Add some “magic” to security – misleading, concealment, and deception.

September 4, 2020

Avoiding the incident is the most effective security. In a previous post we discussed the concept of thwarting an attack by denying the perpetrator entry to our facility by locking them out. This, however, poses an additional question – can we push the threat even further away? Well, we can certainly try.

In WWII the US Army deployed the “23rd Headquarters Special Troops”, better known as the Ghost Army. This unit used different visual, electronic and other methods to deceive the German army. The British army had similar units, which also engaged in camouflage and deception. These operations led the Germans to attack fake targets and spend resources attacking cardboard and plywood while saving the lives of Allied forces.

The same principles of deception, misleading and concealment can be used in most security scenarios as an additional layer.

An FBI study from 2018 shows that 77% of attackers take more than one week to plan their attack; historically, many attacks have taken from six weeks to over a year to plan.

Attackers (in most cases) know the target in advance, either by surveilling it, gathering intelligence and/or studying it in other manners (internet, publications, public records etc.) or by knowing the target in person (having worked in or visited it before). This means that they will plan according to their acquaintance with infrastructure, routine, means and methods of operation etc. Our aim, then, is to disrupt the attack anywhere in the attacker’s planning process. Even highly trained organizations and/or operatives get thrown off balance, take time to regroup, and delay or even abandon an operation if they cannot obtain the information (or supplies) needed to conduct an attack, if they find a difference between their plans and the actual situation on site, or if they are made to believe that their chances of success are low. This will certainly apply to the attackers we might face.

Applying these methods carries little to no cost while generating great benefits.

Lastly – COVID-19 has forced events outside, to yards and open public venues and away from protected facilities. This creates challenges both in physical security and in cyberspace.

Here are some “magic tricks” that might help you.

Remember, since no one knows your facility better than you, you are the best “magician” for creating your “tricks”.

  • Conceal your activity – both physically and in cyberspace
  • Physical concealment – use large plastic/cloth sheets on the perimeter of your venue so the activity inside (if any) can’t be seen. Keep shades down on windows.
  • When creating a physical event, do not openly disclose the actual time or location. Manage your invitations through a secure environment and send the details to the attendees via a different method of communication – preferably text message / WhatsApp / Telegram etc., or by mail.
  • When creating a web event –
    • Do not send the event link and the password in the same communication, and if possible use a different means of communication for each element.
    • Use a “waiting room” to vet every attendee.
  • On the organization website –
    • Do not post schedules for any type of activity. Have those sent separately to members.
    • Have an email designated for inquiries. Have a procedure in place for verification of identity and background checks of all nonmembers.
  • Use different entry and exit doors and gates for different events, to avoid setting a pattern. If possible stagger the use of primary and secondary points of entry and exit.
  • Create randomly timed lighting patterns that will create the illusion of a 24/7 presence.
  • If conducting events outside, create a “fake” location: place an extra set of chairs and shades in a different location from where the actual event is going to take place.
  • Do not disclose any details about activities, hours, and if possible locations over the phone, either during operating hours or on after-hours answering machines. Have callers send you inquiries via email or text.

These are just a few generic basic ideas. There is a whole world of options for these types of activities including social media, audio and more.

Think outside of the box. When you surprise and disrupt the attacker, you diminish their motivation and ability to cause you damage and risk lives.

 
