If I Had To Design A Parking Lot, This Is How I'd Do It

The other day, I noticed in a discussion group someone asked about designing a parking lot access control system. This got me to thinking about why security officials are often tasked with designing and deploying these systems and why they are flawed many times. Here's the response I gave.

There is no technological answer for this. This would be dependent upon METT-TC (Mission, Enemy, Terrain, Troops—Time, Civilians). The best parking plans I've seen first started by looking at the mission of the facility.

• This immediately beckons you to ask if any of the vehicles parked are or will at some point need to be mission critical. In other words, if this is a hospital, would it be prudent to have access control measures which take into account emergency vehicles? Will you have sufficient room in the lot to accomodate them and an emergency egress? I would also determine who NEEDED to be able to park in this lot. Not everyone needs to park in your lot though they may want to. This should create a decent entry authorization list wherein you can identify who will need an expedient, yet effective means of gaining access. How critical is the facility? Tech is great but sometimes having a guy at the gate is more prudent, with respect to handling visitors, LEOs/first responders without access control tags, etc.

• It is also really helpful to not interfere with the mission of your facility, when designing your access control system whether for the parking lot or anywhere else. Seriously. I can't overstate this enough. DO NOT make your system so cumbersome or strict that it impedes on the mission of those who do the work that pays you and your personnel. I have seen parking plans so restrictive that mission-essential personnel have been denied access to their facilities for things such as day-old expired vehicle tags and hours-old expired vehicle passes. Make sure your plan is flexible enough to accommodate those who need access right away but need to get their credentials in order.

• Be wary of making it susceptible to social engineering, though. I find the best way to mitigate this is through codification of your policies with exceptions allowed to accommodate those whose credentials may be lacking but can be verified. NEVER allow anyone access without verification. Ensure your access control system has authenticators, whether it be electronic or solely paper-based. However, ensure your authenticators are never discussed with anyone. I'd suggest making this a definitive terminable offense. 

• I'd also consider your threat profile. Who has an interest, as a nefarious actor, to gain entry to this lot or through this lot to your facility? How can you mitigate this, bearing in mind how they could obtain entry feasibly? Seriously. Don't plan on ninjas and SOF to make entry if that's not your threat. Plan physical measures with this in mind.

• What's the size of your lot? Has your lot grown to an extent where it requires fencing? If it does, how often do your security officers check that fence? No sense in having a fence if you're not checking it. Remember fences are a demarcation AND a detection piece of your plan. Also determine if your lot is situated with any physical obstructions wherein you can't observe who may have circumvented your parking plan. Consider CCTV or even a roving patrol to help if needed. Also, I find that if you use stickers, a few things tend to happen. One, people tend to park illegally and need to be towed. This takes up precious time and resources. And it could create confusion depending on how "creative" your sticker plan is. If you use stickers, keep it simple and wheel lock. Give each of your patrolmen a wheel locks and authority to deploy on cars illegally parked in select spots. Also address parking violations on a stakeholder basis as well. Talk to them about the potential loss in revenue should responders be delayed because of illegal parking in their reserved spots. Also describe what you're trying to accomplish and how a sound parking plan can be a force multiplier (Boss, if our plan works, I can reduce the number of patrols and increase security efficiency and efficacy by x-amount).

• Start thinking about how you want to accommodate vehicles in terms of their egress and entry. How long should it take them to leave and get in? Are there any chokepoints in the plan that can cause congestion and make for additional security heartaches?

• Finally, consider the impact your plan could have on civilian or non-business related entities such as neighbors. Will you have to consider parking off campus? Will your plan cause congestion that impacts them? Will your plan address neighbors and their parking plans? Will your plan have a demarcation for neighbors to know where your property extends?

INFOGRAPHIC: Charateristics of a Burglar

Kenya Mall Shooting - Why It Went All Wrong & What We Can Do To Be Better

Yesterday, the New York City Police Department released a report from its SHIELD initiative about the Kenya mall shooting/terrorist attack. It was a pretty damning report to say the least. Before we talk about the report, let's talk about SHIELD is and why that's important to understand in the context of this report. SHIELD is the NYPD's homegrown information-sharing component with private sector security. It provides analysis on current and future threats. I've previously read some of SHIELD's reports. Some were good and some were typical of fusion center reports - some meat and some potatoes but not a full meal. This report was driven, in part, to go over what NYPD and private security could learn about what happened in Nairobi. There was plenty.

There were some startling revelations:

1. Kenyan police were VASTLY outgunned. The report states, "The typical Uniformed Kenyan Police Officer is not as well equipped as their western counterparts, typically only carrying a long gun, most commonly an AK-47 style rifle with a folding stock, loaded with a single 30 round magazine. They do not carry handguns, wear body armor, gun belts or have portable radios to communicate." Each of the terrorist were carrying 250 rounds of 7.62 mm ammunition. Lack of body armor and radios to communicate resulted in fratricide. More on that later.
2. Responding plainclothes officers were also outgunned and had no visible identification. Remember what I said about fratricide? From the report: "Very few of any of the plainclothes law enforcement first responders displayed any visible law enforcement identification such as a badge, arm band, ID card or  a raid jacket, making identification as “friend or foe” extremely difficult for other armed first responders."
3. Realizing the police were outgunned, Kenya made the incident response a military matter. That's as bad as it sounds. The report says, "Kenyan government officials decide to transfer the handling of this incident from the police to the military. A squad of Kenya Defense Forces KDF soldiers enters the mall and shortly afterwards, in a case of mistaken identity, the troops fired on the GSU-RC Tactical Team.They kill one police officer and wounding the tactical team commander. In the ensuing confusion both the police and military personnel pull out of the mall to tend to the casualties and re-group."
4. Responding military forces used an RPG-7 as a room clearing tool. I kid you not. And the destruction was insane. "It is reported that at some point during the day the Kenya Defense Forces decided to fire a high explosive anti-tank rocket (possibly a RPG-7 or an 84mm Recoilless Rifle) as part of their operation to neutralize the terrorists in the Nakumatt Super Market.The end result of this operation was a large fire and the partial collapse of the rear rooftop parking lot and two floors within the Nakumatt Super Market into the basement parking."
5. It is possible the terrorists escaped in part because the Kenyan security forces failed to secure a perimeter. It is rather elementary for the very first thing Western police do in these scenarios is to lock down the perimeter. No one comes in or out unless they can be positively identified as a "friendly". This credentialing occurs by checking IDs and only first admitting law enforcement and first responders to exit upon verification.
6. The mall employed unarmed officers who performed unsatisfactory "wand searches". This is irritating to say the least. Why? Unarmed officers are appropriate for certain environments and are the way to go in most environments. However, in high value targets, such as mass gathering locations in places like Kenya, I would have used an armed component. Armed officers are not only armed but can be equipped with radios and are usually uniformed. This makes identifying them for law enforcement somewhat easier. Also, armed officers can do things unarmed officers can't due to safety concerns such as locking down perimeters and evacuating victims.
7. Wand searches are weak. I dislike them with a passion. Why? Officers get tricked into believing a search was "good" because the wand didn't annunciate. This is all kinds of bad. A search should be thorough in high value targets. If you're going to employ officers and have them search, have them be thorough and do it without a wand. I would use the wand only in environments where I had other search mitigators in place such as backscatters or X-ray search devices.

So what does this attack teach us in the West?

1. The desire of terrorist groups to attack mass gathering locations is still very alive.
2. Places like malls should consider Kenya to be a warning. If you're in mall security, I highly suggest going over your active shooter plan and rehearsing it on a fairly regular basis with local police departments and simulated shooters. In these exercise, test not just your ability to minimize casualties but to also test your security apparatus under stress. This is best accomplished by "killing" responders, taking hostages, attempting escape, and causing confusion among responders. Get your people used to chaos in these scenarios.
3. Never do wand searches at high value targets and test your people regularly. I've gone over why I think wand searches are bad. So let's examine why you should test and train your searchers regularly. Searching is one of the most important yet often neglected security components. We usually pick rookies and the "lowest common denominator" to do this function because it's "easy". Doing good and thorough searches that you can go to sleep easy with at night are not easy. Searchers should be trained on subject "tells", physical characteristics of forbidden items by touch, sound, smell, and sight, the tools they can use to do searches better, etc. They should also be regularly "red-teamed" which is to say you should have a non-attributable person walk through security and see what they can get through. When they're done, they should report to management their findings.
   
   Here's a video I did on how I would search bags:
   
   
4. CCTV and analytics are EXTREMELY important to an active shooter scenario. There are several takeaways from what we learned about CCTV and the lack of analytics in Nairobi. First, CCTV coverage was spotty in some areas. Also, the CCTV coverage was easily identified and avoided by the terrorists. We also know while they had remote viewing capability, it was five miles away and more than likely not cross-fed into the police. While a CCTV monitor can't identify every threat, video analytics can alert them to suspicious activity. At the very least, consider it an option.
5. Garages and parking lots should be regularly patrolled. While there was a guard posted at the entrance of the garage, had a response element been closer by, they could have locked the exterior doors to the mall.
6. Train your employees on how to sound the alarm and IMMEDIATELY lock down their storefronts and secure customers. I would consider including them as a part of your active shooter training as well. Make that mandatory training for all storefront management and their trusted employees. I would include it in a leasing agreement if I had to.
7. Have a HIGHLY accessible public address system to sound the alarm.
8. Train local non-law enforcement responders on the need to "shoot, move, and communicate". Seriously, I can't stress this enough. There is a huge debate in the US surrounding concealed carry permit holders as responders. I'm okay with them responding, though I prefer they receive some training on  the need to identify themselves to law enforcement prior to responding via a phone call if time and circumstance permit.
9. Equip every security person and law enforcement officer with a radio.  If you want to avoid wasting your time clearing rooms that have already been cleared or fratricide, then you HAVE TO equip your responders with radios and share your frequencies with them.
10. Train your personnel on reporting formats like SALUTE. We've covered this before so I won't bore you with the details.
11. Train your security management personnel on casualty collection points, IED mitigation, cordons, perimeter searches, and periodic vulnerability assessments. These things can't be overstated in training. Trust me. You'll thank me for this later.

Lessons Learned By a Security Blogger Whose Office Had Been Burglarized

My office at 9:00 AM. I arrived to hear my office had been broken into over Super Bowl weekend.

There is a certain amount of irony one must acknowledge when his own office has been burglarized soon after posting articles talking about burglaries. Some would call it foreshadowing. I'll call it a great streak of luck. What? Yup. Good luck. Why? Mostly because of the lessons I learned. This wasn't my home office. It was the office where I work. Many times we prepare ourselves for the eventuality of being burglarized at home, but seldom do we think of our work. With that, we'll inherently learn lessons about issues we never considered.  So what did I learn?

1. You need an inventory of all the equipment they issued you at work. This inventory will be much like the inventory for your home but this should also encompass day when you were issued the equipment, number of items, serial numbers, and office responsible for accounting for the gear. Go through this list when you look for missing items.
2. Keep an inventory of personal belongings. Let me be clear: "Personal does not mean your lunch bowl". I'm talking about sentimental and expensive items like your iPad, laptop, DVD player, etc. See the lesson from above to consider what to annotate. You may want to keep this list at home or online. 
3. People will undoubtedly start to go crazy. Most people have never been the victim of a crime, so they often experience shock, sadness, and anger about being a victim. It happens and you could feel the same way. When you feel these emotions, remember people rob businesses and government agencies all the time. Sometimes, there is little you can do to prevent it except pay attention to what countermeasures failed you and which things worked. Then get to work and fix what's broken.
4. People will be tempted to play detective. Listen, it's great that you watched all of Perry Mason and Law and Order. However, you probably won't be able to solve this caper. Becoming distracted with how and why you were victimized, keeps you away from fixing what's broke with your security measures. Remember, the best thing you can do is give law enforcement exactly what they need (any video, scene protection, etc.) and think about what went wrong (did someone not lock a door, did someone not set the alarm, is this an inside job).
5. Protect the crime scene. The first thing people want to do when they hear they've been burglarized is find out what was taken. Sounds great. So you let them walk around and look inside drawers, open filing cabinets,turn on computers, etc.. You see no problem with this. Do me a favor - STOP your coworkers from entering the crime scene until law enforcement says they can. It'll impede operations but save the cops a lot of time in processing the scene.
6. Have a procedure in place. We have mechanisms for setting alarms and responding to false calls but no one ever has a procedure for an actual break-in. It's really simple. Write it out. Who needs to be notified? Who needs to know what? When do you need to call? Where should co-workers report for work? What's the impact on operations if the cops need inside? Who should have alarm codes? Who has a master key? What are your lost key procedures? Where are the list of emergency contacts for employees? The list could go infinitely. You get the idea, though. Make it simple, yet comprehensive.
7. Never assume it was anyone's fault other than the burglars? Seriously, don't be stupid and start blaming people for not setting the alarm. People forget things. The alarm code could be one thing. Let it go and work on who should be able to open and close your office. Opening and closing is a big responsibility. Ensure you're entrusting the code to someone who can deal with this added duty. Ensure the people you authorize are the only people allowed 24 hour access. Trust me. You'll thank me later.
8. After the burglary is not the best time to learn your security system sucks. Be intimately familiar with your system and monitoring station protocols. Don't assume anything with a monitoring station. Their procedures for validating the current security status of your facility could be incompatible to your facility. If your monitoring station calls the second floor about the security status of the third floor for which they have no discernible access, then this could very well be counterproductive.
9. If you share an office building with several other tenants, find out what the existing procedures are for lobby security after-hours. You may want to know why they leave the lobby unlocked during the weekend when no one is there. Just saying.
10. Cameras are WORTHLESS if you don't have someone monitoring them. The American population is in the neighborhood of 300 MILLION people give or take. You can catch these guys on tape and get them put in jail if the cops get them. Go ahead - pat yourself on the back. You did a great deed. Ask your security company what it costs to monitor your cameras. Now you have a 24 hour surveillance system that can track and notify authorities of a threat. If not, then you're giving cops video so they can maybe arrest the perpetrator who will more than likely sell what he took. Don't get me wrong - I LOVE cameras. But I HATE when people claim they "feel safer" because of the new cameras they got put in AFTER a burglary. 
11. Your window adjacent the door will get smashed. Remember what I said about concentrating on fixing crappy security measures? Get that fixed.

That's it for now. I would love to hear your war stories about being burglarized. Please post some of the comment section below.

INFOGRAPHIC: 5 of the World's Most Secure Vaults & Bunkers

Prison Contraband: Vanguard by Current

Contributor Janet Choi goes inside a California state prison to investigate contraband smuggled inside the cells, and how cellphones are the new security threat. Watch Vanguard on Current TV Mondays at 9pm/8c. VIEW more Vanguard & SUBSCRIBE to the YouTube Playlist here... http://www.youtube.com/view_play_list?p=99EA424C68B5EB55

Inside Chicago School's Extensive Security Measures by ABCNews

As more Newtown shooting victims are laid to rest, we take a look at how one school protects itself.

Video: The History of Access Control

The history or evolution of access control is congruent with the history of security.  Some would argue that it is the cornerstone of what we think of as being "secure". We have tailored a many of our defenses and detection apparatus towards our entryways first because that's where we feel the threat is more likely to attack us from there.  In most cases this is true.  That being said, there has been an almost comedic approach to how we should conduct access control using technology as an aid.  It seems like security technology researchers work overtime just to find parts on our body to determine where we're most unique to qualify as an "identifier".

This video is an ode to such approaches.  While modern access control technology is effective in certain applications, this video demonstrates how we've gone from being okay with being "secure" to needing to be "mega-secure".  It was made by Peter Lanaris of Lido Distributors, a supplier of HID products, access control accessories and ID badging supplies.

The Power of Sound In Security

 

So, I don't have my hover-board nor my flying car. However, we have seen numerous technological feats within the security industry. Whether it be BRS Labs' use of artificial intelligence to "learn" and detect human behavior via CCTV feeds or the ever-changing world of biometrics, we have witnessed some very interesting and promising tech tools for the industry. Some of them we have featured here at The Security Dialogue.  The other day I came across the Twitter feed for Audio Analytics, a UK-based company which has developed a new dimension to the electronic security world.

Being the curious soul that I am, I contacted Audio Analytics about an interview to learn more about their products.  I spoke with Dr. Christopher Mitchell (PhD), Audio Analytics's CEO and Founder.  Going over his LinkedIn profile and other information I gathered from the Internet, I was drawn to Dr. Mitchell's extensive knowledge of sound information and signal processing.  He's received training at Harvard and a NCGE Fellow.  I digress.

Using audio in security applications is nothing new. Sonitrol was the first and remains the only company using audio as part of its monitoring service. So I asked what was the difference between what we've seen traditionally done with sound in our industry.  Dr. Mitchell replied, "Where Audio Analytic differs is that it does not capture a sound and then trigger an alarm at a monitoring station based on audio level for a human to interpret." Audio Analytic analyses the sound looking for specific sound pattern that can be used to raise an alert into an existing piece of security equipment such as a IP camera or VMS. The sound is looked at as data rather than as a recording or real-time stream of sound.

What surprised me about was the breadth of sound the software can detect.  Dr. Mitchell said it currently looks for sound in four categories - glass breaks, signs of aggression, car alarms, and gun shots. As you can imagine, glass breaks, gun shots, and car alarms didn't trigger as much interest as "aggression".  We've seen glass breaks and gun shot detection in various forms.  In law enforcement, ShotSpotter has become the latest in a growing use of sound analysis technologies.  When asked how they detect for "aggression", Dr. Mitchell stated they look for changes in pitch mostly and sounds attributed to aggressive behavior. Applications where you might see this deployed are lone workers, hospitals, convenience stores, and other places where any sign of aggressive behavior would need to be detected and mitigated as soon as possible.

Speaking of deployments, given the vast array of sounds Audio Analytic could possibly detect with applicable algorithms, it is not surprising to imagine the customers and applications extend far beyond the traditional security realm.  When pressed about this, Dr. Mitchell was quick to inform me they had been contacted by various entities who also recognize its potential and whose specific requests could not be discussed.

Knowing many of our customers are particularly liability conscious, I also inquired as to its implications to privacy. Mr. Mitchell explained the software "analyzes the sound as bits of data".  Therefore, there is not the ability within their software to "hear" the data being analyzed.  That capability would need to be addressed by a secondary piece of software or hardware.

Like all analytics, this is purely software that would need to be integrated with existing hardware designed to capture both sound and video. A company who has already integrated many of Audio Analytics' features is Next Level Security Systems an integrator offering a full suite of security services. NLSS' Gateway Security Platform provides "Audio Analytic with Glass Break Analytic and optional Gunshot, Aggression and Car Alarm packages", among a slew of other features. 

Overall, I am quite impressed with what I see being developed in analytics and Audio Analytic's software is no exception.  I can only imagine its applications and deployments as it continues to develop.  One of the greatest problems we face in security are false alarms.  Audio Analytic has the ability look deeper into the environments we protect and aid us in determining more accurately the difference between the benign and an actual threat.  Dr. Mitchell said it best, "In the security world, we have affection for silent movies".  Perhaps it's time we move on.  As I stated before with BRS Labs, I have seen the future and it's now.

Government Insecurity: How Many Attack Vectors Do You See?

How many attack vectors do you see on this door? Not surprising, this door is an exterior door outside a government building which does a lot of cash transactions in a high crime area with minimal natural observers and limited lighting. In addition, there were zero cameras. I was able to stand by the door and watch loads of people use this door with the code for entry.  There were several wedge marks on the frame.  Through the window on the door, you can see the cash registers and other sensitive equipment.  What else do you see?

Turkish Airport Security Caught Playing FPS Game On-Duty

First person shooter games are all the rage now and have clearly defined a new era of gaming.  However, as this picture below from Istanbul demonstrates, there is a time and place for everything.  Perhaps, playing Call of Duty, while on-duty as an airport security officer in a major international airport, is neither the time or the place.

(Captured from reddit.com user 26985's post on 1/2/2012)

Pwned: Russian Rocket-maker Guards Caught Sleeping on the Job

Guard management is perhaps the most important entity in any security infrastructure.  If your on-site security personnel are led properly, they are more vigilant and duty-focused.  However, should your guard supervisors fail to properly lead and conduct regular checks on their personnel, inevitably you will find out just how important knowing the difference between leadership and supervision is.

In Russia, Energomash, the rocket manufacturer of the Soyuz capsules, learned this lesson when fellow bloggers  Lana Sator entered their manufacturing plant while guards were sleeping on duty.  As a former supervisor of security personnel, I can attest there is nothing like having a facility penetrated because your responders were asleep.  To make matters worse, Lana and several of her friends made five visits and each time the guards were asleep.  They gained access to several critical manufacturing sections and posted their exploits online.  As you can imagine, Russian defense and space bureaucrats were not happy and are looking at steep punishments for guards and I'm sure, managers.

Here are some pictures from Lana's blog:

The Russians aren't alone.  In 2009, guards from one of the largest guard companies in the world, Wackenhut, were caught dozing off at a nuclear facility.  Check out the video below:

Top 10 MORE Questions To Ask Your Prospective Alarm Company

Not too long ago, fresh out the military, I was an alarm system salesman.  It was a wonderful learning experience that taught me many things.  One of those lessons was "All security companies are not created equal."  People assume, like they do with all major purchases, the most popular or cheaper brand is in fact the better brand.  The majority of the time they learn this is not case.  So, I decided to post some questions for prospective customers to ask when they begin their search for a security company.  (Please note this doesn't just apply to alarm systems.  You can apply these questions to camera systems, access control, locks, etc.)

1. What areas will this alarm system not cover?  There is an implied belief among some customers that an alarm system protects their entire property.  Have you ever considered what would happen if someone broke into your neighbor's store and punched a hole in the drywall you share?  Do you have a sensor that will pick up the noise or vibration?  Chances are you don't.  The problem with modern security systems is they advertise exactly where you have coverage and where you don't.  Don't believe me?  Walk into a small storefront and notice how many infrared sensors you set off.
2. What's your apprehension rate in my area?  This is particularly important if you're in an area where burglaries happen a lot.  If someone breaks into nearby businesses who use the popular name brand security service without getting caught, should you be buying from them?
3. What's your response time to service issues?  What happens if some drunk rams his car into a nearby power pole and kills your alarm system?  Does your system have battery backup until service is restored?  If not, how soon can your company arrive to remedy the issue?
4. How much do you charge per service calls?  Some companies make a living by selling a crappy installation and billing you every time it breaks and they have to come out and fix it.  You want a company with a good reputation for service and who makes house calls on the cheap.
5. Can I cancel at anytime?  One of my first sales lead I had was a lady who was opening up a small Internet cafe.  She knew she had a need for the system but was concerned about our price and contract obligation.  The economy was rough and she, like many small business owners, didn't know if she would be in business for 5 days let alone 5 years.  Pick a company who is sympathetic to that.
6. Are you developing original product lines or selling me something made by the lowest bidder?  I can't tell you how many companies I see selling all sorts of "new groundbreaking technologies" that were developed by a previous competitor just marketed differently.  If they'll lie about the product's origins, they'll lie about anything.
7. Can I manage my account all in one place online?  Some of you aren't real tech savvy nor like to handle business online.  I totally understand that and encourage you to do what's comfortable for you.  However, if you like doing everything online as much as possible, inquire if they offer online account management.  If you're responsible for a large system and want to track multiple alarms or trouble alerts, it would be extremely helpful to have this capability.
8. What kind of redundancy do you have for your alarm centers?  Do they transfer alarm monitoring to another facility if the original is affected by natural disaster?  Wouldn't it be a shame if where your building is at there are sunny skies, but the alarm center which is another state several thousand miles away was hit by a blizzard with no power for weeks?  What happens to your alarms?
9. How much familiarization do your sales personnel get with the product?  Wouldn't you hate being sold a car the car dealer never drove?  How can someone tell you about the quality of their installation and service components if they've never seen them in action?  I would be highly impressed by any company who had new sales personnel going out on these calls with their experienced technicians.
10. What separates you from everyone else?  Most salesmen will attempt to answer this but usually fail.  Why?  Because they're focused on what their company told them makes them different.  If he or she gives you an honest answer such as "We charge a higher price", he's good to go because he'll follow up with "You get what you pay for in life.  If you want a free root canal, I could give it to you but you won't sleep easy.  We charge more because we're worth more.  We provide better service, a better product that we developed, and a commitment to protecting your business rain or shine.  It took you a while to build this business.  We want to ensure you have a while to enjoy it."