How a Car-Jacking Influenced my Security Posture

Are you prepared?

I mean really prepared ... for anything ... like a car-jacking? I wasn't.

During this incident I was running on instinct. But afterwards I started analyzing what went right - and what could have gone terribly wrong.

The Attempted Car-Jacking

(Actual Dashcam Video)

Accidents happen. Some people only learn how to drive from Grand Theft Auto. I've accepted that. So when a car side-swiped me on the West Side Highway in NYC, I went into evidence mode - taking out my mobile phone to take pictures of the damage, insurance cards, driver's license and license plates. My phone was ready.

However, once I saw three men get out of the Zipcar , my assessment of the situation changed dramatically. My purpose now was to take control of the situation without escalating. As the driver approached me, I showed him I was video recording him. He backed away. I stood up and insisted on seeing his identification. He backed away even further.

The second man was peering into my passenger side window. I fell back on a de-escalation technique I was taught to vocalize what I believe they were thinking. I calmly asked them, "Are you looking to see if there's anything valuable? Are you looking to see how you're going to take the car?" The second man backed away.

The third man identified my dashcam and immediately waves off the other two. The men retreat into their vehicle and take off.

So ... I survived. And the attempted car-jacking was thwarted with only minor damage to my car. Was it luck? Was it really something I did?

I want to believe it was a combination of tools (dashcam / mobile phone), continuous situational assessment (change in narrative), protocols (evidence mode), playbooks (de-escalation techniques), and mindset (my ability to stay calm and not act like a victim before becoming one).

In hindsight, it was most likely the $40 dashcam as the tipping point that saved me from a few thousand dollars in stolen assets and personal harm.

Could it have gone bad? Absolutely. Indeed, luck was a major factor. In the end, if they asked, I would have given up the car without a fight.

I have car insurance to replace the vehicle. And although I have health (and life) insurance to cover me if I struggled with them, injury (or death) is a bad trade-off for a car only worth a few thousand dollars.

The Security Posture Trade-Off

It occurred to me that the there is a lesson here for all of us: $40.

Are we prepared for cyber events? Probably not as well as you believe. We were not prepared for the Morris Worm in 1988, StuxNet in 2010, WannaCry Ransomware in 2017, nor SolarWinds Sunburst / SuperNova in 2020. At the time these were new tactics; but in the aftermath, we learned and adapted.

Organizations can take some lessons from my attempted car-jacking.

• Deploy tools that prevent known threats. Make the barrier to entry difficult. Can $40 save you from $1000s is losses? (relatively speaking)
• Perform continuous situational assessments to identify potentially unknown threats. This is where AI models can help reduce the time to detect.
• Execute protocols to protect users and assets. ZTA (need I say more?)
• Create (and practice) playbooks to respond and de-escalate situations. Printed playbooks and recurring incident response table-top exercises are table stakes.
• Nurture leadership mindset to mitigate and recover from incidents calmly and effectively. Executive-level incident response tabletop exercises are eye-opening experiences for everyone, and should be mandatory when new executives onboard into the organization.

Insurances such as cyber insurance, E&O and D&O, are necessary when all these steps fail to stop a threat actor from taking your car.

However, relying on insurance as an incident management strategy is a bad trade-off. Spend the $40.

I hope I've learned and adapted from this experience, because I was indeed lucky. I may act differently next time ... or not.