A Thoughtful, Analytical Approach to NGO Security

Learning to Think Analytically with Video Games

According to Wired US intelligence agencies are using custom video games to teach analytical thinking. Despite what the graphics might suggest the games' emphasis is on critical thinking skills and the use of the analytical process rather than violence.

I'd love to see an NGO version of something like this. It shouldn't be too hard to come up with an interesting story with a humanitarian slant that would challenge the players reasoning. Perhaps based on Darfur with the player attempting to shift through opposing claims and counter claims. Or how about a scenario based in Gaza?






Only the eight principles of intelligence analysis can save him? Oh my Gawd! I don't remember them! I'm hoping that its Richards J. Heuer's eight step Analysis of Competing Hypotheses otherwise little DIA dude is doomed.

NGO Security is Compiling a Security Training Directory

NGO Security is compiling a humanitarian security training directory. If you or your organization want to be included in the directory drop them a line. If you know someone who might want to be included please pass the word.


Breaking NGO IT with Low Tech - Suggested Readings

Discussion (here and here) regarding Bruce Schneier’s recent post on security mindset combined with recent interesting posts from friends regarding NGO IT security issues (here, here and here) has me thinking. It seems to me that social engineering, rather than a purely technological attack, is still the easiest route into most NGO’s networks. There is no need for anything too complicated. Most aid workers are somewhat trusting and helpful by nature making them easy targets for even relatively inexperienced social engineers.

Kevin Mitnick’s book, “The Art of Deception - Controlling the Human Element of Security” is a great introduction to social engineering. Kevin Mitnick was one of the world’s greatest hackers. He gained great notoriety for his ability to penetrate telephone and computer networks seemingly at will. What surprised many is that it wasn’t sophisticated technology that allowed him to do it. It was his ability to con or ‘pretext’ people into giving him the information he needed to access their systems. As he explains in the book the human factor was security’s weakest link.

Hint: If you search for “Kevin Mitnick The Art of Deception.pdf” Google you just might be able to find a free copy of Kevin’s book floating around the net.

To further develop your security mindset check out "No-Tech Hacking" by Johnny Long. Its a sample chapter from "Techno Security's Guide to Managing Risks for IT Managers, Auditors and Investigators". Johnny has since turned the chapter into a book in its own right. In the freely available sample chapter he covers tailgating, faking ID cards, lock bumping, shoulder surfing, dumpster diving and other low tech means of gaining forbidden access.

Happy reading and don't blame me if it keeps you up at night.

The Security Mindset

Bruce Schneier has an interesting article, "Inside the Twisted Mind of the Security Professional", that takes a quick look at the security mindset and whether it is innate or a skill that can be taught. I always enjoy Bruce's writing but in this case it is the links he provides to a 'computer' security course at the University of Washington that have me the most excited. Despite the fact that it is billed as a computer course the course blog is full of entries of interest to anyone honing their security mindset. Student security reviews range from soda machines to airport security. Well worth the read.

Evacuation and Relocation Training

Several months ago I did evacuation, relocation and hibernation training with one of our offices. We were all very busy at the time and my planned eight-hour training day turned into three hours. I insisted we go ahead with the training despite my concern that everyone was too tired to learn anything of value.

It turns out I needn’t have worried. Last week we were forced to temporarily relocate a sub-office due to security issues. The relocation went very smoothly and staff were keen to point out that it ‘was just like the training’.

The method we used for the training is outlined below.

The team with thier creations


Materials:

1. Index cards or construction paper

2. Flipchart paper – or any other type of paper you can use to cover several desks

3. Pens and markers

4. Note paper


Preparation:

1. Create cardboard representations of all your vehicles. They can be as simple as an index card with the vehicle details or as complex as the three-dimensional models shown in the photo below. The models in the photo are accurate down to the vehicle plate number and communication equipment on board.

2. Draw a large map that covers your operational area and potential relocation sites. The map will probably need to be large enough to cover several desk tops.

3. Prepare an equipment list outlining items needed at the relocation site and items staying behind.

4. Write each major piece of equipment on a separate small square of cardboard. Minor items can be grouped together i.e. “staff luggage - one load”.

5. Prepare a staff list that indicates who will relocate and who will stay behind. It is a good idea to brief staff on agency and individual responsibilities during evacuation/relocation a day or two before the exercise. They should also be encouraged to discuss the issue with their families.

6. Write the name of each staff member being relocated on a cardboard square.

cardboard vehicles and map

Exercise process:

1. You’ll start the exercise at your desired end state. Place the cardboard squares representing equipment and people and the vehicle models on the map at the relocation site. Divide everything into two piles: ‘essential’ and ‘nice to have’.

2. Working backward, load the equipment and staff pieces onto the vehicles. Record what equipment and which people go on which vehicle. Be realistic about how much your vehicles can carry. You’ll also need to record how long the unloading process will take.

3. Continue to work backward recording travel times, rendezvous points, rest stops etc for several alternative routes.

4. Repeat the process until all equipment and staff are back in their place of origin.

5. Using this reverse process will allow you to come up with realistic planning times, load lists, and staff lists for relocation based on your own unique situation.


Some questions to ask:

1. Have you allowed enough time for delays? Nothing ever goes perfectly to plan. Also, convoy travel is generally slower than that for an individual vehicle.

2. Will you need to make more than one trip to move all your equipment and staff? Is this going to be possible?

3. Have you allowed time for acquiring travel permission from the relevant authorities? Drafting Performa requests in advance will save time.

4. Will you be able to travel after dark? Will it be safe to do so?

Although training is important it is how it is applied in the field that matters. I'm happy to say that the team passed their real life test with flying colours.

Other Stuff

Subscribe to Patronus in a feedreader
Subscribe to Patronus Analytical RSS Feed by Email

Low on bandwidth? Try this low graphics version


Lijit Search

Bloggers' Rights at EFF Global Voices: The World is Talking, Are You Listening?



Support CC - 2007

Creative Commons License
This work by Kevin Toomer is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada License.
Jun 2008
May 2008
Apr 2008
Mar 2008
Feb 2008
Jan 2008
Dec 2007
Nov 2007
Oct 2007
Sep 2007
Aug 2007
Jul 2007