Veteran’s Day: Thank You!

by kriggins on November 11, 2012

in General

There are several times every year when I think about the armed services of the United States. Days like Independence Day, the anniversary of D-Day, the anniversary of the attack on Pearl Harbor and others. Many times, I have wanted to let the people who serve our country in this manner know how much I appreciate that service.

On occasion I have had the opportunity to walk up to a serving member of our armed services, shake their hand and say thank you for your service. Nearly every time, the reaction is one of surprise followed by gratitude. It deeply saddens me that the first reaction is surprise.

The men and women who serve in the Armed Services of the United States of America deserve our gratitude and our respect. It is through their sacrifice that we continue to experience the freedom and security we have.

Today is Veteran's Day in the United States. I urge you to find one person who is serving or has served in the armed services and thank them. I will be. Let's make today a special day for these people to whom we owe so much.

To all those who serve and have served to guarantee the freedom and security of the United States of America, I thank you from the bottom of my heart. Your sacrifice is greatly appreciated.



InfoSec Certification: Worth It or Not?

by kriggins on March 18, 2011

in Career, General

It is a never-ending conversation. Is getting an InfoSec certification worth it or not? Of course, the same question can be asked about any industry certification, but that's not the point. Mike and Lee over at InfoSecLeaders are running a survey to delve into this topic. From a recent blog post:

Mike and I want everyone to know that we are off to a very good start for the Value of Certification Survey. We are steadily approaching 750 responses, but we have lofty goals.  The data that we have collected so far, the responses have been very interesting and eye-opening.

Give them a hand and head on over and complete the survey.

You can reach the survey here: Value of Certification Survey




"Security infrastructure should be layered."... I'm sure we've all heard this statement or even seen it on one or more IT Security exams. The idea seems logical once explained. Yet, many corporate "security" infrastructure designs don't include more than one layer of security. I always thought this was a bit of an odd disconnect between what we're teaching and what we are employing. But I never really thought much of it. Until...

I was recently in a local store to pick something up. It had been a pretty mind-numbing day and so my brain was pretty bored. So, by the time I actually walked to the door of the store, my brain was trying to "spice things up" by processing anything and everything besides my shopping list. Before I knew it, I was observing the store's physical security. This particular store had multiple layers ranging from cameras in the parking lot to "door greeters" to cameras in the store to a structured checkout area that led to a specific exit.

As I began making my way through the layers, I began really observing them. I also began to figure out how each one was tailored to a specific function and how they all interacted or complemented each other.

Over the last few days, I've been thinking a lot about the "layering" of items that the store used for physical security. I've also been thinking about how we as a society tend to layer everything, including meal plans, clothing, physical security at home, etc. For instance, a local apartment complex has the following: two entrances/exits, perimeter fencing and associated gates, roving security guards, and most of the apartments have a security system that can be monitored for a cost. This of course is in addition to your typical home security items like locking windows and doors, secondary door locks, etc.

Of course, because of my profession, some of my brain cycles began to relate this to the IT world. This of course brought back the fond memories of my first security certification exam. One of the topics related to "Security infrastructure should be layered." Well, obviously this is a no-brainer to me now. But back then I had to learn that a properly designed and configured IT environment needs to include multiple layers of security to protect the infrastructure. I also learned that some items within the design might include things like firewalls, DMZs, IPS solutions, spam filters, virus programs, user education, etc.

As I began to apply my recent analysis of the store's physical security layers to my existing IT-related knowledge, I began to really see the layered approach much more clearly. I also, of course, with a new level of clarity, began to see how each IT "security" device fits into the layered approach and how each device interacts with or complements the others.

What is still a little surprising to me is that more companies aren't using this concept on their company's network. Some companies believe that a single piece of "security" equipment can protect their entire infrastructure. And so, they feel perfectly safe with a single router with "pre-configured firewall rules" that was supplied by the ISP. I know this is hard to believe and is somewhat a joke to those of us with any IT Security training. But this was actually the case at one of my previous employers. So, I challenge you to take a look at your company's environment and identify and count the different layers in place. Can you count more than one layer at each "entrance and exit," including the user end?

As always, comments welcome below or you can email me at if you prefer.




Merry Christmas!

by kriggins on December 25, 2010

in General

Merry Christmas everybody. May your day be filled with laughter, joy and blessings.

Jolly Little Fellow

Tree in Front of Tree


Rafal has a very nice post up that explores why security folks have such a hard time getting application developers to care about secure coding.

As I was reading that post, two ideas merged in my poor little head. This was cause for celebration because it doesn't happen very often 🙂

Thought #1: Ask, Don't Tell

I recently attended a class provided by my employer called Adaptive Leadership. One of the tenets of this class is that it is often more productive to ask than to tell. What does that mean?

When we tell somebody to do something or give specific instructions, they have no investment in the outcome.

However, if we ask the right questions and lead their thoughts down the right path, we give them the opportunity to invest in the outcome. If we do this well, we then have somebody who has convinced themselves that this is the right thing to do, whatever that right thing may be.

Thought #2: Engagement

This video, RSA Animate - Drive, is a synopsis of Daniel Pink's book Drive. I have just started reading it, so I don't have detailed knowledge of the ideas introduced in the book yet. One thought I did get from the video is that engagement is key to performance, performance, in this case, being caring about secure coding practices.

Engagement means that the individual cares about what they are doing. That they are invested in the outcome.

Thought Merge: Ask, Don't Tell To Get Engagement

If we can use 'ask, don't tell' to get people invested in something and getting people invested in outcomes produces engagement, might we not end up with developers who care about producing secure code?




This week was arguably the week that everybody was most excited about. This week we had the opportunity to fire a few of the weapons the FBI uses. We also took turns using the F.A.T.S. (FireArms Training Simulator.) Before we got to play with the toys though, we had an introduction to the Department of Justice's Use of Deadly Force Policy Statement, which was very interesting.

Use of Deadly Force

The FBI falls under the Department of Justice's Use of Deadly Force Policy Statement. You can read the entire statement here. While the entire statement is very important, the guts of it are:

I. Permissible Uses. Law enforcement officers and correctional officers of the Department of Justice may use deadly force only when necessary, that is, when the officer has a reasonable belief that the subject of such force poses an imminent danger of death or serious physical injury to the officer or to another person.

If you read the rest of the statement, you will find that there are further limitations and rules for the use of deadly force. However, the heart of the statement is in the words "imminent danger of death or serious physical injury."

A couple of interesting things about that word imminent in the context of this statement:

  1. Imminent does not mean immediate. This means that the risk of death or injury can be a risk that is at some point in the future.
  2. Imminent is solely at the discretion of the agent.

Another interesting fact is that there can be multiple deadly force policy statements in force at the same time as different jurisdictions have different deadly force policies.

In addition to discussions about the policy statement, we talked about what happens when deadly force is used. I learned a number of interesting tidbits:

  1. A review is held in every case. However, the agent remains on duty and continues to carry a weapon. His weapon is, of course, entered into evidence, but he is provided with another immediately.
  2. A criminal investigation is performed in the local jurisdiction where the use occurred. This has to be disconcerting to say the least.

We also talked about what happens to the human body and senses in times of high stress. Several interesting statistics were shared. If you are interested in seeing some of them, check out this Wikipedia article. The human mind does some strange things under these circumstances.

After this talk, we learned a bit about the SWAT (Special Weapons and Tactics) teams.


Each FBI field office has a SWAT team. In most cases the duties are in addition to regular agent duties. It is only in the larger offices where dedicated SWAT teams exist. There is also a dedicated hostage rescue team. There are over 1200 SWAT agents that can be rolled out if needed.

The SWAT guys were the ones who ran the rest of our evening.

A few facts about the FBI and weapons:

  • Each agent is required to qualify with their service weapon four times per year.
  • The standard side arm is a Glock .40 Caliber.
  • The standard SWAT weapon is the MP-5.
  • An FBI agent can and often goes their entire career without having to draw, let alone fire, their weapon. However, they are well trained and prepared to do so if necessary.


The first thing we experienced after our introduction to SWAT and the safety lecture was a live fire demonstration of a room entry.

This was very, very cool. The SWAT team "breached" the room (range), used a flash bang and then let loose on the targets on the range.

If you have never experienced a flash bang, which I had not, it is quite an experience. Even with ear protection the sound was very loud. You could actually feel the thump in your chest. I was somewhat prepared for it going off and I still just about jumped out of my skin 🙂

After the demonstration, it was time to split up: half went to use the FATS and the other half stayed on the range to fire the weapons.

The Range

I was in the first group on the range. We had the opportunity to fire the .40 caliber Glock, a .38 and an MP-5. I shot quite a bit as a youth, including automatic weapons, and was happy that those skills came back quickly. It was a lot of fun shooting and the SWAT guys were fantastic.

While firing the MP-5 was a lot of fun, I have always been partial to semi-automatic pistols. I enjoyed firing the Glock the most.

After our time on the range we went to take our turn using the FATS.


Using the FATS was an interesting experience as a participant and as a viewer. Even though it is a simulated experience, it is amazing how your body and mind react as you are in the scenarios. This is true even after you have watched others go through scenarios.

Your perceptions change and you experience things in a very different way than in your everyday life. That is why they use these trainers: to help agents become comfortable with, or at least aware of, what their bodies and minds will do if they are ever in a situation where they must react with their weapons.

This was a really fun evening and fully lived up to the expectations I had for it.



Chris Hoff took his three young girls to Source Boston with him last week.

First, VERY COOL and it sounds like they had a good time.

Second, it started some thoughts in his head, some conversations with others and the creation of something that will be most excellent.

HacKid Conferences

From the website:

The idea really revolves around providing an interactive, hands-on experience for kids and their parents which includes things like:

  • Low-impact martial arts/self-defense training
  • Online safety (kids and parents!)
  • How to deal with CyberBullies
  • Gaming competitions
  • Introduction to Programming
  • Basic to advanced network/application security
  • Hacking hardware and software for fun
  • Build a netbook
  • Make a podcast/vodcast
  • Lockpicking
  • Interactive robot building (Lego Mindstorms?)
  • Organic snacks and lunches
  • Website design/introduction to blogging
  • Meet law enforcement
  • Meet *real* security researchers 😉

I think this is an awesome effort.

If you have ideas or are interested in helping out, you can contact the group via @HacKidCon on twitter or via email at



The fourth week focused on Weapons of Mass Destruction (WMD) and Evidence Response Teams (ERT.) We had the chance to get some hands-on experience with some of the techniques used during evidence recovery.

Weapons of Mass Destruction (WMD)

WMDs are defined by the FBI as:

  • Any explosive or incendiary device, as defined in Title 18 USC, Section 921: bomb, grenade, rocket, missile, mine, or other device with a charge of more than four ounces;
  • Any weapon designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals or their precursors;
  • Any weapon involving a disease organism; or
  • Any weapon designed to release radiation or radioactivity at a level dangerous to human life.

The FBI, through the Counterintelligence priority, focuses on WMDs from several perspectives. The primary goal is to prevent WMDs from being used on United States soil and abroad. Response to incidents is another responsibility.

The FBI's efforts fall into four basic categories:

  1. National Coordination - managed out of the WMD Directorate.
  2. Local response - each of the FBI's field offices has a WMD Coordinator. The coordinator is responsible for assessing and managing the response to WMD incidents.
  3. Outreach and Information Sharing - the coordinator is also responsible for talking to people about WMDs just like the agent did during our presentation.
  4. Preparedness - the coordinators work with local law enforcement, fire and safety personnel and others to engage in mock exercises to make sure all are prepared in the event there is an incident.

Some of the most dangerous and hard-to-control WMDs are biological and chemical. We were shown how common many of these materials are. This is not to say that they are safe to make or necessarily easy, but they are relatively easy to come by.

If you are interested in more information on WMDs and the FBI's efforts to combat them, you can read more here.

The rest of the evening was spent focusing on the Evidence Recovery Teams.

Evidence Recovery Teams (ERT)

The FBI's Evidence Recovery Teams are not staffed as full-time standing teams. The personnel who make up these teams have other duties. They are, however, highly trained and receive continuing education to keep their skills current.

Just like on CSI, they are the first to ent...just kidding. CSI, while entertaining and fun to watch, is about as far from how real ERTs work as can be. The teams are called in after first responders have determined there is a need for FBI involvement or just a need for assistance.

The teams support federal, state and local law enforcement efforts and do not have to have jurisdiction over the case in order to be called in to assist. This is not to say that the FBI takes over cases. It means they are available to support other agencies as requested or needed.

They do have some pretty cool toys, like a device that allows them to map a scene in three dimensions, which is nifty no matter how you look at it. They also spend a lot of time with mundane equipment like brushes, brooms and shovels. You can see a bit more information about ERTs here.

Play Time

On top of learning about the work the ERTs do, we also got to experience first hand some of the tools and techniques they use.

We learned how to take plaster casts of foot prints, lift fingerprints off various surfaces, use forensic vacuums, and look for trace evidence using alternate light sources. This was a lot of fun and I was able to successfully lift my fingerprint from a mirror. I wasn't quite as successful with anything more difficult 🙂

I really enjoyed getting my hands dirty.

Our next session will be at the range where we will get to fire FBI weapons. That is going to be fun!



I apologize for the delay in getting the post for week three to you. It was a very interesting evening.

Week three focused on the top two priorities of the FBI.

  1. Protect the United States from terrorist attacks
  2. Protect the United States against foreign intelligence operations and espionage.


Currently, the FBI's number one priority is counter-terrorism, both international and domestic.

The FBI uses the definition of terrorism that is set out in the Code of Federal Regulations. That definition is:

“...the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives.” (28 C.F.R. Section 0.85)

Two of the primary tools used by the FBI to fight terrorism are Joint Terrorism Task Forces (JTTFs) and the National Counterterrorism Center (NCTC.)


JTTFs are multi-agency task forces located, at a minimum, in every field office and every legal attaché (international.) These task forces are made up of personnel from the FBI, Federal Marshals, Air Force, State and local law enforcement and other agencies. They are the primary weapon in the FBI's battle against terrorism. You can read more about JTTFs here.


The National Counterterrorism Center is where analysts from the FBI, CIA, DHS, DOD, HHS, the Nuclear Regulatory Commission, and other agencies work side by side to create a big picture view of terrorism and strategically plan how to battle it. The NCTC is responsible for creating the National Threat Bulletin for the President and Threat Matrix among other analysis products. There is also a central web-based system where information on terrorism can be accessed by and disseminated to participating agencies and organizations. You can read more about the NCTC here.

What has been Accomplished

If you would like to see some examples of the kinds of accomplishments that have been achieved in the counterterrorism arena, take a look at the Terrorism 2002-2005 (link to pdf) report. It is interesting reading.

Other Resources

If you are interested in digging a little further into the FBI and their counterterrorism efforts, the FBI Counterterrorism page is a great place to start.

The agent that delivered this part of the evening's program gave us a great overview of terrorism, the activities terrorists use to fund their efforts and the methods that the FBI uses to identify, prevent, disrupt and defeat terrorists and their attacks. I took over eight pages of notes and could easily turn this post into a small novel, but I will save you from that 🙂


The second half of the evening was spent learning about the FBI's counterintelligence efforts. The FBI is the only agency that has the authority to investigate foreign counterintelligence cases within the United States. The FBI's counterintelligence efforts also include investigations into espionage, misuse of classified data and other national security issues. You can read more about the FBI and counterintelligence here.

I do want to say before I go any farther that counterintelligence, while having specific mandates, is also deeply involved in almost all facets of FBI work. For instance, counterintelligence is vital to the success of the fight against terrorism.

The mandate of the counterintelligence group is to combat espionage and economic espionage, and to deal with weapons of mass destruction.


One of the very interesting things shared during this presentation was some basic tradecraft, or techniques that spies use to communicate with their handlers. Handlers are the individuals to whom the person who is doing the spying provides information.

We see movies with all kinds of fancy gadgets and high-tech ways for spies to signal each other, but, in reality, it is much simpler. For instance, a particular type of soda can by a particular mile marker on a particular day can be a signal to do something. How much more innocuous can you get?

The Motivation of Spies

Another interesting tidbit was the five motivators of spies. He used an acronym to share this, C.R.I.M.E. 🙂

C - Compromise: This is where the individual is compromised and spies to keep the compromise a secret, i.e. a girlfriend, taking money for something, etc.

R - Revenge: One of the oldest reasons in the world. The spy is getting back at someone out of revenge.

I - Ideology: A belief that what they are doing is the right thing to do.

M - Money: These folks just want the cash.

E - ?: Unfortunately, I either didn't write this one down or we ran out of time.


The final bit of the evening was spent walking through some cases from the past and seeing what the motivators were and how the spies were caught. Very interesting stuff.

Week Four

In week four we talked about weapons of mass destruction and evidence collection. We also were able to do some hands-on stuff, evidence related, not WMD related 🙂 The full post for week four will be up tomorrow.



Cyber Crime

The first topic in our week 2 session was Cyber Crime. I am not a big fan of the phrase cyber, but that's a bit of a personal issue 🙂 If you remember, the FBI has 10 major priorities. If you need a refresher, check out the Week 1 - Part 1 post.

Cyber crime is the number three priority for the FBI. The Cyber Crime Division has its own set of priorities. They involve detecting, preventing and reacting to:

  • Counter-terrorism intrusions
  • Counter-intelligence intrusions
  • Criminal intrusions
  • Child exploitation involving computers
  • Intellectual property theft involving computers
  • Internet-based fraud

The division currently is engaged in four initiatives.

One of the facts I found very interesting is that Cyber Crime Task Forces have local law enforcement representatives sitting alongside federal agents. They receive the same clearances and have access to the same resources. This makes pursuit of the bad guys that much easier.

Another good tidbit of information to be aware of is that there is a place where you can report suspected malicious activity. It is called the Internet Crime Complaint Center.

The next topic was Internet Safety.

Internet Safety

This section dealt with providing education to people, mainly children, about internet safety. The presenter was Karen Gale, an FBI Victim Assistance Specialist. I have seen Karen speak before and will point you to a previous post for details about that program.

In addition to the Netsmartz program, there is the Parent's Guide to Internet Safety and Safe Online Surfing programs.

Our final topic for the evening was White Collar Crime.

White Collar Crime

Frankly, I couldn't take notes fast enough on this topic. There was a huge amount of information shared. The following are the areas of fraud the FBI is involved in:

  • Corporate Fraud
  • Health Care Fraud
  • Mortgage Fraud
  • Securities & Commodities Fraud
  • Insurance Fraud
  • Mass Marketing Fraud
  • Asset Forfeiture/Money Laundering
  • Bankruptcy Fraud
  • Hedge Fund Fraud

Of these, it appeared that Mortgage and Health Care fraud are the most prevalent right now.


The next session will cover Counter-intelligence/Espionage and International/Domestic Terrorism.