Tuesday, October 25, 2005

Eco-terrorism - in the news and in front of Congress - again

Brian Connor over at Animal Crackers has offered us information on the recent postponing of LSR (Life Sciences Research - otherwise known as Huntingdon Life Sciences) listing on the New York Stock Exchange (he draws from here, here and here). Further, it looks like there will be more hearings concerning the radical Animal Rights movement.

For clarification on the issue - because few others will bother - there are LOTS of people involved in the animal welfare/rights/liberation movement and they are not all the same. Think of a continuum with Animal Welfare on one end, Animal Liberation on the other and Animal Rights in the middle. If you think of Democrats and Republicans in the same way you get the picture of how different these groups are; both Dems and Reps want what's best for the country but differ on how to get there. Now you may understand the vast differences in the movement. There are two significant demarcations in the movement: whether an individual believes that animals are equal to humans in terms of the value of their lives and whether an individual feels it is acceptable to commit criminal acts that surpass the notion of civil disobedience - in other words property destruction and threats of violence. That's a very short description of the spectrum of the movement.

So why do I care and consider this a point to be discussed in security? Simple; if it's not Animal/Eco folks then it's some other type of militant that is willing to affect you business. Just give it time. Since the cultural revolution (and I apologize if I'm wrong but this is how it was taught to me) every idea is as valid as the next - meaning anyone is now justified in targeting you. Who knows, maybe the paint used for your establishment uses chemicals that affect groundwater (and shame on you not knowing this when your vendor used it), or maybe the paint was mixed by someone in an impoverished country, or maybe you like to fly the U.S. flag, your state flag, or for that matter the Jolly Roger; you could become a target. My personal experience has to do with the Animal Rights/Liberation movement targeting a client.

The broader issue here is understanding your threats. Is it local crime - burglaries and vandalism, or something more sinister? In the case of the AR/AL movement it is important to understand that they believe that every animal is as valuable as your life. Professor Steven Best at the University of Texas - El Paso stated in a speech that he would save his dog rather then an unknown human if they were both in a fire. See his dog means more to him than a unknown human. It's as simple as that. In Terrorists or Freedom Fighters (I'm not linking to it - because I'd rather you not buy it and fund more of his activities) Dr. Best argues that violence cannot be committed on property and therefore the ALF (Animal Liberation Front) is non-violent. This is also an underlying theme of supporters of the ALF; however it is important to keep in mind that property destruction carries with it an inherent threat.

This post could go on for a long time discussing this topic but I'll keep it short. The tactics used by the Eco/Animal Liberation movements are in fact terrorism [how the few affect the many by affecting the few with violence or the threat of violence] and it must be addressed as such. Collect data, know your threat, develop/implement effective countermeasures, and stay orientated toward your threat - it is an intelligent and adaptive threat.

For additional information concerning Eco-terrorism in the U.S. check out this document.


Friday, October 21, 2005

A special note to my new "friend" - Some people make crime easy

Hey Steve! I'm calling your name so that you know this is about you - I gave you my card at the bookstore.

For everyone else, here's how it went...

I'm sitting at the cafe in the bookstore, minding my own business, when I hear a gentleman behind me start speaking on the phone. Nothing odd there; everyone does it - it's not like it's a library, right?

Then the call gets interesting. Steve began speaking about a donation. Being someone that considers Social Engineering (see a pro here, more here, and here) one of the most, if not the most, under treated security risk, I naturally began to listen more closely. And yes, he began to read off his credit card number (it was a Visa), along with his address, and year of birth.

Ah the damage that can be done with that. So Steve I gave you my card with little hope that you'll read this and appreciate the free advice of a security consultant.

This, of course, isn't really social engineering but instead a form of "shoulder surfing" which can also be an excellent way of getting passwords, PINs, and other access data.

Look folks. If you going to have that sort of conversation, take it outside so that you're not sharing the data with a handful of people that are reading - or in other words, focusing on remembering information. This sort of thing hurts to witness when so many people want advice on firewalls, alarm systems, shredders, and so on.

This is an example of poor OPSEC and I'm not saying we need to develop detailed OPSEC policies for our daily life, but hey at least keep your personal information and access to any financial resources "close to the chest," please.

Thursday, October 20, 2005

Quick advert for a friend

My best friend has started a new blog.

The Political Yak is where he plans to discuss politics - mostly local - and he is political accumen is exceptional.

So go check it out, bookmark it, and then come back here.


Wednesday, October 12, 2005

Valuable lessons from the USS Cole attack

Let's all take a minute and remember the 17 dead and 42 wounded in the attack on the USS Cole five years ago today - that would October 12, 2000. See the Stars & stripes tribute many of the other news outlets.

Now take another few minutes and ask yourself what it is you, as a security professional (or just someone interested in security), can learn from this unfortunate event. For I'll start with the Cole Commission Report and work from that since we can all make unsubstantiated comments until the cows come home. Nothing beats information that can be sourced and, regardless of what you might think of commission reports, they generally do include some analysis of the facts surrounding the event.

I'll just take a few of the findings from the commission and equate them to the life of today's security manager or director. I'm sure there are other findings that can be used here, but these will suffice.

Disclaimer: All comments below are intended to relate the findings of the report to day-to-day security concerns - tending toward the commercial sector. In no way am I commenting on the performance of individuals involved or activities that affected the USS Cole.

Finding: Better force protection is achieved if forces in transit are trained to demonstrate preparedness to deter acts of terrorism

Deterrence works! Realistically it does not ALWAYS work, but then that's why a good security program goes beyond this one layer. Presenting a formidable (read: professional, well-trained, and prepared) image absolutely works in your favor. It discourages the casual nuisance and makes the committed plan more thoroughly - which means more time [the value of which we'll discuss further on], more tools and expertise (and probably money as well). Time, tools, expertise, and money are all commodities. To quote an old teacher, Dr. Kobetz, "Time is on no one's side. It is a commodity. You must decide how you will use it." I think we all familiar with the limitations on tools, expertise and money in preparing an attack.

Finding: Service AT/FP programs must be adequately manned and funded to support threat and physical vulnerability assessments of ports, airfields and inland movement routes that may be used by transiting forces

This goes right back to two recurring points - Know your environment and know what you are protecting. Sun Tzu said it like this (depending on the translation you read), "Know yourself and know your enemy; fight 100 battles have 100 victories. Know yourself and not your enemy; fight 100 battles have 50 victories. Know your enemy and not yourself; fight 100 battles have 50 victories." Get the point? The idea has been around for some time. So conduct Risk Assessments that include a view of the Assets, the Threats, and the Vulnerabilities - and keep them current over the years. A week old report is dated if it was conducted before an additional 100 employees are moved into your facility along with all their activities. So keep organizational plans in the mix as well.

Finding: The Geographic Commander in Chief should have the sole authority for assigning the threat level for a country within his area of responsibility

This applies in a couple of different ways here, but mostly a local security manager should be empowered (including being properly trained, mentored, guided, advised, and evaluated to be effective) to affect the protective posture of their site, location, facility, or area of responsibility. In an executive detail there is a fine line between the boss (principal/protectee) being in-charge and the protector. This is a very, very fine line that affects credibility when crossed one too many times. When the threat is identified then the principal's behavior must alter - this could mean many different things with the most extreme of which is being led by their security detail away to a safe location. In terms of a commercial facility it may simply be not allowing access through auxiliary doors and conducting a 100% ID check at the approved access point, or deploying counter surveillance folks into the parking lot/traveled way to observe those paying attention to the facility. This capability must reside at the lowest reasonable level to ensure timely preparation.

Finding: We need to shift transiting units from an entirely reactive posture to a posture that more effectively deters terrorist attacks

Here we are again with deterrence. Let the bad guys know that you mean business. In a retail setting this means signs, awareness programs, and making sure employees and customers know that security is involved. This does not mean that any shoplifter that is caught should be dragged by their hair through the store - don't forget the professional image. Roman soldiers were known for their discipline - they were feared because this discipline was unwavering - not so much because they were individually so ferocious. I once heard a quote from a friend that he claimed to have read (and I don't doubt him) concerning the Roman Army - "Ten disciplined soldiers are worth 100 warriors." Deterrence can be found in the effect of professional discipline and a willingness to act in concert. Consider the being the first barbarian commander to see the Romans employ the Greek technique of the tortoise formation with shields interlocked in front and overhead as they advanced - with each fallen soldier being immediately replaced by another. Now consider how your adversary may respond to a similar level of discipline and determination. Deterrence works at all levels from the initial appearance to the presentation of the response.

Finding: In-transit units require intelligence support tailored to the terrorist threat in their immediate area of operations. This support must be dedicated from a higher echelon (tailored production and analysis)

Intelligence - one of my favorites. Know your environment and how your adversary operates - but remember that this changes with very subtle geographic (and cultural) differences. Focus your intel efforts. What? You say you're a company and can't conduct collections. Hogwash! Get out and talk to people, but more importantly LISTEN to them and anyone around you. Search online; what you find may not be local but it also may provide context or a new mode, method, or technique you were unaware of - and it takes a professional to take this extra step. In retail this means going out into the mall or local community and watching, listening and talking with your peers. Stay within the law but collect.

Finding: Service counterintelligence programs are integral to force protection and must be adequately manned and funded to meet the dynamic demands of supporting in-transit forces

This is back to knowing your adversary or more accurately what they know or are trying to learn about you. Know your own "covert channels" (try here, or here for information). Who's watching you, your people, and so on. Again, at the very least, just listen to those around you, other employees, your industry peers, the news; just listen.

Finding: Service Level II AT/FP Training must produce a force protection officer capable of supervising unit training and acting as the subject matter expert for the commander in transit

This says so much. What do you know about security officer, security supervisor, or security manager training? Training is essential. If you are not taking every opportunity to train, improve, train, improve, train, and improve your protection team then shame on you. The military is generally really great for this mindset. Once again we should revisit Patton's thoughts on this, "A gallon of sweat in training is better than a pint of blood in battle." Or as presented in one of Marcinko's books, "Train hard, fight easy!" Although enough may be said about training - enough is rarely done about training.

Just a few comments on what every security professional/practitioner can learn from a tragic event.

Wednesday, October 05, 2005

Home care providers and workplace violence

Here's an interesting topic that came up today: Security in home service industries. You know house cleaning services, home healthcare, and all the other services that involve someone being sent to a home to assist the homeowner.

Here are a couple of quick resources on the topic: book, article, article, article, article, government publication, another government publication, and there are more available on the web.

As far as security goes on these topics it's just a tad more complicated than usual. Not only is it important to vet your own employees so that they (hopefully) will not victimize your clients, but it's also important to vet your clients. Oh yah, that's right - the client should be checked. Why? Well it's like this. You are sending an employee to a "work site" and if that site is not safe then you have sent your employee into an unsafe environment... Potentially this could be construed to mean that - assuming the employer made no effort to determine the site's level of danger - the employer is responsible for placing the employee in harm's way. And what a costly oversight it could be and not just in dollars. Employee mistrust of management, lowered morale, uncertainty, and all those emotions that come when one feels that they have been betrayed by a superior. Enough doom and gloom!

What are some steps that can get in front of this potential problem? First, make sure your employees know that a site could include danger. Now we all know that danger could be around the next corner, but simply reminding someone that it could be there does two things. One, it means that you, the employer, has acknowledged the problem and want your employee to be safe, and two it puts the employee on guard - even just a little - which actually makes them better able to avoid the danger. Hand-in-hand with that is to develop organizational procedures for dealing with the issue. What does an employee have to do to refuse service? If the client has immediate medical needs then how will these be met so as not to endanger them, and possibly breach the contract. This might be referring the issue to emergency services personnel (calling an ambulance), sending an extra employee, maintaining phone contact throughout the visit, or whatever is most appropriate. Having a range of choices or escalating options is very appropriate for managing risks - it also lends itself better to profitability than a one-size fits all system.

It should be a given that an interview is conducted to determine the needs of the client, but consider including questions that answer to the needs of the caregiver. Who else has a key to the residence? Who else might be present when care is provided? Are there firearms or hazardous materials in the residence? Sound silly or unnecessary? Heck these are the types of questions asked by Executive Protection (see this, and this) details when they conduct an advance. Why? To manage risks simple as that. Now you have better idea of the physical environment the caregiver will be in, and you've only added what, a warning, a set of procedures and a couple of questions to your client interview.

Next consider the human factor. Determine whether a sex offender is registered to the client site or a nearby residence (available on state and often county/city register websites). Should this preclude service? No, but it should move the risk level up a notch. Follow this with other research, like a criminal background or maybe a civil record search for battery lawsuits. How far should you go? Only so far as a crime is foreseeable. foreseeability is one factor used during civil litigation to determine and employer's liability (please discuss this more closely with your counsel). On another note, you did this to your employee so that the client would feel safe; doesn't your employee deserve the same consideration? (See this on background research)

A couple of quick notes on background research. First it's always best to get consent up front; however public records are public so consent is not needed - credit reports are a different issue. Beware of databases - that would be the extremely cheap searches that are generally advertised online (something like this; however I have no direct experience with this example). If you find the right vendor they will send a researcher into the courthouse to look for records - the right vendor does such bulk that it's still pretty inexpensive. Databases can be outdated or simply not updated frequently enough. Enough said there.

Monday, October 03, 2005

New Training Program!!!

The International Foundation for Protection Officers has just released a new training program: Crime and Loss Investigations. This isn't just for security officers either! It can be of great use to anyone responsible for managing losses.

In addition to a textbook this program also uses a few online papers as a supplement. Take a look.

I was lucky enough to have been able to get an article on intelligence operations into the training program.

But here's a really great article by a friend of mine on background investigations - he gives away practically all the secrets.

And another one on Interviewing - the lifeblood of retail loss prevention investigations.

It's a great program and something I'm proud to be part of so take a peek and see how it can be useful for you.