<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-14312771</id><updated>2012-02-16T01:16:54.024-08:00</updated><title type='text'>Security Today</title><subtitle type='html'>Comments, thoughts, and pet peeves about the application (or misapplication) of security today. &lt;br&gt;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>45</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-14312771.post-8773268113852272376</id><published>2011-10-28T07:29:00.000-07:00</published><updated>2011-10-28T08:23:30.363-07:00</updated><title type='text'>What is the best way to arrange alarm sensors?</title><content type='html'>It's the way that detects the intrusion the quickest and most accurately. 
And, that is done how?&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Keep these in mind:&lt;/b&gt;&lt;br /&gt;•  What are you protecting and where is it? [the asset]&lt;br /&gt;•  What are you protecting it from and how will it get there? [the threat]&lt;br /&gt;•  What accommodations are needed to function with and within the protected area? [your activities]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Assumptions:&lt;/b&gt;&lt;br /&gt;The goal of the alarm system is to deter a criminal with a siren once an intrusion is detected and to summon a law enforcement (or private security) response. It is also going to provide some insight into the intruder's path and possibly their intentions during the attack.&lt;br /&gt;&lt;br /&gt;The asset is inside your home or business. There is most likely more than one asset and they are not necessarily grouped together. This makes for multiple areas to specifically protect.  &lt;br /&gt;&lt;br /&gt;The threat is coming from outside. This may not be true in reality; however, it is an assumption for this exercise. It will need to pass through a door, window, wall, floor or ceiling to gain access. &lt;br /&gt;&lt;br /&gt;You, your family, or your business associates might want to conduct some limited activity inside sometimes when the alarm is armed. Most of the time the location will be vacated when it is alarmed.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Basics:&lt;/b&gt;&lt;br /&gt;1. All exterior doors should certainly have a magnetic contact or other point sensor installed.&lt;br /&gt;2. Exterior windows should also have a magnetic contact or point sensor installed.&lt;br /&gt;3. The areas directly inside the exterior doors and windows should have at least one volumetric sensor.&lt;br /&gt;4. Large areas of glass, or glass that may be targeted by street punks, should have a glass break sensor.&lt;br /&gt;5. 
Some individual assets may warrant specific protection such as sensors inside safes, or liquor cabinets (for teenagers).&lt;br /&gt;6. The alarm control panel should be in a well protected location (rapid access to this will disrupt the alarm communication and response).&lt;br /&gt;6a. If the communications module for the panel is located away from the panel, it too should be well protected.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Next Step (for the Unoccupied State):&lt;/b&gt;&lt;br /&gt;The most likely path(s) that an intruder might use should be monitored by sensors. This offers insight to their activity during the intrusion. The degree of insight comes from the nature of the sensors that are focused on that asset.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Next Step (for the Occupied State):&lt;/b&gt;&lt;br /&gt;Think about where you wish to move while the alarm is armed. Plot this area on a set of floor plans if necessary. Now, is it still possible to effectively detect an intrusion with these areas not monitored? In a perfect environment you and your family will be able to use the restroom and walk to each other without activating the alarm. This may not be ultimately possible; although it is with some creative planning. Keep in mind that some burglars have been known to move around the bedrooms of their victims while they were sleeping in the room.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;With the sensors planned - we'll jump beyond the whole installation part - there is at least one more step. 
And it is quite possibly the most important one....&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-8773268113852272376?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/8773268113852272376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=8773268113852272376&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/8773268113852272376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/8773268113852272376'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2011/10/arranging-alarm-sensors-tricks-tips-and.html' title='What is the best way to arrange alarm sensors?'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-4163818240247333999</id><published>2011-10-23T14:30:00.000-07:00</published><updated>2011-10-23T14:30:42.000-07:00</updated><title type='text'>Cyber Security Awareness Month - what's the hype about</title><content type='html'>"&lt;a href="http://www.dodbuzz.com/2011/10/03/wh-proclaims-cyber-security-awareness-month/"&gt;Every American has a stake in securing our networks and personal information&lt;/a&gt;" All the daunting and cool hacker stories today may leave the everyday citizen feeling... well a little uninvolved. NOT SO! Consider for a moment how this directly affects you.... 
&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;You are but a cog in the machine that is the global information system. You could be an important cog and never know it. First it's important to realize that most "hacking" is similar to the average burglary. Really it is.  Remember the average burglary gains entry through an open or unlocked door or window, right? Well the average malware (malicious software - the projection of the hacker) gains access to your computer by getting past poorly maintained firewalls, anti-virus software that is not updated, and through unpatched/updated software applications. And what does this malware do, you ask? What does a burglar do? The malware may roam your machine and look for interesting data, or it may lie in wait for you to enter interesting information, and then it carries it away for someone else to use. A burglar takes your TV and fences it. A hacker using malware may steal your credit card, social security number, phone numbers, addresses and whatnot, and then fence them on a website. Or they may just use them for their own ends. &lt;br /&gt;&lt;br /&gt;What is the most significant difference between a burglar and a network hacker? Threat Population! At any given time there are only so many people within travel distance of your home or office with the tools, expertise and desire to break into your home or office. Let's just make it easy and say the population of the metro area where you live and work. Now the available population for attacking your online presence is everyone connected to the Internet who can download free software to seek out vulnerable machines and exploit them (so nearly everyone connected). The population difference for the threat is several orders of magnitude larger. 
Imagine a burglar that was able to cast out their thoughts (fanciful I know but bear with me) and, in that telepathic scan, learn who did not lock a door or window to their home or office without ever leaving the comfort of their warm soft couch and the other amenities that bring any lazy minimalist pleasure. That is what a hacker may do when they scan the portion of the Internet where your machines are connected. The easiest targets become apparent - the low hanging fruit of cyber theft. &lt;br /&gt;&lt;br /&gt;Now an updated firewall, anti-virus software, and application software will not protect you from everything - not even close. Though it will cover the laziest of online miscreants. If you apply the &lt;a href="http://en.wikipedia.org/wiki/Pareto_principle"&gt;Pareto Principle&lt;/a&gt; to this it means that 20% of your effort will be sufficient for 80% of the problems. Updating software also helps to keep it operating smoothly and efficiently. &lt;br /&gt;&lt;br /&gt;Why mess with it if it works? I like to install it and leave it alone, you say? Consider this analogy for an unmaintained firewall. A firewall is a device or software used to separate networks. It's the difference between an open door and a door with an armed receptionist to manage authorized traffic. So you have a security officer come to your home every night to check and make sure everything is locked up and no one can get in. Now everything requires maintenance, even the officer. After a time the vision in his right eye begins to fade but he keeps reporting to you that everything is locked up tight. Then one day you hire a new officer because you had to and suddenly he reports that the last guy didn't see that one of the windows had been unlocked - the one on the right. Who knows how long that window has been open and your resources have been leaving through it. 
&lt;br /&gt;&lt;br /&gt;When you get infected with malware you may be sending it to your friends, and their friends, and their acquaintances. Just like a nasty STD. You send an email or message that the malware has attached itself to without your knowledge. Your friend trusts you and opens the email and maybe even an attachment. They're infected now too. The malware that your half-blind security let in might be sending these emails without your knowledge as well. So, please keep your software, firewall, anti-virus, and applications up-to-date. It's a start.  &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-4163818240247333999?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/4163818240247333999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=4163818240247333999&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/4163818240247333999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/4163818240247333999'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2011/10/cyber-security-awareness-month-whats.html' title='Cyber Security Awareness Month - what&apos;s the hype about'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-2284799643875986681</id><published>2011-10-21T04:00:00.000-07:00</published><updated>2011-10-21T01:16:03.580-07:00</updated><title type='text'>A bit more on sensors</title><content type='html'>Arranging sensors to protect asset(s) just isn't as simple as looking at a set of property plans and sprinkling a pepper shaker over them and placing sensors where the pepper falls.  The most likely impact is budgetary - these things cost real money. Next is the unlikeliness that the pepper shaker has such mystical powers as to predict an intruder's path. Lastly, there are some design considerations you might want to entertain that affect the usability of the system. For instance, you might want to be able to use the restroom in the middle of the night without summoning the local &lt;a href="http://www.google.com/imgres?hl=en&amp;biw=1034&amp;bih=570&amp;tbm=isch&amp;tbnid=d3KQv4EkV24whM:&amp;imgrefurl=http://www.lewrockwell.com/grigg/grigg-w12.html&amp;docid=lgIPbK5ItdyD-M&amp;imgurl=http://www.lewrockwell.com/grigg/ParamilitaryPeePee.jpg&amp;w=600&amp;h=418&amp;ei=QP6gTsvvAsfdiAKs96i2Bg&amp;zoom=1"&gt;SWAT team for assistance&lt;/a&gt;. &lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Placing sensors in your home, business or other facility must work within your financial constraints, protect the asset(s), and facilitate your use of the space. We'll work with a home for now as an example. &lt;br /&gt;&lt;br /&gt;It is important to detect the intrusion as early as possible. The farther away that the attack is detected and assessed, the greater the opportunity to prevent them from being successful - regardless of their intent. It is essential to keep in mind that simply detecting activity is not sufficient. It must be assessed to ensure the detection is legitimate and not an error. 
There is a point between when an attack begins and when it is successful called the Critical Detection Point. It is that point after which a response will not be quick enough to thwart the success of the attack. With home burglaries it is an unfortunate fact that a response is not likely to arrive very quickly. Why is this, you ask? Police departments are overwhelmed with service calls, most alarm activations are false alarms, and a burglar doesn't need to spend very much time in a home to get some good stuff and escape. This may not be as true if you live in a very large house that resembles a museum. In that case there are other concerns. The average home burglar will either be sent away when a loud siren activates or they will not. We'll address the bad guy a little later.&lt;br /&gt;&lt;br /&gt;Early detection and assessment. In some areas the alarm must be assessed by phone contact by the central station, or by remotely viewing closed-circuit television (CCTV) or microphones, or possibly just through multiple sensor activations. Let's assume you do not want to have any CCTV systems in or around your home. It may just be enough to arrange the sensors to demonstrate the intent of an intruder and decrease the opportunities for unnecessary police dispatches. This is simply done with layers of sensors.&lt;br /&gt;&lt;br /&gt;Many security professionals discuss "Concentric Circles." This is just as it sounds. Layers of protection wrapped around the asset being protected. This is also called "Defense in Depth." Unfortunately this is not so easy in a typical residential structure. There simply aren't enough worthwhile layers. The wall of the house is typically the first line of physical defense (excluding the deterrent value of lighting and other features) and maybe there is a sturdy bedroom door after that - unless the bad guy uses a window. &lt;br /&gt;&lt;br /&gt;Think in terms of occupied and unoccupied conditions. 
Will you be setting the alarm in the evenings while you rest or just when the home is vacant? If you plan on arming the system while you are inside the structure, try to create "protected corridors." These should let you move where you need to while wrapping the adjacent areas with reliable detection zones. In addition to the restroom and children's rooms, allow yourself enough movement to assess any odd noises or activities while keeping the alarm armed! &lt;br /&gt;&lt;br /&gt;Next we can consider sensor types and locations...&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-2284799643875986681?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/2284799643875986681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=2284799643875986681&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/2284799643875986681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/2284799643875986681'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2011/10/bit-more-on-sensors.html' title='A bit more on sensors'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-420069245770781706</id><published>2011-10-21T01:00:00.000-07:00</published><updated>2011-10-21T01:00:14.710-07:00</updated><title type='text'>Picking up 
where we left off.... (so many years ago)</title><content type='html'>I sincerely hope no one has waited all this time to plan their alarm system. If you have I can only scratch my head... &lt;br /&gt;&lt;br /&gt;We left off with the promise of some discussion of sensor types as they relate to planning an alarm system. Here we go...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;But first, it is important to determine whether the system will be monitored remotely by a central alarm station or just a local alarm with a siren. Monitored systems provide the opportunity to summon help and come with a fee for the service. Local systems may be cheaper but with the limitation that the only help will need to be within the sound of the alarm and choose to respond. Insurance companies will often require the system to be monitored as well.&lt;br /&gt;&lt;br /&gt;Alarm systems use sensors to detect activity and there is a very wide variety of sensors to choose from. They can be classified a number of different ways. There are sensors to detect movement, changes in temperature, the presence of water (flooding), capacitance (changes to an electrical field), light and so on. The typical consumer system will normally be a combination of balanced magnetic switches, some sort of volumetric sensors, possibly glassbreak sensors, and maybe panic buttons. Here's a real quick translation:&lt;br /&gt;&lt;br /&gt;A balanced magnetic switch is commonly referred to as a "door contact" and consists of a magnet next to the sensor to complete the electrical circuit. When the door opens the magnet moves and the sensor detects the break in the circuit. The balanced aspect of the magnet makes it more difficult to defeat the sensor as shown in one of the &lt;a href="http://en.wikipedia.org/wiki/Beverly_Hills_Cop"&gt;Beverly Hills Cop&lt;/a&gt; movies.  These sensors are useful on doors and windows or any objects that may be moved. 
&lt;br /&gt;&lt;br /&gt;Volumetric sensors monitor an area (volume) and include such examples as acoustic (microphones), microwave (radar), passive infrared (ambient heat). There are dual-technology sensors that use a combination of these capabilities to either increase the likelihood of detection (increases false positives) or to increase the certainty of a valid detection (increases false negatives). The difference between the two choices is nothing more than how the logic within the sensor is configured. This can be referred to as an "And" versus an "Or" that either requires one or both of the technologies to detect the activity. Glassbreak sensors are a form of volumetric sensor that listens for the sound of breaking glass. These are nice because they do not need an intruder to actually intrude before activating. They can also react to other loud sounds as well. &lt;br /&gt;&lt;br /&gt;Panic buttons are personal alarm devices that simply allow a user to manually activate the alarm system. The central monitoring station sees each sensor type differently and therefore can place a greater emphasis on a panic button. &lt;br /&gt;&lt;br /&gt;What makes the system valuable is the selection and arrangement of these sensors. Poorly selected technologies will generate excess false positives (nuisance or false alarms) and reduce the effectiveness of the response over time. You may have heard the story of the boy who cried wolf? Well alarm systems that cry intruder too often stop being believed too. &lt;br /&gt;&lt;br /&gt;One important point to the selection and arrangement of the sensors is considering the asset(s) the system is meant to protect. 
Is it an expensive collection of something in one spot, random stuff scattered about, or just the peace of mind that no one is waiting inside when you open the door and enter?&lt;br /&gt;&lt;br /&gt;For a much greater (in every way) discussion of sensors try &lt;a href="http://astore.amazon.com/securitytod02-20/detail/0750673672/187-5841484-1624354"&gt;The Design and Evaluation of Physical Protection Systems&lt;/a&gt; by Mary Lynn Garcia. &lt;br /&gt;&lt;br /&gt;Next... we'll take a look at arranging the sensors - tricks, tips, and pitfalls.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-420069245770781706?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/420069245770781706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=420069245770781706&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/420069245770781706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/420069245770781706'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2011/10/picking-up-where-we-left-off-so-many.html' title='Picking up where we left off.... 
(so many years ago)'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-6903477509405869058</id><published>2007-02-05T04:15:00.000-08:00</published><updated>2007-02-05T04:23:45.361-08:00</updated><title type='text'>Wireless Sure... But how do I plan a system anyway?</title><content type='html'>Not to put the cart before the horse as I did with the previous post... Before you can plan to go wireless with a burglar alarm system you should really plan it a little.  After all wired vs. wireless may not be the right question to ask at the beginning anyway.  What are the right questions and how do you begin your system plan?  Come in and see...&lt;span class="fullpost"&gt;&lt;br /&gt;Burglar alarm systems, hereafter referred to just as alarm systems (gotta love the legalese once in a while), are there for peace of mind.  Let me make this point clear first - THEY DO NOT STOP A DETERMINED INTRUDER!!!  These systems will let you know if someone has activated a sensor which may mean they have already gained access.  But they fill other purposes as well.  How do you know when you enter your home that someone isn't waiting for you inside? Well that might be the greatest value of an alarm system.  An adversary that abducts you inside your house wins in every way possible.  They are not in the travelled way, not in public view, and it is highly unlikely that you will have time to dial 911 for help.  
Your alarm system should be planned well enough so that you can be reasonably confident that you are the only person that has entered your home when you open your door.&lt;br /&gt;&lt;br /&gt;Planning a system requires a bit of discussion on sensor types, activities and spaces, and access/traffic patterns.  So the next couple of posts will deal with each of these briefly.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-6903477509405869058?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/6903477509405869058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=6903477509405869058&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/6903477509405869058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/6903477509405869058'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2007/02/wireless-sure-but-how-do-i-plan-system.html' title='Wireless Sure... But how do I plan a system anyway?'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-5926698843208043333</id><published>2007-01-31T23:28:00.000-08:00</published><updated>2007-02-01T00:29:28.554-08:00</updated><title type='text'>Why go wireless???</title><content type='html'>Ever thought about a burglar alarm but didn't want to deal with the wires?  
Ever think that wireless wasn't good enough?  Maybe it's because of movies like &lt;a href="http://www.amazon.com/Score-Angela-Bassett/dp/B00003CY5J/sr=8-1/qid=1170315860/ref=pd_bbs_sr_1/105-6980703-2515605?ie=UTF8&amp;s=dvd"&gt;The Score&lt;/a&gt;, &lt;a href="http://www.amazon.com/Italian-Job-Special-Collectors/dp/B0000B1OFL/sr=1-1/qid=1170315939/ref=pd_bbs_sr_1/105-6980703-2515605?ie=UTF8&amp;amp;s=dvd"&gt;The Italian Job&lt;/a&gt;, &lt;a href="http://www.amazon.com/Heat-Two-Disc-Special-Al-Pacino/dp/B0006J28KU/sr=1-1/qid=1170315972/ref=pd_bbs_sr_1/105-6980703-2515605?ie=UTF8&amp;s=dvd"&gt;Heat&lt;/a&gt;, and the others that portray very talented thieves and complicated thefts.  The kind that generally just don't happen every day in real life.  The common burglar will use the door or window that is left unlocked.  Or they may put a foot against the door or destroy a window.  Either way the greatest threat comes from the path of least resistance.&lt;br /&gt;&lt;br /&gt;Realistically, what are the chances that someone would bring equipment to generate a radio signal to jam a wireless alarm system?  But what if your wireless system could detect the jamming attempt and use that as a trigger for an alarm?&lt;span class="fullpost"&gt;&lt;br /&gt;Welcome to the real world of quality wireless alarm systems.  What is quality? See &lt;a href="http://www.amazon.com/Zen-Art-Motorcycle-Maintenance-Inquiry/dp/0060839872/sr=8-1/qid=1170316802/ref=pd_bbs_1/105-6980703-2515605?ie=UTF8&amp;amp;s=books"&gt;Zen and the Art of Motorcycle Maintenance&lt;/a&gt; for a detailed discussion of that topic.  But a worthwhile wireless alarm system will likely include all UL listed parts.  And it should do some very important things like detect jamming attempts, prevent data collision, and supervise devices.&lt;br /&gt;&lt;br /&gt;Data collision is what occurs when two or more devices try to communicate to the system panel at one time.  Worthwhile systems will not do this.  
Device supervision, meanwhile, is just what it sounds like.  The system panel periodically checks the status of each device.  When a device fails to respond, the panel makes notifications that something needs to be done.&lt;br /&gt;&lt;br /&gt;What might be the best reason for looking at wireless systems is their resilience during power outages.  The backup battery that should be fitted with the system panel is good and may last for 12 hours, but when that battery does not have to support each individual sensor it lasts much longer.  See, with wireless systems each device has its own battery and thus is not affected by power outages in the same way as a traditional wired system.&lt;br /&gt;&lt;br /&gt;Now you may think that the batteries are expensive, but it's not the expense that is likely to cause a problem since they usually last for about one to two years.  The greatest issue is the annoyance of actually changing the batteries every so often.  But there are trade-offs with everything.&lt;br /&gt;&lt;br /&gt;Keep in mind that there are disadvantages to wireless systems as well, but for the most part they should work just fine for your home and small business needs.&lt;br /&gt;&lt;br /&gt;More on planning an alarm system and monitoring options next...&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-5926698843208043333?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/5926698843208043333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=5926698843208043333&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/5926698843208043333'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14312771/posts/default/5926698843208043333'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2007/01/why-go-wireless.html' title='Why go wireless???'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-115616844220279477</id><published>2006-08-21T06:51:00.000-07:00</published><updated>2006-11-16T23:22:53.380-08:00</updated><title type='text'>More on your home computer</title><content type='html'>Here is a &lt;a href="http://www.cert.org/homeusers/HomeComputerSecurity/" target="blank"&gt;link to some sound advice&lt;/a&gt; on securing your home computer from the folks over at &lt;a href="http://www.cert.org/" target="blank"&gt;CERT at Carnegie Mellon&lt;/a&gt;. 
&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Sorry folks there just wasn't much more to say about this one.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-115616844220279477?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/115616844220279477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=115616844220279477&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115616844220279477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115616844220279477'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/08/more-on-your-home-computer.html' title='More on your home computer'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-115582614165263061</id><published>2006-08-17T07:48:00.000-07:00</published><updated>2006-10-17T07:27:48.250-07:00</updated><title type='text'>Personal Firewalls</title><content type='html'>&lt;a href="http://www.cpatechnologyadvisor.com/article/article.jsp?id=1190"&gt;This article&lt;/a&gt; on Personal Firewalls does a really nice job of discussing the "long and the short of it."&lt;br /&gt;&lt;br /&gt;Firewalls are a necessity, period (fullstop for those speaking the Queen's English).  Folks in the security industry often speak of "Defense in Depth."  
In other words, you don't put everything you have in one place, much like the French did prior to WWII with the  &lt;a href="http://en.wikipedia.org/wiki/Maginot_Line"&gt;Maginot Line&lt;/a&gt;.  This incredible fortress was bypassed by the Germans, making it useless to the defense of France.  Unfortunate for their history and disastrous for your data if you try it on your home computer or home network.&lt;span class="fullpost"&gt;  &lt;br /&gt;&lt;br /&gt;However, that is exactly what most folks do when they only use Anti-virus protection.  And in some ways it is similar to using the same vendor for all phases of your defense.  Many folks use the all-in-one packages (firewall, anti-virus, anti-spyware) from the major vendors like McAfee or Norton, but again all of the muscle is in one product.  And that puts all the work on the processor of one computer as well.&lt;br /&gt;&lt;br /&gt;My thoughts on this are simple for those with broadband internet access.  Start with a hardware firewall (perimeter firewall).  It's a box that is physically between your cable/DSL modem and your computer. There are several brands such as Netgear.  Now do you need all the muscle it offers?  Probably not, but for about $100 why not add that extra layer of protection?  With this the work of your software protection products is a little less intensive.  It only needs to focus on everything that gets by the hardware firewall.  &lt;br /&gt;&lt;br /&gt;Think of it this way.  You keep the front door of your house open so you can speak with your neighbor across the street.  Bugs tend to fly through the door and you have to spend a bunch of time and effort with a flyswatter getting rid of them.  Then you install a screen door and you only have to open your door once in a while, so your "flyswatter time" is reduced.  
&lt;br /&gt;&lt;br /&gt;I think that might be enough today.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-115582614165263061?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/115582614165263061/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=115582614165263061&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115582614165263061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115582614165263061'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/08/personal-firewalls.html' title='Personal Firewalls'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-115581315995494789</id><published>2006-08-17T03:27:00.000-07:00</published><updated>2006-10-28T21:01:33.866-07:00</updated><title type='text'>Liquid explosives? And what it means for the rest of us...</title><content type='html'>What does all this mean for everyday life?  Well, it's sort of the same situation as 9/10 syndrome.  The only thing that's different between today and "yesterday" is how we perceive the situation.  Liquid components for explosives have been a concept for a long time; I even knew some folks in high school that toyed with them.  &lt;br /&gt;&lt;br /&gt;The difference is that we are reacting to it now.  
Here's the deal on flying and I don't intend this to sound like a bunch of false bravado.&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Whether or not someone sneaks a bomb onto a plane is generally out of your (and my) control.  Simply stay alert and help where and when you can.  If all you can do is calm others that are interfering with any response then do it.  &lt;a href="http://www.rickrescorla.com/index.html"&gt;Rick Rescorla&lt;/a&gt; did much more than this on 9/11 and he exemplifies what the security professional, but the one thing that everyone that walked past him keeps stating in interviews was his calm and his efforts to keep everyone else calm as they evacuated.&lt;br /&gt;&lt;br /&gt;So do what you can, when you can, but remember that very little has changed since the day before the announcement, except maybe your perception.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-115581315995494789?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/115581315995494789/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=115581315995494789&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115581315995494789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115581315995494789'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/08/liquid-explosives-and-what-it-means.html' title='Liquid explosives? 
And what it means for the rest of us...'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-115564580938515362</id><published>2006-08-15T05:35:00.000-07:00</published><updated>2006-08-15T05:43:29.396-07:00</updated><title type='text'>A short hiatus</title><content type='html'>Sorry for the break folks, I have recently moved to Washington State for a new opportunity.  Just a short move across the entire U.S. from one Washington to another.&lt;br /&gt;&lt;br /&gt;I plan on being just a tad more regular here in the near future.&lt;span class="fullpost"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-115564580938515362?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/115564580938515362/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=115564580938515362&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115564580938515362'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/115564580938515362'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/08/short-hiatus.html' title='A short hiatus'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-114143682663058602</id><published>2006-03-03T17:19:00.000-08:00</published><updated>2006-03-03T17:47:08.650-08:00</updated><title type='text'>SHAC six found guilty on ALL counts!!!</title><content type='html'>I'll get links to articles up soon, but in the meantime just know that the federal jury in Trenton, New Jersey found Kevin Kjonaas and the rest guilty of terrorism under the Animal Enterprise Act.&lt;br /&gt;This is exceptional news and it means that it may become just a tad easier to defend your organization from such attacks.&lt;br /&gt;&lt;br /&gt;Here is a short list of SHAC's tactics:&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Posting executive and employee information on the web. This information sometimes went so far as to show what schools the executive's children attended.  Not that it makes any difference, this was not just information about HLS employees but also that of other companies that did business with HLS.&lt;/li&gt;&lt;li&gt;Home protests - that's right they would visit an employee's home and protest outside with graphic signs.  They might also canvass the neighborhood to inform their neighbors of the "horrible" things their neighbor was involved in.&lt;/li&gt;&lt;li&gt;Telephone campaigns - companies were inundated with phone calls that amounted to little more than denial of service attacks. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Others limited only by creativity...&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Although The ALF usually claimed responsibility for other more intimidating actions they were often done in a manner that just so happened to forward the goals of SHAC.  
These included:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Vandalizing employee homes and cars - throwing paint on the houses and using etching acid to write on house and car windows.  They would also use paint stripper to write in the paint on cars.&lt;/li&gt;&lt;li&gt;Booby-trapped letters were mailed to some executives - not explosives but razor blades.&lt;/li&gt;&lt;li&gt;Threatening phone calls, letters, emails and the like.&lt;/li&gt;&lt;li&gt;At least one denial of service attack on a bank.&lt;/li&gt;&lt;li&gt;Vandalizing the Marsh offices.&lt;/li&gt;&lt;li&gt;And let's not forget the Chiron and Shaklee bombings in California.&lt;/li&gt;&lt;li&gt;This is just the short list.&lt;/li&gt;&lt;/ul&gt;We will have to wait and see what the result of these convictions will be in terms of attacks and the implicit threats.  We may see this whole thing move just a little more underground.  That is where it largely was until the 1990s when it pretty much went mainstream and no one took too much notice.  The ELF and ALF pose real threats and because they function more as "movements" than as traditional organizations it may be very difficult to shut them down.  This is even more true with the Internet since their operations manuals, manifestos, credos, and the like will continue to be available for distribution to anyone.  That is free speech and it's the price we pay for our freedom. 
&lt;br /&gt;&lt;br /&gt;So, if your organization has done business with HLS in the past, is involved in any sort of animal testing in particular, or other uses of animals targeted by the Animal Rights movement it would be prudent to be prepared for random retaliatory actions.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-114143682663058602?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/114143682663058602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=114143682663058602&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/114143682663058602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/114143682663058602'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/03/shac-six-found-guilty-on-all-counts.html' title='SHAC six found guilty on ALL counts!!!'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-114114409305723857</id><published>2006-02-28T07:37:00.000-08:00</published><updated>2006-02-28T08:28:13.130-08:00</updated><title type='text'>More thoughts on your home network</title><content type='html'>Here's a news story that you probably won't find as a headline, because it happens all too often... 
My friend's house was burglarized and among his losses - possibly the least of his concerns - were his computers.&lt;br /&gt;&lt;br /&gt;So we chatted a good bit about it and I got a little food for thought as well.&lt;br /&gt;&lt;br /&gt;First was the question of how anyone would know that he had computers in the first place.  Anyone? Anyone?  Here are three quick possibilities:&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The comings/goings of persons with "laptop cases" - we all know what they look like and it's pretty unavoidable.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Looking into the windows of the house.  How many of us actually try to conceal our computers from the windows?  After all, they're so common.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Wireless networks.  That's it. Anyone with a laptop running XP that turns it on will see the network listed, unless....&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;So what are some solutions?&lt;br /&gt;&lt;br /&gt;As for the laptop cases, there are some designer bags that don't "have the look," but they're pricey.  I'm pretty cheap so my solution involves my favorite daybag (book backpack) and a bit of swag from my buddy at Cisco.  For you, just find a bag or briefcase that you like and works for you. Then get a padded carrier for the laptop and put it inside your bag/briefcase.  It may not be pretty, unless you put some time into it, but it works nicely.  I like it for airports and other public places.  No one would ever put a laptop in my ratty old backpack, so no one gives it a second look.&lt;br /&gt;&lt;br /&gt;The windows problem should be pretty easy.  If not, you have much larger problems.  And if your problems are much larger, like you have a server rack in your kitchen, then it's time to get creative with your window treatments. 
Possibly frosting the lower half of the window will prevent casual observation.&lt;br /&gt;&lt;br /&gt;Wireless networks are a problem - and one that just won't go away.  Most folks look at this issue in terms of encrypting data and the like.  The focus is on a hacker, not a burglar.  So you can turn off your SSID Broadcast to make it a little harder for someone to find your network.  This has little benefit and does create some headache.  While it makes the network stop broadcasting "its name" it still has to transmit the data and you must "tell" your computer the name of the wireless network it is looking for before it can get access.  Keep in mind that someone with moderate skill will be able to find your network, sniff all your packets, crack your encryption and get onto your network.  It's coming, but right now the average burglar probably isn't going through this trouble.  If he/she did they probably wouldn't enter your home since they could steal your data remotely.  So consider lowering the profile of your wireless network.  Turn it off when out of the house.  Turn off the SSID.  Turn on the MAC filter - again, this has limited benefit with additional headache.  
Oh, and I should not have to mention this, but make sure you change the password to your router.&lt;br /&gt;&lt;br /&gt;I'll stop this here, but don't worry this topic will come up often I'm sure.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-114114409305723857?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/114114409305723857/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=114114409305723857&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/114114409305723857'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/114114409305723857'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/02/more-thoughts-on-your-home-network.html' title='More thoughts on your home network'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113899657178720025</id><published>2006-02-03T11:55:00.000-08:00</published><updated>2006-02-03T12:11:50.550-08:00</updated><title type='text'>You Network, Your Computer - protect it.</title><content type='html'>I know I'm a little late on this topic, but I'm really not just writing about this new threat.&lt;br /&gt;&lt;br /&gt;There are three things that everyone should have in place on their home network. 
&lt;br /&gt;&lt;ul&gt;   &lt;li&gt;A firewall&lt;/li&gt;   &lt;li&gt;Anti-virus Software&lt;/li&gt;   &lt;li&gt;Anti-spyware Software&lt;br /&gt;  &lt;/li&gt; &lt;/ul&gt; Now here's why...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://en.wikipedia.org/wiki/Firewall_%28networking%29"&gt;firewall &lt;/a&gt;is a tool for separating networks.  Think of it more as a doorman than a wall.  I think the tech guys just thought firewall sounded better in the beginning.  The doorman or receptionist's job is to keep the wrong visitors out and admit the right ones.  It's not perfect and there are ways to get around it.  The most common is when traffic is initiated from the inside.  Like when I send you an email with a link to a website that you dutifully click on.  This tells the firewall that you wanted the communication in the first place.  That is one way to get the bad stuff past the firewall - it's not foolproof.  The better firewalls are on the lookout for bad data trying to get through. &lt;br /&gt;&lt;br /&gt;It is ideal to have a firewall on your network, that is, at the point of origin in your house (by the cable or DSL modem).  It should be an appliance - a physical box separate from your computer.  It will handle the bulk of the work and screen all sorts of bad stuff.&lt;br /&gt;&lt;br /&gt;It is also ideal to have a software firewall on your computer - desktop or laptop.  This does not need to be some robust system like Norton Internet Security because your appliance is carrying the bulk of the workload.  This firewall gives you more control over who your computer tries to contact - outbound traffic.  On a laptop this is an essential tool if you ever connect to public networks where such a lightweight firewall prevents many disasters.  This local firewall lets you more easily keep those programs you just installed from reaching out to the web - ah you didn't know they did that, huh.  
Remember though, the more robust (read powerful) this firewall is the more of your computer's resources it will consume, which means slower downloads, graphics processing, etc.&lt;br /&gt;&lt;br /&gt;Anti-virus software is like the linebacker behind the firewall.  It prowls around and makes sure that anything that gets through gets special attention.  It also fills the role of a free safety by making sure that everything crossing the line is covered.  In other words - for the non-football minded - this software makes sure that the code (program) that is malicious is not able to install or run.  How it does this is not really important here; what is important is having it installed and running ALL THE TIME!&lt;br /&gt;&lt;br /&gt;Anti-spyware is still evolving and is useful for preventing some of the methods used for tracking your activity on the computer.  Try a few like Spybot, Adaware, Microsoft, and the others; then see which combination is best for you since none get everything.&lt;br /&gt;&lt;br /&gt;When in doubt... Google the application that is trying to reach the web, or the term you do not understand.  Google and Wikipedia are your friend and partner on this and will help you choose the right programs to deny access to the web.&lt;br /&gt;&lt;br /&gt;That's the quick and dirty.  
For more advice, send an email.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113899657178720025?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.bbc.co.uk/2/hi/technology/4661582.stm' title='You Network, Your Computer - protect it.'/><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113899657178720025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113899657178720025&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113899657178720025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113899657178720025'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/02/you-network-your-computer-protect-it.html' title='You Network, Your Computer - protect it.'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113899648341809188</id><published>2006-02-03T11:43:00.000-08:00</published><updated>2006-02-03T11:56:36.966-08:00</updated><title type='text'>The Ineffective Risk Manager - A Comedy or maybe a tragedy</title><content type='html'>&lt;a href="http://www.msnbc.msn.com/id/11100282/"&gt;This in from a close friend.&lt;/a&gt;  It took a while to stop laughing.&lt;br /&gt;&lt;br /&gt;So museums, like other firms, hire these folks called Risk Managers. 
Otherwise they have security or safety professionals that fill this role, and sometimes they just have to rely on an operations manager to do this job. Well here's the result when no one is observing the environment with an objective eye and taking appropriate actions to safeguard the assets.&lt;br /&gt;&lt;br /&gt;And here is the asinine comment of the day:&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;"Whilst the method of displaying objects is always under review, it is important not to over-react and make the museum's collections less accessible to the visiting public," he added in a statement."&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;Wrong!  Assets like these - that is &lt;span style="font-style: italic;"&gt;IRREPLACEABLE&lt;/span&gt; - must be less accessible to the public.  That doesn't mean they need to be hidden either, but some sort of barrier should prevent destructive unauthorized access. &lt;br /&gt;&lt;br /&gt;Let's face it, it's not like these can be replaced.  The insurance carrier &lt;span style="font-style: italic;"&gt;MIGHT &lt;/span&gt;pay a claim, and right there is  a problem.  The carrier should have dictated specific safeguards to be used in the display of the asset, otherwise no claim check.   But even with the money the museum is out the vases, out the exhibit, and out the patronage that the vases drew.  They were a key exhibit, why weren't they protected?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The priceless vases, dating from the late 17th or early 18th century, were donated to the museum in 1948 and have become one of its most recognizable exhibits.  &lt;/span&gt;&lt;span style="font-style: italic;" id="byLine"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And here's the absolute funniest quote from the article:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Shocked but determined museum staff members have vowed to glue the shards back together again. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I guess they were all absent the day that the whole &lt;a href="http://en.wikipedia.org/wiki/Humpty_Dumpty"&gt;Humpty Dumpty &lt;/a&gt;fairytale was covered.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here's the moral of the story...  Take a step back; look at your facility; know your organization's mission; then ask what if, what if, what if, and don't stop asking until the day you retire.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113899648341809188?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.msnbc.msn.com/id/11100282/' title='The Ineffective Risk Manager - A Comedy or maybe a tragedy'/><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113899648341809188/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113899648341809188&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113899648341809188'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113899648341809188'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/02/ineffective-risk-manager-comedy-or.html' title='The Ineffective Risk Manager - A Comedy or maybe a tragedy'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113753930162325295</id><published>2006-01-17T14:52:00.000-08:00</published><updated>2006-01-17T15:08:21.676-08:00</updated><title type='text'>Interesting vulnerability for Laptops with Microsoft OS</title><content type='html'>&lt;a href="http://blogs.washingtonpost.com/securityfix/2006/01/windows_feature.html"&gt;Here is a nice little article&lt;/a&gt; concerning a vulnerability for laptops operating with Microsoft operating systems (as if there are all that many laptops not using windows).  However the news is not bleak, and for those of you that know me personally, I've been talking about the countermeasures for a long time anyway.  But here's the problem...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;I don't know why everyone with a wireless enabled laptop doesn't have a firewall or routinely disable the wireless antenna.  These two simple countermeasures are useful for other important reasons.  First, disabling the antenna will help conserve battery life.  Oh, you say you're plugged in so battery life isn't an issue.  So what!  Why would you have the antenna turned on if you don't need to?  It's sort of like leaving a door open to your house - why do it if you really don't need to.  And the firewall is like a screen door on the house.  It lets you know when people are trying to get in and lets the legitimate "air" through.  It's not foolproof but it's a very nice tool.  Firewalls now have gotten more user friendly and are pretty lightweight in terms of consuming system resources.  Granted with the antenna turned off you really don't need an active firewall, but it's not that big a deal to leave it up.  &lt;br /&gt;&lt;br /&gt;The author of the article notes that his firewall had to be disabled for the vulnerability to be properly exploited.  
So keep the firewall up and pay attention to any notifications that the firewall might provide for attempts at accessing your system.  So just turn off the antenna if you don't need it and use a firewall.  There's one bundled with the Microsoft operating system and there are free applications available on the web.  You may not need a "big honkin'" firewall, just one that restricts access effectively.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113753930162325295?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113753930162325295/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113753930162325295&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113753930162325295'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113753930162325295'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/01/interesting-vulnerability-for-laptops.html' title='Interesting vulnerability for Laptops with Microsoft OS'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113684936585641470</id><published>2006-01-09T15:29:00.000-08:00</published><updated>2006-01-09T18:32:12.120-08:00</updated><title type='text'>ELF 
exists!!!</title><content type='html'>There has been a series of articles, &lt;a href="http://www.aspentimes.com/article/20060109/NEWS/60109002"&gt;like this one&lt;/a&gt;, along the lines that the ELF (Earth Liberation Front) either does not exist or does not have members. This is an interesting argument that is being propagated for reasons I do not know, but the recent focus on ELF and ALF is the result of two events: the recent arrests of those accused of several arsons in the name of ELF and the FOIA document releases indicating that the FBI monitored such groups as PeTA.&lt;br /&gt;&lt;br /&gt;First let's get the minutiae out of the way...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;The FBI was monitoring groups like PeTA for any number of reasons, but the best one that I can think of is the contributions PeTA made to Rod Coronado's criminal defense of roughly $70,000 so he could fight charges of arson that he eventually pleaded guilty to and PeTA's contribution to the Earth Liberation Front which was stated to be for publicity.  These funds were likely used just for that but it still creates enough suspicion for a little monitoring.  Both of these groups, the ELF and the ALF, are considered to be terrorist organizations because they espouse the destruction of property in furtherance of their cause...  And there are many arguments that they make about this being non-violence because humans are not targeted, but that is neither here nor there right now.&lt;br /&gt;&lt;br /&gt;The problem here is the concern as to whether a person can be charged, implicated or considered a member of an organization that admittedly does not have "true" members.  Anyone can claim to act on the organization's behalf as long as they abide by their rules - which can be easily found on the web.  But let's attack this from another direction...  There are "prisoner" support networks for both the ALF and the ELF.  
The North American Animal Liberation Front Support Group provides information about arrested activists and directions for making donations or sending care packages.  Now if there is no organization with no members then who are these people that need support?&lt;br /&gt;&lt;br /&gt;This point was made clear when one of the recent defendants requested that his information be removed from the support group website.  This is presumably to make it harder to convince a jury that he is a member of a terrorist organization rather than a lone arsonist with an ax to grind.  Fine lines that could mean years difference in a sentence.&lt;br /&gt;&lt;br /&gt;In other words, as long as an organization exists, in name or form, that encourages actions that target another they are a threat and should be treated appropriately. &lt;br /&gt;&lt;br /&gt;With that said, keep in mind this is not some vast organization of shadowy activists but much more likely very very small handfuls of individuals getting a little worked up.  Security programs should stay &lt;span style="font-style: italic;"&gt;informed&lt;/span&gt; and stay focused rather than taking "knee-jerk" actions that cost unnecessary funds and damage the credibility of the security team.  
Work with the local law enforcement, collect your own intel and make some sound judgements - or find someone more capable to assist you.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113684936585641470?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113684936585641470/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113684936585641470&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113684936585641470'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113684936585641470'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2006/01/elf-exists.html' title='ELF exists!!!'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113383136470568544</id><published>2005-12-05T15:44:00.000-08:00</published><updated>2005-12-05T17:09:25.383-08:00</updated><title type='text'>So you want to be an investigator</title><content type='html'>Seen some old reruns of &lt;a href="http://www.imdb.com/title/tt0080240/"&gt;Magnum PI&lt;/a&gt; or &lt;a href="http://www.imdb.com/title/tt0134269/plotsummary"&gt;VIP &lt;/a&gt;and suddenly being an investigator seems like a great career. Well it can be, but not for any reason that may be found in these TV shows. 
Investigations - private or public - tend to be a lot of legwork, thinking, talking, and most of all listening.&lt;br /&gt;&lt;br /&gt;There are all kinds of investigations and investigators. On the public side are those in law enforcement, inspectors general, background investigators, and the like. Out in the world of private employment there are many different types of investigators; however each of these various jobs requires nearly identical skills. So how does one become an investigator and how do they become an exceptional investigator?&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;For the most part, it really doesn't matter whether you are investigating a theft, an arson, or someone's background because the foundation skills are pretty much the same.&lt;br /&gt;&lt;br /&gt;Think of it this way: An investigator is responsible for telling a story, as factually as possible. According to Sennewald there are two kinds of investigations. One attempts to reconstruct an event and explain it factually and the other attempts to uncover illegal activity. Clearly the first one is purely reactive; a homicide is committed and it is investigated. The second may be somewhat reactive but it may also be proactive; much like the efforts of Anti-crime police units or integrity shops in retail environments. So that's the big picture, but what kinds of skills does it take?&lt;br /&gt;&lt;br /&gt;A good memory, note-taking skills, strong observation skills, and reasoning abilities (deductive and inductive). Inductive reasoning? Well it's the opposite of deductive reasoning. Deductive reasoning is often explained as the moving from the general to the specific. Inductive would be from the specific to the general. 
For a few examples to better describe this go &lt;a href="http://www.socialresearchmethods.net/kb/dedind.htm"&gt;here&lt;/a&gt;, &lt;a href="http://changingminds.org/disciplines/argument/types_reasoning/deduction.htm"&gt;here&lt;/a&gt;,      &lt;a href="http://en.wikipedia.org/wiki/Deductive_reasoning"&gt;here&lt;/a&gt;, and &lt;a href="http://www2.sjsu.edu/depts/itl/graphics/induc/ind-ded.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;How do you get these skills? There are many ways. Clearly the best known way is probably to work for the government and attend an academy - local or state police, FLETC, or the FBI Academy. However it is also possible to get there other ways, especially if you have no interest in being a police officer. Some companies offer training - formal or on-the-job - and some states require specific training before allowing licensing as a private investigator. But if you just want to drive yourself to being better - that is always striving to keep the edge sharp - there are training programs available.&lt;br /&gt;&lt;br /&gt;Quite possibly the most important skill of an investigator is the interview, either the informational or the admission-seeking interview. The Reid technique is taught by &lt;a href="http://www.reid.com/"&gt;Reid Associates&lt;/a&gt; and &lt;a href="http://www.w-z.com/"&gt;Wicklander-Zulawski&lt;/a&gt;, and Wicklander is quite likely the standard for retail interviews. I am, however, biased since that's where I learned to interview (special thanks to Shane Sturman whose advice and guidance over those two days were invaluable). There are other methods and there are a large number of books available on the topic. Investing time in these books - and lots of practice - will pay off.&lt;br /&gt;&lt;br /&gt;There are other helpful programs.  You know I'll mention those by the &lt;a href="http://www.ifpo.org/"&gt;IFPO&lt;/a&gt;.  
They offer the Certified Protection Officer, Security Supervision and Management, and a new program - &lt;a href="http://www.ifpo.org/programs/crime_loss.htm"&gt;Crime and Loss Investigations&lt;/a&gt;. There are other programs out there and it never hurts to do a little, dare I say, investigation to help you get what you need. There are also many books on the general topic of investigations such as Chuck Sennewald's &lt;a href="http://www.amazon.com/gp/product/0750673990/qid=1133830591/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/103-4747913-6498254?n=507846&amp;s=books&amp;amp;v=glance"&gt;The Process of Investigation&lt;/a&gt; and Dempsey's &lt;a href="http://www.amazon.com/gp/product/053457646X/qid=1133830636/sr=1-8/ref=sr_1_8/103-4747913-6498254?s=books&amp;v=glance&amp;amp;n=283155"&gt;Introduction to Investigations&lt;/a&gt;.   &lt;br /&gt;&lt;br /&gt;You can also begin to build your skills by seeking employment (part-time can be as helpful as full-time) with private investigators, retail security departments, forensic accounting firms, or even investigative reporters.&lt;br /&gt;&lt;br /&gt;The key to investigations is knowing what the "standards of evidence" are for whatever you are looking into at that time. The government has rules for what information is needed to "prove" a crime, and companies have rules as to what is acceptable for disciplinary actions. Know what information you need. Just keep these three questions in mind: What do we know? What don't we know? 
What do we need to know?&lt;br /&gt;&lt;br /&gt;More later..&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113383136470568544?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113383136470568544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113383136470568544&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113383136470568544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113383136470568544'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/12/so-you-want-to-be-investigator.html' title='So you want to be an investigator'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113268338855632413</id><published>2005-11-22T09:40:00.000-08:00</published><updated>2005-11-22T10:16:28.606-08:00</updated><title type='text'>'tis the season... For evil holiday ELF's</title><content type='html'>This &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/11/21/AR2005112101621.html"&gt;Washington Post article&lt;/a&gt; reminds me of the radical environmentalists.  Now that may not be a bad thing if you're a supporter of the movement, but for those who thought their house would be completed soon it's definitely a disappointment.  
&lt;br /&gt;&lt;br /&gt;So there may be an active Earth Liberation Front (ELF) cell in the western Maryland area or maybe one that has migrated here.  We'll just have to wait and see how the investigation progresses...&lt;br /&gt;&lt;br /&gt;If you want a better idea why this sort of thing happens &lt;a href="http://www.apinnovations.biz/documents/Ecoterrorism%20in%20the%20US.pdf"&gt;read this document&lt;/a&gt;, or at least the philosophy section at the beginning.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.earthliberationfront.com/"&gt;Earth Liberation Front&lt;/a&gt; is the newest re-radicalization of the environmental movement.  There's a nice little history piece &lt;a href="http://en.wikipedia.org/wiki/Earth_Liberation_Front"&gt;here&lt;/a&gt;, and another piece &lt;a href="http://www1.umn.edu/dcs/earthliberationfront3pub.htm"&gt;here&lt;/a&gt;.  I tend to lead folks back to &lt;a href="http://www.apinnovations.biz/documents/Ecoterrorism%20in%20the%20US.pdf"&gt;my own paper on the topic&lt;/a&gt; because it's just not healthy to try and understand today's environmental movement separately from the animal liberation movement.  &lt;br /&gt;&lt;br /&gt;Back to this issue, though.  The largest issue in dealing with the ELF, or Earth First! for that matter, is the anti-organization design of leaderless resistance.  For those that don't know about it it works like this.  Someone, or someones, write a set of guidelines, manifesto, rules, mission statement, or similar ideological document that spells out what is acceptable conduct.  Sounds like any other organization right?  Now it gets sticky.  Then these someones say that anyone that does stuff (legal or otherwise) that forward the goals, while abiding their conditions on conduct, can claim to be members.  That's it.  No leader - just an ideology.  
Now there's quite a bit of discussion as to where this all started and some put the beginning with the white supremacists after the American Civil War.  I don't know when it started but I know it is extremely popular now.  Wanna know why?  Consider this.  The easier it is to track people and activities to establish criminal wrongdoing then the more likely a leader will be arrested, killed, or otherwise destroyed from a credibility standpoint.  Once you take away the leader you eliminate two things.  One, the "Cult of Personality" that tends to exist around this sort of movement.  Once that personality is removed the movement crumbles - so no leader = no target - but an idea can live on and on and on.  Especially, it seems, the bad ones.    The second thing that is removed is a clear definition and understanding of the adversary.  How big is it?  Who is in it?  Etcetera, etcetera...  Poof! We now have the makings of an underground guerilla army, or at least a core cadre of high-energy folks that are able to present the image of a larger force.  &lt;br /&gt;&lt;br /&gt;You see this organizational model works well against a democracy (or a republic in our case) that prizes its freedom of speech, but despises criminal acts of property destruction.  It works well because it allows the "aboveground activist" to talk the talk and make veiled threats while not committing any clear criminal act.  The "underground activist" then carries out acts of destruction to follow up on those threats.  What makes this pretty neat is the real lack of direct communication between the two elements.  The abovegrounders tell us how morally reprehensible we are and the undergrounders attack us.  Sound familiar?  Anyone British here?  Sounds far too much like the old Sinn Fein - IRA (Irish Republican Army) model.  Maybe it's time we called it what it is, the way it is.  &lt;br /&gt;&lt;br /&gt;Maybe we are all too afraid of sounding callous and insensitive.  Are we?  
If so, we as a society will ultimately lose. We must be prepared to say that regardless of how much we might like to see the environment left the hell alone, it is wrong to commit acts of property destruction. Period. End of story.  If we were all so environmentally concerned then we would donate tons of money to groups to buy the land that we want protected.  Maybe PeTA would have been better off spending nearly $50,000 on showing people better ways to care for animals rather than on the criminal defense of Rod Coronado (Earth First! and ALF operator).  There I said it.  I'm a security guy by trade and by belief.  If you don't think homes should be built somewhere then get out there and generate support and take legal action.  If an &lt;a href="http://www.louch.org/politicalyak/2005/11/step-up-and-do-things.html"&gt;eighteen-year-old can be elected Mayor by write-in vote&lt;/a&gt; then many well-intentioned activists can stop a construction project.&lt;br /&gt;&lt;br /&gt;I'll step off the soapbox now.  It's important to understand how these groups work as well as what they really want from you.  Americans like the rebel, but this is the wrong rebel to cheer.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113268338855632413?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.washingtonpost.com/wp-dyn/content/article/2005/11/21/AR2005112101621.html' title='&apos;tis the season... 
For evil holiday ELF&apos;s'/><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113268338855632413/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113268338855632413&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113268338855632413'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113268338855632413'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/tis-season-for-evil-holiday-elfs.html' title='&apos;tis the season... For evil holiday ELF&apos;s'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113203825194007405</id><published>2005-11-14T22:55:00.000-08:00</published><updated>2005-11-16T08:13:51.783-08:00</updated><title type='text'>Bad (domestic) Intelligence</title><content type='html'>Let me begin by saying that from &lt;a href="http://www.msnbc.msn.com/id/10019329/site/newsweek/"&gt;this article&lt;/a&gt; we just can't know the whole story, but it certainly sounds bad for the FBI. 
For those of you that haven't been around this blog before I've posted on both &lt;a href="http://technorati.com/tag/Eco-terrorism" rel="tag"&gt;Eco-terrorism&lt;/a&gt; (&lt;a href="http://security-today.blogspot.com/2005/08/on-to-other-matters.html"&gt;here&lt;/a&gt;, &lt;a href="http://security-today.blogspot.com/2005/08/eco-terrorism-just-what-is-it.html"&gt;here&lt;/a&gt;, and &lt;a href="http://security-today.blogspot.com/2005/10/eco-terrorism-in-news-and-in-front-of.html"&gt;here&lt;/a&gt;) and &lt;a href="http://technorati.com/tag/Intelligence" rel="tag"&gt;Intelligence&lt;/a&gt; operations (&lt;a href="http://security-today.blogspot.com/2005/07/terrorism-and-criticism-of.html"&gt;here&lt;/a&gt;).  I have also presented a background piece on &lt;a href="http://www.apinnovations.biz/documents/Ecoterrorism%20in%20the%20US.pdf"&gt;Eco-terrorism in the U.S.&lt;/a&gt; that discusses the philosophy of the environmental and animal liberation movements and traces their development and tactics over the years. If you're more interested in &lt;a href="http://www.ifpo.org/programs/intelligence.pdf"&gt;Intelligence then I have a paper for you&lt;/a&gt; as well that discusses intelligence operations in the private sector.&lt;br /&gt;&lt;br /&gt;Since these topics are near and dear to me let's discuss this a little. The FBI arrested the wrong person, released him, and will be paying for their mistake. There must be more to the argument, because it's generally rare that damages are paid when the wrong person is arrested. Why it sounds as though they may not have had &lt;a href="http://en.wikipedia.org/wiki/Probable_cause"&gt;probable cause&lt;/a&gt;. So how then did they decide that this was the right person to apprehend? 
I generally do not criticize law enforcement if I wasn't right there (I dislike those that tend to second-guess my efforts without realizing they weren't there); however this doesn't seem to be a decision that had to be made in the heat of the moment - so why the mistake?&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;It looks like the error was with bad intelligence or at least a poor interpretation of the available intelligence. Concerns from civil liberties groups over the Patriot Act and domestic intelligence gathering have been on-going for many years. These concerns predate the Patriot Act with the COINTEL (Counter-Intelligence) activities of the FBI from years past. We in the U.S. do not take too kindly to being spied on by our own government; however it is necessary whether we like it or not. Another recent episode in this matter deals with the &lt;a href="http://www.denvergov.org/newsarticle.asp?id=7260"&gt;Denver PD intelligence files&lt;/a&gt; which were found to have a couple of serious flaws. First they were never purged - that's right, files were maintained for indefinite periods of time, and second they contained information on activities that are protected under the First Amendment - things like legal protests.&lt;br /&gt;&lt;br /&gt;One may have thought that an important lesson was learned from the COINTEL days... Maintaining extensive dossiers is inefficient and often counter-productive. I know from a very limited experiment. These files are cumbersome, time-consuming, and just don't provide much &lt;span style="font-style: italic;"&gt;predictive &lt;/span&gt;information. Sure you feel like you 'know' your target, but you really don't know them. Anyway, it appears that a decision may have been made based on a similar "belief of knowledge."&lt;br /&gt;&lt;br /&gt;So the FBI screwed up. Is there a threat posed by the Eco and animal liberators? Absolutely. Read my paper on the movement. 
The important thing to remember is that each new generation builds their beliefs where the last generation left off. What this means is that the Sierra Club wanted to preserve park land, but today's Earth First! and Earth Liberation Front want to restore the world to how it looked before the industrial revolution. While I find it intriguing to consider a time when we lived in greater harmony with the environment, I recognize that without excess agricultural capacity and the ability to store and preserve this excess we would be living one year to the next - just like the real old days. Regardless of my own beliefs on environmental impact, I find the use of violence, or the threat of violence, to reach one's goals to be reprehensible, and worthy of our efforts to defeat it. Will mistakes be made? No doubt. Should remuneration be made? When it is appropriate. Why?&lt;br /&gt;&lt;br /&gt;To answer that we need to consider Carlos Marighella's &lt;span style="font-style: italic;"&gt;Mini-Manual of the Urban Guerilla&lt;/span&gt;. While avoiding a discussion on why his techniques ultimately fail, it is important to understand one very important concept. The insurgents act against the government only. The government, being unable to discern between guerilla and general population, cracks down on the general population. This in turn drives support to the insurgent movement. Rinse and repeat! Eventually the government's oppressive actions destroy their legitimacy with the population. So will mistakes be made? Yes. Should the government try to make those wrongfully caught up in the process whole again? Yes. 
We as a population must not forget that the target is, and must always be, those that use violence or the threat of violence to attempt to achieve their goals.&lt;br /&gt;&lt;br /&gt;Thanks for persevering to the end.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113203825194007405?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.msnbc.msn.com/id/10019329/site/newsweek/' title='Bad (domestic) Intelligence'/><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113203825194007405/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113203825194007405&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113203825194007405'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113203825194007405'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/bad-domestic-intelligence.html' title='Bad (domestic) Intelligence'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113171918501313436</id><published>2005-11-11T06:26:00.000-08:00</published><updated>2005-11-11T06:26:25.026-08:00</updated><title type='text'>Veteran's Day 2005</title><content type='html'>Please take a moment and consider the sacrifices over the years that have secured our blessings of 
liberty.&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Here are a few interesting links in no particular order:&lt;br /&gt;&lt;br /&gt;From the Department of &lt;a href="http://www1.va.gov/opa/vetsday/"&gt;Veteran's Affairs&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://en.wikipedia.org/wiki/Veterans_Day"&gt;Wikipedia&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.voanews.com/english/2005-11-11-voa11.cfm"&gt;Voice of America&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Information from the &lt;a href="http://www.census.gov/Press-Release/www/releases/archives/facts_for_features_special_editions/002827.html"&gt;Census Bureau&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From the &lt;a href="http://www.army.mil/cmh-pg/faq/vetsday/vetshist.htm"&gt;U.S. Army&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://usmilitary.about.com/cs/generalinfo/a/veteransday.htm"&gt;About.com&lt;/a&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113171918501313436?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113171918501313436/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113171918501313436&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113171918501313436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113171918501313436'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/veterans-day-2005.html' title='Veteran&apos;s Day 2005'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112889906246714767</id><published>2005-11-08T11:01:00.000-08:00</published><updated>2005-11-11T05:55:23.646-08:00</updated><title type='text'>Hurricanes, earthquakes, mudslides, flooding - Natural Disasters - and contingency planning</title><content type='html'>Mother Nature has a nasty, nasty temper as was clearly demonstrated by the last few months around the world. So what does all this mean for security? Business Continuity Planning? General preparedness? LOTS!!!&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;We, that is our industry (and probably most every business planner), learned a lot about how mass evacuations - or the lack thereof - affect BCP and Disaster Recovery (DR) plans.  Your plan might have been great, right until it ran into everyone else's plan (and the odd hundred thousand without a plan). &lt;br /&gt;&lt;br /&gt;Fundamentally speaking, it's no longer good enough to have a plan, rehearse the plan, improve the plan, and keep it current.  Now you have to coordinate your plan with the plans of the local and state governments.  Will you still try to shelter in place? Or, will you shift operations to another regional center and just pack up and go as early as possible.  It's all about cost, right?  Well consider the cost of if you tried to stay in New Orleans.  It took quite some time before fuel and food arrived... How much do you plan to store?  How will you deal with any looters and vandals that might remain behind?  &lt;br /&gt;&lt;br /&gt;It may just be better to contract the services of a remote hotsite provider such as &lt;a href="http://www.recoverypoint.com/"&gt;Recovery Point Services&lt;/a&gt;.  There are many others and there other options similar to this as well.  
In some instances, funds permitting, it may just be best to "get out of Dodge."  Other times it may not be possible to do so - or to continue operations remotely. Then it may just be best to be sure your Business Interruption insurance is up to date and that you have coverage for natural disasters; not to mention how much coverage that actually is.  &lt;br /&gt;&lt;br /&gt;Plan carefully and make sure your plan blends with those around you.  &lt;br /&gt;&lt;br /&gt;Don't neglect to also develop a return to normal operations plan.  How will you go about getting back to your old location, or when will you start looking for a new one?  What has to moved first and when is the best time to do that? Etc. ad nausium.&lt;br /&gt;&lt;br /&gt;Good luck.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112889906246714767?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112889906246714767/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112889906246714767&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112889906246714767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112889906246714767'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/hurricanes-earthquakes-mudslides.html' title='Hurricanes, earthquakes, mudslides, flooding - Natural Disasters - and contingency planning'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113133276601181178</id><published>2005-11-06T18:40:00.000-08:00</published><updated>2005-11-06T19:06:06.023-08:00</updated><title type='text'>CRASH!!! - Auto accidents</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Just a little deviation from the normal sorts of posts.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;On Saturday night I, once again, witnessed a car accident.  Not a bad one in terms of injuries, but an accident.  My wife and I had just left a restaurant and were in the upper left section of a "T" intersection preparing to turn right - down the "T".  The car in front of us turned right but the vertical section of the "T" had three lanes, two heading toward the intersection (up the T) and one heading away (down the T).  The car in front of us turned into the middle lane, which is the left-hand turn lane, and hit a car coming toward the intersection head-on.  I parked on the shoulder and got out to help.  So here are a few thoughts on handling vehicle accidents...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;First, it is important to follow your local laws and your insurance company's and/or attorney's direction and guidance.  With that said, remember that personal injury and health are the most important issue immediately after the accident.  Make sure you are ok, and then worry about others.  Keep yourself safe whenever you attempt to check-on or help others.  It's the same way with professional rescuers - there's no point in getting yourself hurt and making yourself another casualty.  So assess the situation quickly and determine if anyone is hurt and call for help.  
Try to get the contact information from not only the other involved parties but witnesses as well before they wander away - and no doubt they will.&lt;br /&gt;&lt;br /&gt;Anyway, keep a few key things in your car like flares, a first aid kit, a disposable camera, pen/pencil and paper, insurance card, and any seasonal items that are appropriate - like a blanket in winter.  As for the disposable camera, don't hold back; if you have 26 exposures then use 26 exposures.  It's not like you want your vacation on that roll too.&lt;br /&gt;&lt;br /&gt;If you're a witness - and you're civic-minded - make sure everyone is ok, get the tag numbers as quickly as possible (and tag numbers of vehicles that have stopped briefly before leaving), call for help if no one else has, and then offer your assistance.  Keep in mind that the involved parties probably have no idea what to do - take the lead.  Offer to lay flares, get names and contact information, and take pictures.  &lt;br /&gt;&lt;br /&gt;Just a few thoughts on something off the beaten path.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113133276601181178?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113133276601181178/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113133276601181178&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113133276601181178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113133276601181178'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/crash-auto-accidents.html' 
title='CRASH!!! - Auto accidents'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113104532208671904</id><published>2005-11-03T11:00:00.000-08:00</published><updated>2005-11-04T12:51:48.673-08:00</updated><title type='text'>Expansile Significance - "The Tip of the Iceberg" and how solving large losses often means addressing the insignificant ones</title><content type='html'>What the hell is Expansile Significance you ask? So did I, though the problem wasn’t with the term but with the fact that our industry never bothered to create one for a time honored concept. To better explain it consider combining the idea of the “tip of the iceberg” and the “Broken Window” Theory (&lt;a href="http://en.wikipedia.org/wiki/Broken_window_fallacy"&gt;here&lt;/a&gt;, &lt;a href="http://www.cityofseattle.net/police/prevention/Tips/broken_window.htm"&gt;here&lt;/a&gt;, and&lt;a href="http://www.codinghorror.com/blog/files/Atlantic%20Monthly%20-%20Broken%20Windows.htm"&gt; here&lt;/a&gt;, with &lt;a href="http://www.npr.org/templates/story/story.php?storyId=4520866"&gt;dissenting view here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;We’ve all seen it – in one way or another. In my retail days it was not uncommon to ‘interview’ a sales associate about a minor policy violation, say ringing their own transaction or giving their discount to a friend (aka employee discount abuse). 
And for those familiar with interview techniques (I started with &lt;a href="http://www.w-z.com/"&gt;Wicklander-Zulawski &lt;/a&gt;– which competes with &lt;a href="http://www.reid.com/"&gt;Reid&lt;/a&gt; and &lt;a href="http://www.lsiscan.com/"&gt;LSI&lt;/a&gt;) you know you approach these interviews similarly to a known loss (theft) interview anyway. So there you are going through your spiel when you realize that this person has done much more than you knew – on one occasion I went from one missing gift certificate to four felony theft cases. &lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;In the world of law enforcement, former NYC Mayor Rudy Giuliani encapsulated it through enhanced enforcement based on the “Broken Window” Theory. You know, by showing that minor violations won’t be accepted you decrease the appearance that more serious deviance is acceptable. I don’t intend to try and prove the efficacy of NYC’s efforts now. Instead keep in mind that if a violation is worth the time of enforcement then it’s worth the time to do it right.&lt;br /&gt;&lt;br /&gt;Embezzlement – or any other form of stealing from an employer – is a great example of this. It is HIGHLY unlikely that you, or any other investigator, will catch someone on their first theft. Maybe their first theft using that method; however there have probably been other losses that they have caused. I recall from my &lt;a href="http://www.w-z.com/"&gt;W-Z&lt;/a&gt; training that a thief probably will not remember every individual theft, but will remember the first act and the most recent. Then you can work out some mathematical averages to estimate the total loss (which should then be used to help identify further evidence to corroborate or support this estimate). 
With this in mind it is important to explore all avenues of loss in an investigation – that is if you want to try and find the most accurate estimate and maybe get some hints for improving your internal controls.&lt;br /&gt;&lt;br /&gt;Anyway take the time to conduct investigations properly. Be thorough and don’t arbitrarily assume you have the answers. I know that in the real-world time often is the biggest constraint so at least recognize what you may be missing – and work on ways to evaluate this more efficiently.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113104532208671904?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113104532208671904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113104532208671904&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113104532208671904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113104532208671904'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/expansile-significance-tip-of-iceberg.html' title='Expansile Significance - &quot;The Tip of the Iceberg&quot; and how solving large losses often means addressing the insignificant ones'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113089245867021689</id><published>2005-11-01T16:38:00.000-08:00</published><updated>2005-11-04T12:53:05.050-08:00</updated><title type='text'>The Latest - Congress and the "SHAC" attack on the NYSE</title><content type='html'>For the best on the current high-profile happenings in the Animal Rights/Liberation movement head to &lt;a href="http://brianoconnor.typepad.com/"&gt;Animal Crackers&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Here's the short version...  Huntingdon Life Sciences has been trying to be listed on the NYSE.  On the eve of this listing the President of the NYSE blocked the listing, after being targeted by SHAC and friends.  As a result, the U.S. Senate has had more hearings on Eco-terrorism including a guest appearance from Dr. Jerry Vlasik.  There's some great video from this.  The saga continues...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.assetprotectioninnovations.com/documents/Ecoterrorism%20in%20the%20US.pdf"&gt;&lt;br /&gt;Once again, for more background information on Eco-terrorism, including Animal Rights/Liberation and the Environmental Movement try this.&lt;/a&gt;&lt;span class="fullpost"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113089245867021689?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113089245867021689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113089245867021689&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113089245867021689'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/14312771/posts/default/113089245867021689'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/11/latest-congress-and-shac-attack-on.html' title='The Latest - Congress and the &quot;SHAC&quot; attack on the NYSE'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-113027161461471618</id><published>2005-10-25T12:51:00.000-07:00</published><updated>2005-10-25T17:12:28.193-07:00</updated><title type='text'>Eco-terrorism - in the news and in front of Congress - again</title><content type='html'>Brian Connor over at &lt;a href="http://brianoconnor.typepad.com/"&gt;Animal Crackers&lt;/a&gt; has offered us information on the recent postponing of LSR (Life Sciences Research - otherwise known as Huntingdon Life Sciences) listing on the New York Stock Exchange (he draws from &lt;a href="http://www.weeklystandard.com/Content/Protected/Articles/000/000/006/192farsi.asp"&gt;here&lt;/a&gt;, &lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/09/27/EDGA8ET9TV1.DTL"&gt;here &lt;/a&gt;and &lt;a href="http://www.nypost.com/business/52971.htm"&gt;here&lt;/a&gt;).  Further, it looks like there will be more hearings concerning the radical Animal Rights movement.&lt;br /&gt;&lt;span class="fullpost"&gt;&lt;br /&gt;For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. 
If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.&lt;br /&gt;&lt;br /&gt;So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect your business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you for not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.&lt;br /&gt;&lt;br /&gt;The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. 
Professor Steven Best at the University of Texas - El Paso stated in a speech that &lt;a href="http://www.dailyiowan.com/media/paper599/news/2005/01/21/Metro/AnimalRights.Speaker.Provokes.Disbelief-837676.shtml"&gt;he would save his dog rather than an unknown human&lt;/a&gt; if they were both in a fire. See, his dog means more to him than an unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (&lt;a href="http://www.animalliberationfront.com/"&gt;Animal Liberation Front&lt;/a&gt;) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.&lt;br /&gt;&lt;br /&gt;This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.assetprotectioninnovations.com/Documents/Ecoterrorism%20in%20the%20US.pdf"&gt;For additional information concerning Eco-terrorism in the U.S. 
check out this document.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-113027161461471618?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/113027161461471618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=113027161461471618&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113027161461471618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/113027161461471618'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/eco-terrorism-in-news-and-in-front-of.html' title='Eco-terrorism - in the news and in front of Congress - again'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112991746729169342</id><published>2005-10-21T10:41:00.000-07:00</published><updated>2005-10-24T13:47:45.360-07:00</updated><title type='text'>A special note to my new "friend" - Some people make crime easy</title><content type='html'>Hey Steve! I'm calling your name so that you know this is about you - I gave you my card at the bookstore.&lt;br /&gt;&lt;br /&gt;For everyone else, here's how it went...&lt;br /&gt;&lt;br /&gt;I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. 
Nothing odd there; everyone does it - it's not like it's a library, right?&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Then the call gets interesting.  Steve began speaking about a donation.  Being someone that considers &lt;a href="http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29"&gt;Social Engineering&lt;/a&gt; (see &lt;a href="http://www.kevinmitnick.com/"&gt;a pro here&lt;/a&gt;, &lt;a href="http://www.securityfocus.com/infocus/1527"&gt;more here&lt;/a&gt;, and &lt;a href="http://www.ifpo.com/programs/intelligence.pdf"&gt;here&lt;/a&gt;) one of the most, if not the most, under-treated security risks, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.&lt;br /&gt;&lt;br /&gt;Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.&lt;br /&gt;&lt;br /&gt;This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.&lt;br /&gt;&lt;br /&gt;Look folks. If you're going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. 
This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.&lt;br /&gt;&lt;br /&gt;This is an example of poor &lt;a href="http://en.wikipedia.org/wiki/Operations_security"&gt;OPSEC &lt;/a&gt;and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112991746729169342?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112991746729169342/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112991746729169342&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112991746729169342'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112991746729169342'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/special-note-to-my-new-friend-some.html' title='A special note to my new &quot;friend&quot; - Some people make crime easy'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112981803531970557</id><published>2005-10-20T07:20:00.000-07:00</published><updated>2005-10-20T07:20:35.336-07:00</updated><title type='text'>Quick advert for a 
friend</title><content type='html'>My best friend has started a &lt;a href="http://www.louch.org/politicalyak/"&gt;new blog&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The Political Yak is where he plans to discuss politics - mostly local - and his political acumen is exceptional.  &lt;br /&gt;&lt;br /&gt; So go check it out, bookmark it, and then come back here.&lt;br /&gt;&lt;br /&gt; Rob&lt;br /&gt; /&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112981803531970557?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112981803531970557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112981803531970557&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112981803531970557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112981803531970557'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/quick-advert-for-friend.html' title='Quick advert for a friend'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112913306133561955</id><published>2005-10-12T13:15:00.000-07:00</published><updated>2005-10-21T10:28:48.956-07:00</updated><title type='text'>Valuable lessons from the USS Cole attack</title><content type='html'>Let's all take a minute and remember the 17 dead and 42 wounded in the attack on the USS 
Cole five years ago today - that would be October 12, 2000. See the &lt;a href="http://www.estripes.com/article.asp?section=104&amp;article=32172"&gt;Stars &amp;amp; Stripes tribute&lt;/a&gt; and many of the other news outlets.&lt;br /&gt;&lt;br /&gt;Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. I'll start with the &lt;a href="http://www.defenselink.mil/pubs/cole20010109.html"&gt;Cole Commission Report&lt;/a&gt; and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.&lt;br /&gt;&lt;br /&gt;I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. 
It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, &lt;a href="http://www.personalprotection.com/"&gt;Dr. Kobetz&lt;/a&gt;, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we are all familiar with the limitations on tools, expertise and money in preparing an attack.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week-old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. 
So keep organizational plans in the mix as well.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. &lt;span style="font-weight: bold;"&gt; &lt;/span&gt;In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things, the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks&lt;br /&gt;&lt;/b&gt;&lt;br /&gt;Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. 
Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. 
Stay within the law but collect.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;/b&gt;&lt;b&gt;Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try &lt;a href="http://www.sans.org/rr/whitepapers/covert/"&gt;here&lt;/a&gt;, or &lt;a href="http://www.ifpo.com/programs/intelligence.pdf"&gt;here for information&lt;/a&gt;). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.&lt;br /&gt;&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;b&gt;Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit&lt;br /&gt;&lt;br /&gt;&lt;/b&gt;This says so much.  What do you know about &lt;a href="http://www.ifpo.com/"&gt;security officer, security supervisor, or security manager training&lt;/a&gt;? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of &lt;a href="http://www.dickmarcinko.com/"&gt;Marcinko&lt;/a&gt;'s books, "Train hard, fight easy!"  
Although enough may be said about training - enough is rarely done about training.&lt;br /&gt;&lt;br /&gt;Just a few comments on what every security professional/practitioner can learn from a tragic event.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112913306133561955?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112913306133561955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112913306133561955&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112913306133561955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112913306133561955'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/valuable-lessons-from-uss-cole-attack.html' title='Valuable lessons from the USS Cole attack'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112855280791097125</id><published>2005-10-05T18:22:00.000-07:00</published><updated>2005-10-25T13:57:22.433-07:00</updated><title type='text'>Home care providers and workplace violence</title><content type='html'>Here's an interesting topic that came up today: Security in home service industries. 
You know house cleaning services, home healthcare, and all the other services that involve someone being sent to a home to assist the homeowner.&lt;br /&gt;&lt;br /&gt;Here are a couple of quick resources on the topic: &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/0398074046/qid=1128548940/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/002-9195935-0970403?v=glance&amp;s=books&amp;amp;n=507846"&gt;book&lt;/a&gt;, &lt;a href="http://www.ajph.org/cgi/content/abstract/77/2/209"&gt;article&lt;/a&gt;, &lt;a href="http://nsi.org/Library/Work/violenc1.html"&gt;article&lt;/a&gt;, &lt;a href="http://hhc.sagepub.com/cgi/content/refs/17/4/327"&gt;article&lt;/a&gt;, &lt;a href="http://www.nursingworld.org/ojin/topic25/tpc25_6.htm"&gt;article&lt;/a&gt;, &lt;a href="http://www.dangerousbehaviour.com/Disturbing_News/Guidelines%20for%20PreventingViolence%20HSS.htm"&gt;government publication&lt;/a&gt;,  &lt;a href="http://www.osha.gov/Publications/osha3148.pdf"&gt;another  government publication&lt;/a&gt;, and there are more available on the web.&lt;br /&gt;&lt;br /&gt;As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to &lt;a href="http://www.ventureline.com/glossary_V.asp"&gt;vet&lt;/a&gt; your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. 
Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, have acknowledged the problem and want your employee to be safe, and two, it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract? This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size-fits-all system.&lt;br /&gt;&lt;br /&gt;It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (&lt;a href="http://www.personalprotection.com/"&gt;see this&lt;/a&gt;, and &lt;a href="http://www.esi-lifeforce.com/"&gt;this&lt;/a&gt;) details when they conduct an advance. Why? 
To manage risks, simple as that. Now you have a better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.&lt;br /&gt;&lt;br /&gt;Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. Foreseeability is one factor used during civil litigation to determine an employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (&lt;a href="http://www.ifpo.com/programs/backgound.pdf"&gt;See this on background research&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;A couple of quick notes on background research.  First it's always best to get consent up front; however public records are &lt;span style="font-style: italic;"&gt;public&lt;/span&gt; so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like &lt;a href="https://www.publicrecords-search.com/servlet/service?ad=cb"&gt;this&lt;/a&gt;; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. 
Enough said there.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112855280791097125?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112855280791097125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112855280791097125&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112855280791097125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112855280791097125'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/home-care-providers-and-workplace.html' title='Home care providers and workplace violence'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112838347318099448</id><published>2005-10-03T19:50:00.000-07:00</published><updated>2005-10-03T16:51:13.186-07:00</updated><title type='text'>New Training Program!!!</title><content type='html'>The International Foundation for Protection Officers has just released a new training program: &lt;a href="http://www.ifpo.org/programs/crime_loss.htm"&gt;Crime and Loss Investigations&lt;/a&gt;.  This isn't just for security officers either!  
It can be of great use to anyone responsible for managing losses.&lt;br /&gt;&lt;br /&gt;In addition to a textbook this program also uses a few &lt;a href="http://www.ifpo.org/programs/cl_articles.html"&gt;online papers&lt;/a&gt; as a supplement.  Take a look.&lt;br /&gt;&lt;br /&gt;I was lucky enough to have been able to get an&lt;a href="http://www.ifpo.org/programs/intelligence.pdf"&gt; article on intelligence operations&lt;/a&gt; into the training program.&lt;br /&gt;&lt;br /&gt;But here's a really great article by a friend of mine on &lt;a href="http://www.ifpo.org/programs/backgound.pdf"&gt;background investigations&lt;/a&gt; - he gives away practically all the secrets.&lt;br /&gt;&lt;br /&gt;And another one on &lt;a href="http://www.ifpo.org/programs/interviewing.pdf"&gt;Interviewing&lt;/a&gt; - the lifeblood of retail loss prevention investigations.&lt;br /&gt;&lt;br /&gt;It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112838347318099448?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112838347318099448/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112838347318099448&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112838347318099448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112838347318099448'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/10/new-training-program.html' title='New Training Program!!!'/><author><name>Rob Metscher CPP, CISSP, 
CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112795645789442480</id><published>2005-09-29T14:08:00.000-07:00</published><updated>2005-10-25T13:58:15.726-07:00</updated><title type='text'>ASIS - benefit, cash drain, vanity show, or all three?</title><content type='html'>Here's another request, and one that hits close to home. What are the benefits of belonging to ASIS? Are there any opportunities for students?&lt;br /&gt;&lt;br /&gt;I know I'm not the best person to answer this, but here are my thoughts nonetheless...&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.asisonline.org/"&gt;ASIS International - formerly the American Society for Industrial Security&lt;/a&gt; - is the granddaddy of all security associations (as far as I know). They are an organization that has changed a lot since their beginnings and they are destined to change far more in the next decade.&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;Once upon a time when I first found my way into security I did not think too much of ASIS - why? Well my experiences were of rather pompous people that believed they knew everything; however they did not seem open to changes (so I figured ASIS were fitting initials). After some time I found that not being part of it could be a little dangerous to a career - at least from the networking and industry update side. 
I joined other organizations like the &lt;a href="http://www.ifpo.org/"&gt;International Foundation for Protection Officers&lt;/a&gt;, the &lt;a href="http://www.asetcse.org/index.htm"&gt;Academy of Security Educators&lt;/a&gt;&lt;a href="http://www.asetcse.org/index.htm"&gt; and Trainers&lt;/a&gt;, and was inducted into &lt;a href="http://www.personalprotection.com/nla.cfm"&gt;The Nine Lives Associates&lt;/a&gt;, but I eventually realized that ASIS was where these pretty much all came from anyway. I'm still part of all of these as well as being involved in ASIS.&lt;br /&gt;&lt;br /&gt;Is ASIS a good ol' boys group? Maybe once upon a time it was - and it certainly was in my perception - but I've noticed in just the last eight years a subtle change away from such an image. Now it could very well be that my perception has changed due to my involvement and interaction with a wider group of members. Either way, I now see ASIS as something very important to our industry and something worth being part of - if nothing else but to effect change for the better.&lt;br /&gt;&lt;br /&gt;So what do I get from ASIS? I like training, news, interaction, argument - dissent, disagreement, and conflict - for the sake of getting better. I like to think and ask others to challenge my thoughts - and many are all too willing to do so in an almost unfriendly way. ASIS gives me access to many others within my own industry - saints and jerks alike. We can learn something from anyone, and with that in mind and something like 20,000 members there's a lot I can learn from ASIS.&lt;br /&gt;&lt;br /&gt;ASIS also provides the most well known certifications. Why are these important? Consider this... Who do you want to do your taxes? A &lt;a href="http://www.aicpa.org/index.htm"&gt;Certified Public Accountant&lt;/a&gt; or an Accountant? Why is that? 
To me a CPA represents someone that is willing to put their knowledge and skills to greater scrutiny - once for an examination - and continually by meeting the expectations of those that choose a CPA. They also have a &lt;a href="http://www.aicpa.org/about/code/index.html"&gt;Code of Conduct&lt;/a&gt; that is spelled out clearly for everyone to see. This means there are disciplinary actions that can be taken outside of the usual criminal and civil paths. Why is this important? It means that a CPA is willing to perform to a standard or be punished professionally. Now take that into the world of security. Who do you look for when you need an answer? A Security Manager or the &lt;a href="http://www.asisonline.org/certification/cpp/index.xml"&gt;CPP&lt;/a&gt;?  Which would you prefer protecting your organization on a day-to-day basis?  A security officer or a &lt;a href="http://www.ifpo.org/programs/cpo.htm"&gt;CPO&lt;/a&gt;? Do you expect a certain level of performance? Absolutely. When a standard is not met then 'professional' disciplinary action can be taken. ASIS, IFPO, ACFE, and ISC2 all have expected standards of performance. So the certifications are important because they impart an agreement among three parties: the designee, to perform in an acceptable way; the organization, to enforce their rules of conduct to maintain the quality of the certification in the public domain; and the public (or consumers), who expect that level of performance. It is a commitment to professionalism.&lt;br /&gt;&lt;br /&gt;So what can students do in ASIS? LEARN! Take notes, train, NETWORK, and drive yourself to a higher standard than your own mentor. Oh yah, find a mentor (or mentors) and grow from their experience - but always think for yourself.&lt;br /&gt;&lt;br /&gt;Attending training - when you can afford it - is essential to reaching that next level. Any training is good - even bad training. 
Bad training (and I've paid for my fair share of absolute crap disguised under the reputation of a "security pro") helps you to know who is full of crap in the industry and what they sound like when they talk. They will be your competition for good jobs. There's a lot to be said for these folks, but they're in every industry so just go out and meet them. Bad training can also get you hurt - think about everything that you are taught - so that the skills you learn do not govern your performance. Ask yourself, "How would I get around this?" or "How could this be defeated?" Sometimes it's worth asking someone who really knows. When I used to catch shoplifters I often asked them about previous fights with law enforcement or security. They'll talk - everyone who wins a fight talks - and this can be beneficial to you. Develop a "Discipline of Training" and stick with it. A little here, a little there. When you can't afford training (and I know how that feels making $5.90 catching thieves) get a book, conduct a free survey, plan a security system, engineer a break-in, and use your imagination to train yourself - it's free. Offer to work with someone on your off-hours; informal internships can be very useful. AND go where the knowledge is - just like salespersons go where the money is - spend time in the circles that your potential mentors will be and be involved. This is where ASIS can be a great help because you can go where the best are - monthly meetings, committees and so on. When you drink beer or otherwise socialize with these folks take some time to get advice on your career direction, opportunities, tricks and tips, and then make sure you don't monopolize the time. DON'T be afraid to offer your opinion on any discussion concerning security. If you're wrong you'll learn, and if you're right then you're contributing. 
If those with you blow you off and act like you should be a child - seen and not heard - then it's time to find a new group of pros because there's little reason to waste your time with pompous fools unwilling to drive someone else's success. Your time is valuable - DO NOT waste it. Build your network - nurture your network - expand your network - improve yourself so others want to network with you - and focus on quality and not size. 200 business cards are just a stack of paper - 2 good contacts that you can reach out to and not be a stranger can change your life.&lt;br /&gt;&lt;br /&gt;Those are my thoughts on ASIS - for me it is a facilitator for all of this.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112795645789442480?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112795645789442480/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112795645789442480&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112795645789442480'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112795645789442480'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/asis-benefit-cash-drain-vanity-show-or.html' title='ASIS - benefit, cash drain, vanity show, or all three?'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112769562640534219</id><published>2005-09-28T21:10:00.000-07:00</published><updated>2005-10-25T13:58:50.076-07:00</updated><title type='text'>Walk - don't run... No wait, run for your lives!!!</title><content type='html'>We have a special request for a very interesting, and I daresay relevant, topic. Oh, and a polite out-of-bandwidth comment on being lazy and not blogging.&lt;br /&gt;&lt;br /&gt;How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...&lt;span class="fullpost"&gt;&lt;br /&gt;&lt;br /&gt;When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in our card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now? This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. 
So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.&lt;br /&gt;&lt;br /&gt;Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the number of rapid access/egress activities is substantially lower. All you need is a control point where the tokens can be dropped off or picked up and someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.&lt;br /&gt;&lt;br /&gt;How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.&lt;br /&gt;&lt;br /&gt;So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. 
We can make those student IDs proximity cards so that those entering and leaving are identified on an occupancy roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the &lt;span style="font-style: italic;"&gt;throughput &lt;/span&gt;rate is everything to your client.  Otherwise it just won't be used CONSISTENTLY.&lt;br /&gt;&lt;br /&gt;Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marcinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moment's notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose &lt;span style="font-style: italic;"&gt;fits&lt;/span&gt; with the organization's culture: No fit = No use = Disaster.&lt;br /&gt;&lt;br /&gt;Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even throw up an example or two for fun... But keep it simple so that it works in a crisis.&lt;br /&gt;&lt;br /&gt;Always be absolutely ruthless with your own plans - it sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. 
Send your plan in a comment and I'll gladly look for a way around it.&lt;br /&gt;&lt;br /&gt;One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!&lt;br /&gt;&lt;br /&gt;Think fast...&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112769562640534219?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112769562640534219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112769562640534219&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112769562640534219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112769562640534219'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/walk-dont-run-no-wait-run-for-your.html' title='Walk - don&apos;t run... No wait, run for your lives!!!'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112724014882478937</id><published>2005-09-20T10:40:00.000-07:00</published><updated>2005-09-20T11:15:49.353-07:00</updated><title type='text'>Suicide bombers and public transportation</title><content type='html'>An image recently came to mind dating back to the London bombings... Searches at U.S. subway entrances. 
On television they appeared to be done professionally - and I'm not discussing the issue of racial profiling, just the searching methodology and not the selection.&lt;br /&gt;&lt;br /&gt;I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.&lt;br /&gt;&lt;br /&gt;So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.&lt;br /&gt;&lt;br /&gt;Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hang a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.&lt;br /&gt;&lt;br /&gt;Why is this concept worthwhile? The persons near the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. 
Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.&lt;br /&gt;&lt;br /&gt;Is it foolproof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEOs to reach the short-term goal.&lt;br /&gt;&lt;br /&gt;I'd be interested in hearing your thoughts on this...&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112724014882478937?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112724014882478937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112724014882478937&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112724014882478937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112724014882478937'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/suicide-bombers-and-public.html' title='Suicide bombers and public transportation'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112689443391035059</id><published>2005-09-16T18:13:00.000-07:00</published><updated>2005-09-16T15:12:35.743-07:00</updated><title type='text'>Windows v. Linux: A Security Perspective...</title><content type='html'>Today I bumped into an individual at &lt;a href="http://www.borderstores.com/index.jsp"&gt;Borders Books&lt;/a&gt; who asked which was more secure, Windows or Linux. Well what do you think? I think it really depends more on the individuals using it and those administering it. Threats ultimately come from people and so do the defenses. So any poorly managed operating system is more vulnerable than a well managed operating system - with a few caveats... As for Windows and Linux. Windows is more widely used - so it is targeted more often; Linux is not. If you are designing malicious code to affect the widest population of users you must have it target operating systems and applications that are most widely deployed. It makes no sense to create a virus - or other malware - that targets an operating system that works on only one machine. That is, of course, unless it is a very targeted attack like you might see in the movies.&lt;br /&gt;&lt;br /&gt;Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.&lt;br /&gt;&lt;br /&gt;So which is more secure?  
I think it is the OS deployment that suffers for poor or inept management.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112689443391035059?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112689443391035059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112689443391035059&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112689443391035059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112689443391035059'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/windows-v-linux-security-perspective.html' title='Windows v. Linux: A Security Perspective...'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112682389413832822</id><published>2005-09-15T15:27:00.000-07:00</published><updated>2005-09-15T15:38:14.153-07:00</updated><title type='text'>ASIS Orlando</title><content type='html'>I know I had planned to blog from Orlando but events overtook me and I'm back now. Needless to say that it was a huge event with tons of informational seminars and somewhere like 300 vendors showing their goods. 
One of those vendors also happens to be another organization that I am very involved with and it focuses on training for line security officers, supervisors and managers. These are folks that have to make the security happen everyday. I was once one of them and "it ain't easy." They are typically underpaid, undertrained, and treated like an incapable moron - who does everyone call when something happens? That's right - security! It has got to be one of the oddest paradoxes in our society. Oh, the organization is &lt;a href="http://www.ifpo.org/"&gt;The International Foundation for Protection Officers&lt;/a&gt; based in Florida. They offer great training programs - of which I am a proud certificate holder - and an outlet for learning that really doesn't exist anywhere else in the industry.&lt;br /&gt;&lt;br /&gt;I know this isn't about ASIS in Orlando - but that's it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112682389413832822?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112682389413832822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112682389413832822&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112682389413832822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112682389413832822'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/asis-orlando.html' title='ASIS Orlando'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112629314683932520</id><published>2005-09-09T12:08:00.000-07:00</published><updated>2005-09-09T12:12:26.840-07:00</updated><title type='text'>Katrina</title><content type='html'>I guess I should make some comments about Katrina - just like everyone else, right?  I offer this.&lt;br /&gt;&lt;br /&gt;Have a plan. Test your plan.  Revise your plan.  Keep your plan current.&lt;br /&gt;&lt;br /&gt;But fight your enemy. &lt;br /&gt;&lt;br /&gt;No plan survives contact with the enemy - stay flexible and stay effective.&lt;br /&gt;&lt;br /&gt;Those are my thoughts.  I don't care who screwed up at this point - the &lt;a href="http://en.wikipedia.org/wiki/Guillotine"&gt;guillotine &lt;/a&gt;didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112629314683932520?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112629314683932520/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112629314683932520&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112629314683932520'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112629314683932520'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/katrina.html' title='Katrina'/><author><name>Rob Metscher CPP, CISSP, 
CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112629280065622024</id><published>2005-09-09T11:57:00.000-07:00</published><updated>2005-09-09T12:06:40.660-07:00</updated><title type='text'>ASIS International's annual conference</title><content type='html'>Next week is &lt;a href="http://www.asisonline.org/education/programs/noframe/2005seminar/default.html"&gt;ASIS International's annual conference&lt;/a&gt; in Orlando, Florida. ASIS was formerly known as the American Society for Industrial Security but the name was changed to better reflect its worldwide involvement.&lt;br /&gt;&lt;br /&gt;It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. at least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).&lt;br /&gt;&lt;br /&gt;Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. 
See you there.&lt;br /&gt;&lt;br /&gt;Rob</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112629280065622024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112629280065622024&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112629280065622024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112629280065622024'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/asis-internationals-annual-conference.html' title='ASIS International&apos;s annual conference'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112586697920431502</id><published>2005-09-04T13:16:00.000-07:00</published><updated>2005-09-04T13:49:40.176-07:00</updated><title type='text'>Disaster and Continuity Planning</title><content type='html'>We have all seen the devastation that was brought by Katrina.  Amazing isn't it?  The sheer capability of the event to destroy an area roughly the size of England!  How does one prepare and what exactly do you prepare to do anyway?  There is constant discussion, argument and annoying debate concerning Continuity and Disaster Planning; however these are not the same.  
Continuity planning is the process of being able to continue operations while a serious event is occurring - essentially operating without being affected - and Disaster Recovery is the process of fixing everything after it has been broken. &lt;br /&gt;&lt;br /&gt;Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptive events, to say the least.  I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurricane, but here let's just touch a little on &lt;a href="http://www.drii.org/displaycommon.cfm?an=1&amp;subarticlenbr=1"&gt;Business Continuity Planning (BCP)&lt;/a&gt; and Disaster Recovery (DR).  Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs). &lt;br /&gt;&lt;br /&gt;BCP, of course, requires some preparation (hence the term planning in business continuity planning) in advance of an event.   How does one do this and what do they prepare for?  Thanks for asking, that's a great question.  First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations.  What is critical and what isn't.  In comparison with the human body we tend to use &lt;a href="http://www.envisionsoftware.com/articles/Maslows_Needs_Hierarchy.html"&gt;Maslow's Hierarchy of Needs&lt;/a&gt; so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really &lt;a href="http://en.wikipedia.org/wiki/Dehydration"&gt;dehydrated &lt;/a&gt;knows how painful a lack of water is), then food, then shelter and so on.  Medication would most likely fit nicely between water and food.  
Anyway, an organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations - permanently or temporarily - to someplace more hospitable.  For the human this exercise can be called &lt;a href="http://www.trackerschool.com/"&gt;survival &lt;/a&gt;- and, well, it can for the organization as well.  The other end of BCP, in short, is how to restore operations to normal after the event has passed.  Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done.  Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal.  Get back to servicing customers and conducting business.&lt;br /&gt;&lt;br /&gt;Now there is clearly much much more to this, but it's a start at least.  Remember the old adage: Proper Planning Prevents Piss Poor Performance.   So plan, prepare and be brutal about it.  Take nothing for granted.  Assume the worst.  And then start over and make it worse.  I think it was &lt;a href="http://www.dickmarcinko.com/"&gt;Richard Marcinko&lt;/a&gt; that said: Training should be real as to make the real thing seem fake - or something like that.  There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south.  Plan, prepare, implement your plan, revise it to make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time. &lt;br /&gt;&lt;br /&gt;One other thing.  If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you.  This is your opportunity to learn from others.  
When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112586697920431502?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112586697920431502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112586697920431502&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112586697920431502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112586697920431502'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/09/disaster-and-continuity-planning.html' title='Disaster and Continuity Planning'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112517158430490392</id><published>2005-08-27T11:48:00.000-07:00</published><updated>2005-08-27T12:39:44.360-07:00</updated><title type='text'>Eco-terrorism - Just what is it?</title><content type='html'>There has been some recent discussion concerning Eco-terrorism including Congressional hearings with testimony by the &lt;a href="http://www.fbi.gov/congress/congress05/mueller072705.htm"&gt;FBI&lt;/a&gt; and &lt;a href="http://www.consumerfreedom.com/pressrelease_detail.cfm?release=7"&gt;The Center for Consumer Freedom&lt;/a&gt;, 
along with attention by the &lt;a href="http://www.splcenter.org/intel/intelreport/article.jsp?pid=90"&gt;Southern Poverty Law Center&lt;/a&gt;.  So is there Eco-terrorism, is it a real threat, and what is the motivation of those engaging in it?  Wow, that's an awful lot to look at so I'll just hit the high points.&lt;br /&gt;&lt;br /&gt;Is there Eco-terrorism?  The government, the private sector (at least the portion involved with animals) and the Environmental/Animal Rights movements certainly think so, but the question is in how it is defined.  &lt;a href="http://en.wikipedia.org/wiki/Paul_Watson"&gt;Paul Watson&lt;/a&gt;, founder of &lt;a href="http://www.seashepherd.org/"&gt;The Sea Shepherd Conservation Society&lt;/a&gt;, explains in &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/159056054X/qid=1125169349/sr=8-1/ref=pd_bbs_1/002-1340144-6046437?v=glance&amp;s=books&amp;amp;n=507846"&gt;Terrorists or Freedom Fighters&lt;/a&gt; that the actions of the companies and governments that damage the environment are acts of terrorism; however the FBI (and likely all federal law enforcement) and those companies in the private sector that have been targeted see Eco-terrorism in a different light - as terrorism.  Why the difference?  Well, simply put, no one calls themselves a terrorist - at least not seriously.  They are always something else because they have a cause, and they generally also have an interpretation of morality that justifies their actions.  In this case the Enviro-Animal Rights movement works around a couple of justifications that are essentially synonymous. &lt;br /&gt;&lt;br /&gt;First is 'Biocentrism,' or the belief that all life is equally valuable.  Second is Speciesism, which is similar to racism or sexism in that humans wrongfully mistreat other species rather than treating them as equals. What?  You say this doesn't jive with your sense of morality?  Well it doesn't have to at this point.  
There are, however, those that feel you need to change, and they are willing to use violence to effect that change.  This, of course, depends on your definition of violence.  The Animal Rights/Liberation folks argue that violence can only be committed against animals and not property, so they do not describe their actions as violent - because they only destroy property.  Destruction in the form of arson, denial of service attacks, intimidation and open threats. &lt;br /&gt;&lt;br /&gt;Yah, but they're only freeing animals from labs, you say?  Take a reality check, now!  I'm not talking about those that engage in legal protests or "relatively harmless" efforts to rescue animals.  No I'm talking about the arson in San Diego costing over $50 million in damage - that's right $50,000,000.  I'm talking about posting the names, addresses, and family information (children's schools, etc.) of executives for companies that have been targeted on the web for all to see.  This may not seem so bad to you, but imagine if you were hated by a group of people - a group large enough to provide individual anonymity - and your information was posted at a website frequented by these members.  Members that read such material as "&lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/0963775103/qid=1125170506/sr=8-1/ref=pd_bbs_1/002-1340144-6046437?v=glance&amp;s=books&amp;amp;n=507846"&gt;Eco-defense: A Field Guide to Monkeywrenching&lt;/a&gt;" and other materials that discuss methods for intimidating individuals - threatening letters, phone calls and the like.  Wouldn't you be just a bit concerned?  I think so.&lt;br /&gt;&lt;br /&gt;The goals of these movements are similar but not identical.  The Environmental movement comes in several varieties that can be seen as a continuum.  
On one end are those that are focused on conservation, or protecting current wild lands, and leading to those that want to reintroduce wildlife - particularly predators - into these wildlands, which lead to others that want to reclaim wildlands - including displacing humans now in residence - and still others at the far, far extreme that want to reverse the technology clock altogether.  So the goal is to protect the environment from human damage - often seen to be caused by technology and overpopulation - and to improve the environment.  Some radicals argue against vaccines as inappropriate meddling with nature while she is trying to balance the ecology by reducing the populations.  The Animal Rights movement, as it is generically called, can also be seen on a continuum.  On one end is Animal Welfare, followed by Animal Rights, followed by Animal Liberation.  Animal welfarists tend to argue specifically against cruelty to animals but may not elevate them to the same status as humans.  Animal Rights folks argue that animals are equals and will work to rescue them with their fringe element, Animal Liberationists, being those willing to commit serious crimes to "liberate" animals and damage enterprises that are considered exploitative. &lt;br /&gt;&lt;br /&gt;So is it a real threat?  Sure.  As much as any other movement can be when they are willing to break the law, destroy property, and threaten human lives.  How far will their efforts go?  Well that really depends on many things, but it's unreasonable to believe they will simply change their beliefs and go home - expect to see these folks around for some time now. 
&lt;br /&gt;&lt;br /&gt;For some more information search such topics as: Stop Huntingdon Animal Cruelty, Animal Liberation Front, Earth Liberation Front, Earth First!, Animal Rights, and so on....&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112517158430490392?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112517158430490392/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112517158430490392&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112517158430490392'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112517158430490392'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/08/eco-terrorism-just-what-is-it.html' title='Eco-terrorism - Just what is it?'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112482221799671119</id><published>2005-08-23T15:08:00.000-07:00</published><updated>2005-12-29T13:05:15.166-08:00</updated><title type='text'>Shoplifting - boosting, lifting - The five-fingered discount</title><content type='html'>In a recent &lt;a href="http://toronto.fashion-monitor.com/news.php/news/2005082216shoplifting"&gt;article &lt;/a&gt;concerning a study on retail theft, Dr. 
Richard Hollinger of the University of Florida makes points that are no doubt interesting; however if you've ever worked in retail security it shouldn't be news.&lt;br /&gt;&lt;br /&gt;Roughly 8% of people that enter a store will steal something. Sounds alarming, but there has long been an accepted honesty continuum in retail loss prevention (LP). It's commonly called the 80/20 rule but it does not resemble &lt;a href="http://en.wikipedia.org/wiki/Pareto_principle"&gt;Pareto's law&lt;/a&gt; very much. It goes something like this: 10% of your employees will steal, 80% may steal, and 10% will never steal. It is generally applied to any population. The purpose of the concept is to reinforce the need for internal controls. The consequence for a lack of internal controls can be found by searching news sources for 'embezzlement.' Controls provide an opportunity to encourage the fenceriders (the 80% that may steal) not to take assets without permission.&lt;br /&gt;&lt;br /&gt;Getting back to shoplifters... They come in all shapes and sizes and profiling them is best done based on behavior rather than some cultural feature. From my own experience as an LP Officer over just three years I apprehended persons as young as 10 years old and as old as, yes I'm serious, 74 years old. What did they steal? Whatever they wanted from clothes to linen to pillows to lingerie to the silliest little knickknacks you can imagine (like refrigerator magnets). Some fought (and fought hard) but most just come back to the store when asked. Why do they steal? Now that is a question that draws much debate, but it's not generally because they lack the funds. By far the vast majority of those I apprehended had enough money on their person to pay for the items they had stolen. "They just forgot," you say? Some may have, but those I did not apprehend. Why? 
Because we had a policy of following those that had not concealed the merchandise (indicating their knowledge that they possessed the merchandise) until they did conceal it. Did some realize their mistake and go back to pay? Yes, and they probably never knew we were behind them all the way back. Why apprehend when you can make a sale? The fact they returned without encouragement would indicate to me that they were sufficiently embarrassed by their own conscience.&lt;br /&gt;&lt;br /&gt;As I said, all shapes and sizes - and so were the amounts of their thefts. Some take only one item and are quite difficult to catch, while others take considerable amounts for resale. Consider another continuum with amateur on one side and professional on the other. The pros live off their thefts and the amateurs do not. Everyone in the middle supplements their lifestyle to differing degrees with stolen items.&lt;br /&gt;&lt;br /&gt;What do shoplifters do? Well, first this is not to be construed as legal advice to go out and start putting your hands on people or accusing anyone of wrongdoing, but here are a few thoughts. Most SL's get nervous before their actual theft. The theft technically occurs (in many states within the U.S.) at the time of concealment. The SL must look around to ensure they are not being watched, or head to a very concealed place (like a fitting room or bathroom). Other times their nervousness causes them to act somewhat erratically - going from lingerie to tools, or women's dresses to men's jeans - as they try to determine if they are being followed. So the eyes give it away and the hands make the move. Those that are part of an organized theft team will typically steal in large quantities using bags, boxes or other "tools." What do they want - the good stuff - of course. 
They may be selling them to a fence (pawn shop or other illegal buyer) or they may be delivering them to re-pack houses for shipment to legitimate customers that are unknowingly buying stolen goods.&lt;br /&gt;&lt;br /&gt;I can go on forever about shoplifters... Call it a perennial thorn in my side since my earliest days in security. Heck, we didn't mention refund-artists or credit fraud at all. One day we'll get to those as well.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/14312771-112482221799671119?l=security-today.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112482221799671119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112482221799671119&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112482221799671119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112482221799671119'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/08/shoplifting-boosting-lifting-five.html' title='Shoplifting - boosting, lifting - The five-fingered discount'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112446761924580301</id><published>2005-08-19T08:34:00.000-07:00</published><updated>2005-08-19T09:06:59.266-07:00</updated><title type='text'>Are you safe with the new TSA 
guidelines????</title><content type='html'>From this &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/08/12/AR2005081201557.html"&gt;Washington Post Article&lt;/a&gt; it might appear that the government has lost its mind. Just a few years ago we were led to believe that everyone was to be a suspect and that small bladed knives were as dangerous as guns. What are we to do now? I don't know if I'll feel safe flying now!!! Will you???&lt;br /&gt;&lt;br /&gt;If you are easily scared by reality, or if you constantly worry about what if, what if, or what if, then read no further. Remain ignorant - and as unsafe as you ever were.&lt;br /&gt;&lt;br /&gt;Look folks this change is a good thing! Let me say this again: "We are only safe when we choose to be safe!" We are never safe when we relinquish our moral obligation to self-defense to a third-party. (This takes nothing away from those who - everyday - go to work and attempt to provide security for others... Military, law enforcement, correctional officers, and, well yes, security professionals.)&lt;br /&gt;&lt;br /&gt;First of all, finding small blades can be very difficult, at best, during a screening process such as one finds at airports. Ask any security professional responsible for building security. Throughput is king! With that said... I remember shortly after September 11, 2001 (yes I was flying on the first day flights were permitted) a flight attendant asked me to move to the front of the plane near the cockpit door and then asked, "If anything happens will you help me?" What a disturbing question. If anything happens. What is supposed to happen? We've been carefully stripped of all tools that human development has provided us to make us able to defend ourselves better. What was really disturbing is that someone may have said 'no'. 
After answering in the affirmative, all I could think was what all those years of telling citizens to submit to crime, criminals, and miscreants had done to us. We lost our will to resist. Why do I say this now? Because if you think that a pocket knife is that big of a threat on a plane then you lack a certain amount of the survival drive (I deeply apologize if this offends anyone, but keep reading).&lt;br /&gt;&lt;br /&gt;A pocket knife is of little use, if you understand how resilient the human body is, against a determined defender. A human can bleed a considerable amount before experiencing a serious degradation in their capabilities. Some say that bleeding is the most over-treated injury. So a little slice here or there might be disturbing but not seriously damaging. Now a thrust could be deadly. A thrust of just about two inches into the torso will hit an organ - not good. So how do you fight back on a plane? Think man, think! (Woman too). Be creative - MacGyver creative - what is around you in the passenger cabin? Seat cushions, magazines, headphones (with wire), air sick bags, the armrest, seatback trays, soda cans, plastic utensils, plastic cups, and anything in your carry on bags - like hard plastic bookmarks and so on. Roll up a magazine and strike yourself (not your little brother or best friend - belated sorry Russ) and see how much that hurts. Striking major muscles can cause them to malfunction - also called fluid shock techniques - or use it as a means to keep that little toy knife at bay. Throw water in someone's face (cocktails are better) to distract them. A soda can weighs roughly one pound. It can really hurt when used as a rock - thrown or striking. If it's empty, tear the top and bottom off and fold the long strip of metal into a very sharp edge. So I ask again, "What do you defend yourself with?" And the answer is the same as it has been for centuries - Your Mind! Do not panic - react. Do not submit - overcome. 
Oh, by the way, a pocket knife is very likely to fold onto your own fingers if you try to use it as a thrusting weapon - a bad experience I do not recommend.&lt;br /&gt;&lt;br /&gt;That all sounds great, I know. I've been spouting it for years, but practically speaking the bad guys do have advantages at the time of attack - mainly coordinated action. So how then are these changes to security policies worthwhile?&lt;br /&gt;&lt;br /&gt;The threat has changed significantly. I would venture to say that, unlike the 1970's, if someone were to yell this is a hijacking they would be picking their teeth up off the floor pretty fast. The bad guys thrive on control, and they get it by instilling fear (terror). The few affecting the many by affecting the few. They threaten one person to hold everyone at bay and so on. Anyway, these policies reflect the fact that times have changed. It's time to focus on the next threat, whatever that may be.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112446761924580301/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112446761924580301&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112446761924580301'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112446761924580301'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/08/are-you-safe-with-new-tsa-guidelines.html' title='Are you safe with the new TSA guidelines????'/><author><name>Rob Metscher CPP, CISSP, 
CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112437494292730337</id><published>2005-08-18T10:20:00.000-07:00</published><updated>2005-08-18T07:22:22.950-07:00</updated><title type='text'>On to other matters</title><content type='html'>Congratulations to the U.K. on their efforts on dealing with the terrorists among them, and now let's move on to other topics.  That is, of course, until some other incident occurs that causes near 24-hour coverage.&lt;br /&gt;&lt;br /&gt;Anyone ever hear of Eco-terrorism before?  It is not new - although the most destructive efforts seem to appear in the 1970's (Animal Rights) and 1980's (Environmental) - but it is not often addressed.  Why?  Who knows exactly.  Just ask a few people and the wide variety of answers says it all.  We just don't seem to take the problem seriously as a nation.  I sincerely hope no one feels that I don't think other domestic extremists are as serious a problem, or even more so.  I don't tend to find too many individuals that are sympathetic to such causes as racial supremacy, racial separatists, religious militants - and that would be any that espouse violence as an acceptable means to convert or cleanse anyone else - or any other groups that can fall into categories that are often referred to in the media as hate groups.  Oh by the way, there are quite a few good resources on the topic of hate (groups, violence, crime, etc.) but my favorite is the &lt;a href="http://www.splcenter.org/"&gt;Southern Poverty Law Center&lt;/a&gt;.  They really do an excellent job of tracking activities and groups.  
Their &lt;a href="http://www.splcenter.org/intel/hatewatch/subscribe.jsp"&gt;Hatewatch&lt;/a&gt; newsletter is a free service that delivers convenient links via email to hate activities in the news.  Anyway the reason I brought them up specifically is a &lt;a href="http://www.splcenter.org/intel/intelreport/article.jsp?aid=549"&gt;recent report&lt;/a&gt; concerning the current (and real) threat of "right-wing" domestic terrorism.  So extremism of all kinds can be a threat, but back to the Eco stuff. &lt;br /&gt;&lt;br /&gt;Although we can treat them separately, the Environmental Movement and the Animal Rights movement have drifted ever closer together in their efforts.  So here's a snapshot at understanding their beliefs and motivations.  Why is this important?  Well, quite frankly, no one ever seems to call themselves a 'terrorist.'  Instead this is a label that is applied externally.  There are Jihadists (not Muslim terrorists), Animal Liberators rather than terrorists - you get the point.  Understanding motivation goes a long way to understanding the "randomness" of any attack.  This is not to say that it becomes any easier to predict the next target, but it does become possible to identify a class of targets.  So off we go, first with two key terms for comprehending this: &lt;a href="http://en.wikipedia.org/wiki/Biocentrism"&gt;Biocentrism &lt;/a&gt;and &lt;a href="http://en.wikipedia.org/wiki/Speciesism"&gt;Speciesism&lt;/a&gt;.  In short, these terms state that humans are just one life form among many; standing no higher or lower than any other, and treating other species as other than equals is ethically wrong.  This is a very simplistic way to look at this but the origins of this can, arguably, be traced back to Darwin and his writings on the Descent of Man.  
&lt;a href="http://en.wikipedia.org/wiki/Peter_Singer"&gt;Peter Singer's&lt;/a&gt; book, &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/0060011572/qid=1124374330/sr=8-1/ref=pd_bbs_1/102-4866953-7872101?v=glance&amp;s=books&amp;amp;n=507846"&gt;Animal Liberation&lt;/a&gt; offers philosophical discussion on the topic, but for quite possibly the most interesting writing on the justifications for Animal Liberation by violent means there is &lt;a href="http://www.amazon.com/exec/obidos/ASIN/159056054X/qid=1124374456/sr=2-1/ref=pd_bbs_b_2_1/102-4866953-7872101"&gt;Terrorists or Freedom Fighters&lt;/a&gt; and &lt;a href="http://www.amazon.com/exec/obidos/search-handle-url/ref=br_ss_hs/102-4866953-7872101?platform=gurupa&amp;url=index%3Dstripbooks%3Arelevance-above%26dispatch%3Dsearch%26results-process%3Dbin&amp;amp;field-keywords=The+Logic+of+Political+Violence&amp;Go.x=0&amp;amp;Go.y=0&amp;Go=Go"&gt;The Logic of Political Violence&lt;/a&gt;.   To make a long argument short - Those that destroy property, threaten people and "liberate" animals are not terrorists because the animals are not ours to subjugate, and therefore it is morally correct to take action to free them in the face of illegal laws.  These folks liken their efforts to the Nazi Resistance and the Underground Railroad.  So there is their justification.  Believe what you wish.&lt;br /&gt;&lt;br /&gt;We can discuss this at some length - and you are probably getting bored with the topic as well - so we will come back at a later time and look at the Animal Liberation and Environmental activities separately.  
But in the meantime take a look at just how many &lt;a href="http://www.directaction.info/"&gt;"direct actions"&lt;/a&gt; take place around the world.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112437494292730337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112437494292730337&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112437494292730337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112437494292730337'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/08/on-to-other-matters.html' title='On to other matters'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112206325596311959</id><published>2005-07-22T13:06:00.000-07:00</published><updated>2005-07-22T13:14:15.966-07:00</updated><title type='text'>A second round in London yesterday</title><content type='html'>Once again there has been another theatrical presentation to frighten the west - and the UK in particular.  Although this time there appear to have been some competency problems with the actors.  These terrorists were apparently unable to successfully detonate their explosives.  
Lucky break, possibly, for everyone. &lt;br /&gt;&lt;br /&gt;The biggest break from this may be the intelligence that can be gathered if the actors can be captured or arrested.  However, there may also be very little intelligence to be gained as well.  How these cells operate is not so secret any more - which is what has been leading to the pre-emptive dismantling of other plots - and hopefully some future plots.  We will have to wait and see what intel comes from this.&lt;br /&gt;&lt;br /&gt;It was reported that the police in London had responded to over 250 suspicious packages in the two weeks after the first attack.  Remember, of course, that it is not how many packages are dealt with, but how many of the right packages are dealt with.&lt;br /&gt;&lt;br /&gt;Once again - our best defense against terrorism is to recognize their goal and thwart that.  Continue about your daily activities and be &lt;span style="font-style: italic;"&gt;aware&lt;/span&gt; of your environment.</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112206325596311959/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112206325596311959&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112206325596311959'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112206325596311959'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/07/second-round-in-london-yesterday.html' title='A second round in London yesterday'/><author><name>Rob Metscher CPP, CISSP, 
CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112113087726690546</id><published>2005-07-11T17:39:00.000-07:00</published><updated>2005-07-11T18:14:37.280-07:00</updated><title type='text'>Terrorism  and criticism of intelligence</title><content type='html'>Before starting this blog I put up a couple of &lt;a href="http://worshipprotection.blogspot.com"&gt;posts concerning the recent events in London&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;But it's still in the news and will be for some time.  The story changes in the news periodically.  First the devices were detonated at varying times and now the devices on the trains all are believed to have gone off at the same time....   This is an excellent illustration of the problems with intelligence operations.  Here we have events that occurred in an environment that is public and it still took nearly an entire day to refine the collected data into accurate information...  Although this example is actually more of a discussion on the exercises of historians it does illustrate a point. &lt;br /&gt;&lt;br /&gt;Imagine trying to determine events that will occur in the future with such inaccurate, intentionally misleading, and incomplete data.  This is the world of intelligence operations.  It is the process of trying to describe the image presented in a puzzle as far before it is completed as possible.  Doesn't sound too hard, does it?  Now make it more interesting and while the puzzle is being put together start pouring in pieces to other puzzles, mix them up, and now you have an inkling of the difficulties.  How many pictures must be assembled?  What if some pieces fit into multiple puzzles - how would you know? 
&lt;br /&gt;&lt;br /&gt;My experiences with intelligence dealt with the Eco/Animal Rights movement with decidedly different consequences for failure but just as difficult.   We criticize those analysts that were unable to read the signs, predict the future, and know the adversary's intention like God himself (or insert the appropriate term here for your beliefs). &lt;br /&gt;&lt;br /&gt;I must say that I honestly hate very few things, but I absolutely hate quoting television and movies.  It just seems a little less worthy than quoting some great written work.  This, of course, is just a personal prejudice and I digress only because I must now quote a television show - and a Brit one at that.&lt;br /&gt;&lt;br /&gt;There is a show in the UK called &lt;a href="http://www.bbc.co.uk/drama/spooks/"&gt;Spooks &lt;/a&gt;(but here in the U.S. it is called MI-5).  For those unaware, &lt;a href="http://www.mi5.gov.uk/"&gt;MI-5&lt;/a&gt; is a U.K. intelligence agency with some similarities to the &lt;a href="http://www.fbi.gov/"&gt;FBI &lt;/a&gt;- but don't try to draw a clean connection.  The U.K. is a different country with different rights and governmental structure.   Anyway my point is that there is a line in an episode when a police officer is killed as a result of an MI-5 operation when the widow (and there's always a grieving widow on TV) challenges the patriotism of an MI-5 operative.  And so a section leader made a statement to this effect, "You may question our methods, we certainly do it constantly, but never question our motive." &lt;br /&gt;&lt;br /&gt;With that said let's just keep one thought in mind when we hear (or engage in) criticism of our intelligence efforts.  No one, least of all those charged with identifying it ahead of time, likes to lose or look foolish.  Nearly everyone gets a bloody nose from a sucker punch at least once in their life so in answer to some of the comments belittling the intel community I leave this posting.  
We can all "do our part" in the war on terror and still keep getting bloody noses because it's hard to figure out who in the crowd is going to punch next. &lt;br /&gt;&lt;br /&gt;Damn this got long real quick.  Sorry about that.  If you persevered this far I offer one book that has some interesting reading on the topic - &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/1928994989/qid=1121130606/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/104-7728784-0984710?v=glance&amp;s=books&amp;amp;n=507846"&gt;Cracking a Terror Network&lt;/a&gt;, which is written as a fictional account with a CD with supplemental information.  If you are curious what sorts of Eco-inspired threats we have, check out these:  &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/159056054X/qid=1121130715/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/104-7728784-0984710?v=glance&amp;s=books&amp;amp;n=507846"&gt;Terrorist or Freedom Fighters &lt;/a&gt;and &lt;a href="http://www.amazon.com/exec/obidos/tg/detail/-/0974288411/qid=1121130745/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/104-7728784-0984710?v=glance&amp;s=books&amp;amp;n=507846"&gt;The Logic of Political Violence&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Enough said.  
I'll try and keep them shorter in the future.</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112113087726690546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112113087726690546&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112113087726690546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112113087726690546'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/07/terrorism-and-criticism-of.html' title='Terrorism  and criticism of intelligence'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-14312771.post-112084149546886514</id><published>2005-07-08T09:51:00.000-07:00</published><updated>2005-07-08T10:45:34.266-07:00</updated><title type='text'>Starting now..</title><content type='html'>Since starting the &lt;a href="http://worshipprotection.blogspot.com/"&gt;House of Worship security blog&lt;/a&gt; it dawned on me that it might be better to also put together a blog on general security issues. Then the attack in London yesterday made the point a little more clear.&lt;br /&gt;&lt;br /&gt;Here we will look at more general security concerns - businesses, schools, transportation, secure storage, networks, and so on... 
Not the same old technical rehash that hits every other site, but instead a steady effort to address the concepts, foundations and thought process to make the technical stuff work.&lt;br /&gt;&lt;br /&gt;Yes, there is theory behind security. Not many realize it but it's there. Blame it on an industry that grew up under strange circumstances, with lots of different (and often competing) egos, and little thought to ethical goals or metaphysical concern.&lt;br /&gt;&lt;br /&gt;So here goes... The foundation for today's organizational security efforts is grounded in the ancient concept of 'self-defense.' This can be traced back to the concept of 'self-preservation'; however, self-preservation may be used as a justification for aggressive violence, which is not the point here - or within a society governed by the rule of law. Self-defense implies that another entity is the aggressor and the 'self' is taking action to thwart that aggression. So an individual is permitted to take action in self-defense. Since organizations within our society are granted many of the rights and obligations of an individual, they too are permitted to use this doctrine of self-defense. There we now have a foundation for our security efforts.&lt;br /&gt;&lt;br /&gt;Why is this important you ask? Well, over time we will see some security activities and ideas that are pretty murky in terms of their 'rightness' and having some sort of a foundation provides the ruler to measure it.&lt;br /&gt;&lt;br /&gt;But more importantly... 
It's the foundation for the effort and so a good place to start this blog.&lt;br /&gt;&lt;br /&gt;Rob&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://security-today.blogspot.com/feeds/112084149546886514/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=14312771&amp;postID=112084149546886514&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112084149546886514'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/14312771/posts/default/112084149546886514'/><link rel='alternate' type='text/html' href='http://security-today.blogspot.com/2005/07/starting-now.html' title='Starting now..'/><author><name>Rob Metscher CPP, CISSP, CFE</name><uri>http://www.blogger.com/profile/04343152294056918225</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
