Thursday, December 27, 2012

Security Strength Through Diversification

In November, I saw an interesting article on the Wired Danger Room national security blog: Top Pilot: Air Force Should Put Brakes on All-Stealth Arsenal. Stealth technology is obviously a critical asset, and in December they ran another good piece (7 Secret Ways America's Stealth Armada Stays Off the Radar) that explained some of the technical aspects of how stealth works in modern aircraft. I make note of the article not so much for its subject - a discussion of the types of aircraft in America's air forces - but rather to illustrate a broader point about security.

Most folks have a pretty standardized vision of what security entails: guys with guns, concrete or chain link fences, barbed wire, and maybe high security doors. Of course, these can all be important aspects of security. However, security is best when it uses a layered, diverse approach that draws upon multiple disciplines, techniques, and technologies. In network security, this is referred to as defense in depth (a term and concept that's also used by the military). It's similar to the military doctrine of combined arms, which seeks to maximize military effectiveness by using multiple, complementary weapon systems.

In security operations, defense in depth can be achieved by combining what we usually think of - things like guard forces, barriers, and sensors - with other disciplines, like specialized security procedures, red teaming/penetration testing, and overlapping access controls. By overlapping security protocols, procedures, and equipment, the overall risk of security breaches can be mitigated. The likelihood of security failures increases when an organization relies too heavily on one security measure, or attempts to do security on the cheap - for example, by relying only on procedures, or by providing authorized personnel with credentials without implementing measures to verify those credentials.

The steps for establishing good overall security are the same as the steps for OPSEC:
1. Identify Critical Information/Assets
2. Conduct Threat Analysis
3. Conduct Vulnerability Analysis
4. Assess Risk
5. Apply Countermeasures

A strong risk analysis is critical because it can help to ensure two things:

1. Gaps in security can be identified, addressed, and mitigated, potentially saving the organization from the costs incurred in a security breach. Security breaches can be expensive, both in financial costs and in damage to an organization's reputation or ability to conduct its operations.
2. A level of security commensurate with the threat to the organization can be established. This can also save costs, as it prevents overspending on security measures that are poorly suited to an organization's needs, or which exceed the threat posed by an adversary.

Combining a good risk assessment with defense in depth is the essence of the old adage, "An ounce of prevention equals a pound of cure".

Sunday, December 23, 2012

More Ironic Music from IRIB

One of my first posts was about the Islamic Republic of Iran Broadcasting agency's use of the theme from The Delta Force in its nightly propaganda broadcast. A couple of weeks ago, I caught them at it again, but this time... Well, let's just say you'll be surprised.


For all of the Iranian government's nefarious dealings, and all of the IRIB's ridiculous claims on their nightly program, I'll at least give them credit: someone in their office has a sense of humor.

Saturday, December 22, 2012

Ranger Up Presents: How to Get a Job

In early 2012, Ranger Up CEO Nick Palmisciano posted a series of four videos on YouTube to help veterans of Iraq and Afghanistan find work. Having worked as a hiring manager, and having fought tooth and nail to climb the professional ladder, I found these videos fascinating and entirely legitimate - I can't remember a single thing that Palmisciano said that I disagreed with. The thing is, the advice Palmisciano offers is potentially useful for anyone trying to get hired. As such, I figured I'd post them for the benefit of any readers for whom the content would be relevant.

Ranger Up Presents: How to Get a Job Part 1, The Approach


Ranger Up Presents: How to get a Job, Part 2, The Resume


Ranger Up Presents: How to Get a Job as a Vet, Part 3, Networking


Ranger Up Presents: How to get a job as a Veteran Part 4, The Interview


Another resource that some folks may find helpful is Your Resume Stinks! from the Manager Tools Podcast. I'll add a few more tips that I've run into as both an interviewer and an interviewee.

  • Answer questions honestly while being interviewed. I once interviewed a guy whose answer - twice - to the question, "What's your greatest weakness?", was "I don't have any weaknesses, I'm a really strong person." All three members of the interview panel voted unanimously not to hire him.
  • Limit name-drops. On that same interview, the applicant couldn't answer a single question (other than the one about his weaknesses) without reminding the panel that he'd been in the Army. Things like that are okay to mention once or twice, but if you've been invited in for an interview in the first place, you should expect that the hiring manager is aware of your qualifications and experience.
  • It also helps to anticipate your competition, and that's a follow-on from the last item. Most of the resumes I received as a hiring manager were a dime a dozen, and I tended to interview and eventually hire folks who could offer something different. I've also usually been hired because I could offer my potential employer something different than my competition could.
  • Be smart about what information you volunteer about yourself, and this is another one that's mentioned by Palmisciano. One candidate informed me that he'd shot off his toe - I didn't care that he was missing a toe, I cared that he'd volunteered information that called his personal responsibility and attention to detail into question.
  • Know what job you're applying to. If a hiring manager is trying to fill a requisition for a technical writer and they get three hundred resumes for forklift drivers, the forklift drivers aren't going to receive responses inviting them to come in for an interview.

    That's it for today.