On August 14th, at JFK airport in New York, terminal 8 was evacuated after a report of “shots fired.” On August 28th an eerily similar situation occurred at Terminal 4 at LAX. Both of these situations occurred in the evening at about 8:30-9:30pm local time. In both cases chaos ensued with shouts of “Run!”, errant stories of hearing “pops” or gun fire and in both cases not only did people evacuate out the front, public facing area of the terminal but people also evacuated onto the tarmac, a supposed secure space where passengers are NEVER to be (for both safety and security reasons). What is more interesting is that in both cases police reported that in fact no shots were fired and no evidence (i.e. shell casings, video images etc.) of weapons or shots were even present. There was not even a situation where a gun was found at TSA or seen in an open carry situation.
Not going to go there:
Is there something more sinister happening? As much as I want to pontificate on intelligence collection and the potential meaning (or lack thereof) of these events directly, this blog is about teaching security so let’s continue to focus on that and you can speculate on what is happening with these two events directly. I am sure there are other blogs that will delve into that as well. I can certainly tell you that more nefarious reasons for these two events have crossed my mind… namely probing. So that is what we will discuss, probing security defenses.
What is probing?
Simply put, probing is an attacker deliberately testing certain areas of your defensive mechanisms, usually the perimeter, in order to determine if a weakness or pattern exists. That weakness or pattern could show the attacker where to begin or conduct his or her actual attack efforts.
Bring that to real life, many times kids (and some adults) will probe one another. My boys will all the time make a jab at their brother(s) and friends, looking for a reaction. When they get a reaction then they tease back. They found a weakness. Adults may do this in potential dating situations, we call it flirting. One flirts with another, you get a reaction and you keep going. You get none, you move on or try another tactic.
In security, sometimes an attacker is looking for no reaction and moves in that direction knowing that no reaction from a guard or defensive system is likely a sign of weakness. However, sometimes an attacker will probe and want a reaction, to see what the reactions are either to avoid them or use them to his or her advantage. In the case of the airports, that reaction could be used in a multitude of ways. Maybe they are wanting to see where people congregate so that they can take hostages or worse in a mass way. Maybe they wanted to see if people would go on to the tarmac and so that maybe a baggage handler can pass an unsecure device to someone “evacuated” on to the tarmac. There are lots of reasons for probing but all of them are a precursor to an action or an attack.
Social Media as a Probe?
We have seen that social media has been used extensively with riots and protests in the past couple of years in Baltimore, Ferguson, Milwaukee, the events of the “Arab Spring” and many more. Let’s reflect upon these two airport events in the perspective of what if someone was probing (not saying they are, but what if). Keep in mind that probing is usually to determine a weakness or reaction, a precursor to an actual attack. If you want to know how your physical attack may work, or know where to best conduct the attack, what better way to see what would happen than create a social media “event.”
Thirty years ago (1986) these airport events would have been reported as small side notes, with little detail and probably no pictures in your local newspaper a day or two after they occurred. We would read them and take note of them in passing, then move along with our day.
Twenty years ago (1996), the events would have been published on distinguished and edited news websites within a couple of hours of occurrence, may have taken an “above the fold” or headline location, maybe even would have been “breaking news” for cable news sources for a short period of time and then been replaced by the next event. Unless you were sitting staring at CNN as it happened, you would have read about it during your lunch or other break at work on YAHOO!, maybe in the evening on your pokey dial up Internet connection from home, and then went about your day.
Ten years ago (2006) the 1996 situation had not changed much from an actual journalistic perspective, news was published on credible sites, edited by competent editors etc. But because of actual world events (9/11, war in Iraq etc) you were taking a closer and more critical note of things. You were reposting news stories with your added commentary of the world and news on Social Media sites such as the new Facebook or more likely MySpace (remember that?). You became the content approver, an editor and a censor.
And finally, here we are in 2016. Journalism still exists but each and every person with a smartphone can now be a journalist, and frequently is. Facebook Live and other similar types of tools can stream events as they happen and without a filter, giving people an opportunity to be there without actually being there. Many people that are watching can post what they “think” is occurring in an event on Facebook, Twitter, Periscope or Instagram and provide their own interpretation of the event(s). All too often these sideline comments are either jumbled with real data and the communication more closely resembles the old game of “telephone” than actual data. And all the while, this “story” can trend and people will “follow” not by the tens, but the tens and hundreds of thousands and more. Reality television is no longer a thing for television that has some scripting, editing and bleeping out of the tough parts, it is in the palm of your hand, unedited, unfiltered and all in the eye and mind of the beholder.
Are we Jumpy?
The question does beg to be answered, are people more jumpy today than they were thirty (or more) years ago? My personal opinion is that jumpy is not the right word. There were plenty of things, including terrorism, in 1986 that still exist today (if you are curious, I wrote a whole paper on the history of Islamic terrorism that clearly shows it was around and prevalent prior to 9/11/01). I would argue that technologies and applications with those technologies has removed a level of responsible, vetted information production and has placed information dissemination, interpretation and consumption in the hands of untrained, highly opinionated and overall over-informed persons. As a result, “we the people” may actually make less informed and more reactionary decisions based upon micro events rather than the larger landscape on the canvas. Instead of jumpy, I may say that we are more micro-reactionary. People today live for the moment, not for the long haul. Whatever feels good or right now is OK, regardless of the long term ramifications.
We, as security professionals need to take that into account when we are conducting our everyday work, event analysis and annual (or more frequent) training events. We need to take into account that the slightest actual or perceived event can set off a hailstorm of reaction by over and under informed citizenry that takes an innocent or inaccurate event or story and causes an out of control blaze. It turns “my” opinion and perception of reality into reality whether it be true or not. Social media has caused every little perceived or actual situation into a national or international news event. And an ill-informed or improper reliance upon unvetted intelligence sources can lead to failed actions and reactions by security personnel.
A number of things should be considered for Physical Security and the Potential of Probing Events:
- We need to be careful to rely upon facts in order to make our assessments of situations and events. Do we evacuate a terminal based upon someone posting on Twitter or stating in a hallway that shots have been fired? Or do we base our decisions upon our own LEO’s and Agents on the ground reporting actual shots fired? Do we evacuate our offices because Twitter is “lit up” with reports of an active shooter on the fourth floor of our office building or do we urge people to remain calm and seek to validate and contain that through other means?
- We should understand our risk tolerance in advance. Every organization and leader is different in how much risk tolerance they are willing to accept. Before making your plans, understand or have the discussion on what is tolerable. Ask the tough question – are we willing to risk life and limb, someone getting run over by a stampede, a baggage cart or sucked into a jet engine, because our immediate reaction to unsubstantiated reports is “Get out!” Or are we willing to risk an extra couple of shots getting off while we check with our qualified agents on the ground?
- Do we have clear evacuation plans that include securing secure spaces and directing people to the proper evacuation routes? In both the JFK and LAX situations, unsecured “never to be there” people were allowed, sent to or otherwise found themselves on the tarmac, a space that should never be occupied by uncleared persons for a number of reasons, both safety and security (and in my opinion, safety more so). If you have not considered in your evacuation plans how to secure secure spaces, do so no. How do you ensure that the data center will not be breached by a throng of people rushing down the hallway like the bulls at Pamplona?
- Do we have a secure re-entry plan? Situations like JFK and LAX could be used to cause mass confusion and allow unsecure items to enter secure spaces. Speculate with me, what if they “active shooter” situation as designed to get someone on to a tarmac so that an unsecure item could be passed from an insider threat agent in baggage handling to an unsecure person getting ready to board a plan? What if an evacuation scenario would exist in your office spaces to allow a person to slip in during the “all clear” rush to re-enter and get work restarted?
- Have you considered you are being probed? Hackers all the time will scan an electronic environment and seek out the weak points, look to see where an organization reacts and does not and then use that to exploit the situation, many times gaining access. When things like JFK and LAX happen, bomb hoaxes are called in or unplanned fire alarms occur, don’t blow them off as if they are nothing. They could be a future attack in the planning stages (my personal concern about the airport situations). Maybe the attacker wants to see how fast, which way you exit and what your gathering points are when you have exited the building. Worse, maybe he wants to slip in during the chaos of everyone going out.
- Do we show all of our cards when facts don’t support that an event is occurring? This is a huge question that is best answered by the risk assessment process. If the facts don’t support that an event is occurring, then we cannot assume that probing is taking place, after all it may be a disgruntled employee or a prank. However, we should take seriously “false alarm” events and consider the possibility that in fact we are being probed and in those cases, you may want to keep something back for when the bad guy really does show up.
- Increase vigilance: When an unplanned event occurs, such as a fire alarm or even odd person showing up on the parking lot, as a security leader keep a portion of your team focused on their normal operations job and keep vigilant on other doors. In fact, turn up their vigilance requirements. Redeploy your team if necessary from lesser needed posts to the CCTV monitor. Someone may be trying to sneak in through the backdoor while you attend to the “drunk” in the parking lot or the fire alarm going off on the 3rd floor.
These are just some of the things, if you consider and put them into action, that will make your security program a better one.
Mark A. Houpt is a security professional, leader and speaker with more than 25 years of experience in ALL facets of the security field. Mark holds numerous security certifications including the CISSP, CEH, CHFI and is diligently working to complete his Masters degree in Information Security and Assurance. Mark is currently the CISO of a Cloud Hosting Provider in the Maryland area. If you would like to learn more about Mark and his experience, please see his resume. If you would like to contact Mark for consulting or possible media or speaking appearances, please email him for further discussion.