[Infowarrior] - Don't Look a Leopard in the Eye, and Other Security Advice

[Richard Forno]

Don't Look a Leopard in the Eye, and Other Security Advice
05.31.07 | 2:00 AM
http://www.wired.com/print/politics/security/commentary/securitymatters/2007
/05/securitymatters_0531

If you encounter an aggressive lion, stare him down. But not a leopard;
avoid his gaze at all costs. In both cases, back away slowly; don't run. If
you stumble on a pack of hyenas, run and climb a tree; hyenas can't climb
trees. But don't do that if you're being chased by an elephant; he'll just
knock the tree down. Stand still until he forgets about you.

I spent the last few days on safari in a South African game park, and this
was just some of the security advice we were all given. What's interesting
about this advice is how well-defined it is. The defenses might not be
terribly effective -- you still might get eaten, gored or trampled -- but
they're your best hope. Doing something else isn't advised, because animals
do the same things over and over again. These are security countermeasures
against specific tactics.

Lions and leopards learn tactics that work for them, and I was taught
tactics to defend myself. Humans are intelligent, and that means we are more
adaptable than animals. But we're also, generally speaking, lazy and stupid;
and, like a lion or hyena, we will repeat tactics that work. Pickpockets use
the same tricks over and over again. So do phishers, and school shooters
(.pdf). If improvised explosive devices didn't work often enough, Iraqi
insurgents would do something else.

So security against people generally focuses on tactics as well.

A friend of mine recently asked me where she should hide her jewelry in her
apartment, so that burglars wouldn't find it. Burglars tend to look in the
same places all the time -- dresser tops, night tables, dresser drawers,
bathroom counters -- so hiding valuables somewhere else is more likely to be
effective, especially against a burglar who is pressed for time. Leave decoy
cash and jewelry in an obvious place so a burglar will think he's found your
stash and then leave. Again, there's no guarantee of success, but it's your
best hope.

The key to these countermeasures is to find the pattern: the common attack
tactic that is worth defending against. That takes data. A single instance
of an attack that didn't work -- liquid bombs, shoe bombs -- or one instance
that did -- 9/11 -- is not a pattern. Implementing defensive tactics against
them is the same as my safari guide saying: "We've only ever heard of one
tourist encountering a lion. He stared it down and survived. Another tourist
tried the same thing with a leopard, and he got eaten. So when you see a
lion...." The advice I was given was based on thousands of years of
collective wisdom from people encountering African animals again and again.

Compare this with the Transportation Security Administration's approach.
With every unique threat, TSA implements a countermeasure with no basis to
say that it helps, or that the threat will ever recur.

Furthermore, human attackers can adapt more quickly than lions. A lion won't
learn that he should ignore people who stare him down, and eat them anyway.
But people will learn. Burglars now know the common "secret" places people
hide their valuables -- the toilet, cereal boxes, the refrigerator and
freezer, the medicine cabinet, under the bed -- and look there. I told my
friend to find a different secret place, and to put decoy valuables in a
more obvious place.

This is the arms race of security. Common attack tactics result in common
countermeasures. Eventually, those countermeasures will be evaded and new
attack tactics developed. These, in turn, require new countermeasures. You
can easily see this in the constant arms race that is credit card fraud, ATM
fraud or automobile theft.

The result of these tactic-specific security countermeasures is to make the
attacker go elsewhere. For the most part, the attacker doesn't particularly
care about the target. Lions don't care who or what they eat; to a lion,
you're just a conveniently packaged bag of protein. Burglars don't care
which house they rob, and terrorists don't care who they kill. If your
countermeasure makes the lion attack an impala instead of you, or if your
burglar alarm makes the burglar rob the house next door instead of yours,
that's a win for you.

Tactics matter less if the attacker is after you personally. If, for
example, you have a priceless painting hanging in your living room and the
burglar knows it, he's not going to rob the house next door instead -- even
if you have a burglar alarm. He's going to figure out how to defeat your
system. Or he'll stop you at gunpoint and force you to open the door. Or
he'll pose as an air-conditioner repairman. What matters is the target, and
a good attacker will consider a variety of tactics to reach his target.

This approach requires a different kind of countermeasure, but it's still
well-understood in the security world. For people, it's what alarm
companies, insurance companies and bodyguards specialize in. President Bush
needs a different level of protection against targeted attacks than Bill
Gates does, and I need a different level of protection than either of them.
It would be foolish of me to hire bodyguards in case someone was targeting
me for robbery or kidnapping. Yes, I would be more secure, but it's not a
good security trade-off.

Al-Qaida terrorism is different yet again. The goal is to terrorize. It
doesn't care about the target, but it doesn't have any pattern of tactic,
either. Given that, the best way to spend our counterterrorism dollar is on
intelligence, investigation and emergency response. And to refuse to be
terrorized.

These measures are effective because they don't assume any particular
tactic, and they don't assume any particular target. We should only apply
specific countermeasures when the cost-benefit ratio makes sense
(reinforcing airplane cockpit doors) or when a specific tactic is repeatedly
observed (lions attacking people who don't stare them down). Otherwise,
general countermeasures are far more effective a defense.

- - -

Bruce Schneier is the CTO of BT Counterpane and the author of Beyond Fear:
Thinking Sensibly About Security in an Uncertain World.