Product Review: Sighthound

One of the first topic areas that caught my eye was video analytics. As a video surveillance monitor for a lot of my career in physical security, I felt I had a good grasp on why most surveillance systems fail to detect bad guys as much as they should. If you're a physical security professional, you know where that weak link is as well - the monitors. Yup. It took me less than six months looking at video screens most of my day to understand most irregular events fail to go noticed or are properly assessed. This happens for a variety of reasons:

• Monitor fatigue. This happens when a monitor stares at a screen for too long and either falls asleep or becomes easily distracted. We're humans and no one likes gazing at an empty parking lot for hours on end. So, the mind begins to wonder and bad things can happen. If you'd like to learn more about monitor fatigue, this is a great resource. - https://en.wikipedia.org/wiki/Alarm_fatigue (I know it's Wikipedia but as a primer, it's not too shabby)
• Monitors are expected to recognize irregular events in a huge ocean of regular benign events. That parking lot I mentioned before could have 400 cars in it and thousands of people coming and going. If mixed in with benign events, irregular events can appear to be okay and fit with the norm. This explains why some folks can get robbed right in front of a camera and no one notice.
• There are too many "rules" to remember and act upon on too many feeds for a single monitor. Sometimes, with human monitors, too much video is just as bad as driving into someone else's headlights.

Where else are all these problems more demonstrative than in a home security environment? I have friends who have 6 or more cameras on a home and they call themselves "monitoring" those feeds constantly. No, you're not. What I find most often is the direct opposite - they're monitoring one or two cameras, maybe. The others go either unwatched or constantly recording over each other. So what's the solution to ensure all the feeds are being monitored and reporting and recording events as they occur?

Sighthound is a software application that acts as a monitoring platform with an embedded analytics package. You can not only monitor your feeds from various cameras but you can also have those feeds report only when "rules" are broken which include:

• A person entering a zone.
• Someone leaving a zone.
• Motion inside a zone.

The feeds can be viewed remotely. You have to pay for that feature, though, there is a trial version which includes this for 14 days. Given recent issues with Internet of Things being exploited for DDOS attacks, I highly recommend changing whatever default passwords that are on your cameras, ensuring the firewall on your router is working, and updating the firmware on the device. If you can run a scan to see what ports are open on your machine using the scanner at https://iotscanner.bullguard.com and close them, if possible. Also, check out routing the camera through a DNS provider like DynDNS.

I digress. While you can have the software email you or send a notification to the smartphone app, you can also have it do a myriad of options through IFTTT. The possibilities are almost endless from there. Oh and perhaps the most creative option and one I particularly like is the ability to execute a command should an event be triggered. For example, you could set it to send you a snapshot of the event and then shutdown your computer. Why is that cool? If your PC is full-disk encrypted, then you have just ensured a key mitigation piece is activated. You also have a picture or video of the event and can determine if you need to respond further.

What I like most about Sighthound is how quickly it responds to events. Almost 5 or 10 seconds after an event, I received a notification of the event and was able to view a snapshot. That's pretty cool when you consider how costly an enterprise system can be offering the same service.

There are some things I'd like to see it offer in the future:

• Security options. I'd like to password protect my remote feeds. This maybe here already and I just missed it. If so, I feel like this is kind of an understated feature.
• More event triggers. It covers the basics but I'd like to see triggers for things noise detection with those cameras that offer audio in their feeds.
• Possibly some interoperability with other devices. I'd love it if it could network with other sensors through the home and capture those events as well. Some proprietary device systems already do this but I'd like to see something that would allow me to work with events involving a smoke detector and my camera.

Overall, I THOROUGHLY love Sighthound. It has tremendous potential and is extremely affordable. I hope this is a new movement within the home security surveillance sector. I'd like to see less machines that can't or won't cooperate with other devices to successfully mitigate potentially dangerous events. It isn't perfect but I find it is certainly a great step in that direction.

As of now, I haven't reached out to the Sighthound team for an interview. I will soon, though. I'd love to hear what more they have to offer.

If you know of any other physical security applications or devices you'd like me to review, contact me via the "Contact Me" link above.

How To Get Your Family Interested in Security

A question I get asked sometimes is "How do I get my family interested in security?" The question, surprisingly enough, comes from security professionals who are passionate about what they do but find that their families either don't share their affinity for our trade or are rather lackadaisical about upholding mitigation techniques. Come on. Don't kid yourself. Your family could probably care less about security too. Your spouse probably says "That's why I have you, Mr./Mrs. Security Dude. That's your job." Yeah, I roll my eyes too.

As I stated in my previous podcast, you could pay $10,000 for the world's greatest door lock and have your entire mitigation ruined by a spouse or absent-minded child who forget to lock the door. It happens more than we like to admit. I also surmise it's why some of us are so passionate about security awareness training at work. Given that we view them sometimes as the "weak" link, let's look at how we can get them better at not just maintaining mitigation but also becoming independent security stakeholders.

1. Chill out and recognize who you're working with. You don't get to always hire friends and family. So, we're stuck with people who wouldn't know the difference between a padlock and deadbolt at times. And....why should they? "That's what you're here for" is a phrase I've heard countless times. Recognize the role you've taken as the security person of the house and how that has enabled them.
2. Don't scare them. We know things about the world in which we live that our families should never be exposed to. It's kind of why we do what we do, right? But ignorance isn't always bliss. In sales, I learned a term called "finding pain". It's a term used to describe learning what someone's personal security nightmare is and then exploiting that to get them to buy a proudct you sell to alleviate that "pain". Sounds pretty awful, huh? But it works. Do the same with your family. Ssssssssssllllllllllooooooowwwwwwwllllllllyyyyyy. This is where you explain to them how they could lose things they care about very easily if mitigation isn't there to stop the bad guy or at least aid in getting their valuables back or replaced. I have found explaining value and risk in its most basic and pure form has been very helpful with getting children on early as stakeholders. It takes a lot of time and patience but it is well worth it.
3. Invite them along to do a risk survey of the home. This sounds like something a bit too intense for your home but it's really not and rather easy to do.
• Give each person an area they're responsible for like their rooms or designated work/play areas.
• Have them inventory all of the items in that area they place value on. Tell them to ignore easily disposable items and clothes (absent something truly expensive).
• Also have them include photos of the most expensive items and to include any serial numbers if possible in the inventory.
• Give them value parameters. I make mine rather simple - irreplaceable, replaceable but painful to lose (cost too much or would take forever to get back), replaceable with very little to any pain. For smaller children, this could be a challenge so I encourage you to explain this a bit more in-depth and accompany them throughout the process.
4. Do your vulnerability assessments with them. We've identified things of value and the amount of pain it would create getting them back if it were possible. Now, have them look at all of the ways someone or something could make that risk a reality. For kids, you're going to have be patient and listen to every "ninja scenario". With boys, you'll hear this threat profile thrown around a lot. Get used to it. Explain the difference between a likely exploitable vulnerability and one's that will probably always remain vulnerabilities (Bad guys cutting a hole in your roof). Get out a map or overlay and have them articulate the vulnerability.
5. Address threats. Be sure to caution them to stay away from "thinking like a wolf" mentality. Most often, your family is a mix of really good people. So have them look at likely threats instead. With smaller kids, explain that because it's "likely" doesn't make it real. A bad guy could walk down the street and decide to randomly steal your kid - that doesn't mean every stranger is the bad guy. Explain that because we don't know every person who could be down the street means we can't exclude all of them as potential bad actors for certain crimes. This is also a good time to explain that most violent crimes occur when victims already know their attackers. If we know all good people, then we can reasonably say our probability of meeting harmful attackers is minimal. Crimes of opportunity can be more difficult to simply dismiss because the likelihood exists that you could be a victim of a stranger. Thus we have to mitigate that threat, as well. Discuss any sort of special security issues you face (i.e. any jilted lovers, enemies from prior jobs, stalkers, etc.). 
6. Buy door and window alarms from the Dollar Store and have them work through a variety of home security projects. My absolute favorite activity to do with children is building "booby-traps" with these Dollar Store gadgets. I have them take a map and examine their likely avenues of approach, chokepoints, and areas of final denial. Then, I talk about how the gadgets serve one purpose only - detection. Afterwards, we mark where the gadgets are on the map. Finally, it's time to deploy them. An old trick I learned was fishing line attached to magnet on the "alarm" and securing the sensor/annunciator to the object it's resting on. When the bad guy trips the wire that's wrapped around another object and attached on the other end to magnet, it will then yank the magnet from the sensor it's resting on and sound the alarm. Trust me. Kids love this activity.
7. Go over "secret" codes and how the alarm system at your home works. Sounds pretty basic but you'd be surprised how easy it is to get them on-board by having them understand how the control panel works. Maybe, you don't share the activation code but you can show them how to work the duress code and how to call for help. I like the idea of a "secret" code that's for everyone in the family only, as a way of building into the family a living duress code system for everyday use.
8. Next, go over contingency plans. Where do we go? What do we do? Who do we call? What are our "actions on contact"? Again, we're not making everyone in the house Jason Bourne but are making everyone in the house prepared for other events than just a house fire. Having a plan and even rehearsing that plan are absolutely key to having a comprehensive home security program.
9. Address access control. Growing up in my house, my mother would call this "Don't you let anyone in my house I didn't invite". Yeah, it was that serious. It's almost as if she was grooming me for this trade. Explain the rules for allowing people into the home. BE VERY FIRM HERE, ESPECIALLY WITH SMALL CHILDREN (WHO SHOULDN'T BE ANSWERING THE DOOR ANYWAYS).
10. Teach them situational awareness. This can be very challenging for some members of the family. Be patient and make it fun. I like to start with memory games by asking questions like "What was the color of the car outside as we pulled up?" or "What kind of hat did the guy walking down the street have on?" Do this enough times and you'll be in amazement with how fast they catch on.

Your experiences with this will certainly vary. I've had a lot luck here but I would be seriously remiss, if I didn't disclose that it's been challenging. The key is patience. Take your time. Understand the lay of the land. Most importantly, make this about us rather than about something you do.

Let me know if you have any ideas of your own.

How to Pick A Legit Professional Security Certification aka How Not To Get Scammed In Ten Easy Steps!!

One of the cornerstones of any successful career is training. It's no different in security. Whether you're at a seminar or enrolled in a course, you're doing so because you want to move forward professionally. What better way to demonstrate you're prepared for the "next step" than to take a course or two and learn a new skill? Yeah, it often sounds cooler than it is. What's even worse, in my opinion, is that for many of us the price of pursuing professional development ain't cheap.

I love the American Society for Industrial Security International (ASIS). It is awesome for all-things professional development in security. It has networking, great conferences, expos, a reference library, and its own bookstore. ASIS is also host to some of the most sought-after professional certifications around the world for security. There's one catch - it's pricey. It'll run you about $400 dollars including annual dues to pursue their Physical Security Professional (PSP) certification. It's recognized even by the United States government in the SAFE Act and also has ANSI/ISO 17024 Personnel Accreditation.

ASIS isn't the only horse in the stable offering professional certifications in security. My only problem is almost none of them require the breadth of knowledge, professional recommendations, and experience levels ASIS requires. Many are purely paper-mills.

There is a professional certification body that has a horrific reputation in our industry. I've heard from numerous of their certificate holders all that was needed for their certification was a check and they received a lapel pin, t-shirt, a CD with reference materials which were mostly outdated, and a diploma. In fact, if you go to their site and attempt to pull up their "sample" certification test, you get a 404 error code. There have been a number of articles written on the founder as well.

Getting a professional certification or even getting good training from reputable people can be difficult. My advice?

1. Ask around on security, tactical, or law enforcement forums. There are lots of forums on the Internet that cover these schools and certifications. You're not the only person who wants to grow professionally. Be careful - look for guys who have a solid reputation in the group. My favorite sources are the folks who don't have to tell you what they do every post but you have an idea.
2. Find a mentor to ask. Seriously, if you don't have a mentor in security, you're doing your career all-kinds of wrong. Get a mentor and ask about training and certifications.
3. Search LinkedIn. I know. I know. LinkedIn can be seen as the worst place to network. I get that which I said "search". That's right - look at the qualifications of folks who are where you want to be professionally and see what certifications they have. See if the certification passes your "sniff test". Basically, if it seems legitimate and checks out with other reputable sources, then it might just be okay. Be careful - even "legit" folks fall for the trap of easy paper-mill certifications.
4. Investigate who recognizes certain certifications. The easiest way to spot a fake certification is to which, if any government bodies formally recognizes them. By "formally", I mean look for statutory and regulatory citations of the certifications. If they won't recognize it on "official letterhead", then already have a good idea it may be something you don't need or want. 
5. Check to see if a certification is needed for jobs similar to a job you're wanting but on another employer's site. It sounds shadier than it sounds. Okay, it does sound a bit shady but let me explain. We're not looking for a new job - yet. We're looking to see if other employers require a certification for that position. For example, the other day I saw a job listing for a job I would give my left arm and my dog's favorite bowl for. Yes, it was that serious. That job listing had a certification I had never heard of and certainly not one I had seen on other listings. I scour the Internet and sure enough, it's really cool and legitimate certification. Psssst. If anyone knows a guy who knows a guy who can get me to a Lenel certification, I'd greatly appreciate it.
6. Check the price tag. I hate to tell you this but security training and certification ain't cheap. Personally, I have spent well over a few thousand dollars of my own money to get certifications and training. These certifications and training have given me a "leg up" on the competition in some ways and have afforded me new skills but they did not come cheap. Most of the legitimate stuff that is out there is expensive. If you can't get your employer to pay for it (because they're either too cheap or you're not employed), then I suggest saving up and paying later. Trust me. If it's cheap and supposed to be amazingly career-enhancing, chances are it's probably not one of those things.
7. Read and research the testimonials. A lot of places brag about having "security directors" and "officials" but often, this is just pure fluff. Wait. I misspoke - it's just a flat-out lie. I suggest you read the testimonials. I'm not saying some certification bodies don't have management and executives getting their certifications. There are some who definitely are not honest, though. Find out more about the people who laud the body - who they are professionally, do they actually exist, and whether they have a bias. You shouldn't base your decision on testimonials but they can be a key component in the process.
8. Check the reference materials needed for the course. I love any certification that requires industry-standard texts (ahem, ASIS....That's why I love how you certify). I also like certifications that have online instruction materials as well. Most paper-mills will furnish you with a text and have you take it open-book. Nope. Kind of a red flag for me.
9. Avoid open-book certifications. Not all open-book certifications are bad. Most are very cool. This was my preferred method of certification in the military. That said, I'm a grown-up now and employers like something that forces you to study and come away with industry-standard competence in both skill and comprehension. In other words, an open-book exam doesn't "teach" you anything.
10. Any respectable training or certification vets its students. Any program that doesn't ask you any questions beyond your credit card is probably not the kind of place you want a certification from. ASIS has you submit references for the PSP exam and sign a "blood oath". Just kidding, ASIS. No, just the references. I know if I was going to certify a person on a skill-set that could get people killed if not applied properly, I'd want them screened beforehand so I'd know if they could handle that responsibility. Pain in the butt for us going for the certification? No doubt. Make you feel like you belong to an elite group of professionals? No doubt.

Here are some legit certification and training bodies in security (PLEASE, NOTE THIS LIST ISN'T ALL-INCLUSIVE. I PROBABLY LEFT OUT YOUR FAVORITE TRAINING OR CERTIFICATION. BREATHE DEEP AND CHILL OUT):

• International Foundation for Protection Officers
• American Society for Industrial Security International
• International Information System Security Certification Consortium 
• American Society of Civil Engineers
• National Tactical Officers Association
• National Rifle Association
• Federal Emergency Management Agency
• Federal and State Law Enforcement academies
• Private tactical operations schools
• Government Training Institute
• Tactical Energetic Entry Systems
• Executive Protection Institute
• Executive Security Institute (it's been around for ages - I was once a student)
• Law Enforcement Learning
• TEEX

There are other thoughts I'm sure on this. The simple truth is getting certified is no easy task and if it were easy, you wouldn't like it very much.