Showing posts with label Physical Security. Show all posts

Saturday, August 24, 2019

OPINION: Isn't It About Time Security Gets Its Own Crowd Mitigation Laws?


If I were the seriously academic type, I'm quite certain there would be a white paper I could write on how many lives the fire service saves by having cities empower the fire marshal to enforce fire codes. Seriously, when you sit back and examine the impact fire codes have had in either showing how dangerous crowds can be and how mitigating their growth in dense packs reduces casualties in fire events, it's truly amazing how well they work in both regards. If people die in a crowded nightclub because of a fire, no one writes a think-piece on what drove the fire or the firestarter. No one even contemplates if we need stricter anti-fire laws. Nope. Within a few seconds of reading there was a fire at a crowded nightclub, we automatically deduce a large amount of the carnage was because the club was too densely packed. What if after every active shooter incident we did the same?

Imagine a set of laws structured around mitigating mass casualties during active shooter events in target-rich environments. At the heart of how we effectively deal with these incidents is how we deal with the crowds. You've heard me say this before but I believe the largest contributor to target selection and engagement is the crowd. With security, there's a misguided public perception businesses will act in the best interests of life safety and business owners and operators will take threat mitigation seriously. For those of us in security, we know this is a daily battle - one in which we suffer countless deaths for. In a world where businesses are rewarded by showcasing demand and not minimizing their risk caused by demand, motivation to encourage, grow, and develop further crowds often outweighs those associated risks. What we require is a set of codes which the authorities can enforce to make those risks unacceptable without effective mitigation.

What would my proposed "codes" look like? As is said in the military, it's all METT-TC or "situation-dependent". That said, here's a very rough idea of what I envision:
  • Utilize the same formula and science the fire service uses in determining acceptable crowd sizes in densely packed areas. This encompasses looking at egress points, potential points of origin, probable incident path, time to egress, and potential secondary hazards.
  • Make it mandatory businesses have a minimum number of egress points solely for active shooters. The egress points should be fully expansive and allow for fluidity in crowd movement. There should be more than one way out of an area.
  • Ensure employees have a means of ensuring those egress points remain available and unencumbered.
  • Fire exits can be utilized for egress but should not be the sole means. Fire and security/LE will likely have different concerns about crowds and their movements.
  • Egress should be marked and illuminated. Egress from fire emergency exits should also be alarmed and annunciate at a fire and police dispatch center.
  • Every venue where crowds are a consideration and are likely targets of active shooters should have "blue boxes" which would contain a button like fire call boxes. These boxes would sound an immediate alarm with a "tactical response required" notification to the local police.
  • Schools and daycare centers should rehearse mandatory crowd mitigation drills. School event planners should attend a mandatory crowd mitigation course which addresses basic event security guidelines to be implemented. Failure to follow the guidelines should be considered violations of the law. Exceptions can be addressed through an SRO and approved by a department chief.
  • All on-duty security personnel should attend a mandatory course on behavior detection and tactical response. Failure to pass the initial and follow-up training should result in a mandatory suspension of their security license. Posting unlicensed and untrained personnel should be considered a violation of law.
  • Stadiums and large scale event security should be required to do annual mass casualty event drills. Active shooters should be addressed in those scenarios.
  • Businesses must have a crowd mitigation plan filed with their local police department.
  • No-notice inspections by the police should be done semi-annually. Inspection failures should be considered for a mandatory 30-day operations suspension, depending on the nature of violation. Serious violations should constitute permanent operations termination.
I know. I know. Too harsh? Perhaps, but I think this is the shot in the butt we all need as practitioners and business owners. These events happen in places we're supposed to be protecting. Yet, everyone pretends like they won't see these incidents, despite evidence which says we don't have a clue as to when, where, or even how they could occur. What I'm asking for takes minimal effort and is ever-evolving as the threat also changes. That's what makes it such a great idea, to be quite honest.

Saturday, August 18, 2018

The Tale of a Very Bad Gun Safe

So this is terrible. Like super duper bad. I LOVE me some Harbor Freight but this gun safe sucks.

This dude hits the lock so many ways that it seems unfair. Seriously. It's a very bad gun safe.
  1. You can do it without leaving any discernible forensic trace. Tool marks might be found on the interior and maybe some small nicks on the front. That's if you're sloppy.
  2. The entire security of the safe rests in the PIN code and a reset button. Both of which are easily bypassed.
  3. The front door of the safe has a gap large enough to allow any thin tool access to the reset button and the release.
  4. The top peels off and exposes a hole for access to the interior.
  5. There are holes along the sides which allow access to the reset button.
Thankfully, it's been recalled by Harbor Freight. It's bad. Have a watch. (h/t @DeviantOllam)

Deviant Ollam Is Thinking About Doing A Smartphone App

Update: It looks like a Twitter user brought up Haven, The Guardian Project's physical security app developed by Edward Snowden.

Welp, it looks like @DeviantOllam, the physical security penetration tester and trainer, is looking to do a hotel room security app. If he can check off all the boxes and can provide some more features, I'd be all in.
What would I be looking for in a physical security smartphone app?

  1. Various ways to notify users of an event. Push alerts to my other devices would be great, as well as home AI integration with Alexa or Google Home.
  2. Motion sensor sensitivity and detection range settings that are user-friendly. Other apps do this but they don't walk you through these settings.
  3. The ability to choose between cloud storage or phone storage.
  4. The ability to use a tilt sensor for drawer openings.
  5. Noise detection.
  6. Customized annunciation. I like customized audio messages for various intrusion-related alerts.
  7. Integration with a door stop physical device. When bumped by a door, it would set off an alert. Great for closets in hotels.
  8. The use of your phone's flash as a strobe when an intrusion has been detected.
  9. Using a combination of alerts to determine the nature of your alert. I may want to know if the maid came into my room but I'd really be interested to know if they entered that closet I placed the door stop at.
  10. Remote SMS alarm disarm.
What would you want to see?

Thursday, December 8, 2016

VIDEO: DEFCON 19 - Safe to Armed in Seconds: A Study of Epic Fails of Popular Gun Safes


Before you watch this video, let me clarify a few things:
  1. I TOTALLY support the right to bear and keep arms. Period. Full stop.
  2. The term "gun safe" is a HUGE play on words. Most of these "safes" aren't safes at all and are solely designed and engineered to keep a weapon secure from inadvertent breach by children or other curious individuals while remaining readily accessible. They offer little in the way of any of the protection safes tend to provide.
  3. I fully expect you to comply with laws in your jurisdiction. Don't mess this up. Follow the rules. Just understand what the "gun safe" is there for and deploy them with that in mind.
  4. Consider other mitigation strategies to go along with the safe. There are a few products on the market. Personally, this is one of my favorites.
This presentation took place during DEFCON 19. Deviant gave an awesome talk. It's great to see the perspective of a gun owner who happens to know a ton about physical security when discussing these devices.

OMG. I TOTES WANT THIS LOCK!!!


Yeah. I know. Me too. I TOTALLY want one of these. If you want more information on how you can get one, then you should probably click here and sign up to be on their mailing list.

https://www.bowleylockcompany.com/

Also, here's a video of the lock's mechanics in animation. Yeah. It's pretty freaking awesome. I'd like to mention this lock gives me hope. As a non-fan of the consumer lock industry, this lock is a VERY development for the sector. Unpickable. Unbumpable. That said, you should probably look at other door strengthening techniques just in case your adversary doesn't bring a pick or have a key bump but has a good size boot and a decent pair of thighs.

Wednesday, November 30, 2016

Video: The Search For the Perfect Door - Deviant Ollam

If there's just one video you watch today, you should watch this one. Deviant Ollam, a physical security penetration tester was at ShakaCon, an information security conference talking about how to pick the perfect door. I won't spoil the video but he covers way more than just doors. It's both insightful and illuminating. Well worth a view.

Friday, June 12, 2015

OPINION: Why Security Is Killing Risk Management


   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
 
   As a professional who is on social media quite a bit, I have witnessed firsthand the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners wherein we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct to provide us with the assurance that we’ve done everything possible to keep us safe from various threats. Humans are very fearful of their demise and naturally, see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and providing what we assume are adequate protection measures. This, as we all know, is often based on untested data and the myth wherein victims can think in much the same way as their assailants.
 
   Protection is what we do proactively to detect, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption they can prevent attacks. Everything they do is with respect to the attack happening. This is what makes them very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often done with the mindset victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims can have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the target’s inadequate mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t always catch. For example, I’ve seen people react to discovering a vulnerability as being one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing there are areas a potential bad guy can exploit to enable their attack to be quite insightful. Sure, we like to catch these vulnerabilities before an attack but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct kinetic operations against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come and you should be prepared long before they do. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. He will find a way in, inevitably, that you will miss. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps, two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet-peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very few times, do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail based on how possible something is rather than its probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between a high probability of attacks happening always and the needs of the end-users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking non-patched Department of Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information and compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet, neither OPM nor the Department of Interior bothered to patch the servers or encrypt their data. They, presumably, thought the threat of attack was minimal and did not require adequate mitigation. Imagine the likelihood of uproar had they just simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.

Tuesday, November 25, 2014

Riots: The Physical Security Considerations


LONDON, ENGLAND – AUGUST 08: A rioter throws a rock at riot police in Clarence Road in Hackney on August 8, 2011 in London, England. (Photo by Dan Istitene/Getty Images)

Last night, riots erupted all over Ferguson, MO after the grand jury announced they would be declining to indict Darren Wilson, the police officer who shot and killed Michael Brown. This post is NOT about that decision or the investigation itself. My opinions on that will remain out of the public sphere. However, I would like to discuss the unique physical security considerations mass protests and riots present for security practitioners. I’d like to discuss what those challenges are and how we can counter the physical attacks against assets during these events.
  1. Protests are extremely dynamic and what looks peaceful five minutes from now could be a full-blown riot the next. People assume they can do a lot of things they simply can’t. Predicting the actions of hundreds of people and whether they view your assets as a legitimate target is one of them. This is almost impossible to do. So don’t. Just err on the side of caution and just assume your assets are.
    Social media and the news can lull practitioners into believing the intelligence they’re receiving about the threat is accurate. In many cases, it can be. However, you should never use anyone else other than yourself to determine how a crowd will behave and view your assets.
  2. Agitators carry an assortment of tools to target your assets. Just because you’re seeing rocks and water bottles being thrown now does not mean you’ll only see that as a weapon against your assets. They may use chainsaws, bats, pipes, bricks, Molotov cocktails, guns, etc. against you and your assets. Consider the full gamut of tools they will have access to, factor in the time they have had to pre-stage gear, and experience. Make sure your preparations are comparable for probable threats.
  3. The people protesting aren’t always your biggest threats – they can also be your savior. In many cases, as we saw in August and last night, bystanders and peaceful protesters stood up to defend local businesses in Ferguson. Most of those storefronts were businesses who had made in-roads with protesters beforehand. Also, the peaceful protesters realized their protest was being hijacked by anarchists and thus, losing the narrative. Because of this, many protesters actively protected storefronts. You should make every effort to reach out to protesters beforehand. In some cases, I would consider offering a reward for any protester caught defending your assets.
  4. Some storefronts are targeted not because of who they are but for what they have inside. Last night, I advised any pawnshop owner to remove all weapons from their locations. Why? Because most physical security measures used to defeat thieves are usually meant for one or two persons attempting the threat and reliable police response. As last night proved, the police will be too busy with other responses to ensure adequate protection to those stores. If you can’t move the guns, then remove their firing pins and ammunition immediately. If you have some clue that rioting could occur, you owe it to yourself and the community you service to at least remove the weapons or firing pins until you know for sure the threat is gone.
  5. Consider how we’re trained as professionals to protect assets in your riot contingency. We detect, deter, delay, and if necessary, stop the threat. Do the measures you’re implementing do that? Can they do that with a crowd amassing at your facility? If not, can you afford the risk of failure?
Here are some measures you should think about implementing, in my opinion:
  • Remove any weapons or explosive materials from stores.
  • Shut down gas station pumps.
  • Consider constructing steel shutters or a roll cage around your storefront. The shutters and roll cage should be secured with a heavy-duty lock with a buried shackle to prevent cutting it or using a shim to pick it.
  • Install heavy-duty glass or board windows from the inside and outside.
  • Remove cars from parking lots to other secure areas. If this is not possible, consider erecting a larger fence where the top is bent facing towards the adversary. This configuration is used in prisons to prevent scaling which is difficult to do for most people. A ladder is required in most cases. Also, remove those assets closest to the fence.
  • Conduct counter-surveillance daily before the protest is said to occur. Be on the lookout for any suspicious behavior. Have you noticed new people around your stores you haven’t seen before? How much loitering occurs and is any of it out of the ordinary? Are people asking strange questions about when you typically shutdown for the day or when do you “really lock the doors”? Have your loss prevention guys noticed any increased observance of camera locations?
  • Barriers. Use them. I can’t say this enough. When I was a young Airman, barriers were a part of my everyday life. We used them a lot for increased threat mitigation, civil disturbance, crowd control, and even presidential visits. My preference is for the plastic jersey barriers to be filled with water or sand. Water should be used in winter because it’s more likely to freeze than leak, unlike in summer where it tends to do so a lot. Jersey barriers, when not filled, are highly mobile and allow the practitioner flexibility in how, when, and where they can be deployed. In many cases, a pick-up and a few able-bodied people are all you need to move them, where concrete and sandbags require forklifts and more bodies.
  • Fences. Put them up. You should make every effort to ensure protesters will have to struggle to get to your assets. The cheapest and best way to do that is through proper fencing. You should install a fence typically around 10 to 15 feet and weigh whether or not your insurance can handle barbed wire. Another consideration, if you’re using barbed wire, is aesthetics. Can you do business with the barbed wire on the fence? Some customers respond differently to that.
  • Consider guards if you have no other choice. Seriously, don’t hire guards if you don’t need to. Security officers are great at what they do. If the target of the protests is law enforcement, who do you think the rioters will look at as a potential target? Those stores with guards in uniform. Not saying you shouldn’t use guards but understand their risk and that they don’t always lower your threat profile.
  • Don’t get political. Seriously, if you have a Twitter profile for your store and you’re talking about how you hate the protesters all the time, you’re making yourself a larger target. That’s what we call “begging for a fight”. Stop. Instead, talk about how many people in the community you employ, how long you’ve been there, and how the damage impacts you and other businesses. Stay away from any discussions about what is being protested.
My list here is not all-inclusive. I am sure there are other ideas. Please, submit your ideas below so we can continue the discussion.

Tuesday, October 7, 2014

OPINION: The Fine Art of Failing vs Mitigating in Security

Last week, I wrote a post regarding “security myths”. In that post, I was hesitant to be overly critical of the United States Secret Service’s response to recent intrusions. In the days following my article, there have been very illuminating leaks regarding exactly what happened that day. One revelation was the intruder actually made his way inside the White House. Before the leaks, I stated that whatever the After Action Reports revealed, the entire incident was not a mission failure. I stand by that conclusion for a few of the reasons outlined below:
1. Mitigation is the goal of any security program. The idea that we, in security, prevent bad things from happening is a huge myth. You can lock your doors and windows to thwart bad guys but the only people who make the final determination whether the bad guys continue are the bad guys. We mistakenly believe security is a physical entity we can see, when in fact, it is a psychological construct designed to enable us to move on from our fears to do other important things vital to survival. What we seek is protection which is only achieved by mitigation. Mitigation is what we do to reduce the potential harm inflicted on us if the adversary should show up. So the lock does not prevent crimes but its presence gives us some sense of security, while it also mitigates potential threats that may come via the doors.

Prevention is perhaps the one thing we don’t control but assume we should. In the case of the Secret Service, yes, there were lapses in security. Uniformed personnel were obviously not able to sufficiently cover the grounds of the White House. They could have done more to secure the doors and should have posted someone able to engage a threat coming for the North Portico doors. Someone at Secret Service did on multiple occasions succumb to allowing convenience to overrule the imperatives of adequate mitigation. The White House staff and the United States Secret Service did fall for the psychological trap of security, instead of following a plan that guaranteed mitigation.

Feeling safe is not the same as being safe. That being said, various mitigation tools did work like the successful evacuation of the press and staff who were in danger. Also, an off-duty agent was successful in aiding in the apprehension of the subject. It’s important to note the Secret Service’s mission is to protect the President and Vice President as well as all principals designated by law. In short, with no loss of life, this mission was accomplished solely because other mitigation tools had a chance to do what they were designed to do. It was a mess and it certainly does not reflect well on the Secret Service.

2. Prevention as a security goal and task is unrealistic. An old adage I remember from my days in the Air Force is “the enemy gets a vote”. No matter how good your plan is or how great your mitigation tools and techniques are, nothing you do will prevent the enemy from doing anything except killing him. Detention is, at best, only guaranteed to delay their actions. In fact, the only reason I believe the saying “Only you can prevent forest fires” is because I always thought Smokey the Bear was talking to potential perpetrators of forest fires and not victims. So why do we insist on believing prevention is realistic, if we’re solely addressing victims? What most people want are more effective mitigation tools but assume the semantics mean the same when they don’t.

3. Every security organization is bound by the use of force continuum. Some argue the Secret Service should have killed the subject immediately. Many of these people ignore Graham v. Connor which dictates the level of force an officer can use against any subject. That standard is called the “objective reasonableness standard”. This comes from the idea an officer can use whatever force is necessary to stop any threat as long as that force is comparable to what a reasonable officer would deploy in similar circumstances. Would a reasonable officer shoot a potentially unarmed man just because he committed a trespass violation? Imagine the precedent we could set by implying under certain circumstances it is reasonable to kill someone for seemingly minor offenses. Does a simple trespass have the potential to be more at the White House? Oh, for sure. Until a person displays a lethal “intent, opportunity, and capability” against another, we are bound to use the force a reasonable officer would to stop the threat. Otherwise, we stand the chance of the White House becoming a favorite spot for those looking to die via “suicide by cop” or placing the White House and its security at the center of a potential tragedy. If these statements make you upset, then I implore you to read what I said again. I never said deadly force was not authorized. It is. Deadly force can be used as soon as the threat meets those three criteria I established prior.

4. Like it or not, the White House is a tourist attraction and that complicates things greatly. Did you know the White House receives millions of visitors annually? This accounts for those who merely gaze through the fence and those who come to take a tour. In partnership with the Park Service, the United States Secret Service is tasked with protecting the White House in spite of the enormous opportunity various threats have to carry out an attack either against the throng of tourists or the President. In most executive protection assignments, the principal’s address is a matter of neither public record nor access. The Secret Service is in the unenviable position of protecting the President in a vastly different environment. Measures we’d like to see taken in one regard (i.e. fortifications) which help mitigate the visibility of the grounds and the principals are often not what the public envisions when they come to see their “house”.

5. In some executive protection circles, if not most, there is a delicate balance between protection and convenience. Most people who have never worked an executive protection detail don’t get how often the people protecting dignitaries are overridden when it comes to matters of convenience. I have known many personal protection officers who have complained they have been told to “stay with the car” when a VIP goes some place where his protection detail has no visibility.

With the White House incident, we learned a key mitigation tool was rendered ineffective because the White House Usher’s Office decided the intrusion notification system was too loud and needed to be turned off. In a world where one sees protection and is lulled into feeling “safe”, this is an easy mistake to make. It never costs you in the short-term. It won’t hurt today but you can bet when the adversary shows up, you’ll wish you had that mitigation tool in place. Is this a fault of the Secret Service? Sure, in some ways. They could have pressed the issue and said “no”. They, not the Usher, are legally mandated to protect the President. If that tool aids them in doing so, then the tool stays. Period. Is there a culture in the Secret Service that enables this? I don’t know. What I can tell you is there is a culture in DC and the White House that does. Hopefully, the hearings which are going on will further highlight the need to silence the parts of that culture that negate sound protection practices.

6. Finally, stuff just happens. During my 14 years in this industry, I spent 10 in the service of the United States Air Force in military law enforcement and security. My first few years were spent as a young Airman performing what is commonly termed “gate guard” duties. I stood at the main gate of our installation controlling entry and exit. I was also responsible for issuing countless visitor passes. I was really good at my job. So good that I was winning awards and accolades above my peers. However, on one fateful day, I encountered something no one expected.

A female Technical Sergeant and her male guest came to the visitors’ center looking to get a visitor pass. All that was required at the time was a military ID card from her and a government issued ID from him. I checked his ID which was a passport and noted all of the details had matched. Our conversation was good and I detected nothing extremely peculiar. Actually, I did note something but I was stationed in Idaho so it was not a big deal at the time. Her guest asked if he could bring his personal weapon on the base. I told him he could not and asked if he had the weapon. He replied he hadn’t and she reassured me he hadn’t one. The question seemed one of mere curiosity in an attempt to make “small talk”. I had done everything I could do at that moment.

It was not until two days later that I was approached by our investigators and several federal agents informing me several tactical vehicles were coming to apprehend him for being a fugitive – he had killed several people and almost killed a police officer. I was crushed. How could this happen? Should I have asked more questions? Would they blame me?

Years later, still torn by this, I asked a mentor who informed me I had done nothing wrong and in fact did everything right. Despite my best efforts, the adversary won. This is an unfortunate but inherent ingredient of protection. No matter what you do, the enemy will still do what he does and it is your job to prepare for that and win.

Monday, September 22, 2014

OPINION: Top Eleven Myths Supporting Security Critiques



Well, this seems to be the season for "major" security breaches. There never seems to be a week in the last few months when some retailer or government entity isn't revealing how it's been penetrated. Along with those revelations comes the torrent of critics who ask "How could this happen?" and proclaim "This is the worst thing ever!....Incompetence!....This is epic!" Please, note the heavy amount of snark and sarcasm there. As one of a few people who sort of gets security, I often find myself getting increasingly frustrated about the growing number of amateur critics who have in some way implied "expertise" on a topic few professionals in the industry actually get. So in an effort to educate everyone and to vent (okay, mostly to vent), I've decided to do a piece on the myths surrounding security. Bear with me. If it feels like I've kicked you in your stomach, good - that's why I'm doing it.
  1. Physical security is easy. Sigh. This is the most upsetting and doggone frustrating statement a security professional could hear. Contrary to popular belief, security is not easy. It's pretty hard, actually. There's a lot more that goes into security than just bag searches, menacing guards, cameras, and alarms. It encompasses multiple disciplines which contribute to the security mission. They range from information security to operations security to risk management to executive protection to physical security to personnel security to personal security. All of them bring something unique to the table. Each is an integral part of the total security package. It takes a professional versed in all of them to be able to deploy the package seamlessly.
  2. Anyone can do security. Ugh. Wait, no. Double - ugh!! Not everyone can "do" security. As I stated before, it's hard. It's not rocket science but if the only thing you've ever protected in your life was a bike in a bad neighborhood, you may not be as qualified as you think to speak expertly on matters such as the security surrounding rather complex and sensitive facilities as the White House or military bases. I know I just made a lot of folks in the DC press conglomerate very unhappy. So let me explain. You can have all of the facts on an issue but still not get the nuances behind how to properly execute an effective security plan or understand the stark realities those facilities face. As a matter of fact, there are people in the job who barely get some of these concepts which explains why so many security plans fail.

    I've been in this industry for 14 years and there are things I'm learning every day. I am no "expert" and I often eschew any effort to attribute that title to me. It is also my suggestion, given my background, if I admit to knowing far less than most "experts" with less experience are willing to, then maybe you should be questioning their "expertise" as well. Think you can "do" security? I'd happily place you in charge of physical security at the White House which receives MILLIONS of visitors every year and hosts the most targeted human being on the face of planet Earth. Good luck.
  3. There's entirely too much security for this. Another sigh. Seriously, folks. Unless you've walked in the shoes of the person who designed the security apparatus for that facility or worked in a similar post, you may not understand the thought-process behind how security is set up there. In order to better educate most folks who are not familiar with this topic, I'll take a moment to digress and speak on the mission of security and how it is often set up.

    Security's primary mission, no matter the discipline, is pretty much the same minus some semantics. It is to detect, deter, delay, and destroy. There are professionals who will undoubtedly find issue with my choice of words here. My message to them is clear - I get it but let's think more figuratively. While it is optimal in security to see the threat before he arrives, that may not always be the case. In fact, there is very little empirical data to suggest much of what is done in physical security actually deters the truly dangerous threat. However, what is quantifiable is delaying and subsequently disrupting or destroying the threat's ability to continue their actions.


    A great example of classic defense-in-depth

    Finally, let's examine what drives most security plans. Much earlier, in another post, I wrote extensively about risk management which is a process by which security professionals and their stakeholders ascertain the level of risk they're able to maintain and the mitigators they plan to deploy to minimize the risk. As you can imagine, this process is what most security plans are derived from. Within those plans lies the basic outline of how most modern security is implemented - defense-in-depth. This is best explained by asking you to imagine an onion. As you peel the skin on any onion, you'll note the various layers contained. Security is much like that. Every protected resource has an outer layer of protection which supports the inner layers. The closer you get to the resource, the more intimate the security. Imagine the White House. The outermost layer of security there could be the scores of CCTV systems found all over the DC area. From there, the security mechanics become more intimate with their resource. Stop laughing. I hear the jokes. Seriously. Stop it. Each inner layer encompasses a new level of protection closer to the resource than the last. See, I cleaned it up for you.
  4. The security guys just need to do a better job. Really? Like seriously. What qualifies you to make statements like that? Have you examined the actual, no-kidding threat intelligence or data to understand the nature of the adversaries those "security guys" may face or the countless attacks which get thwarted? A great example of this is a conversation I had recently with a political website editor regarding how the United States Secret Service would be better served by doing a "better job of managing its fence" rather than deploying checkpoints further from the ones already at the gates closest to the White House. I strongly disagreed not because I love checkpoints (I don't - see my thoughts on crowds) but because I understand (because I've actually done executive protection and physical security versus offering critiques about something I only read about) what drove the US Secret Service to acknowledge they were considering checkpoints. You would be remiss as a professional not to consider them as an option. I think we would all do a lot better to understand the difference between a consideration and an implementation.
  5. I have a PhD so I have the magic ability to know all things related to security, though my PhD is in an unrelated field, or I've written books non-security professionals think are dope. I won't waste a lot of time and space on this but this is a growing issue throughout social media. Stop it. There are few things more irritating than to be dismissed by an academic or author who thinks their degree or books written provide them with omnipotent ability to know everything they need in order to criticize security. As I've stated before, you're probably extremely smart in your area of expertise. This does not lend itself to transference into what I've done for 14 years. Sorry. But that's the truth. Again, I don't know a whole lot and there are guys in my field who are far more impressive than me. That being said, read this and #2.

  6. You say tomato and I say TOH-MAH-TO. Same difference. No, it's not the same. In security, certain terms do matter. They really do. For example, I had a very good conversation with a national security pundit I follow on Twitter, Joshua Foust. Joshua is smart when it comes to matters of national security and almost ties John Schindler in trolls except Joshua doesn't have a parody account yet and his and John's tweets are thought-provoking.  That being said, our discussion this morning was about the efficacy of passport revocations. Joshua intimated revocations made jihadi terrorists stateless people. I find that most people confuse revocation of passports with revocation of citizenship. The two sound the same but are vastly different both in mechanics and impact. However, because they sound the same they are often confused. We saw this when Snowden's passport was revoked. People claimed he had been stripped of his citizenship, although he never formally renounced his citizenship nor did Congress or the President revoke it. In fact, the passport revocation is nothing more than a travel restriction. You're allowed to travel to other countries as long as your country provides you with a valid passport. If your country revokes your passport, you're no longer able to travel and can only come back to your home country.

    Joshua would later admit the semantics were different and we both agreed there were mechanisms already in place with respect to fugitive warrants and the Foreign Terrorist Organization designation. Neither, from my limited knowledge, has been integrated when it comes to jihadi foreign fighters. That is something I'm sure the President and other leaders are seeking to change because the inherent value of Western foreign fighters for groups like the Islamic State is their passports. Western travel documents can gain you access to a variety of countries, if they're not revoked or cancelled.
  7. I could take down security anywhere and I could break in there if I wanted to. Okay, that sounds very cool. I'm sure you could. However, taking down an unarmed security guard because he's 75 years old with a bad limp is vastly different than being faster than his radio and being tougher than the eight burly deputies who will respond. You might also be able to break into a facility. That's also great and amazing. However, keep this in mind - sometimes breaking into a facility has more to do with luck rather than skill or technical acumen - remember one of the latest White House fence-jumpers was a toddler. In other words, the sun shines on a dog's rear every now and then. You also may not be as lucky as you think.

  8. OMG, this breach was the worst breach EVER!! Stop. Full-stop. Don't move. Breaches happen all over physical security for a variety of reasons. Some are preventable, sure. Some are not. Some occur in ways professionals never thought of. Some occur because the security manager and his/her stakeholders accepted too much risk. All I ask is that before you roll up a physical security breach as the worst ever, analyze not only the breach but the totality of circumstances. Some people are making a big deal about the recent White House fence-jumper who made his way "into the White House". I'll take a moment and explain why this is wrong.

    Yes, the White House fence-jumper recently made his way to an inner layer of the mansion. Keep in mind what I said about layers. Here's something most critics won't acknowledge mostly out of ignorance. The doors, which I have pictured below, are actually an entrapment area. Wait. What? Yes, the North Portico doors are indeed an entrapment area. What does that mean? Simply put, the exterior doors remain unlocked so exterior personnel (security and non-security) can enter through them and gain access through the second set of doors which remain locked and more than likely, guarded by on-duty US Secret Service Uniformed Division personnel. In other words, someone or something would need to verify your credentials before allowing entrance into the interior.


    The diagram of the White House showing the doors.


    The North Portico doors UNLOCKED. But do you see the doors behind them?


    Scriven, how does this change the fact that he should have never gotten that close? It doesn't. However, it's always best to remember while this is the first time someone has made it to those doors, there have been other more egregious breaches. Thirty-three others, to be exact. Remember when the airplane crashed on the White House lawn? I digress. Did the USSS accept too much risk by keeping the doors unlocked? Sure, but I'm also aware these doors were probably unlocked more for convenience for certain non-USSS personnel. How do I know that? Because I've done something similar in a variety of security situations. So what does this little exercise tell us? First, it tells you I have entirely too much time on my hands and I spend a lot of time on Twitter. Second, it tells you exactly why layers exist and whether they function properly. In this case, a few layers were breached but the resource was secured by one. Third, a lot of people are making wild assumptions without having read the official report, and there has not been an accurate articulation of which direction the jumper entered from or whether he had been observed (my guess is he was). Also, some of these same people make all kinds of weird guesses about the nature of security at the White House based on rumor and what television and the movies convey. No, the President will not be firing an RPG at multiple jumpers next time.

    Finally, it teaches us the value of relativity and complexity - this was bad but was it the worst? It's all relative. Seriously, can you imagine managing the security of POTUS and his/her staff and guests AND the most iconic tourist attraction in the Western world? It poses some SERIOUS security challenges which are countered every single day, mostly with zero incidents. If this was the "worst", then the Secret Service did an excellent job of containing the threat.

  9. Security is pretty simple. I can't even.
  10. The Israelis do it better.

Wednesday, March 19, 2014

A Totally Awesome DIY Security Project - Raspberry Pi Face Recognition Treasure Box


As you know, I'm currently working on a few DIY security projects to share with you guys. My favorite place to go for inspiration has been Make. These folks do some seriously awesome DIY projects. Most of them are projects beginner to intermediate-level DIYers can do themselves. While perusing their site, I found this gem:

Tuesday, March 18, 2014

If I Had To Design A Parking Lot, This Is How I'd Do It



The other day, I noticed in a discussion group someone asked about designing a parking lot access control system. This got me to thinking about why security officials are often tasked with designing and deploying these systems and why they are flawed many times. Here's the response I gave.
There is no technological answer for this. This would be dependent upon METT-TC (Mission, Enemy, Terrain, Troops—Time, Civilians). The best parking plans I've seen first started by looking at the mission of the facility.
  • This immediately beckons you to ask if any of the vehicles parked are or will at some point need to be mission critical. In other words, if this is a hospital, would it be prudent to have access control measures which take into account emergency vehicles? Will you have sufficient room in the lot to accommodate them and an emergency egress? I would also determine who NEEDED to be able to park in this lot. Not everyone needs to park in your lot though they may want to. This should create a decent entry authorization list wherein you can identify who will need an expedient, yet effective means of gaining access. How critical is the facility? Tech is great but sometimes having a guy at the gate is more prudent, with respect to handling visitors, LEOs/first responders without access control tags, etc.
  • It is also really helpful to not interfere with the mission of your facility when designing your access control system, whether for the parking lot or anywhere else. Seriously. I can't overstate this enough. DO NOT make your system so cumbersome or strict that it impedes the mission of those who do the work that pays you and your personnel. I have seen parking plans so restrictive that mission-essential personnel have been denied access to their facilities for things such as day-old expired vehicle tags and hours-old expired vehicle passes. Make sure your plan is flexible enough to accommodate those who need access right away but need to get their credentials in order.
  • Be wary of making it susceptible to social engineering, though. I find the best way to mitigate this is through codification of your policies with exceptions allowed to accommodate those whose credentials may be lacking but can be verified. NEVER allow anyone access without verification. Ensure your access control system has authenticators, whether it be electronic or solely paper-based. However, ensure your authenticators are never discussed with anyone. I'd suggest making this a definitive terminable offense. 
  • I'd also consider your threat profile. Who has an interest, as a nefarious actor, to gain entry to this lot or through this lot to your facility? How can you mitigate this, bearing in mind how they could obtain entry feasibly? Seriously. Don't plan on ninjas and SOF to make entry if that's not your threat. Plan physical measures with this in mind.
  • What's the size of your lot? Has your lot grown to an extent where it requires fencing? If it does, how often do your security officers check that fence? No sense in having a fence if you're not checking it. Remember fences are a demarcation AND a detection piece of your plan. Also determine if your lot is situated with any physical obstructions wherein you can't observe who may have circumvented your parking plan. Consider CCTV or even a roving patrol to help if needed. Also, I find that if you use stickers, a few things tend to happen. One, people tend to park illegally and need to be towed. This takes up precious time and resources. And it could create confusion depending on how "creative" your sticker plan is. If you use stickers, keep it simple and use wheel locks. Give each of your patrolmen a wheel lock and authority to deploy it on cars illegally parked in select spots. Also address parking violations on a stakeholder basis as well. Talk to them about the potential loss in revenue should responders be delayed because of illegal parking in their reserved spots. Also describe what you're trying to accomplish and how a sound parking plan can be a force multiplier (Boss, if our plan works, I can reduce the number of patrols and increase security efficiency and efficacy by x-amount).
  • Start thinking about how you want to accommodate vehicles in terms of their egress and entry. How long should it take them to leave and get in? Are there any chokepoints in the plan that can cause congestion and make for additional security heartaches?
  • Finally, consider the impact your plan could have on civilian or non-business related entities such as neighbors. Will you have to consider parking off campus? Will your plan cause congestion that impacts them? Will your plan address neighbors and their parking plans? Will your plan have a demarcation for neighbors to know where your property extends?

Wednesday, March 5, 2014

DIY Security Projects For This Year


Winter is sort-of, almost, hopefully over soon. Every summer, I set about teaching my son the various ways of my craft. Last summer, I did a DIY security project where my son and I built a booby-trap of sorts. We used Dollar Store magnetic window alarms, fishing line, and two-sided tape to create an audible tripwire alarm.

$3.00 Set-up Cost
Over the course of the last year since then, I have also created an audible duress alarm. I will post a video as well as a how-to later on.  Suffice it to say, this was an EXTREMELY fun project.

This year, I have several DIY security projects I'd like to build and deploy.
  1. A motion sensor alarm using Raspberry Pi. I haven't decided whether I want the alarm to just be audible or if I want it to be audible and tweet or send a text message when there's been a breach.
  2. I created a duress alarm in my home, previously, using NFC tags in my car to be triggered when my phone made contact. This summer I'd like to expand on this with an NFC-enabled video surveillance system. More on this later.
  3. I'm also interested in putting together a much more comprehensive security system in my home using basic battery power, online-purchased sensors, control panel, and monitoring station. I have a rough idea as to what I want. I may do a series of articles about this.
  4. I'm also in the process of completing a covert surveillance project that has been demonstrated online.
  5. Next year, I will embark on my biggest project - my very own DIY drone. This will take considerable time but I think it could be well worth it.
  6. I also plan on doing a series of small but inexpensive (some FREE) DIY security projects. Look out for stories on DIY security containers and other cool stuff.
All of my projects are to help teach my son the ways of using inexpensive tools to provide sound mitigation and response to actual emergencies. I hope it will also demonstrate for him the value of doing things for yourself and how when done for providing protection for your family and yourself, it can be richly rewarding. Wish me luck and stand-by for a killer year.

Sunday, February 23, 2014

INFOGRAPHIC: Characteristics of a Burglar


The State of Aviation Security



I have often said our biggest vulnerabilities can be found in places where people congregate. Human targets are often selected by bad guys simply because they are part of a crowd. This goes against our natural instinct to believe bad actors won't pursue us in a crowd and will wait until we're alone. This is true for some attackers. However, terrorists and active shooters pick crowds because our intolerance towards suffering any casualties makes a target-rich environment like a mall an almost irresistible target. The meme above personifies how often we protect against the last known vulnerability and lose sight of the vulnerabilities we create or ignore.

Here's the scene of a major airport's TSA screening area. Notice the crowd aka potential targets.


Thursday, February 20, 2014

VIDEO: Using NFC Tags In My Car



I decided to do this project because I felt I had a few security vulnerabilities with respect to my vehicle. There are plenty of things I can do to perhaps prevent an attack on myself in my vehicle. That is a foolhardy goal at best. Prevention of any crime is difficult to measure. We assume crime is prevented by the things we do but we have no idea as to whether the threat ever went away. Our best course of action, then, is to think about mitigation. In other words, we seldom plan for WHEN the attack or emergency will occur. In this scenario, I felt a great mitigator would be the use of a discreet mechanism alerting authorities and other concerned persons if I found myself in an emergency. I felt NFC (near field communication) tags would be best, since my phone is an integral part of my travels in my vehicle. Placement of course was key, so I positioned the tag just below where I keep another tag that commands my phone to turn on my map and increase its brightness. The duress tag alerts the authorities and tweets out a duress message to friends and followers on social media. As you can see from the video, it is placed in a way where I can't accidentally activate the duress command. Imagine a scenario where the phone is mounted on the phone holder while I'm carjacked. The bad guy asks for the phone and I have an opportunity to grab the phone and place it on the tag for a second to activate my duress. I stall the attacker until the authorities arrive. I set the phone to activate the duress with the screen locked out when activated with no speakers on and only the microphone working.

Here is the pic of where my tags are located inside my vehicle:



A couple of great links to where you can buy some tags.

http://www.amazon.com/NFC-tags-Writea...

http://www.tagstand.com/

There are also a number of apps to use. I use Trigger. See the link below to download it from the Google Play Store:

https://play.google.com/store/apps/de...

The thing about NFC tags is they are very inexpensive and relatively easy to implement. Almost a perfect security tool when properly used.

To learn more about NFC tags:

https://en.wikipedia.org/wiki/Near_fi...

Be sure to check out my blog for my DIY security projects and security related topics - http://blog.thesecuritydialogue.org
