Friday Summary: March 18, 2011—Preparing for the WorstBy Rich
I have been debating (in my head) whether or not to write anything about what’s going on in Japan. This is about as serious as it gets, and there is far too much under-informed material out there.
But the thing is I’m actually qualified to talk about disaster response. Heck, probably more qualified than I am to talk about information security. I have over 20 years experience in emergency services, including work as a firefighter (volunteer), paramedic (paid), ski patroller, mountain rescuer (over 10 years with Rocky Mountain Rescue), and various other paid and volunteer roles.
Plus, for about 10 years now, I’ve been on a federal disaster and terrorism (WMD) response team. I’ve deployed on a bunch of exercises, as standby at a few national security events, and for real to Katrina and some smaller local disasters with other agencies. Yes, I’m trained to respond to something like what’s happening right now in Japan, and might deploy if it happened here in the US.
The reason I’m being borderline-exploitative is that I know it’s human nature to ignore major risks until it’s too late, or for a brief period during and after a major event. I honestly expect that out of our thousands of readers, a handful of you might pay attention, and maybe one of you will do something to prepare. Words are cheap, so I figure it won’t hurt to try.
I have far too many friends in disaster magnets like California who, at best, have a commercial earthquake bag lying around, and no real disaster plans whatsoever.
Instead of a big post with all the disaster prep you should do (and yes, that I’ve done, despite living in a very stable area), I will focus on three quick items to give you a place to start.
First: know your risks. Figure out what sorts of disasters (natural or human) are possible in your area. Phoenix is very stable, so I focus mostly on wildfires, flash floods, nuclear (there’s a plant outside the metro area, but weather could cause a panic), and biological (pandemic). Plus standard home disasters like fire (e.g., our smoke detector is linked to a call center/fire department). My disaster kits and plans focus around these, plus some personal plans around travel related incidents (I have an medical evac service for some trips).
Second: know yourself. My disaster plans when I was single, without family or pets, and living in a condo in Boulder, were very different than the ones I have now. Back then it was, “grab my go bag and lock the door”, becauase I’d be involved in any major response. These days I have to plan for my family… and for being called away from my family if something big happens (the downside of being a fed). Have pets? Do you have enough pet carriers for all of them? And some spare food?
Finally: layer your plan. I suggest you have a three-tiered plan:
- Eject: Your bugout plan. Something so serious hits that you get the hell out immediately. At best you’ll be able to grab 1 or 2 things. I’m not joking when I say this, but there are areas of this country where, if I lived in them, I’d bury supply caches along my escape routes. Heck, when I travel I usually have essentials and survival stuff ready to go in 30 seconds in case the hotel alarm goes off.
- Evac: You need to leave, but have more than a few minutes to put things together… or something (like a wildfire or radiological event) happens where you might need to go on sudden notice, but not have to drop everything. I have a larger list of items to take if I had 60-90 minutes to prep, which would go in a vehicle. There’s a much smaller list if I have to go on foot – we have 2 kids and cats to carry.
- Entrench: For blizzards, pandemics, etc.: whatever you might need to settle in. There are certain events I would previously have evacuated for but with a family I would now entrench for. What do you need, accounting for your climate, to survive where you are and for how long? The usual rule is 3 days of supplies, but that’s a load of crap. Realistically you should plan on a minimum of 7-10 days before getting help. We could make it 30-60 days if we had to, perhaps longer if needed – but the cats wouldn’t like it.
For each option think about how you get out, what you take with you, what you leave behind, how you communicate and meet up (who gets the kids?), and how to secure what you’re leaving behind.
I won’t lie – my plans aren’t perfect and there is still some gear I want on my list (like backup radio communications). But I’m in pretty good shape – especially with emergency rations and base supplies. A lot of it wasn’t in place until after I got back from Katrina and realized how important this all is.
Long intro, and hopefully it helps at least one of you prep better.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian’s Dark Reading post on DB Security in the Cloud.
- Adrian’s Database Activity Monitoring Tips for Search Security.
- The Network Security Podcast, Episode 233.
- Rich quoted in Federal Computer Week on tokenization.
Favorite Securosis Posts
- Mike Rothman: Table Stakes. Hopefully you are detecting a theme here at Securosis. Stop bitching and start doing. Rage and bitching don’t get much done.
- David Mortman: Technology Caste System.
- Adrian Lane: Greed Is (fill in the blank).
Other Securosis Posts
- Updated RSA Breached – SecureID Affected.
- The Problem with Open Source in Commercial Software.
- Is the Virtual Desktop Hype Real?.
- Incite 3/16/2011: Random Act of Burrito.
- The CIO Role and Security.
- Security Counter Culture.
- Network Security in the Age of Any Computing
Favorite Outside Posts
- Mike Rothman: REVEALED: Palantir Technologies. Not much is known about HBGary’s partner in, well, whatever. A decent overview of what is really a glorified big data analysis engine applied to intelligence and finance. The technology isn’t novel, but the time/detail to set it up for the use models is.
- David Mortman: An Aristotlean Approach to Devops and Infrastructure Integration.
- Rich: I love WAFs and so should you. We’ve been saying similar things, and I like how this one lays it out.
- Adrian Lane: Why U.S. Broadband is So Slow. Not security related, but very informative.
- Pepper: JoT 1512: The Internet is running out of tubes! Genius!
- Dave Lewis: Did a 16 year old hack HBGary? Probably not, but he/she sure pwned a reporter.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
- White Paper: Understanding and Selecting an Enterprise Firewall.
- Understanding and Selecting a Tokenization Solution.
- Security + Agile = FAIL Presentation.
Top News and Posts
- Open Letter to RSA Customers.
- Twitter adds option to always use HTTPS.
- ATM ripoff uses glued-down keys. Old skool is da bomb! Never underestimate the creativity of people too lazy to get real jobs.
- Obama Administration calls for new privacy law.
- Adobe Warns of Attacks on Critical Flash Player Bug. A Flash 0-day? Say it ain’t so!
- Rustock Botnet Flatlined, Spam Volumes Plummet.
- ENISA Reports on Fighting Botnets.
- Wiki-leaker could face death penalty.
- SMS Trojan Author pleads guilty.
- NIST SHA-3 Status Report.
- Robert Graham Predicts Thunderbolt’s an Open Gateway.
- Malware infects 50 Android Apps.
- Thoughts on Quitting Security.
- Gh0stMarket operators sentenced.
- DoD increasing data security.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to yadab das, in response to Technology Caste System.
I do not think it is developer specific, you can map it to any branch you want. I have seen developers who knows only c++/java or something and for them (software development == C++/Java). These are Drone Programmer, Filling the fat in a true bell curve. These people shy away from new technology, avoid learning (I mean producing also) new things. Most large development shops are full of drones because of management. When it is your hobby to draw, you draw with your heart, emotion and intellect but Can I do that? No. If I have to I will buy some imprints :-). So, it is whether that developer is a programmer or a drone ?
Rich, excellent post about preparation. I really like the 3-tiered plan items. I can’t say I’m going to go out tonight and stock up, but I’m definitely adding this to my short-list of personal projects to research and actually act on. I for one greatly appreciate and respect your experience and knowledge in emergency response! Definitely one of the better skills you can get from a job/hobby/duty, imo. Thanks!
I will follow the above guidelines. Thank you so much for this great contribution.
By IT infrastructure