2: Chuck works for a competitor of StartUp 2.0. He really wishes that he could be a ‘fly on the wall’ for the Product strategy discussions. Chuck belongs to a committee on a local industry professional group – chaired by a StartUp 2.0 employee, Carol. Carol uses her company's bridge for the committee's meetings. She sends the invite out using her company bridge for this association's meetings: Dial-in 1-888-CON-CALL, pin 2067690428. Chuck now knows StartUp’s bridge number and sees that the PIN is Carol’s desk number. He finds out the name of the VP of Product, Alice (Thanks, LinkedIn!). He calls StartUp’s main number after hours and uses the dial-by-name function. He listens to the messages and now knows Alice’s extension and therefore her phone number… and therefore her PIN. Chuck tries the bridge on Monday morning. Nothing! Tries Tuesday morning. Nothing! Tries Wednesday morning. Paydirt! There are already three people on the call. “Who joined?” Chuck stays on Mute. Alice joins. “Who do we have?” “Dan here!” “Erin here!” “Frank here, and there’s someone else on, I think.” Alice: “Anyone else on? Ha-ha, while they’re hunting for the Unmute button let’s get started. What’s the word on our latest product launch?”
There are other scenarios but they follow a similar pattern: social engineering, a bit of guesswork and under-the-radar listening.
Now that you see how easy it is, we will examine several common-sense basic practices organizations can take to make their conference bridges more secure (not secure, but more secure)... in Part 3!
Here’s an often-overlooked attack vector that is innocuous, ubiquitous, essential to your organization’s communication, yet from a security standpoint minimally managed if not ignored. Plus, the vulnerabilities are not technical but human factors, exploitable with a bit of smarts, guessing and social engineering. What is this weak spot in your critical communication?
The lowly conference bridge.
We all use them. Dial the toll-free number, put in your participant code (and host code if needed) and you’re on the call with your colleagues. The bridge is essential for today’s mobile, virtual and Work-From-Home workforce. They’re standard fare for executive briefings, team meetings, Incident Management, Crisis Communications, Business Continuity/Disaster Recovery events and other situations.
“But wait!” you say. “Conference bridges are confidential! People need to know the number! They also need to know the participant code! Plus, bridges are spun up and then ended. It would be like jumping on a randomly-moving train and picking the locked door from the outside!”
Actually, no. If you know the train schedule, get on at the station and the key is left in the lock (or you have the key since you were a former conductor), it’s easier than the vendors (or your security people) would have you believe.
Think of it. You need the time of the call, the phone number and the participant code or PIN. That information is easy to come by:
Time of call: Many calls are periodic or can be easily guessed. The status calls are typically Monday 9:00, or noon Wednesdays, or some other convenient time. The management calls might be the first weekday of the month. Emergency calls for Incident Management, Crisis Communications or other outage situations start at the onset of the situation then get scheduled for regular intervals (daily at 9:00, noon and 5:00) or they’re left open until the situation is resolved.
Phone number: Most bridge vendors have standard call-in numbers. If you know your target’s vendor you likely know the number to dial. Some vendors provide bespoke or customized numbers. If you know your target employee’s office extension you might know their call-in number. Some organizations use mnemonics for call-in numbers, such as 1-888-BCP-HELP.
Participant code: Same situation as numbers. People want these to be easily remembered, so they’ll use mnemonics, the owner’s phone number or other easily-remembered or easily-guessed sequence. Sometimes it’s even easier – you’ve undoubtedly seen the no-code call-in, set up for executives who can’t be bothered with remembering things.
The human issue is the final crack in the wall. Most people who manage bridge calls are lax in tracking attendance, do not monitor join announcements and do not utilize the tools for roll-call.
This vulnerability is further complicated by management inattention to it. Rotation of numbers or codes is very uncommon. Out-boarded employees often leave them stored as Contacts on their phones. The aspects that make conference bridges convenient make them vulnerable.
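The weak-code patterns the Participant code paragraph describes (the owner's phone number or extension, mnemonics, easy sequences) and the lack of rotation can be checked when a bridge is provisioned. The following is an added example, not ARSC's code or a bridge vendor's feature; the inventory records, owner names, phone numbers, mnemonic word list and 90-day rotation window are all constructed assumptions.

```python
"""Provisioning-time checks for conference-bridge participant codes.

Added example: flags the weak PIN patterns described in the article and
stale codes that have not been rotated.  All sample data is constructed.
"""
import re
from datetime import date

# Standard telephone keypad, used to detect alphabetic mnemonics (e.g. BCP-HELP).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def digits_only(value):
    """Strip spaces and punctuation so '206-769-0428' compares as '2067690428'."""
    return re.sub(r"\D", "", value or "")


def word_to_digits(word):
    """Map a mnemonic to the digits it dials: 'BCP-HELP' -> '2274357'."""
    return "".join(LETTER_TO_DIGIT.get(ch, ch) for ch in word.upper() if ch.isalnum())


def is_sequential(pin):
    """True for constant-step runs such as 1234567, 9876543 or 5555555."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def is_repeated_block(pin):
    """True when the code is one short block repeated, e.g. 123123 or 4242."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def pin_weaknesses(pin, owner_phone="", owner_extension="", mnemonics=(), min_len=7):
    """Return the policy violations for a proposed code; an empty list passes."""
    pin = digits_only(pin)
    if not pin:
        return ["too_short"]
    reasons = []
    if len(pin) < min_len:
        reasons.append("too_short")
    phone = digits_only(owner_phone)
    if phone and (pin in phone or phone in pin):       # PIN is the owner's number
        reasons.append("owner_phone")
    ext = digits_only(owner_extension)
    if len(ext) >= 3 and ext in pin:                   # PIN embeds the desk extension
        reasons.append("owner_extension")
    if len(pin) > 1 and is_sequential(pin):
        reasons.append("sequential")
    if is_repeated_block(pin):
        reasons.append("repeated_block")
    for word in mnemonics:                             # company name, HELP, BCP, ...
        if word_to_digits(word) in pin:
            reasons.append("mnemonic:" + word.upper())
    return reasons


def needs_rotation(last_rotated, today, max_age_days=90):
    """Rotate/Refresh: a code with no rotation record or past the window is stale."""
    return last_rotated is None or (today - last_rotated).days > max_age_days


# Constructed sample inventory (names and numbers are fictitious).
BRIDGES = [
    {"owner": "Carol", "pin": "2067690428", "phone": "206-769-0428", "ext": "0428",
     "last_rotated": date(2016, 1, 15)},
    {"owner": "Alice", "pin": "1234567", "phone": "206-769-0100", "ext": "0100",
     "last_rotated": None},
    {"owner": "Dan", "pin": "4357-2274", "phone": "206-769-0333", "ext": "0333",
     "last_rotated": date(2017, 8, 1)},
    {"owner": "Erin", "pin": "8301947265", "phone": "206-769-0555", "ext": "0555",
     "last_rotated": date(2017, 7, 1)},
]


def audit(bridges, today, mnemonics=("STARTUP", "HELP", "BCP")):
    """Run every check over an inventory; returns {owner: [issues]}."""
    report = {}
    for b in bridges:
        issues = pin_weaknesses(b["pin"], b["phone"], b["ext"], mnemonics)
        if needs_rotation(b["last_rotated"], today):
            issues.append("stale")
        report[b["owner"]] = issues
    return report


if __name__ == "__main__":
    for owner, issues in audit(BRIDGES, date(2017, 9, 1)).items():
        print(owner, "OK" if not issues else ", ".join(issues))
```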
The bad actors who can exploit these loopholes include former employees either disgruntled or now competitors, hackers/hacktivists, or, if your company is a defense or critical infrastructure firm, state actors.
Next week, we will examine a few scenarios of how this vulnerability might be exploited.
Microsoft recently abandoned an experiment in AI after launching "Tay" on social media, then having to take her down and re-boot her after 'teaching' her not to be racist or homophobic. Good news/bad news: another crisis for Microsoft. The second launch of the AI chatbot did not go as well as the first. "Tay" was created to simulate a teen-age American girl, in thought, speech and mannerisms. The launch on Twitter went smoothly enough, with "Tay" learning from what people were saying and 'acting her millennial age', emojis, pop culture references and all. However, within a day her Tweets turned racist, homophobic, hateful and xenophobic. Microsoft acted swiftly to disable her - not swiftly enough, however, as the Tweets went viral and the story was picked up and rebroadcast in the global media.
This is a striking learning opportunity for Crisis Management:
Postscript: as advanced and accelerating as AI is, it’s not ready for prime time, especially in a crisis!
Denouement: MSFT re-activated the new, improved Tay after 'counseling' her on not being 'inappropriate'. Shortly after her re-debut, she tweeted about smoking kush in front of a police car, then had an emotional breakdown and went into a tweet-spamming loop. MSFT took her offline again. I hear she's resting comfortably and getting the care she deserves.
From the Managing Principal
Thought leadership, observations and more