Evaluating & Examining Security Before a “Pressure Event” is Critical
There are countless parallels between cyber and physical security. I often use physical security to explain cyber to the uninitiated. An important lesson for both the cyber and physical worlds is to examine your security before a pressure event.
There are countless parallels between cyber and physical security. I often use physical security to explain cyber to the uninitiated. The thick walls, soundproofed vents, locks and codes and even the key on the door to Robert Hanssen’s SCIF are mirrored by the malware detectors, firewalls next-gen virus scanners, machine learning, artificial intelligence, and authentication protocols that protect data in the cyber world. An important lesson for both the cyber and physical worlds is to examine your security before a pressure event.
In the most basic terms, a pressure event occurs when a breach of security is ongoing or has just occurred. In 2014 when the Guardians of Peace (a North Korean front) breached dozens of Sony networks and computer systems, Sony responded to the pressure situation by panicking. They shut down servers, froze email accounts and ground business to a halt while an investigation examined the extent of the damage. Sony hadn’t considered what to do during the specific pressure situation caused by a cyberattack.
One of my most memorable pressure situations happened during a hot summer day at my home just north of Washington D.C. Spring is glorious in Washington. The cherry blossoms bloom, green carpets the lawns and parks and thick leaves cover the trees. Autumn brings an inviting chill to the air and a riot of harvest colour as trees send their leaves downward in lazy spirals. Winter paints the world in a white that is perfect for snowmen and skiing. Summer is hazy, hot and humid.
While my wife ran errands, I took my two-year old daughter and infant son out to play in our small backyard. My plan was to tire them out before nap time and have my kids sleeping before Juliana returned. A few short minutes running and crawling around in the summer heat would do nicely. Or so I thought.
Precocious even at two-years old, Hannah somehow turned the thumb lock on the inside of our back door. One father, one toddler and a baby, locked out in the middle of a scorching hot summer day, with no key to the door and no water. My pressure situation was not that one or all three of us might expire before my wife returned from her errands. I was more concerned with what she might say.
My mistake was not reviewing my security before a pressure situation forced me to analyse it.
I frantically tried windows and doors, finding them all locked tight. We had not provided a key to a neighbour, and in any event, our sleepy cul-de-sac was quiet on a workday afternoon. Breaking a window would defeat the purpose of getting inside without Juliana knowing my folly. To make matters worse, my daughter needed the bathroom ASAP and by the smell, my youngest son hadn’t waited.
Examining security in a pressure situation typically leads to wasted time and additional damage. In my pressure situation, the thought crossed my mind that I might be able to break a basement window and hide the damage from my wife long enough to fix it before she noticed it. Had I examined my security prior to the pressure situation under the oppressive summer sun, I might have hidden a key.
After hunting around the house for what felt like hours, but in reality barely reached 30 minutes, I learned how to break into my own home. The over-sized mail slot rested in the centre of the front door at a distance from the inside thumb lock equal to my daughter’s slender arm. She reached into the door through the slot and unlocked it forcing me to re-evaluate the security of my home. A thief would only need a skinny kid to enter my home without the breaking part.
The numerous cyber breaches that have plagued the past few years have forced companies and individuals to examine their security before the inevitable pressure situation. Vulnerability assessments seek out holes in cyber security defences. Internal security awareness campaigns send fake phishing emails to employees to see who clicks and might need additional training. Bug bounty consulting, where hackers are invited to find breaches in security for money are a booming business.
I never told Juliana about my summer pressure situation. By the time she returned, both children spelt the deep sleep of kids exhausted by a wild afternoon spent racing around our home.