Security Today

Comments, thoughts, and pet peeves about the application (or misapplication) of security today.

Thursday, September 29, 2005

ASIS - benefit, cash drain, vanity show, or all three?

Here's another request, and one that hits close to home. What are the benefits of belonging to ASIS? Are there any opportunities for students?

I know I'm not the best person to answer this, but here are my thoughts nonetheless...

ASIS International - formerly the American Society for Industrial Security - is the granddaddy of all security associations (as far as I know). They are an organization that has changed a lot since their beginnings and they are destined to change far more in the next decade.

Once upon a time when I first found my way into security I did not think too much of ASIS - why? Well my experiences were of rather pompous people that believed they knew everything; however they did not seem open to changes (so I figured ASIS were fitting initials). After some time I found that not being part of it could be a little dangerous to a career - at least from the networking and industry update side. I joined other organizations like the International Foundation for Protection Officers, the Academy of Security Educators and Trainers, and was inducted into The Nine Lives Associates, but I eventually realized that ASIS was where these pretty much all came from anyway. I'm still part of all of these as well as being involved in ASIS.

Is ASIS a good ol' boys group? Maybe once upon a time it was - and it certainly was in my perception - but I've noticed in just the last eight years a subtle change away from such an image. Now it could very well be that my perception has changed due to my involvement and interaction with a wider group of members. Either way, I now see ASIS as something very important to our industry and something worth being part of - if nothing else but to affect change for the better.

So what do I get from ASIS? I like training, news, interaction, argument - dissent, disagreement, and conflict - for the sake of getting better. I like to think and ask others to challenge my thoughts - and many are all too willing to do so in an almost unfriendly way. ASIS gives me access to many others within my own industry - saints and jerks alike. We can learn something from anyone, and with that in mind and something like 20,000 members there's a lot I can learn from ASIS.

ASIS also provides the most well known certifications. Why are these important? Consider this... Who do you want to do your taxes? A Certified Public Accountant or an Accountant? Why is that? To me a CPA represents someone that is willing to put their knowledge and skills to greater scrutiny - once for an examination - and continually by meeting the expectations of those that choose a CPA. They also have a Code of Conduct that is spelled out clearly for everyone to see. This means there are disciplinary actions that can be taken outside of the usual criminal and civil paths. Why is this important? It means that a CPA is willing to perform to a standard or be punished professionally. Now take that into the world of security. Who do you look for when you need an answer? A Security Manager or the CPP? Which would you prefer protecting your organization on a day-to-day basis? A security officer or a CPO? Do you expect a certain level of performance? Absolutely. When a standard is not met then 'professional' disciplinary action can be taken. ASIS, IFPO, ACFE, and ISC2 all have expected standards of performance. So the certifications are important because they impart an agreement among three parties: the designee, who agrees to perform in an acceptable way; the organization, which enforces its rules of conduct to maintain the quality of the certification in the public domain; and the public (or consumers), who expect that level of performance. It is a commitment to professionalism.

So what can students do in ASIS? LEARN! Take notes, train, NETWORK, and drive yourself to a higher standard than your own mentor. Oh yah, find a mentor (or mentors) and grow from their experience - but always think for yourself.

Attending training - when you can afford it - is essential to reaching that next level. Any training is good - even bad training. Bad training (and I've paid for my fair share of absolute crap disguised under the reputation of a "security pro") helps you to know who is full of crap in the industry and what they sound like when they talk. They will be your competition for good jobs. There's a lot to be said for these folks, but they're in every industry so just go out and meet them. Bad training can also get you hurt - think about everything that you are taught - so that the skills you learn do not govern your performance. Ask yourself, "How would I get around this?" or "How could this be defeated?" Sometimes it's worth asking someone who really knows. When I used to catch shoplifters I often asked them about previous fights with law enforcement or security. They'll talk - everyone who wins a fight talks - and this can be beneficial to you. Develop a "Discipline of Training" and stick with it. A little here, a little there. When you can't afford training (and I know how that feels making $5.90 catching thieves) get a book, conduct a free survey, plan a security system, engineer a break-in, and use your imagination to train yourself - it's free. Offer to work with someone on your off-hours; informal internships can be very useful. AND go where the knowledge is - just like salespersons go where the money is - spend time in the circles that your potential mentors will be and be involved. This is where ASIS can be a great help because you can go where the best are - monthly meetings, committees and so on. When you drink beer or otherwise socialize with these folks take some time to get advice on your career direction, opportunities, tricks and tips, and then make sure you don't monopolize the time. DON'T be afraid to offer your opinion on any discussion concerning security. If you're wrong you'll learn, and if you're right then you're contributing.
If those with you blow you off and act like you should be a child - seen and not heard - then it's time to find a new group of pros because there's little reason to waste your time with pompous fools unwilling to drive someone else's success. Your time is valuable - DO NOT waste it. Build your network - nurture your network - expand your network - improve yourself so others want to network with you - and focus on quality and not size. 200 business cards are just a stack of paper - 2 good contacts that you can reach out to and not be a stranger can change your life.

Those are my thoughts on ASIS - for me it is a facilitator for all of this.

Rob

Wednesday, September 28, 2005

Walk - don't run... No wait, run for your lives!!!

We have a special request for a very interesting, and I daresay relevant, topic. Oh, and a polite out-of-bandwidth comment on being lazy and not blogging.

How does one establish accountability when evacuating college dormitories and long term care facilities? Well, having never been responsible for either I'll take a stab at it and I may even hunt around to find someone with direct experience in this area. Here goes...

When I was in Korea (ah, the old days) we had a system on our camp (Camp Garry Owen - the old one near Yon Gi Gol) whereby we each possessed a "Garry Owen Card." A similar system was later introduced division-wide called a "Liberty Pass." How is this relevant? Well to get OFF camp we had to turn in our card with the gate guards. Top (and that's a First Sergeant) or the Bear (that'd be the Squadron Command Sergeant Major) could take your GO Card arbitrarily to keep you on the camp. Now maybe some folks deserved this - though not the countless hours of filling sandbags - but anyway you get the gist of this. It established accountability in a very quick sort of way. Who is not in the camp right now? This was a very important concept when it came to alerts (that would be something like a fire drill but it involved loading your life onto a vehicle and driving away from your home - possibly for the last time before someone blew it up). During an alert everyone would sprint back to the camp and grab the GO Card on the way in. At some point Top would contact the gate and find out who he was missing. Simple, neat and effective. So simple no dumb grunt can screw it up, right? Actually, we did have ways to get around it, but that's another story.

Anyway, any accountability system that will be used during a crisis, such as an evacuation, should be very simple to avoid a complete breakdown with no way to recover. Tokens - like the GO Card or Liberty Pass - provide this sort of simplistic accountability. Granted this system may be easier for the extended care facility rather than a college dorm since the number of rapid access/egress activities is substantially lower. All you need is a control point where the tokens can be dropped off or picked up and someone to manage this process CONSISTENTLY. Once such a system fails - it is likely to fail for good. Don't worry there'll be a new one - after the next event that costs someone their life.

How else might we do this? We could try the "Battle Buddy" system which makes everyone responsible for someone else - your "Battle Buddy" (or Ranger Buddy for those folks). Hall wardens/monitors can then be responsible for a segment of the larger group and so on in a very hierarchical organization. This requires a specific level of responsibility which may not be present with students. Not to bust on students in dorms - I was one once (although I was out of the Army and much older than everyone else) - but they are generally young and there are few consequences for poor performance. That is except for maybe losing a friend, but that won't be thought of during the crisis. No matter what, Resident Assistants and Resident Directors should be responsible for accounting for those under their charge. This, of course, requires training in whatever procedures are decided on, and exercises to test those procedures.

So we now have a token system and a buddy/leader accountability system. We can apply technology to the problem as well. We can make those student IDs proximity cards so that those entering and leaving are identified on an occupation roster. Guests would still need to be admitted by some means, which could include guest prox cards as well. This is still a token system but it could allow for greater throughput at the access points. And anyone responsible for planning access control systems knows that the throughput rate is everything to your client. Otherwise it just won't be used CONSISTENTLY.

Whether you are using manual or automated rosters it is essential - it is fundamental - and it is the deciding factor as to whether your system functions or breaks to ensure that it is used CONSISTENTLY. Test it - even use focus groups of true delinquents - to learn how it will be bypassed, subverted, and ignored. Then figure out if the system is worth making changes to or a new approach is warranted. As Richard Marcinko wrote in one of his books (or something to the effect anyway), "Do not get married to your plan." Be prepared to change - sometimes on a moment's notice - to satisfy the needs of the threat environment, operating environment, and client opinions/preferences. Be absolutely sure that the method you choose fits with the organization's culture: No fit = No use = Disaster.

Is that enough? It certainly is not, but there's just a little too much to try and discuss here all at once. Send some more questions and you might get some more answers. I might even throw up an example or two for fun... But keep it simple so that it works in a crisis.

Always be absolutely ruthless with your own plans - it sure beats the embarrassment of someone else doing it to you in front of your peers. OR, I can do it here for you. Send your plan in a comment and I'll gladly look for a way around it.

One other important saying applies here as well: "No battle plan survives contact with the enemy." So build in some features to account for this necessary flexibility!

Think fast...


Tuesday, September 20, 2005

Suicide bombers and public transportation

An image recently came to mind dating back to the London bombings... Searches at U.S. subway entrances. On television they appeared to be done professionally - and I'm not discussing the issue of racial profiling, just the searching methodology and not the selection.

I saw long lines of people snaking back just as they do at the airport as individuals were searched. Hello!!! Did anyone else see a problem here? We are dealing with individuals intent on injuring as many people as possible - remember the few affecting the many by affecting the few - and the crowd can just as easily be at the entrance as it can be in the tunnel. Granted the tunnel makes for greater problems, but for those that may be killed the issue is the same.

So now that I've griped about what was done - here's an alternative. Granted this is more costly but it defeats the attacker's goals and limits their potential success to a mere handful rather than everyone in line. Defense in depth is something we in the security field spout on about. Here is a prime example of its use.

Somewhere in the parking lot a considerable distance from the entrance is the first line of officers. They select those that they feel should be searched and accost those individuals - search their bags - and either place a seal on it or hang a tag on it. Then somewhat farther back towards the entrance but within eyeshot of the first line is the second line who repeat the same steps but select different individuals to search. One or two officers, and the line supervisor, would then monitor the approaching commuters to see if items are being passed back and forth to those who have been searched. There may be a third line and a fourth line if there is enough distance and need.

Why is this concept worthwhile? The number of persons nearby to the one being searched are at greatest risk. Reducing the number of persons that cluster together reduces the value of the target. Also, over distance a person or persons trying to avoid being searched will stand out much more so than simply evading one checkpoint. There are other benefits but we'll leave it at these.

Is it foolproof? Heck no! And I'm not arrogant enough to believe that any plan is, but I do believe in saving what you can while you can and spreading out the targets means a whole lot fewer people that will need saving after the fact. Manpower now, means less manpower during the response. Oh yah, private security folks can do this as well. That's right. Well trained security folks can do this job; especially if they are backed by a law enforcement team. So we can do it for less and we don't need to hire more and more LEOs to reach the short-term goal.

I'd be interested in hearing your thoughts on this...

Rob

Friday, September 16, 2005

Windows v. Linux: A Security Perspective...

Today I bumped into an individual at Borders Books who asked which was more secure, Windows or Linux. Well what do you think? I think it really depends more on the individuals using it and those administering it. Threats ultimately come from people and so do the defenses. So any poorly managed operating system is more vulnerable than a well managed operating system - with a few caveats... As for Windows and Linux. Windows is more widely used - so it is targeted more often; Linux is not. If you are designing malicious code to affect the widest population of users you must have it target operating systems and applications that are most widely deployed. It makes no sense to create a virus - or other malware - that targets an operating system that works on only one machine. That is, of course, unless it is a very targeted attack like you might see in the movies.

Even though Windows will be targeted more often - due to its wider deployment - it is also worked on by more people on a daily basis. That means that there will more likely be a patch forthcoming in a timely manner - and the attack will also likely be detected more quickly since more systems will be affected in any given period of time.

So which is more secure? I think it is the OS deployment that suffers for poor or inept management.

Rob

Thursday, September 15, 2005

ASIS Orlando

I know I had planned to blog from Orlando but events overtook me and I'm back now. Needless to say that it was a huge event with tons of informational seminars and somewhere like 300 vendors showing their goods. One of those vendors also happens to be another organization that I am very involved with and it focuses on training for line security officers, supervisors and managers. These are folks that have to make the security happen everyday. I was once one of them and "it ain't easy." They are typically underpaid, undertrained, and treated like an incapable moron - who does everyone call when something happens? That's right - security! It has got to be one of the oddest paradoxes in our society. Oh, the organization is The International Foundation for Protection Officers based in Florida. They offer great training programs - of which I am a proud certificate holder - and an outlet for learning that really doesn't exist anywhere else in the industry.

I know this isn't about ASIS in Orlando - but that's it.


Friday, September 09, 2005

Katrina

I guess I should make some comments about Katrina - just like everyone else, right? I offer this.

Have a plan. Test your plan. Revise your plan. Keep your plan current.

But fight your enemy.

No plan survives contact with the enemy - stay flexible and stay effective.

Those are my thoughts. I don't care who screwed up at this point - the guillotine didn't get washed away so heads can roll when we're damn good and ready - but I do care about being effective. Special thanks to the U.S. Coast Guard for setting the example from the start.


ASIS International's annual conference

Next week is ASIS International's annual conference in Orlando, Florida. ASIS was formerly known as the American Society for Industrial Security but the name was changed to better reflect its worldwide involvement.

It is quite the show - new technologies along with some old ones - and several thousand security professionals. I'm guessing but I'd assume that nearly every other security organization, in the U.S. at least, can trace some aspect of its heritage to ASIS and so there are many additional meetings that occur at the same time. There are training seminars, in addition to the exhibits, and some are really worthwhile. Some are dull and some just don't live up to what they promise, but then again they are presented by volunteers to their peers (read competitors).

Assuming the hurricane doesn't cause problems for the event yours truly will be present, and I may even offer some updates from there as well. New technologies or new techniques, who knows. See you there.

Rob

Sunday, September 04, 2005

Disaster and Continuity Planning

We have all seen the devastation that was brought by Katrina. Amazing isn't it? The sheer capability of the event to destroy an area roughly the size of England! How does one prepare and what exactly do you prepare to do anyway? There is constant discussion, argument and annoying debate concerning Continuity and Disaster Planning; however these are not the same. Continuity planning is the process of being able to continue operations while a serious event is occurring - essentially operating without being affected - and Disaster Recovery is the process of fixing everything after it has been broken.

Organizations, and individuals, in New Orleans have had to experience both aspects of the response to disruptive events, to say the least. I mean let's face it, there is so much that can be discussed (and no doubt will by every talking head that can be found) concerning the many failures discovered by the hurricane, but here let's just touch a little on Business Continuity Planning (BCP) and Disaster Recovery (DR). Each term has found a relatively secure home through the IT industry due to everyone's dependence on connectivity (and other related needs).

BCP, of course, requires some advance preparation (hence the term planning in business continuity planning) in advance of an event. How does one do this and what do they prepare for? Thanks for asking, that's a great question. First, whoever is doing the planning - and it preferably should include persons from all parts of an organization - should know what the priorities are in terms of preserving operations. What is critical and what isn't. In comparison with the human body we tend to use Maslow's Hierarchy of Needs so the most critical things would be an environment that the organism (in this case a human) can survive in - so air, appropriate temperature and so on - followed by water (anyone that has been really dehydrated knows how painful a lack of water is), then food, then shelter and so on. Medication would most likely fit nicely between water and food. Anyway, an organization - or person - must plan on protecting supplies and utilities to support critical operations. OR, to move operations someplace - permanently or temporarily - to someplace more hospitable. For the human this exercise can be called survival - and, well, it can for the organization as well. The other end of BCP, in short, is how to restore operations to normal after the event has passed. Using a person again - how do you get to a place where the stress returns to what you understand and can manage, and how do you begin to repair the damage done. Disaster Recovery isn't too far off - possibly more focused - but how, after the event ends, do you return to normal. Get back to servicing customers and conducting business.

Now there is clearly much much more to this, but it's a start at least. Remember the old adage: Proper Planning Prevents Piss Poor Performance. So plan, prepare and be brutal about it. Take nothing for granted. Assume the worst. And then start over and make it worse. I think it was Richard Marcinko that said: Training should be so real as to make the real thing seem fake - or something like that. There is no reason for you, or your organization, to be experiencing the chaos that has marked the past week down south. Plan, prepare, implement your plan, revise it to make it work, and when it's over you MUST critique your performance - benchmark peers - and fix whatever didn't work for next time.

One other thing. If, after seeing what has happened, you are not looking at your organization's capabilities and preparations then shame on you. This is your opportunity to learn from others. When the disaster is so great as to break the entire civil system of controls it will only be your prior efforts that guarantee continued survival.
