Tom Dobbing, one of BRIDGE’s very own security consultants, writes as a guest blogger on our cyber security theme, musing on his recent vacation experience in Alaska. Not surprising that, for an info sec pro, it all comes back to security and risk, no matter how far from these matters he attempts to travel!
I recently had a great opportunity to go to Denali National Park and take a class that would teach me a number of mountaineering skills. In my mind, I figured this would be a great vacation, and one that would take me very far away from the daily technology and security work I normally do. In our field, it is always important to keep up to date with professional education credits and skill sets. In my mind, this vacation would be the total opposite of that. I didn’t realize then the surprising security and risk lessons I would learn.
The first day of vacation was the time to finally not think about work. Great. I gave myself plenty of time to get to the airport and relax comfortably before my flight. Due to delays, my flight out of TF Green Airport in RI was two hours late. My vacation was not starting off too well, I thought. The delay left me with very little time in Chicago to catch my connecting flight to Anchorage, but I figured I’d be okay. After arriving in Chicago, I had to sprint across two concourses to my connecting flight. The flight attendant was surprised to see me and had to reopen the doors to the plane. But I had made it and had dodged a bullet. I was able to enjoy a comfortable flight and catch up on some sleep.
As we descended and approached Anchorage, I was in awe at the scenery. The mountains, snow, ice and ocean all made for a spectacular view. This was going to be a great vacation. We finally landed, and I went straight to the luggage claim area because I didn’t want anyone taking off with my expensive mountaineering gear. This is the point when I found out that my luggage had never made the connecting flight. This was not good news, but I figured that I would just wait for the next flight to come in. I was sure it would be on that flight. Unfortunately for me, no one at the airline could even locate my bag. I was not happy, especially after paying an extra $100 baggage handling fee. I had one and only one shuttle that I could take to Talkeetna, the town used by the Park Ranger Service to register visitors for the park, and the final stop one can make for last-second provisions for a trip. You can’t get anything onto the glacier after this point. We’d fly from Talkeetna to the glacier.
I had to be on that bus at 5:00pm. No problem—I figured the airline had about eight hours to find my bag. I was fairly calm, but I figured I should call my mountaineering company to inform them of my dilemma. I soon wished that I had never made the call. Instead of reassuring me, they told me that if I didn’t have my stuff on time, I couldn’t go, since there would be no way to get my gear to me on the mountain. I started to panic. How could all this preparation—training, gear check, itinerary check—lead to this? I did everything right, but circumstances outside my control might prevent me from going on my mountaineering vacation. They told me to get on the shuttle and that hopefully the airline would get my gear to the hotel in Talkeetna. I reluctantly agreed, keeping my fingers crossed for a miracle. Eventually, the airline did find my bag and drove it three hours to my hotel that evening. I was extremely relieved, having just dodged another bullet.
The first day of mountaineering school was going to be a busy day. We had to go through a thorough gear check, a number of safety lectures, and then get on our DeHavilland Otter bush plane for the flight to the glacier. We arrived on the glacier, meeting with even more stunning scenery. Denali, Mount Hunter, Mount Frances, Mount Foraker all surrounded me. I felt so small, like a small dot in this vast outdoor environment. The guys on my team were from all different parts of the country and from different backgrounds. A few of them were in the technology and security fields, but I laughed and refused to talk shop. It wasn’t a problem–I think they were feeling the same way. The next few days were great, and mountaineering was everything I thought it would be. We learned and practiced a number of climbing techniques, running belays, ERNESTA anchors, rescue prusiks, avalanche awareness and, of course, crevasse rescue. With our skills in hand, we were off to climb some nearby peaks.
Our first climb was a small summit named Control Tower. It was a fairly easy but rewarding climb. We were exposed on some parts of the climb, but I never felt in danger. It seemed obvious why our instructors chose this as our first climb, but I couldn’t help thinking, what if I slipped? What was the risk? It was a long way to the bottom, and disability or even death were possible. I quickly put these thoughts out of my head and continued the climb. We made it to the top, and everyone was in good spirits. But one of the other climbers at the top had run out of water. How could he have possibly run out of water? We were all supposed to have two liters each and manage them accordingly. I gave him half of my water since I felt I had enough. Preparation, I thought. He needed to better pace himself. We spent about fifteen minutes at the summit and then turned back for camp.
We spent the next few days moving our campsite to another location and practicing more mountaineering skills. After eight days, over half of our team left. I had signed up for the twelve-day class, so I had a few more days of fun climbing ahead of me. There were four of us left, so we could take on some more challenging climbs now that we were dealing with the comparatively simple logistics of getting four climbers rather than eleven up a mountain. We decided that Mount Frances would be a good climb. Our view from camp and the topo maps had made it seem like a fairly easy climb, and we would be back down in time to avoid potential avalanches.
We started the climb early in the morning. The first 1,000 feet seemed to be very rugged terrain. It was not entirely vertical but might as well have been with our heavy backpacks. I had strong confidence in our instructor and had no qualms about following him, but clearly this climb would be the biggest challenge so far. As we continued climbing, my crampons kept balling up with snow, and there were areas where sheer willpower got me through some cruxes. It was fun but a struggle at the same time. We finally made it to the top of the ridge, and I felt a small feeling of accomplishment. The toughest part is over, I thought. I looked up at the summit—it seemed as though it was right there. I figured the climb would take only another half hour or so. What I didn’t realize was that I was looking at a number of false summits. Every time we reached the point I had thought was the very top, there was another summit to climb. This went on for hours. We finally got into a good climbing pace, and we were making good time. I could finally see the real top. One foot after another, deliberate pace and follow the instructor. I was second on our rope team, and I would place my footsteps in the same spots as my instructor. I started to enjoy the view and to look around when the next thing I knew I was falling backwards through darkness and air. I had just fallen into a crevasse, and it was pitch black.
From the tranquil view a split-second ago, I now saw nothing but a small window of light about ten feet over my head. I had felt my head hit something on the way down, and I was thankful for my climbing helmet. I looked below me. I could see nothing, but I assumed it descended 100+ feet or so into nothingness. This was not a place I wanted to be, and I wanted out of there fast. I quickly checked myself over. Luckily I was not hurt, but I was not sure if our crevasse-rescue training from earlier in the week was going to have to come into play. I heard my teammates calling to me. I responded that I was okay but I definitely wanted to get the heck out of there. They were beginning to set up a crevasse rescue, but I saved them time. I was able to chimney climb my way out. When I had made it out, I took a two-second breather before my instructor said, OK let’s go. Haha, kind of heartless, I thought. The sun was getting higher in the sky, and it was getting very warm. My instructor was starting to worry about avalanches, so I understood his urgency–somewhat! We finally made it to the top of the mountain and had a front row seat to Denali. It was one of the most awe-inspiring views I have ever seen.
We made it back down safely, but I was exhausted. The previous few nights, I had trouble sleeping, but this night, sleep was not a problem. We did another climb the following day and then concluded our trip. We flew back into Talkeetna and went to the local restaurants for some food and drinks. While there, we learned that two climbers had died in an avalanche on Mount Frances the day before we climbed it. We were not aware of it at the time, but the park rangers had been flying around looking for them the same time we were climbing. It shook me up to learn of their fate. These were the first two known deaths on Mount Frances.
So, you might be asking, what does this long story have anything to do with information security? Well, I think there are a lot of parallels that can be made between travel, climbing and security. I’d always felt that the proper equipment, training and guides would lead to a safe and controlled summit attempt. I’ve often felt the same way about information security. What I came to realize about climbing is that no matter your training or the risks you take into consideration, things can still go wrong. Much like climbing, information security is the same way. You can have all the latest training, you can have all the best tools, you can learn about all the known threats, but you know what? Things still happen, and they happen when you are not expecting them. Disasters arise, much like losing critical luggage.
What happens when your organization can’t meet your business continuity requirements? What happens when you, too, fall into a crevasse that you are not anticipating? What was once bright daylight turns dark very quickly, and you need to be prepared.
What type of incident management plan will you use? When a zero day threat is realized, what is your plan? It is not a matter of what might happen, but rather when it will happen. The question for you is, how will you react to it?