Here's another request, and one that hits close to home. What are the benefits of belonging to ASIS? Are there any opportunities for students?
I know I'm not the best person to answer this, but here are my thoughts none-the-less...
ASIS International - formerly the American Society for Industrial Security - is the granddaddy of all security associations (as far as I know). They are and organization that has changed a lot since their beginnings and they are destined to change far more in the next decade.
Once upon a time when I first found my way into security I did not think too much of ASIS - why? Well my experiences were of rather pompous people that believed they knew everything; however they did not seem open to changes (so I figured ASIS were fitting initials). After some time I found that not being part of it could be a little dangerous to a career - at least from the networking and industry update side. I joined other organizations like the International Foundation for Protection Officers, the Academy of Security Educators and Trainers, and was inducted into The Nine Lives Associates, but I eventually realized that ASIS was where these pretty much all came from anyway. I'm still part of all of these as well as being involved in ASIS.
Is ASIS a good ol' boys group? Maybe once upon a time it was - and it certainly was in my perception - but I've noticed in just the last eight years a subtle change away from such an image. Now it could very well be that my perception has changed due to my involvement and interaction with a wider group of members. Either way, I now see ASIS as something very important to our industry and something worth being part of - if nothing else but to affect change for the better.
So what do I get from ASIS? I like training, news, interaction, argument - dissent, disagreement, and conflict - for the sake of getting better. I like to think and ask others to challenge my thoughts - and many are all too willing to do so in an almost unfriendly way. ASIS gives me access to many others within my own industry - saints and jerks alike. We can learn something from anyone, and with that in mind and something like 20,000 members there's a lot I can learn from ASIS.
ASIS also provides the most well known certifications. Why are these important? Consider this... Who do you want to do your taxes? A Certified Public Accountant or an Accountant? Why is that? To me a CPA represents someone that is willing to put their knowledge and skills to greater scrutiny - once for an examination - and continually by meeting the expectations of those that choose a CPA. They also have a Code of Conduct that is spelled out clearly for everyone to see. This means there are disciplinary actions that can be taken outside of the usual criminal and civil paths. Why is this important? It means that a CPA is willing to perform to a standard or be punished professionally. Now take that into the world of security. Who do you look for when you need an answer? A Security Manager or the CPP? Which would you prefer protecting your organization on a day-to-day basis? A security officer or a CPO? Do you expect a certain level of performance? Absolutely. When a standard is not met then 'professional' disciplinary action can be taken. ASIS, IFPO, ACFE, and ISC2 all have expected standards of performance. So the certifications are important by imparting an agreement by the designee, to perform in an acceptable way, the organization, to enforce their rules of conduct to maintain the quality of the certification in the public domain, and the public (or consumers), who expect that level of performance. It is a commitment to professionalism.
So what can students do in ASIS? LEARN! Take notes, train, NETWORK, and drive yourself to a higher standard than your own mentor. Oh yah, find a mentor (or mentors) and grow from their experience - but always think for yourself.
Attending training - when you can afford it - is essential to reaching that next level. Any training is good - even bad training. Bad training (and I've paid for my fair share of absolute crap disguised under the reputation of a "security pro") helps you to know who is full of crap in the industry and what they sound like when they talk. They will be your competition for good jobs. There's a lot to be said for these folks, but they're in every industry so just go out and meet them. Bad training can also get you hurt - think about everything that you are taught - so that the skills you learn do not govern your performance. Ask yourself, "How would I get around this?" or "How could this be defeated?" Sometimes it's worth asking someone who really knows. When I used to catch shoplifters I often asked them about previous fights with law enforcement or security. They'll talk - everyone who wins a fight talks - and this can be beneficial to you. Develop a "Discipline of Training" and stick with it. A little here, a little there. When you can't afford training (and I know how that feels making $5.90 catching thieves) get a book, conduct a free survey, plan a security system, engineer a breakin, and use your imagination to train yourself - it's free. Offer to work with someone on your off-hours; informal internships can be very useful. AND go where the knowledge is - just like salespersons go where the money is - spend time in the circles that your potential mentors will be and be involved. This is where ASIS can be a great help because you can go where the best are - monthly meetings, committees and so on. When you drink beer or otherwise socialize with these folks take some time to get advice on your career direction, opportunities, tricks and tips, and then make sure you don't monopolize the time. DON'T be afraid to offer your opinion on any discussion concerning security. If you're wrong you'll learn, and if you're right then you're contributing. If those with you blow you off and act like you should be a child - seen and not heard - then it's time to find a new group of pro's because there's little reason to waste your time with pompous fools unwilling to drive someone else's success. Your time is valuable - DO NOT waste it. Build your network - nurture your network - expand your network - improve yourself so others want to network with you - and focus on quality and not size. 200 business cards are just a stack of paper - 2 good contacts that you can reach out to and not be a stranger can change your life.
Those are my thoughts on ASIS - for me it is a facilitator for all of this.
Rob
/
Thursday, September 29, 2005
Wednesday, September 28, 2005
Walk - don't run... No wait, run for your lives!!!
We have a special request for a very interesting, and I daresay relevant, topic. Oh, and a polite out-of-bandwidth comment on being lazy and not blogging.
How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...
When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in out card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now! This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.
Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the amount of rapid access/egress activities are substantially lower. All you need is a control point where the tokens can be dropped off or picked up and a someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.
How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Then hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.
So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. We can make those student ID's proximity cards so that those entering and leaving are identified on an occupation roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the throughput rate is everything to your client. Otherwise it just won't be used CONSISTENTLY.
Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marchinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moments notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose fits with the organization's culture: No fit = No use = Disaster.
Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even through up an example or two for fun... But keep it simple so that it works in a crisis.
Always be absolutely ruthless with your own plans - is sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. Send your plan in a comment and I'll gladly look for a way around it.
One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!
Think fast...
How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...
When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in out card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now! This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.
Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the amount of rapid access/egress activities are substantially lower. All you need is a control point where the tokens can be dropped off or picked up and a someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.
How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Then hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.
So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. We can make those student ID's proximity cards so that those entering and leaving are identified on an occupation roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the throughput rate is everything to your client. Otherwise it just won't be used CONSISTENTLY.
Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marchinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moments notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose fits with the organization's culture: No fit = No use = Disaster.
Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even through up an example or two for fun... But keep it simple so that it works in a crisis.
Always be absolutely ruthless with your own plans - is sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. Send your plan in a comment and I'll gladly look for a way around it.
One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!
Think fast...
Tuesday, September 20, 2005
Increased threats + Increased Concerns <> Increased Security
The Jewish high holidays are on their way and just in time for the recent threats from "the American Al-Queda" against targets in the U.S. and Australia and the break-up of another Southern California plot. But Australia? I must admit I'm not sure why he picked them, but hey it's his videotape anyway. Regardless of my personal feelings about those who wish to change my beliefs by force - I want to discuss the fallacy that merely increasing our concerns somehow increases our security.
Efforts will be made to increase the preparedness of Jewish and Israeli property all over the world, but I keep hearing people say that somehow we're better prepared because of our awareness. Well, I must admit that this is somewhat true, BUT it is the preparedness supporting this awareness that brings the security. Imagine of we all knew that 9/11 was going to happen but lacked a way to tell anyone besides each other? OK maybe this isn't the best example but we must have a plan for reporting and responding to threats - regardless of when we must react. Thus plans must be dynamic to be useful if a plan is discovered at any phase up to and including its successful manifestation. So we must have a way to report our suspicions and investigate them. This may be from a conversation overhead in public (however unlikely) or it may be THAT PERSON WALKING TOWARDS US NOW!
So now that we have the heightened awareness going for us we need to get the plans in place (and communicated) to ensure we are able to identify, assess, respond, and resolve all real or potential encounters.
The hard part is coordinating the activities of the good guys - private, local law enforcement, state law enforcement, federal law enforcement, and the intelligence capabilities of each.
What private intelligence capabilities you ask. Every organization possessed an immense intel ability. How many of our members here information in public, find information on the web, or are able to collate information from all of these sources? I worked with a firm that tracked domestic environmental extremists for a client. Were we successful? Very much. So much so that after some of the less publicized acts of Eco-terror we provided much of the contextual information to law enforcement investigators.
As they say - Keep you ear to the ground. Oh, and have a plan, test it, revise it, test it again, communicate it, and keep it flexible. Your defense in-depth starts with your intel, progesses through your passive and active defensive measures and ends with your ability to react to a successful event.
Rob
/
Efforts will be made to increase the preparedness of Jewish and Israeli property all over the world, but I keep hearing people say that somehow we're better prepared because of our awareness. Well, I must admit that this is somewhat true, BUT it is the preparedness supporting this awareness that brings the security. Imagine of we all knew that 9/11 was going to happen but lacked a way to tell anyone besides each other? OK maybe this isn't the best example but we must have a plan for reporting and responding to threats - regardless of when we must react. Thus plans must be dynamic to be useful if a plan is discovered at any phase up to and including its successful manifestation. So we must have a way to report our suspicions and investigate them. This may be from a conversation overhead in public (however unlikely) or it may be THAT PERSON WALKING TOWARDS US NOW!
So now that we have the heightened awareness going for us we need to get the plans in place (and communicated) to ensure we are able to identify, assess, respond, and resolve all real or potential encounters.
The hard part is coordinating the activities of the good guys - private, local law enforcement, state law enforcement, federal law enforcement, and the intelligence capabilities of each.
What private intelligence capabilities you ask. Every organization possessed an immense intel ability. How many of our members here information in public, find information on the web, or are able to collate information from all of these sources? I worked with a firm that tracked domestic environmental extremists for a client. Were we successful? Very much. So much so that after some of the less publicized acts of Eco-terror we provided much of the contextual information to law enforcement investigators.
As they say - Keep you ear to the ground. Oh, and have a plan, test it, revise it, test it again, communicate it, and keep it flexible. Your defense in-depth starts with your intel, progesses through your passive and active defensive measures and ends with your ability to react to a successful event.
Rob
/
Suicide bombers and public transportation
An image recently came to mind dating back to the London bombings... Searches at U.S. subway entrances. On television they appeared to be done professionally - and I'm discussing the issue of racial profiling just the searching methodology and not the selection.
I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.
So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.
Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hand a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.
Why is this concept worthwhile? The number of persons nearby to the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.
Is it full-proof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEO's to reach the short-term goal.
I'd be interested in hearing your thoughts on this...
Rob
/
I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.
So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.
Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hand a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.
Why is this concept worthwhile? The number of persons nearby to the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.
Is it full-proof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEO's to reach the short-term goal.
I'd be interested in hearing your thoughts on this...
Rob
/
Friday, September 16, 2005
Windows v. Linux: A Security Perspective...
Today I bumped into an individual at Borders Books and who asked which was more secure Windows or Linux. Well what do you think? I think it really depends more on the individuals using it and those administering it. Threats ultimately come from people and so do the defenses. So any poorly managed operating system is more vulnerable than a well managed operating system - with a few caveats... As for Windows and Linux. Windows is more widely used - so it is targeted more often; Linux is not. If you are designing malicious code to affect the widest population of users you must make have it target operating systems and applications that are most widely deployed. It makes not sense to create a virus - or other malware - that targets an operating system that works on only one machine. That is, of course, unless it is a very targeted attack like you might see in the movies.
Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.
So which is more secure? I think it is the OS deployment that suffers for poor or inept management.
Rob
/
Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.
So which is more secure? I think it is the OS deployment that suffers for poor or inept management.
Rob
/
Thursday, September 15, 2005
ASIS Orlando
I know I had planned to blog from Orlando but events overtook me and I'm back now. Needless to say that it was a huge event with tons of informational seminars and somewhere like 300 vendors showing their goods. One of those vendors also happens to be another organization that I am very involved with and it focuses on training for line security officers, supervisors and managers. These are folks that have to make the security happen everyday. I was once one of them and "it ain't easy." They are typically underpaid, undertrained, and treated like an incapable moron - who does everyone call when something happens? That's right - security! It has got to be one of the oddest paradoxes in our society. Oh, the organization is The International Foundation for Protection Officers based in Florida. They offer great training programs - of which I am a proud certificate holder - and an outlet for learning that really doesn't exist anywhere else in the industry.
I know this isn't about ASIS in Orlando - but that's it.
I know this isn't about ASIS in Orlando - but that's it.
Peeling safes - huh?
I read a recent article about a number of church burglaries in a local community, and one of the churches had their safe "peeled." I don't know exactly what happened but I can offer a small about of info on breaching safes....
First of all safes are a barrier device! They are not a stand alone solution. Never forget that given enough time any barrier can be breached - this is especially so with things that contain money (or are perceived to contain money). That is why monitoring devices, like alarms, are used; they permit a response that shortens the available time to complete the attack. Back to safes -
Safes come in two general varieties - burglary resistant and fire resistant - and they are rated to describe their robustness. Fire safes are meant to prevent property inside from being destroyed by heat from the outside. Remember paper breaks down around 350 degrees Fahrenheit and magnetic media starts to go at about 150 degrees. Fire safes are also only good for a fixed period of time after manufacture - generally. Anyway, they are not meant to significantly delay physical entry by a determined attacker. Their sides are filled with insulation to repel heat and not tools. Simple tools can do wonders when used for forcible entry. They are ideal for those records that you do not want destroyed - although the best solution is to also store duplicates off-site (also done somewhat securely). Now burglary resistant safes, on the other hand, are an entirely different animal. They are meant to keep unauthorized folks out. Because their sides are typically made of steal they tend to work like an oven during a fire - so not good for important records. And yes you can use a fire resistant box inside a burglary resistant safe - again it's a heat issue... how long and how much. Burglary resistant (BR) safes that rated by the Underwriter's Laboratories carry ratings like TL-15, or my personal favorite TLTR-30x6. In short TL = tools, TR = torch, and TX = explosives (although you don't see many of these). So a TLTR is rated for tools and torches. The number after these designators represent the amount of time in minutes. Yes, that 200 pound safe is only rated for 15 minutes of protection! And they should be bolted to the floor and away from external doors because they can still be chained to a vehicle and dragged off. If a "x6" is attached to the end it means that the protection is extended to all six sides. Normally only the door is tested and rated. It is also the most likely point of attack. When locksmiths need to gain access they will either drill through the door or through the back so that they can see the door to manipulate the "wheelpack" which is how the combination works. But that's not the focus right now. Incidentally, safes are not intended to go beyond the 30 minute mark - after that you should be looking at a vault for protection, but that's for another time (and likely over on security-today.blogspot.com)
Safes can be breached (besides explosives) in a couple of ways with the most common being "peeling" and manipulation. Peeling is just how it sounds. A segment of metal is gotten hold of - often at the edge of the door - and pulled away. This along should tell you two things: the quality of the safe and the amount of force applied. Drilling into the door to allow he manipulation of the combination is dangerous if the safe is equipped with a "re-locking device" - which might be a sheet of glass that, when broken, causes spring-loaded rods to push into the door PERMANENTLY. The safe will now require a locksmith - of safe cracker - to gain access. My lesson learned came when a safe I needed at a store was pushed off the back of a truck - the glass broke and I had a very heavy empty metal box.
So there you have it in a nutshell. Choose your safe carefully and make sure you have a few layers of protection in front of it. And yes, we will discuss layered protection in the future..
Rob
/
First of all safes are a barrier device! They are not a stand alone solution. Never forget that given enough time any barrier can be breached - this is especially so with things that contain money (or are perceived to contain money). That is why monitoring devices, like alarms, are used; they permit a response that shortens the available time to complete the attack. Back to safes -
Safes come in two general varieties - burglary resistant and fire resistant - and they are rated to describe their robustness. Fire safes are meant to prevent property inside from being destroyed by heat from the outside. Remember paper breaks down around 350 degrees Fahrenheit and magnetic media starts to go at about 150 degrees. Fire safes are also only good for a fixed period of time after manufacture - generally. Anyway, they are not meant to significantly delay physical entry by a determined attacker. Their sides are filled with insulation to repel heat and not tools. Simple tools can do wonders when used for forcible entry. They are ideal for those records that you do not want destroyed - although the best solution is to also store duplicates off-site (also done somewhat securely). Now burglary resistant safes, on the other hand, are an entirely different animal. They are meant to keep unauthorized folks out. Because their sides are typically made of steal they tend to work like an oven during a fire - so not good for important records. And yes you can use a fire resistant box inside a burglary resistant safe - again it's a heat issue... how long and how much. Burglary resistant (BR) safes that rated by the Underwriter's Laboratories carry ratings like TL-15, or my personal favorite TLTR-30x6. In short TL = tools, TR = torch, and TX = explosives (although you don't see many of these). So a TLTR is rated for tools and torches. The number after these designators represent the amount of time in minutes. Yes, that 200 pound safe is only rated for 15 minutes of protection! And they should be bolted to the floor and away from external doors because they can still be chained to a vehicle and dragged off. If a "x6" is attached to the end it means that the protection is extended to all six sides. Normally only the door is tested and rated. It is also the most likely point of attack. When locksmiths need to gain access they will either drill through the door or through the back so that they can see the door to manipulate the "wheelpack" which is how the combination works. But that's not the focus right now. Incidentally, safes are not intended to go beyond the 30 minute mark - after that you should be looking at a vault for protection, but that's for another time (and likely over on security-today.blogspot.com)
Safes can be breached (besides explosives) in a couple of ways with the most common being "peeling" and manipulation. Peeling is just how it sounds. A segment of metal is gotten hold of - often at the edge of the door - and pulled away. This along should tell you two things: the quality of the safe and the amount of force applied. Drilling into the door to allow he manipulation of the combination is dangerous if the safe is equipped with a "re-locking device" - which might be a sheet of glass that, when broken, causes spring-loaded rods to push into the door PERMANENTLY. The safe will now require a locksmith - of safe cracker - to gain access. My lesson learned came when a safe I needed at a store was pushed off the back of a truck - the glass broke and I had a very heavy empty metal box.
So there you have it in a nutshell. Choose your safe carefully and make sure you have a few layers of protection in front of it. And yes, we will discuss layered protection in the future..
Rob
/
Tuesday, September 13, 2005
Panic buttons - When, Where and Why
This is an interesting post concerning a fire in a Mosque in South London last month. I haven't sought any clarifying information concerning the fire, but let's go with the statements and stick with arson and the use of panic buttons.
What is a panic button (or duress alarms, or silent hold-up alarm)? It is literally an alarm that may be activated when someone is being threatened - or panicking. They come in many shapes and sizes - some are hardwired (or fixed) and others are wireless (or portable). In the U.S. anyway - and I know the article is in South London - panic buttons generally garner a faster more serious response by the police - why? Well quite simply because a person has to actually activate it. That means some conscious thought went into it - or it is improperly placed to allow accidental activations. Whereas a motion sensor - of any sort - may cause a nuisance alarm because of some environmental condition the only environmental condition that cause the activation of a panic alarm is, well, panic. That means someone is under duress and needs immediate assistance. That's why the response it generally better. They are very useful and applicable to nearly any setting - not just for intruders or threats. They may be used for safety, such as for the elderly. Granted these transmit the signal someplace other than the police, but it's the same technology.
My only guess in this article is that the alarm is tied directly to the police and therefore special permission is required for its installation. In the U.S. these devices may be obtained through, and I'm guessing, just about every alarm monitoring service. They are generally inexpensive - after all they are just a button - and can be a great enhancement to your current system.
Where should they go? The receptionist (or any gatekeeper) for one, along with 'executive' (read clergy) offices, and in any "safe" rooms that may exist. These may be bathrooms or basement areas that are used for sheltering during threats and disasters. Wireless panic buttons are especially useful for use by those that must work with large sums of money - while they work with the money. This way they do not need to find the alarm - grope around aimlessly - when they are frightened.
Remember every device also needs to have policies and procedures governing their use, training, drills, and a plan for what to do next. Liaison with law enforcement is helpful so that everyone knows what to expect with the response. In many instances, if he PD must make any sort of entry they simply secure (handcuff) everyone and sort out the bad guys after controlling the facility. This can be pretty traumatic to those not expecting it.
Rob
/
What is a panic button (or duress alarms, or silent hold-up alarm)? It is literally an alarm that may be activated when someone is being threatened - or panicking. They come in many shapes and sizes - some are hardwired (or fixed) and others are wireless (or portable). In the U.S. anyway - and I know the article is in South London - panic buttons generally garner a faster more serious response by the police - why? Well quite simply because a person has to actually activate it. That means some conscious thought went into it - or it is improperly placed to allow accidental activations. Whereas a motion sensor - of any sort - may cause a nuisance alarm because of some environmental condition the only environmental condition that cause the activation of a panic alarm is, well, panic. That means someone is under duress and needs immediate assistance. That's why the response it generally better. They are very useful and applicable to nearly any setting - not just for intruders or threats. They may be used for safety, such as for the elderly. Granted these transmit the signal someplace other than the police, but it's the same technology.
My only guess in this article is that the alarm is tied directly to the police and therefore special permission is required for its installation. In the U.S. these devices may be obtained through, and I'm guessing, just about every alarm monitoring service. They are generally inexpensive - after all they are just a button - and can be a great enhancement to your current system.
Where should they go? The receptionist (or any gatekeeper) for one, along with 'executive' (read clergy) offices, and in any "safe" rooms that may exist. These may be bathrooms or basement areas that are used for sheltering during threats and disasters. Wireless panic buttons are especially useful for use by those that must work with large sums of money - while they work with the money. This way they do not need to find the alarm - grope around aimlessly - when they are frightened.
Remember every device also needs to have policies and procedures governing their use, training, drills, and a plan for what to do next. Liaison with law enforcement is helpful so that everyone knows what to expect with the response. In many instances, if he PD must make any sort of entry they simply secure (handcuff) everyone and sort out the bad guys after controlling the facility. This can be pretty traumatic to those not expecting it.
Rob
/
Friday, September 9, 2005
Katrina
I guess I should make some comments about Katrina - just like everyone else, right? I offer this.
Have a plan. Test your plan. Revise your plan. Keep your plan current.
But fight your enemy.
No plan survives contact with the enemy - stay flexible and stay effective.
Those are my thoughts. I don't care who screwed up at this point - the guillotine didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.
Have a plan. Test your plan. Revise your plan. Keep your plan current.
But fight your enemy.
No plan survives contact with the enemy - stay flexible and stay effective.
Those are my thoughts. I don't care who screwed up at this point - the guillotine didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.
ASIS International's annual conference
Next week is ASIS International's annual conference in Orlando, Florida. ASIS was formerly known as the American Society for Industrial Security but the name was changed to better reflect its worldwide involvement.
It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. as least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).
Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. See you there.
Rob
/
It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. as least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).
Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. See you there.
Rob
/
What do you think?
I bumped into this interesting post on another blog today and thought it might make for an interesting topic. By no means do I encourage or discourage anyone to carry a firearm anywhere let alone in a church, mosque, synagogue, temple, sanctuary, or other house of worship. That decision is not for me to make for others, but it does bring up something worth discussing.
What if you specifically (passionately or not) believe that firearms should not be carried in church - let's not worry about the rest of civilization just yet - what can you possibly do to combat an armed aggressor? Can you? Should you? Should anyone? Just how can the survival of as many people be helped? To answer this let's start with a short path analysis of what it takes to accomplish this. First let me just add that simply arming everyone is not the first answer that should be sought. Sadly, it may be necessary to have armed individuals present but if this is the only solution chosen then it implies a willingness to allow the violence to begin in the first place. Remember the pillars of security - Deter, Detect, Delay, Deny. We need to have layers of features in place for the greatest opportunity to mitigate such an event.
Back to the path analysis (a very simplified version)... The assailant must come onto the property, enter the facility, locate their target or choose the moment to initiate the attack. Now there probably isn't too much opportunity to keep this person off of the grounds since most people aren't challenged at this point, however it is often common to challenge people before entering the facility. What is that you say? Challenge, greet - same thing! There is no reason that you cannot use the greeting as an opportunity to make an evaluation - we do it naturally anyway. If a person seems out of sorts isn't just being a good neighbor to inquire to their need? Offer assistance? Find them counseling? I am not trying to say that any of these incidents could necessarily have been prevented, but we do know that there weren't any controls in place to be tested. So the greeter can be an important asset in detecting potential problems. They should be trained to ask how worshippers are and attempt to carry on a short conversation. What not enough greeters? Then seek more volunteers. What if the individual isn't seeking to harm anyone but is disturbed - a well trained greeter could be the first friendly voice that is heard and the first person to offer to guide them to help. Think about it. The plan cannot just be to catch shooters - it must be able to identify various sorts of problems. They are all people in need, right?
So the person has entered the facility, now what? Once it all "drops in the pot" there isn't too much that you can do, but react. If shooting starts, for any reason, the goal must be to get as many people out as quickly as possible. Subduing the attacker comes second, unless there persons prepared to engage in a force-on-force engagement - and that is what it is at that point. The winner is the one with the means to employ force more effectively. But let's not forget this is still in a church - so explore opportunities to 'cut' the path and avoid being too focused on just one sort of incident.
According to an old say, "Your mind is your primary weapon." Take a minute and employ yours to seek ways to detect and prevent violence rather than simply responding to it. Someone has to decide to commit violence, maybe we can convince them ahead of time that it's the wrong choice.
Rob
/
What if you specifically (passionately or not) believe that firearms should not be carried in church - let's not worry about the rest of civilization just yet - what can you possibly do to combat an armed aggressor? Can you? Should you? Should anyone? Just how can the survival of as many people be helped? To answer this let's start with a short path analysis of what it takes to accomplish this. First let me just add that simply arming everyone is not the first answer that should be sought. Sadly, it may be necessary to have armed individuals present but if this is the only solution chosen then it implies a willingness to allow the violence to begin in the first place. Remember the pillars of security - Deter, Detect, Delay, Deny. We need to have layers of features in place for the greatest opportunity to mitigate such an event.
Back to the path analysis (a very simplified version)... The assailant must come onto the property, enter the facility, locate their target or choose the moment to initiate the attack. Now there probably isn't too much opportunity to keep this person off of the grounds since most people aren't challenged at this point, however it is often common to challenge people before entering the facility. What is that you say? Challenge, greet - same thing! There is no reason that you cannot use the greeting as an opportunity to make an evaluation - we do it naturally anyway. If a person seems out of sorts isn't just being a good neighbor to inquire to their need? Offer assistance? Find them counseling? I am not trying to say that any of these incidents could necessarily have been prevented, but we do know that there weren't any controls in place to be tested. So the greeter can be an important asset in detecting potential problems. They should be trained to ask how worshippers are and attempt to carry on a short conversation. What not enough greeters? Then seek more volunteers. What if the individual isn't seeking to harm anyone but is disturbed - a well trained greeter could be the first friendly voice that is heard and the first person to offer to guide them to help. Think about it. The plan cannot just be to catch shooters - it must be able to identify various sorts of problems. They are all people in need, right?
So the person has entered the facility, now what? Once it all "drops in the pot" there isn't too much that you can do, but react. If shooting starts, for any reason, the goal must be to get as many people out as quickly as possible. Subduing the attacker comes second, unless there persons prepared to engage in a force-on-force engagement - and that is what it is at that point. The winner is the one with the means to employ force more effectively. But let's not forget this is still in a church - so explore opportunities to 'cut' the path and avoid being too focused on just one sort of incident.
According to an old say, "Your mind is your primary weapon." Take a minute and employ yours to seek ways to detect and prevent violence rather than simply responding to it. Someone has to decide to commit violence, maybe we can convince them ahead of time that it's the wrong choice.
Rob
/
Sunday, September 4, 2005
Are you locking your doors?
Some HOW are still able to get away with not locking up - and I say great it sounds like a community I want to live in. Everyone else, however sad it may be, realizes the need to lock their sanctuary to prevent criminal damage.
But who has a key? The best lock is worthless if everyone has a key!!! In the world of security this is called - prepare for the creativity of the name - Key Control. It sounds so simple - and many consultants will act like it is - but let's face it... Houses of Worship - churches, synagogues, mosques, and sanctuaries of all sorts - must provide access to lots of people for just as many reasons. So where then does one begin and how does it happen and what if it won't work for us and what if and what if and what if and what if... We haven't gotten that far yet. Save the "what ifs" for the right time - which is after you hear how the basic process works. Think of it in these phases: Sourcing access, granting access, managing access devices.
Sourcing access comes when you know who changed the locks (or rekeyed them) and how many keys were made for them. Typically this is done when they are rekeyed (we'll call it changing locks going forward rather than worrying about the technicalities between changing or rekeying locks) and the locksmith is right there. Once the work is done and all the keys are received there should be some documentation that indicates that, preferably, two responsible people acknowledge that the correct number of keys were received. Then the process of granting access starts. Who needs access and why. These individuals should be required to sign for their key - which is property of your organization - to acknowledge receipt. They should also have to sign an acknowledgement that they have received a copy of your organization's Access Control Policy (which we will discuss another time) that describes how and why the facility should be accessed and egressed, or occupied and vacated. This police will evolve so new ones can be distributed on a somewhat routine basis - maybe every six months to a year. Now people have access to the facility. The policy should include obligations not to reproduce the keys (access devices) or to share them with others, and to return them immediately upon request. Why would they have to return them? Well that should be in the policy as well, but don't be afraid to revoke access every so often if warnings and other agreements cannot be abided. This is part of managing access devices - revoking access - along with inventorying spare devices regularly and securing them appropriately so that those without access to the facility cannot conveniently get access.
Alright I think I'm done with this topic for now. I'd be glad to discuss it with anyone looking for help - so drop me a line.
Rob
/
But who has a key? The best lock is worthless if everyone has a key!!! In the world of security this is called - prepare for the creativity of the name - Key Control. It sounds so simple - and many consultants will act like it is - but let's face it... Houses of Worship - churches, synagogues, mosques, and sanctuaries of all sorts - must provide access to lots of people for just as many reasons. So where then does one begin and how does it happen and what if it won't work for us and what if and what if and what if and what if... We haven't gotten that far yet. Save the "what ifs" for the right time - which is after you hear how the basic process works. Think of it in these phases: Sourcing access, granting access, managing access devices.
Sourcing access comes when you know who changed the locks (or rekeyed them) and how many keys were made for them. Typically this is done when they are rekeyed (we'll call it changing locks going forward rather than worrying about the technicalities between changing or rekeying locks) and the locksmith is right there. Once the work is done and all the keys are received there should be some documentation that indicates that, preferably, two responsible people acknowledge that the correct number of keys were received. Then the process of granting access starts. Who needs access and why. These individuals should be required to sign for their key - which is property of your organization - to acknowledge receipt. They should also have to sign an acknowledgement that they have received a copy of your organization's Access Control Policy (which we will discuss another time) that describes how and why the facility should be accessed and egressed, or occupied and vacated. This police will evolve so new ones can be distributed on a somewhat routine basis - maybe every six months to a year. Now people have access to the facility. The policy should include obligations not to reproduce the keys (access devices) or to share them with others, and to return them immediately upon request. Why would they have to return them? Well that should be in the policy as well, but don't be afraid to revoke access every so often if warnings and other agreements cannot be abided. This is part of managing access devices - revoking access - along with inventorying spare devices regularly and securing them appropriately so that those without access to the facility cannot conveniently get access.
Alright I think I'm done with this topic for now. I'd be glad to discuss it with anyone looking for help - so drop me a line.
Rob
/
Disaster and Continuity Planning
We have all seen the devastation that was brought by Katrina. Amazing isn't it? The sheer capability of the event to destroy and area roughly the size of England! How does one prepare and what exactly do you prepare to do anyway. There is constant discussion, argument and annoying debate concerning Continuity and Disaster Planning; however these are not the same. Continuity planning is the process of being able to continue operations while a serious event is occuring - essentially operating without being affected - and Disaster Recovery is the process of fixing everything after it has been broken.
Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptivec events, to say the least. I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurrican, but here let's just touch a little on Business Continuity Planning (BCP) and Disaster Recovery (DR). Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs).
BCP, of course, requires some advance preparation (hence the term planning in business continuity planning) in advance of an event. How does one do this and what do they prepare for? Thanks for asking that's a great question. First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations. What is critical and what isn't. In comparison with the human body we tend to use Maslow's Heirarchy of Needs so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really dehydrated knows how painful a lack of water is), then food, then shelter and so on. Medication would most likely fit nicely between water and food. Anyway and organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations someplace - permanently or temporarily - to someplace more hospitable. For the human this exercise can be called survival - and, well, it can for the organization as well. The other end of BCP, in short, is how to restore operations to normal after the event has passed. Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done. Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal. Get back to servicing customers and conducting business.
Now there is clearly much much more to this, but it's a start at least. Remember the old adage: Proper Planning Prevents Piss Poor Performance. So plan, prepare and be brutal about it. Take nothing for granted. Assume the worst. And then start over and make it worse. I think it was Richard Marcinko that said: Training should be real as to make the real thing seem fake - or something like that. There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south. Plan, prepare, implement your plan, revise it as it make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time.
One other thing. If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you. This is your opportunity to learn from others. When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.
Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptivec events, to say the least. I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurrican, but here let's just touch a little on Business Continuity Planning (BCP) and Disaster Recovery (DR). Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs).
BCP, of course, requires some advance preparation (hence the term planning in business continuity planning) in advance of an event. How does one do this and what do they prepare for? Thanks for asking that's a great question. First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations. What is critical and what isn't. In comparison with the human body we tend to use Maslow's Heirarchy of Needs so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really dehydrated knows how painful a lack of water is), then food, then shelter and so on. Medication would most likely fit nicely between water and food. Anyway and organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations someplace - permanently or temporarily - to someplace more hospitable. For the human this exercise can be called survival - and, well, it can for the organization as well. The other end of BCP, in short, is how to restore operations to normal after the event has passed. Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done. Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal. Get back to servicing customers and conducting business.
Now there is clearly much much more to this, but it's a start at least. Remember the old adage: Proper Planning Prevents Piss Poor Performance. So plan, prepare and be brutal about it. Take nothing for granted. Assume the worst. And then start over and make it worse. I think it was Richard Marcinko that said: Training should be real as to make the real thing seem fake - or something like that. There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south. Plan, prepare, implement your plan, revise it as it make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time.
One other thing. If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you. This is your opportunity to learn from others. When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.
Subscribe to:
Posts (Atom)