5 Security Lessons Today From A 911 Hero

This month marks the 15th anniversary of the devastating attacks of 911 upon the World Trade Center. For all the misery and suffering that occurred that day, it is also worth remembering that there were some truly remarkable stories of human decency and courage. One of the most inspirational to me is that of Rick Rescorla a retired United States Army Officer and previously decorated war hero, originally born and raised in Hayle, Cornwall in the United Kingdom.

Through Rescorla’s foresight and actions, nearly every employee of his company located within the South Tower made it safely out of the building before it collapsed. Rescorla himself died whilst returning to the tower because it is understood that he would not leave a single employee under his watch behind. As humbling as such altruistic bravery is, it wasn’t Rescorla’s courage alone that saved those people’s lives. It was also his brains, diligence and exceptional foresight as a security chief.

As a tribute to his legacy, there is much of value for practitioners of Information and Cyber security to draw upon and aspire to from Rescorla’s corporate security career and his tenacious approach to improvement. Acknowledging of course that the challenges most of us will encounter day to day pale into insignificance when put in context with the harsh physical reality of having to rescue real people under such terrifying circumstance.

1 – Seek the expertise of others

We all need to recognise when to seek advice, listen to a different perspective, defer to subject matter specialists and bring in the right expertise when and as required. The reach will have to go much further in some instances than just the IT, involving the likes of legal and forensics specialists.

‘Team Rescorla’ was the working name given to Rick’s extended and diverse network of trusted allies, confidantes and consultants. These included writer Fred McBee and Dan Hill an ex-special forces soldier with whom Rescolra had served. Hill was engaged for his training in counter-terrorism and the first person Rescorla turned to when assessing risk on the 22 floors of the World Trade Center.

2 – Look beyond the obvious threats

A poorly scoped penetration test or network health check that simply ‘runs the tools’ or ‘checks the tickboxes’ will rarely offer new insights and may even create a false sense of assurance. The value really comes from experts with not only the tools and skills but the ability to objectively think outside the box and find the weaknesses we can’t. Often because we’re so close to them day to day, we just don’t think to look there. The one question such tests should be able to answer is the same straight mandate Rescorla gave Dan Hill when conducting a review of his offices in 1990:

“How would you take this out?”

Hill could find no obvious fault with the office areas themselves. He actually observed that Rescorla already had it ‘pretty well covered, nothing I could tell him about that.’ Rather than leave it there however, he decided to step outside the box and look more broadly at the building itself. Starting from the bottom up, he noticed an open garage area in the basement with no obvious access restriction. He entered, unchallenged and commented “This is a soft touch, I’d drive a truck full of explosives in here, walk out, and light it off.”

His words proved horribly accurate when three years later on February 26, 1993, a truck bomb was driven into and then exploded in the basement of the World Trade Center.

Following this first major attack on the building, the basement access was of course finally secured. Never complacent however ‘Team Rescorla’ had by then already started to look at the residual risks. With the ground vulnerability now covered they started to envision the next logical vector of attack, this time from the air.

3 – Never dismiss unconventional or inconvenient warnings

Rescorla had actually presented a report which included the vulnerability identified with the basement before the 1993 attack ever occurred. But he was apparently informed that the existing buildings security evaluation already “took into account all known threats at that time,” and it “was better than in most office buildings in New York.” As astounding as this now seems with hindsight, the position was likely rooted in the conventional risk view of the time. A more innocent era which never anticipated the scale of terrorist attack on US soil to come and therefore deemed the threat as having little credibility or priority.

Conventional views of InfoSec & cyber today can quite easily fall into a similar sense of complacency and belief that they have taken into account all that they need to be concerned with. Just because an organisation has met a particular compliance or bought itself a new and expensive set of cyber widgets, they must be OK – right? Thereby often apportioning low priority or even outright dismissal to some inconvenient or unconventional anomaly or warning. We do so at our peril.

4 – Work the best you can within whatever remit you have

For Information Security and Governance to be truly effective it has to be embedded into the whole culture of an organisation and will always work best when driven top-down. Security of whatever kind will always be there to ultimately protect and support the core business rather than necessarily steer it however. For that reason, as professionals we must accept that some of our recommendations (as rational as they may be from a purely security perspective) simply may not be accepted by the business. That doesn’t mean we should become necessarily demoralised nor simply accept doing nothing. There is rarely any real satisfaction to be gained within any field of security in being able to say “I told you so.” Instead, we should try to go back and approach the problem again. Creatively look at other ways to mitigate the same risk perhaps, albeit in a sometimes reduced  way. Some mitigation and/or damage limitation is after all better than none. This isn’t defeatist, at times it’s just plain realistic.

When Rescorla was effectively told that the wider building security was not his concern and to only worry about his companies leased space – he did just that but he did it very effectively.  By the mid-nineties he had become so convinced that the building would be attacked again, he proposed that the company move out of the WTC and even Manhattan itself altogether. Due to the existing office lease running until 2006 this literal ‘risk removal’ approach was simply never going to gain acceptance. So instead he continued to work within his remit, creating and practicing new and improved evacuation plans. These drew upon and learned from what had previously gone wrong in the 1993 attack where many people were left for hours within smoke filled offices. Security was tightened wherever he could, he appointed dedicated fire wardens to work with security staff, ensured fail-safe lighting and smoke extractors throughout all the offices and stairwells and ensured every employee including the most senior took part in highly disciplined and regular evacuation drills.

5 – Plan & prepare for incidents

Detection, identification, containment, eradication and closure are the well understood essentials of all good cyber incident response plans. To avoid abject chaos we must know in an instant the people, processes and technology that we will need to turn to and how to access them. We also need to recognise when an event is serious enough to invoke matters to another level. We therefore need to know exactly who the key stakeholders are to be and who will ultimately take the tough decisions. As Information Security practitioners at all levels we need to be reviewing and re-evaluating our incident response plans, procedures and policies for changes that may have affected any aspect of them. Something as seemingly innocuous as an out of date contact name or number may make all the difference in the eye of the storm. Something as critical as a key technology solution which has changed and therefore behaves in an unexpected manner may have far wider consequences. We should also be installing into our staff a continual awareness of what suspicious looks like and constantly encouraging blameless reporting at the earliest opportunity. The first few hours are after all the most significant.

Rescorla keenly observed the “Eight ‘P’s,” mnemonic he had learned from the military. When the Towers were hit on that fateful day, his highly prepared and practiced evacuation plans meant that he knew exactly what to do. Around 2700 people lived to tell the tale as a result.

[su_box title=”About Angus Macrae” style=”noise” box_color=”#336588″][short_info id=’88480′ desc=”true” all=”false”][/su_box]