The Jewish high holidays are on their way and just in time for the recent threats from "the American Al-Queda" against targets in the U.S. and Australia and the break-up of another Southern California plot. But Australia? I must admit I'm not sure why he picked them, but hey it's his videotape anyway. Regardless of my personal feelings about those who wish to change my beliefs by force - I want to discuss the fallacy that merely increasing our concerns somehow increases our security.
Efforts will be made to increase the preparedness of Jewish and Israeli property all over the world, but I keep hearing people say that somehow we're better prepared because of our awareness. Well, I must admit that this is somewhat true, BUT it is the preparedness supporting this awareness that brings the security. Imagine of we all knew that 9/11 was going to happen but lacked a way to tell anyone besides each other? OK maybe this isn't the best example but we must have a plan for reporting and responding to threats - regardless of when we must react. Thus plans must be dynamic to be useful if a plan is discovered at any phase up to and including its successful manifestation. So we must have a way to report our suspicions and investigate them. This may be from a conversation overhead in public (however unlikely) or it may be THAT PERSON WALKING TOWARDS US NOW!
So now that we have the heightened awareness going for us we need to get the plans in place (and communicated) to ensure we are able to identify, assess, respond, and resolve all real or potential encounters.
The hard part is coordinating the activities of the good guys - private, local law enforcement, state law enforcement, federal law enforcement, and the intelligence capabilities of each.
What private intelligence capabilities you ask. Every organization possessed an immense intel ability. How many of our members here information in public, find information on the web, or are able to collate information from all of these sources? I worked with a firm that tracked domestic environmental extremists for a client. Were we successful? Very much. So much so that after some of the less publicized acts of Eco-terror we provided much of the contextual information to law enforcement investigators.
As they say - Keep you ear to the ground. Oh, and have a plan, test it, revise it, test it again, communicate it, and keep it flexible. Your defense in-depth starts with your intel, progesses through your passive and active defensive measures and ends with your ability to react to a successful event.
Rob
/
Tuesday, September 20, 2005
Suicide bombers and public transportation
An image recently came to mind dating back to the London bombings... Searches at U.S. subway entrances. On television they appeared to be done professionally - and I'm discussing the issue of racial profiling just the searching methodology and not the selection.
I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.
So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.
Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hand a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.
Why is this concept worthwhile? The number of persons nearby to the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.
Is it full-proof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEO's to reach the short-term goal.
I'd be interested in hearing your thoughts on this...
Rob
/
I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.
So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.
Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hand a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.
Why is this concept worthwhile? The number of persons nearby to the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.
Is it full-proof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEO's to reach the short-term goal.
I'd be interested in hearing your thoughts on this...
Rob
/
Friday, September 16, 2005
Windows v. Linux: A Security Perspective...
Today I bumped into an individual at Borders Books and who asked which was more secure Windows or Linux. Well what do you think? I think it really depends more on the individuals using it and those administering it. Threats ultimately come from people and so do the defenses. So any poorly managed operating system is more vulnerable than a well managed operating system - with a few caveats... As for Windows and Linux. Windows is more widely used - so it is targeted more often; Linux is not. If you are designing malicious code to affect the widest population of users you must make have it target operating systems and applications that are most widely deployed. It makes not sense to create a virus - or other malware - that targets an operating system that works on only one machine. That is, of course, unless it is a very targeted attack like you might see in the movies.
Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.
So which is more secure? I think it is the OS deployment that suffers for poor or inept management.
Rob
/
Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.
So which is more secure? I think it is the OS deployment that suffers for poor or inept management.
Rob
/
Thursday, September 15, 2005
ASIS Orlando
I know I had planned to blog from Orlando but events overtook me and I'm back now. Needless to say that it was a huge event with tons of informational seminars and somewhere like 300 vendors showing their goods. One of those vendors also happens to be another organization that I am very involved with and it focuses on training for line security officers, supervisors and managers. These are folks that have to make the security happen everyday. I was once one of them and "it ain't easy." They are typically underpaid, undertrained, and treated like an incapable moron - who does everyone call when something happens? That's right - security! It has got to be one of the oddest paradoxes in our society. Oh, the organization is The International Foundation for Protection Officers based in Florida. They offer great training programs - of which I am a proud certificate holder - and an outlet for learning that really doesn't exist anywhere else in the industry.
I know this isn't about ASIS in Orlando - but that's it.
I know this isn't about ASIS in Orlando - but that's it.
Peeling safes - huh?
I read a recent article about a number of church burglaries in a local community, and one of the churches had their safe "peeled." I don't know exactly what happened but I can offer a small about of info on breaching safes....
First of all safes are a barrier device! They are not a stand alone solution. Never forget that given enough time any barrier can be breached - this is especially so with things that contain money (or are perceived to contain money). That is why monitoring devices, like alarms, are used; they permit a response that shortens the available time to complete the attack. Back to safes -
Safes come in two general varieties - burglary resistant and fire resistant - and they are rated to describe their robustness. Fire safes are meant to prevent property inside from being destroyed by heat from the outside. Remember paper breaks down around 350 degrees Fahrenheit and magnetic media starts to go at about 150 degrees. Fire safes are also only good for a fixed period of time after manufacture - generally. Anyway, they are not meant to significantly delay physical entry by a determined attacker. Their sides are filled with insulation to repel heat and not tools. Simple tools can do wonders when used for forcible entry. They are ideal for those records that you do not want destroyed - although the best solution is to also store duplicates off-site (also done somewhat securely). Now burglary resistant safes, on the other hand, are an entirely different animal. They are meant to keep unauthorized folks out. Because their sides are typically made of steal they tend to work like an oven during a fire - so not good for important records. And yes you can use a fire resistant box inside a burglary resistant safe - again it's a heat issue... how long and how much. Burglary resistant (BR) safes that rated by the Underwriter's Laboratories carry ratings like TL-15, or my personal favorite TLTR-30x6. In short TL = tools, TR = torch, and TX = explosives (although you don't see many of these). So a TLTR is rated for tools and torches. The number after these designators represent the amount of time in minutes. Yes, that 200 pound safe is only rated for 15 minutes of protection! And they should be bolted to the floor and away from external doors because they can still be chained to a vehicle and dragged off. If a "x6" is attached to the end it means that the protection is extended to all six sides. Normally only the door is tested and rated. It is also the most likely point of attack. When locksmiths need to gain access they will either drill through the door or through the back so that they can see the door to manipulate the "wheelpack" which is how the combination works. But that's not the focus right now. Incidentally, safes are not intended to go beyond the 30 minute mark - after that you should be looking at a vault for protection, but that's for another time (and likely over on security-today.blogspot.com)
Safes can be breached (besides explosives) in a couple of ways with the most common being "peeling" and manipulation. Peeling is just how it sounds. A segment of metal is gotten hold of - often at the edge of the door - and pulled away. This along should tell you two things: the quality of the safe and the amount of force applied. Drilling into the door to allow he manipulation of the combination is dangerous if the safe is equipped with a "re-locking device" - which might be a sheet of glass that, when broken, causes spring-loaded rods to push into the door PERMANENTLY. The safe will now require a locksmith - of safe cracker - to gain access. My lesson learned came when a safe I needed at a store was pushed off the back of a truck - the glass broke and I had a very heavy empty metal box.
So there you have it in a nutshell. Choose your safe carefully and make sure you have a few layers of protection in front of it. And yes, we will discuss layered protection in the future..
Rob
/
First of all safes are a barrier device! They are not a stand alone solution. Never forget that given enough time any barrier can be breached - this is especially so with things that contain money (or are perceived to contain money). That is why monitoring devices, like alarms, are used; they permit a response that shortens the available time to complete the attack. Back to safes -
Safes come in two general varieties - burglary resistant and fire resistant - and they are rated to describe their robustness. Fire safes are meant to prevent property inside from being destroyed by heat from the outside. Remember paper breaks down around 350 degrees Fahrenheit and magnetic media starts to go at about 150 degrees. Fire safes are also only good for a fixed period of time after manufacture - generally. Anyway, they are not meant to significantly delay physical entry by a determined attacker. Their sides are filled with insulation to repel heat and not tools. Simple tools can do wonders when used for forcible entry. They are ideal for those records that you do not want destroyed - although the best solution is to also store duplicates off-site (also done somewhat securely). Now burglary resistant safes, on the other hand, are an entirely different animal. They are meant to keep unauthorized folks out. Because their sides are typically made of steal they tend to work like an oven during a fire - so not good for important records. And yes you can use a fire resistant box inside a burglary resistant safe - again it's a heat issue... how long and how much. Burglary resistant (BR) safes that rated by the Underwriter's Laboratories carry ratings like TL-15, or my personal favorite TLTR-30x6. In short TL = tools, TR = torch, and TX = explosives (although you don't see many of these). So a TLTR is rated for tools and torches. The number after these designators represent the amount of time in minutes. Yes, that 200 pound safe is only rated for 15 minutes of protection! And they should be bolted to the floor and away from external doors because they can still be chained to a vehicle and dragged off. If a "x6" is attached to the end it means that the protection is extended to all six sides. Normally only the door is tested and rated. It is also the most likely point of attack. When locksmiths need to gain access they will either drill through the door or through the back so that they can see the door to manipulate the "wheelpack" which is how the combination works. But that's not the focus right now. Incidentally, safes are not intended to go beyond the 30 minute mark - after that you should be looking at a vault for protection, but that's for another time (and likely over on security-today.blogspot.com)
Safes can be breached (besides explosives) in a couple of ways with the most common being "peeling" and manipulation. Peeling is just how it sounds. A segment of metal is gotten hold of - often at the edge of the door - and pulled away. This along should tell you two things: the quality of the safe and the amount of force applied. Drilling into the door to allow he manipulation of the combination is dangerous if the safe is equipped with a "re-locking device" - which might be a sheet of glass that, when broken, causes spring-loaded rods to push into the door PERMANENTLY. The safe will now require a locksmith - of safe cracker - to gain access. My lesson learned came when a safe I needed at a store was pushed off the back of a truck - the glass broke and I had a very heavy empty metal box.
So there you have it in a nutshell. Choose your safe carefully and make sure you have a few layers of protection in front of it. And yes, we will discuss layered protection in the future..
Rob
/
Tuesday, September 13, 2005
Panic buttons - When, Where and Why
This is an interesting post concerning a fire in a Mosque in South London last month. I haven't sought any clarifying information concerning the fire, but let's go with the statements and stick with arson and the use of panic buttons.
What is a panic button (or duress alarms, or silent hold-up alarm)? It is literally an alarm that may be activated when someone is being threatened - or panicking. They come in many shapes and sizes - some are hardwired (or fixed) and others are wireless (or portable). In the U.S. anyway - and I know the article is in South London - panic buttons generally garner a faster more serious response by the police - why? Well quite simply because a person has to actually activate it. That means some conscious thought went into it - or it is improperly placed to allow accidental activations. Whereas a motion sensor - of any sort - may cause a nuisance alarm because of some environmental condition the only environmental condition that cause the activation of a panic alarm is, well, panic. That means someone is under duress and needs immediate assistance. That's why the response it generally better. They are very useful and applicable to nearly any setting - not just for intruders or threats. They may be used for safety, such as for the elderly. Granted these transmit the signal someplace other than the police, but it's the same technology.
My only guess in this article is that the alarm is tied directly to the police and therefore special permission is required for its installation. In the U.S. these devices may be obtained through, and I'm guessing, just about every alarm monitoring service. They are generally inexpensive - after all they are just a button - and can be a great enhancement to your current system.
Where should they go? The receptionist (or any gatekeeper) for one, along with 'executive' (read clergy) offices, and in any "safe" rooms that may exist. These may be bathrooms or basement areas that are used for sheltering during threats and disasters. Wireless panic buttons are especially useful for use by those that must work with large sums of money - while they work with the money. This way they do not need to find the alarm - grope around aimlessly - when they are frightened.
Remember every device also needs to have policies and procedures governing their use, training, drills, and a plan for what to do next. Liaison with law enforcement is helpful so that everyone knows what to expect with the response. In many instances, if he PD must make any sort of entry they simply secure (handcuff) everyone and sort out the bad guys after controlling the facility. This can be pretty traumatic to those not expecting it.
Rob
/
What is a panic button (or duress alarms, or silent hold-up alarm)? It is literally an alarm that may be activated when someone is being threatened - or panicking. They come in many shapes and sizes - some are hardwired (or fixed) and others are wireless (or portable). In the U.S. anyway - and I know the article is in South London - panic buttons generally garner a faster more serious response by the police - why? Well quite simply because a person has to actually activate it. That means some conscious thought went into it - or it is improperly placed to allow accidental activations. Whereas a motion sensor - of any sort - may cause a nuisance alarm because of some environmental condition the only environmental condition that cause the activation of a panic alarm is, well, panic. That means someone is under duress and needs immediate assistance. That's why the response it generally better. They are very useful and applicable to nearly any setting - not just for intruders or threats. They may be used for safety, such as for the elderly. Granted these transmit the signal someplace other than the police, but it's the same technology.
My only guess in this article is that the alarm is tied directly to the police and therefore special permission is required for its installation. In the U.S. these devices may be obtained through, and I'm guessing, just about every alarm monitoring service. They are generally inexpensive - after all they are just a button - and can be a great enhancement to your current system.
Where should they go? The receptionist (or any gatekeeper) for one, along with 'executive' (read clergy) offices, and in any "safe" rooms that may exist. These may be bathrooms or basement areas that are used for sheltering during threats and disasters. Wireless panic buttons are especially useful for use by those that must work with large sums of money - while they work with the money. This way they do not need to find the alarm - grope around aimlessly - when they are frightened.
Remember every device also needs to have policies and procedures governing their use, training, drills, and a plan for what to do next. Liaison with law enforcement is helpful so that everyone knows what to expect with the response. In many instances, if he PD must make any sort of entry they simply secure (handcuff) everyone and sort out the bad guys after controlling the facility. This can be pretty traumatic to those not expecting it.
Rob
/
Friday, September 9, 2005
Katrina
I guess I should make some comments about Katrina - just like everyone else, right? I offer this.
Have a plan. Test your plan. Revise your plan. Keep your plan current.
But fight your enemy.
No plan survives contact with the enemy - stay flexible and stay effective.
Those are my thoughts. I don't care who screwed up at this point - the guillotine didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.
Have a plan. Test your plan. Revise your plan. Keep your plan current.
But fight your enemy.
No plan survives contact with the enemy - stay flexible and stay effective.
Those are my thoughts. I don't care who screwed up at this point - the guillotine didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.
ASIS International's annual conference
Next week is ASIS International's annual conference in Orlando, Florida. ASIS was formerly known as the American Society for Industrial Security but the name was changed to better reflect its worldwide involvement.
It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. as least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).
Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. See you there.
Rob
/
It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. as least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).
Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. See you there.
Rob
/
What do you think?
I bumped into this interesting post on another blog today and thought it might make for an interesting topic. By no means do I encourage or discourage anyone to carry a firearm anywhere let alone in a church, mosque, synagogue, temple, sanctuary, or other house of worship. That decision is not for me to make for others, but it does bring up something worth discussing.
What if you specifically (passionately or not) believe that firearms should not be carried in church - let's not worry about the rest of civilization just yet - what can you possibly do to combat an armed aggressor? Can you? Should you? Should anyone? Just how can the survival of as many people be helped? To answer this let's start with a short path analysis of what it takes to accomplish this. First let me just add that simply arming everyone is not the first answer that should be sought. Sadly, it may be necessary to have armed individuals present but if this is the only solution chosen then it implies a willingness to allow the violence to begin in the first place. Remember the pillars of security - Deter, Detect, Delay, Deny. We need to have layers of features in place for the greatest opportunity to mitigate such an event.
Back to the path analysis (a very simplified version)... The assailant must come onto the property, enter the facility, locate their target or choose the moment to initiate the attack. Now there probably isn't too much opportunity to keep this person off of the grounds since most people aren't challenged at this point, however it is often common to challenge people before entering the facility. What is that you say? Challenge, greet - same thing! There is no reason that you cannot use the greeting as an opportunity to make an evaluation - we do it naturally anyway. If a person seems out of sorts isn't just being a good neighbor to inquire to their need? Offer assistance? Find them counseling? I am not trying to say that any of these incidents could necessarily have been prevented, but we do know that there weren't any controls in place to be tested. So the greeter can be an important asset in detecting potential problems. They should be trained to ask how worshippers are and attempt to carry on a short conversation. What not enough greeters? Then seek more volunteers. What if the individual isn't seeking to harm anyone but is disturbed - a well trained greeter could be the first friendly voice that is heard and the first person to offer to guide them to help. Think about it. The plan cannot just be to catch shooters - it must be able to identify various sorts of problems. They are all people in need, right?
So the person has entered the facility, now what? Once it all "drops in the pot" there isn't too much that you can do, but react. If shooting starts, for any reason, the goal must be to get as many people out as quickly as possible. Subduing the attacker comes second, unless there persons prepared to engage in a force-on-force engagement - and that is what it is at that point. The winner is the one with the means to employ force more effectively. But let's not forget this is still in a church - so explore opportunities to 'cut' the path and avoid being too focused on just one sort of incident.
According to an old say, "Your mind is your primary weapon." Take a minute and employ yours to seek ways to detect and prevent violence rather than simply responding to it. Someone has to decide to commit violence, maybe we can convince them ahead of time that it's the wrong choice.
Rob
/
What if you specifically (passionately or not) believe that firearms should not be carried in church - let's not worry about the rest of civilization just yet - what can you possibly do to combat an armed aggressor? Can you? Should you? Should anyone? Just how can the survival of as many people be helped? To answer this let's start with a short path analysis of what it takes to accomplish this. First let me just add that simply arming everyone is not the first answer that should be sought. Sadly, it may be necessary to have armed individuals present but if this is the only solution chosen then it implies a willingness to allow the violence to begin in the first place. Remember the pillars of security - Deter, Detect, Delay, Deny. We need to have layers of features in place for the greatest opportunity to mitigate such an event.
Back to the path analysis (a very simplified version)... The assailant must come onto the property, enter the facility, locate their target or choose the moment to initiate the attack. Now there probably isn't too much opportunity to keep this person off of the grounds since most people aren't challenged at this point, however it is often common to challenge people before entering the facility. What is that you say? Challenge, greet - same thing! There is no reason that you cannot use the greeting as an opportunity to make an evaluation - we do it naturally anyway. If a person seems out of sorts isn't just being a good neighbor to inquire to their need? Offer assistance? Find them counseling? I am not trying to say that any of these incidents could necessarily have been prevented, but we do know that there weren't any controls in place to be tested. So the greeter can be an important asset in detecting potential problems. They should be trained to ask how worshippers are and attempt to carry on a short conversation. What not enough greeters? Then seek more volunteers. What if the individual isn't seeking to harm anyone but is disturbed - a well trained greeter could be the first friendly voice that is heard and the first person to offer to guide them to help. Think about it. The plan cannot just be to catch shooters - it must be able to identify various sorts of problems. They are all people in need, right?
So the person has entered the facility, now what? Once it all "drops in the pot" there isn't too much that you can do, but react. If shooting starts, for any reason, the goal must be to get as many people out as quickly as possible. Subduing the attacker comes second, unless there persons prepared to engage in a force-on-force engagement - and that is what it is at that point. The winner is the one with the means to employ force more effectively. But let's not forget this is still in a church - so explore opportunities to 'cut' the path and avoid being too focused on just one sort of incident.
According to an old say, "Your mind is your primary weapon." Take a minute and employ yours to seek ways to detect and prevent violence rather than simply responding to it. Someone has to decide to commit violence, maybe we can convince them ahead of time that it's the wrong choice.
Rob
/
Sunday, September 4, 2005
Are you locking your doors?
Some HOW are still able to get away with not locking up - and I say great it sounds like a community I want to live in. Everyone else, however sad it may be, realizes the need to lock their sanctuary to prevent criminal damage.
But who has a key? The best lock is worthless if everyone has a key!!! In the world of security this is called - prepare for the creativity of the name - Key Control. It sounds so simple - and many consultants will act like it is - but let's face it... Houses of Worship - churches, synagogues, mosques, and sanctuaries of all sorts - must provide access to lots of people for just as many reasons. So where then does one begin and how does it happen and what if it won't work for us and what if and what if and what if and what if... We haven't gotten that far yet. Save the "what ifs" for the right time - which is after you hear how the basic process works. Think of it in these phases: Sourcing access, granting access, managing access devices.
Sourcing access comes when you know who changed the locks (or rekeyed them) and how many keys were made for them. Typically this is done when they are rekeyed (we'll call it changing locks going forward rather than worrying about the technicalities between changing or rekeying locks) and the locksmith is right there. Once the work is done and all the keys are received there should be some documentation that indicates that, preferably, two responsible people acknowledge that the correct number of keys were received. Then the process of granting access starts. Who needs access and why. These individuals should be required to sign for their key - which is property of your organization - to acknowledge receipt. They should also have to sign an acknowledgement that they have received a copy of your organization's Access Control Policy (which we will discuss another time) that describes how and why the facility should be accessed and egressed, or occupied and vacated. This police will evolve so new ones can be distributed on a somewhat routine basis - maybe every six months to a year. Now people have access to the facility. The policy should include obligations not to reproduce the keys (access devices) or to share them with others, and to return them immediately upon request. Why would they have to return them? Well that should be in the policy as well, but don't be afraid to revoke access every so often if warnings and other agreements cannot be abided. This is part of managing access devices - revoking access - along with inventorying spare devices regularly and securing them appropriately so that those without access to the facility cannot conveniently get access.
Alright I think I'm done with this topic for now. I'd be glad to discuss it with anyone looking for help - so drop me a line.
Rob
/
But who has a key? The best lock is worthless if everyone has a key!!! In the world of security this is called - prepare for the creativity of the name - Key Control. It sounds so simple - and many consultants will act like it is - but let's face it... Houses of Worship - churches, synagogues, mosques, and sanctuaries of all sorts - must provide access to lots of people for just as many reasons. So where then does one begin and how does it happen and what if it won't work for us and what if and what if and what if and what if... We haven't gotten that far yet. Save the "what ifs" for the right time - which is after you hear how the basic process works. Think of it in these phases: Sourcing access, granting access, managing access devices.
Sourcing access comes when you know who changed the locks (or rekeyed them) and how many keys were made for them. Typically this is done when they are rekeyed (we'll call it changing locks going forward rather than worrying about the technicalities between changing or rekeying locks) and the locksmith is right there. Once the work is done and all the keys are received there should be some documentation that indicates that, preferably, two responsible people acknowledge that the correct number of keys were received. Then the process of granting access starts. Who needs access and why. These individuals should be required to sign for their key - which is property of your organization - to acknowledge receipt. They should also have to sign an acknowledgement that they have received a copy of your organization's Access Control Policy (which we will discuss another time) that describes how and why the facility should be accessed and egressed, or occupied and vacated. This police will evolve so new ones can be distributed on a somewhat routine basis - maybe every six months to a year. Now people have access to the facility. The policy should include obligations not to reproduce the keys (access devices) or to share them with others, and to return them immediately upon request. Why would they have to return them? Well that should be in the policy as well, but don't be afraid to revoke access every so often if warnings and other agreements cannot be abided. This is part of managing access devices - revoking access - along with inventorying spare devices regularly and securing them appropriately so that those without access to the facility cannot conveniently get access.
Alright I think I'm done with this topic for now. I'd be glad to discuss it with anyone looking for help - so drop me a line.
Rob
/
Disaster and Continuity Planning
We have all seen the devastation that was brought by Katrina. Amazing isn't it? The sheer capability of the event to destroy and area roughly the size of England! How does one prepare and what exactly do you prepare to do anyway. There is constant discussion, argument and annoying debate concerning Continuity and Disaster Planning; however these are not the same. Continuity planning is the process of being able to continue operations while a serious event is occuring - essentially operating without being affected - and Disaster Recovery is the process of fixing everything after it has been broken.
Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptivec events, to say the least. I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurrican, but here let's just touch a little on Business Continuity Planning (BCP) and Disaster Recovery (DR). Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs).
BCP, of course, requires some advance preparation (hence the term planning in business continuity planning) in advance of an event. How does one do this and what do they prepare for? Thanks for asking that's a great question. First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations. What is critical and what isn't. In comparison with the human body we tend to use Maslow's Heirarchy of Needs so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really dehydrated knows how painful a lack of water is), then food, then shelter and so on. Medication would most likely fit nicely between water and food. Anyway and organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations someplace - permanently or temporarily - to someplace more hospitable. For the human this exercise can be called survival - and, well, it can for the organization as well. The other end of BCP, in short, is how to restore operations to normal after the event has passed. Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done. Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal. Get back to servicing customers and conducting business.
Now there is clearly much much more to this, but it's a start at least. Remember the old adage: Proper Planning Prevents Piss Poor Performance. So plan, prepare and be brutal about it. Take nothing for granted. Assume the worst. And then start over and make it worse. I think it was Richard Marcinko that said: Training should be real as to make the real thing seem fake - or something like that. There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south. Plan, prepare, implement your plan, revise it as it make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time.
One other thing. If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you. This is your opportunity to learn from others. When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.
Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptivec events, to say the least. I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurrican, but here let's just touch a little on Business Continuity Planning (BCP) and Disaster Recovery (DR). Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs).
BCP, of course, requires some advance preparation (hence the term planning in business continuity planning) in advance of an event. How does one do this and what do they prepare for? Thanks for asking that's a great question. First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations. What is critical and what isn't. In comparison with the human body we tend to use Maslow's Heirarchy of Needs so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really dehydrated knows how painful a lack of water is), then food, then shelter and so on. Medication would most likely fit nicely between water and food. Anyway and organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations someplace - permanently or temporarily - to someplace more hospitable. For the human this exercise can be called survival - and, well, it can for the organization as well. The other end of BCP, in short, is how to restore operations to normal after the event has passed. Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done. Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal. Get back to servicing customers and conducting business.
Now there is clearly much much more to this, but it's a start at least. Remember the old adage: Proper Planning Prevents Piss Poor Performance. So plan, prepare and be brutal about it. Take nothing for granted. Assume the worst. And then start over and make it worse. I think it was Richard Marcinko that said: Training should be real as to make the real thing seem fake - or something like that. There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south. Plan, prepare, implement your plan, revise it as it make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time.
One other thing. If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you. This is your opportunity to learn from others. When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.
Saturday, August 27, 2005
Eco-terrorism - Just what is it?
There has been some recent discussion concerning Eco-terrorism including Congressional hearings with testimony by the FBI and The Center for Consumer Freedom, along with attention by the Southern Poverty Law Center. So is there Eco-terrorism, is it a real threat, and what is the motivation of those engaging in it. Wow, that's an awful lot to look at so I'll just hit the high points.
Is there Eco-terrorism? The government, the private sector (at least the portion involved with animals) and the Environmental/Animal Rights movements certainly think so, but the question is in how it is defined. According to Paul Watson, founder of The Sea Shepards Conservation Society, explains in Terrorists or Freedom Fighters that the actions of the companies and governments that damage the environment are acts of terrorism; however the FBI (and likely all federal law enforcement) and those companies in the private sector that have been targeted see Eco-terrorism in a different light - as terrorism. Why the difference? Well, simply put, no one calls themselves a terrorist - at least not seriously. They are always something else because they have a cause, and they generally also have interpretation of morality that justifies their actions. In this case the Enviro-Animal Rights movement works around a couple of justifications that are essentially synonymous.
First is 'Biocentrism,' or the belief that all life is equally valuable. Second is Speciesism, which is similar to racism or sexism in that humans wrongfully mistreat other species rather than treating them as equals. What? You say this doesn't jive with your sense of morality? Well it doesn't have to at this point. There are, however, those that feel you need to change, and they are willing to use violence to affect that change. This, of course, depends on your definition of violence. The Animal Rights/Liberation folks argue that violence can only be committed against animals and not property, so they do not describe their actions as violent - because they only destroy property. Destruction in the form of arson, denial of service attacks, intimidation and open threats.
Yah, but they're only freeing animals from labs, you say? Take a reality check, now! I'm not talking about those that engage in legal protests or "relatively harmless" efforts to rescue animals. No I'm talking about the arson in San Diego costing over $50 million in damage - that's right $50,000,000. I'm talking about posting the names, addresses, and family information (children's schools, etc.) of executives for companies that have been targeted on the web for all to see. This may not seem so bad to you, but imagine if you were hated by a group of people - a group large enough to provide individual anonymity - and your information was posted at a website frequented by these members. Members that read such material as "Eco-defense: A Field Guide to Monkeywrenching" and other materials that discuss methods for intimidating individuals - threatening letters, phone calls and the like. Wouldn't you be just a bit concerned? I think so.
The goal with these movements are similar but not identical. The Environmental movement comes in several varieties that can be seen as a continuum. On one end are those that are focused on conservation, or protecting current wild lands, and leading to those that want to reintroduce wildlife - particularly predators - into these wildlands, which lead to others that want to reclaim wildlands - including displacing humans now in residence - and still others at the far, far extreme that want to reverse the technology clock altogether. So the goal is to protect the environment from human damage - often seen to be caused by technology and overpopulation - and to improve the environment. Some radicals argue against vaccines as inappropriate meddling with nature while she is trying to balance the ecology by reducing the populations. The Animal Rights movement, as it is generically called, can also be seen on a continuum. On one end is Animal Welfare, followed by Animal Rights, followed by Animal Liberation. Animal welfarists tend to argue specifically against cruelty to animals but may not elevate them to the same status as humans. Animal Rights folks argue that animals are equals and will work to rescue them with their fringe element, Animal Liberationists, being those willing to commit serious crimes to "liberate" animals and damage enterprises that are considered exploitative.
So is it a real threat? Sure. As much as any other movement can be when they are willing to break the law, destroy property, and threaten human lives. How far will their efforts go? Well that really depends on many things, but it's unreasonable to believe they will simply change their beliefs and go home - expect to see these folks around for some time now.
For some more information search such topics as: Stop Huntingdon Animal Cruelty, Animal Liberation Front, Earth Liberation Front, Earth First!, Animal Rights, and so on....
Is there Eco-terrorism? The government, the private sector (at least the portion involved with animals) and the Environmental/Animal Rights movements certainly think so, but the question is in how it is defined. According to Paul Watson, founder of The Sea Shepards Conservation Society, explains in Terrorists or Freedom Fighters that the actions of the companies and governments that damage the environment are acts of terrorism; however the FBI (and likely all federal law enforcement) and those companies in the private sector that have been targeted see Eco-terrorism in a different light - as terrorism. Why the difference? Well, simply put, no one calls themselves a terrorist - at least not seriously. They are always something else because they have a cause, and they generally also have interpretation of morality that justifies their actions. In this case the Enviro-Animal Rights movement works around a couple of justifications that are essentially synonymous.
First is 'Biocentrism,' or the belief that all life is equally valuable. Second is Speciesism, which is similar to racism or sexism in that humans wrongfully mistreat other species rather than treating them as equals. What? You say this doesn't jive with your sense of morality? Well it doesn't have to at this point. There are, however, those that feel you need to change, and they are willing to use violence to affect that change. This, of course, depends on your definition of violence. The Animal Rights/Liberation folks argue that violence can only be committed against animals and not property, so they do not describe their actions as violent - because they only destroy property. Destruction in the form of arson, denial of service attacks, intimidation and open threats.
Yah, but they're only freeing animals from labs, you say? Take a reality check, now! I'm not talking about those that engage in legal protests or "relatively harmless" efforts to rescue animals. No I'm talking about the arson in San Diego costing over $50 million in damage - that's right $50,000,000. I'm talking about posting the names, addresses, and family information (children's schools, etc.) of executives for companies that have been targeted on the web for all to see. This may not seem so bad to you, but imagine if you were hated by a group of people - a group large enough to provide individual anonymity - and your information was posted at a website frequented by these members. Members that read such material as "Eco-defense: A Field Guide to Monkeywrenching" and other materials that discuss methods for intimidating individuals - threatening letters, phone calls and the like. Wouldn't you be just a bit concerned? I think so.
The goal with these movements are similar but not identical. The Environmental movement comes in several varieties that can be seen as a continuum. On one end are those that are focused on conservation, or protecting current wild lands, and leading to those that want to reintroduce wildlife - particularly predators - into these wildlands, which lead to others that want to reclaim wildlands - including displacing humans now in residence - and still others at the far, far extreme that want to reverse the technology clock altogether. So the goal is to protect the environment from human damage - often seen to be caused by technology and overpopulation - and to improve the environment. Some radicals argue against vaccines as inappropriate meddling with nature while she is trying to balance the ecology by reducing the populations. The Animal Rights movement, as it is generically called, can also be seen on a continuum. On one end is Animal Welfare, followed by Animal Rights, followed by Animal Liberation. Animal welfarists tend to argue specifically against cruelty to animals but may not elevate them to the same status as humans. Animal Rights folks argue that animals are equals and will work to rescue them with their fringe element, Animal Liberationists, being those willing to commit serious crimes to "liberate" animals and damage enterprises that are considered exploitative.
So is it a real threat? Sure. As much as any other movement can be when they are willing to break the law, destroy property, and threaten human lives. How far will their efforts go? Well that really depends on many things, but it's unreasonable to believe they will simply change their beliefs and go home - expect to see these folks around for some time now.
For some more information search such topics as: Stop Huntingdon Animal Cruelty, Animal Liberation Front, Earth Liberation Front, Earth First!, Animal Rights, and so on....
Tuesday, August 23, 2005
Shoplifting - boosting, lifting - The five-fingered discount
In a recent article concerning a study on retail theft, Dr. Richard Hollinger of the University of Florida makes points that are no doubt interesting; however if you've ever worked in retail security it shouldn't be news.
Roughly 8% of people that enter a store will steal something. Sounds alarming, but there has long been an accepted honesty continuum in the retail loss prevention (LP). It's commonly called the 80/20 rule but it does not resemble Pareto's law very much. It goes something like this: 10% of your employees will steal, 80% may steal, and 10% will never steal. It is generally applied to any population. The purpose of the concept is to reinforce the need for internal controls. The consequence for a lack of internal controls can be found by searching news sources for 'embezzlement.' Controls provide an opportunity to encourage the fenceriders (the 80% that may steal) not to take assets without permission.
Getting back to shoplifters... They come in all shapes and sizes and profiling them is best done based on behavior rather than some cultural feature. From my own experience as an LP Officer over just three years I apprehended persons as young as 10 years old and as old as, yes I'm serious, 74 years old. What did they steal? Whatever they wanted from clothes to linen to pillows to lingerie to the silliest little knickknacks you can imagine (like refrigerator magnets). Some fought (and fought hard) but most just come back to the store when asked. Why do they steal? Now that is a question that draws much debate, but it's not generally because they lack the funds. By far the vast majority of those I apprehended had enough money on their person to pay for the items they had stolen. "They just forgot," you say? Some may have, but those I did not apprehend. Why? Because we had a policy of following those that had not concealed the merchandise (indicating their knowledge that they possessed the merchandise) until they did conceal it. Did some realize their mistake and go back to pay, yes, and they probably never knew we were behind them all the way back. Why apprehend when you can make a sale? The fact they returned without encouragement would indicate to me that they were sufficiently embarrassed by their own conscience.
As I said, all shapes and sizes - and so were the amounts of their thefts. Some take only one item and are quite difficult to catch, while others take considerable amounts for resale. Consider another continuum with amateur on one side and professional on the other. The pro's live off their thefts and the amateurs do not. Everyone in the middle supplement their lifestyles to differing degrees with stolen items.
What do shoplifters do? Well, first this is not to be construed as legal advice to go out and start putting your hands on people or accusing anyone of wrongdoing, but here are a few thoughts. Most SL's get nervous before their actual theft. The theft technically occurs (in many states within the U.S.) at the time of concealment. The SL must look around to ensure they are not being watched, or head to a very concealed place (like a fitting room or bathroom). Other times their nervousness causes them to act somewhat erratically - going from lingerie to tools, or women's dresses to men's jeans - as they try to determine if they are being followed. So the eyes give it away and the hands make the move. Those that are part of an organized theft team will typically steal in large quantities using bags, boxes or other "tools." What do they want - the good stuff - of course. They may be selling them to a fence (pawn shop or other illegal buyer) or they may be delivering them to re-pack houses for shipment to legitimate customers that are unknowingly buying stolen goods.
I can go on forever about shoplifters... Call it a perennial thorn in my side since my earliest days in security. Heck, we didn't mention refund-artists or credit fraud at all. One day we'll get to those as well.
Rob
/
Roughly 8% of people that enter a store will steal something. Sounds alarming, but there has long been an accepted honesty continuum in the retail loss prevention (LP). It's commonly called the 80/20 rule but it does not resemble Pareto's law very much. It goes something like this: 10% of your employees will steal, 80% may steal, and 10% will never steal. It is generally applied to any population. The purpose of the concept is to reinforce the need for internal controls. The consequence for a lack of internal controls can be found by searching news sources for 'embezzlement.' Controls provide an opportunity to encourage the fenceriders (the 80% that may steal) not to take assets without permission.
Getting back to shoplifters... They come in all shapes and sizes and profiling them is best done based on behavior rather than some cultural feature. From my own experience as an LP Officer over just three years I apprehended persons as young as 10 years old and as old as, yes I'm serious, 74 years old. What did they steal? Whatever they wanted from clothes to linen to pillows to lingerie to the silliest little knickknacks you can imagine (like refrigerator magnets). Some fought (and fought hard) but most just come back to the store when asked. Why do they steal? Now that is a question that draws much debate, but it's not generally because they lack the funds. By far the vast majority of those I apprehended had enough money on their person to pay for the items they had stolen. "They just forgot," you say? Some may have, but those I did not apprehend. Why? Because we had a policy of following those that had not concealed the merchandise (indicating their knowledge that they possessed the merchandise) until they did conceal it. Did some realize their mistake and go back to pay, yes, and they probably never knew we were behind them all the way back. Why apprehend when you can make a sale? The fact they returned without encouragement would indicate to me that they were sufficiently embarrassed by their own conscience.
As I said, all shapes and sizes - and so were the amounts of their thefts. Some take only one item and are quite difficult to catch, while others take considerable amounts for resale. Consider another continuum with amateur on one side and professional on the other. The pro's live off their thefts and the amateurs do not. Everyone in the middle supplement their lifestyles to differing degrees with stolen items.
What do shoplifters do? Well, first this is not to be construed as legal advice to go out and start putting your hands on people or accusing anyone of wrongdoing, but here are a few thoughts. Most SL's get nervous before their actual theft. The theft technically occurs (in many states within the U.S.) at the time of concealment. The SL must look around to ensure they are not being watched, or head to a very concealed place (like a fitting room or bathroom). Other times their nervousness causes them to act somewhat erratically - going from lingerie to tools, or women's dresses to men's jeans - as they try to determine if they are being followed. So the eyes give it away and the hands make the move. Those that are part of an organized theft team will typically steal in large quantities using bags, boxes or other "tools." What do they want - the good stuff - of course. They may be selling them to a fence (pawn shop or other illegal buyer) or they may be delivering them to re-pack houses for shipment to legitimate customers that are unknowingly buying stolen goods.
I can go on forever about shoplifters... Call it a perennial thorn in my side since my earliest days in security. Heck, we didn't mention refund-artists or credit fraud at all. One day we'll get to those as well.
Rob
/
Subscribe to:
Posts (Atom)