Risk and Security LLC

Risk Assessments, Training and More


Facilities Security

Do Terrorists have Lower IQs?

Is it nature or nurture? Do you think there’s a correlation between the intelligence of a person and their choice of terrorism as a vocation?

I’m not talking here about the brilliant, twisted strategists who create the idea of the revolution. I’m talking about the mules – the new recruits who can’t wait to blow themselves up for the cause. Or shoot and kill innocent people – like the Holocaust Museum incident in 2009.

Take “The Underpants Bomber”, for example. If he REALLY wanted to blow up the plane, why didn’t he go into the bathroom and light himself up there? Why go back to his seat where it is always crowded anyway? Only one conclusion can be reached – he is stupid! He suffers from a serious flaw in his reasoning ability.

One of the most interesting films I have seen recently was done by Fareed Zakaria and aired on HBO. It is called “Terror in Mumbai” and Fareed narrates it. Take the forty-five minutes needed to watch it because it is incredible and goes right to my point about terrorists being dumb.

After the Mumbai attacks started, the government was able to hook up to the actual cell phones being used by the terrorists to communicate with the Big Brain Terror Leader (also called their Controller, or Handler) back in Pakistan. So the movie is actually the real conversations between the operatives and their Controller.

At one point, the Controller tells them to set the hotel mattresses on fire. They try but can’t get a fire going, so the Controller screams into the phone – go back and light them again.

The on-the-ground terrorists seem to have no idea of how to kill anyone, and are almost goaded into doing it by the Controller on the phone, who has to explain to them what to do next and whom you hear screaming into the phone, “Shoot him in the head”.

They seem almost like puppets and, as you watch the movie, you realize that these guys couldn’t terrorize anyone on their own. They are uneducated, unsophisticated young men who probably would have gone sightseeing if the Controller hadn’t kept a tight rein on them.

Some people think there are more of these unthinking people around than the thinking kind. I hope that isn’t true, and it really speaks to the power of education and sophistication as the best weapon we have against this sort of mindless terrorism.



How to get Management On Board with Security Enhancements — or how to avoid cocktail party security decisions.

One of the most aggravating issues that security people have to deal with is someone who has no security background and knows little about the current technology, who decides what should be funded based on:

1. My wife thinks cameras are an invasion of privacy.
2. My secretary likes X instead of Y.
3. My friend, Sam, said his company was adding some new widget.

This applies whether you are doing corporate security or information security, and it basically amounts to having your management make an emotional decision, or what I call a “cocktail party decision”, about where the security budget should be spent.

Don’t confuse them with the facts. In fact, most of this is from people who do not understand the complexities of security or the interactions of various security solutions with each other.

Last evening, I spent quite a bit of time with a client from Asia, who had a big client who couldn’t decide which solutions they wanted to implement. Should it be A or B; and how to set it up? Regionally? by Business Unit? By Subsidiary? By Sub-subsidiary?

As we discussed it, I realized that the Director in question was really avoiding having to spend any money! It wasn’t about the decision – it was sort of smoke and mirrors to avoid having to admit a lack of funding for security.

In these cases, when your organization may have had the budget trimmed, cut or slashed, it is imperative to be able to use some quantitative measurement of the risk to justify the cost of the controls. Whether you have enough budget for one control or for everything, it must always be prioritized by NEED and by RISK, and by Return On Investment. What losses can we prevent or avoid if we add this specific control? How much loss are we preventing? What is our potential exposure if we do nothing?

These are the elements that need to be understood by management in order to get the right controls in place, in the right amounts, at the right time.
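Added example, not from the original post: the three questions above, turned into the standard annualized loss expectancy (ALE) arithmetic so that controls can be ranked by risk-based return on investment rather than by cocktail-party preference. The controls, dollar figures and rates below are constructed for illustration, not real estimates.

```python
"""Rank candidate security controls by return on security investment (ROSI).

ALE = SLE * ARO (single loss expectancy times annualized rate of occurrence).
Loss avoided = ALE before the control - ALE after the control.
ROSI = (loss avoided - annual cost of the control) / annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost to own and operate the control
    sle: float           # loss per incident, in dollars ("potential exposure")
    aro_before: float    # expected incidents per year if we do nothing
    aro_after: float     # expected incidents per year with the control in place

    def ale_before(self) -> float:
        return self.sle * self.aro_before

    def ale_after(self) -> float:
        return self.sle * self.aro_after

    def loss_avoided(self) -> float:
        """'How much loss are we preventing?' for this one control."""
        return self.ale_before() - self.ale_after()

    def rosi(self) -> float:
        """Net benefit per dollar spent; negative means the control costs more than it saves."""
        return (self.loss_avoided() - self.annual_cost) / self.annual_cost


def prioritize(controls, budget):
    """Greedy funding order: highest ROSI first, skipping controls that do not pay
    for themselves or no longer fit the remaining budget. Returns names in order."""
    chosen, remaining = [], budget
    for c in sorted(controls, key=lambda c: c.rosi(), reverse=True):
        if c.rosi() <= 0 or c.annual_cost > remaining:
            continue
        chosen.append(c.name)
        remaining -= c.annual_cost
    return chosen


# Constructed sample figures (hypothetical hotel-style controls), not real data.
CONTROLS = [
    Control("luggage screening", annual_cost=120_000, sle=2_000_000, aro_before=0.05, aro_after=0.02),
    Control("background checks", annual_cost=30_000, sle=250_000, aro_before=0.8, aro_after=0.3),
    Control("lobby cameras", annual_cost=40_000, sle=200_000, aro_before=0.5, aro_after=0.2),
    Control("access control upgrade", annual_cost=80_000, sle=500_000, aro_before=0.6, aro_after=0.3),
]

if __name__ == "__main__":
    for c in sorted(CONTROLS, key=lambda c: c.rosi(), reverse=True):
        print(f"{c.name:24s} avoided ${c.loss_avoided():>10,.0f}   ROSI {c.rosi():+.2f}")
    print("fund in this order within $140,000:", prioritize(CONTROLS, budget=140_000))
```

Note that with these constructed numbers the intuitively “obvious” control (luggage screening) has a negative ROSI and is not funded, which is exactly the kind of result that survives a budget argument better than “my friend Sam’s company is adding one”.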



Hotel Bombing in Jakarta – A Dangerous Trend

The hotel bombings yesterday were a bad sign. According to an article this morning in USA TODAY, both hotels had been assessed by iJet, a security and intelligence company based in Annapolis, and had received high ratings, said iJet president Bruce McIndoe. The fact that Friday’s blast didn’t do more damage shows those measures were effective, McIndoe said.

“(With) the new security procedures, all they could do is get suicide bombers in and blow out some windows,” he said. “You can’t stop it — there’s no 100% foolproof way. But they’ve minimized the impact. It was a fairly sophisticated operation. (The terrorists) put a lot of time and effort into this, with very little outcome (in terms of ) death and destruction.”

McIndoe is correct that there wasn’t a catastrophic loss of life in these bombings and the damage was relatively minimal. I started to review some of my hotel experiences and consider how much security you COULD put into an international business hotel. If the bombers took the bombs right up to their rooms in their suitcases, there are a couple of obvious next steps.

1. All luggage gets turned over to hotel staff at the curb, or entry area, and then is screened in an anteroom before it is taken up to the room by the hotel security staff. That seems to be a relatively easy program to implement, and would dramatically improve security.

2. Bring in the x-ray scanners, and all visitors go through the metal detector and have luggage, briefcases and shopping bags inspected upon entering the hotel. This would be more expensive and intrusive, but probably more effective, and just one more travel inconvenience to get used to.

We have a model developed for hotel and casino security. The hotel/hospitality model is a little more complicated than your average business facility because it has more than one purpose. What I mean is that a business is usually set up to conduct one business, but a hotel/casino has several lines of business, including overnight room business, gambling, shops, restaurant business and also meeting business. All these have different objectives, and each influences the other business lines.

The maids, maintenance personnel, engineers, waitresses, cooks, etc., are all local elements that could potentially be used to gain access for terrorism purposes. Everyone has a cousin somewhere who may use family ties to get access to even a secure facility. The stowaways that get onto ships are almost always the result of the exploitation of family ties.

Better background checks conducted on hotel personnel may be another area that needs work, and would probably improve the hotel’s bottom line because other areas such as cash-handling and letting friends access empty rooms could also be improved at the same time.

Having stricter access controls and luggage/package controls at hotels would just extend the aggravation of current airport security programs right to your next hotel. Let’s hope it doesn’t come too soon.



Building a Model for Security Governance, Risk and Compliance

I recently began to think about how to integrate security seamlessly into an organization — without having security activities and processes pigeonholed into a stovepipe like physical security (the 3 Gs, guns, guards and dogs); or in the rarified atmosphere of the IT Department.

Other business processes are already thought of as an integral part of a business. Think personnel, finance, shipping, sales. All basic parts of any organization, including government agencies (which are another kind of business), have these different categories, but security is never mentioned as one of these basics.

Of course, my readers know that none of the other pieces would get very far without good, or even great, security. You can’t run an organization without locks on the doors. You can’t run a network without security controls, or it would just collapse into a heaping pile of spam within a few hours and become totally useless.

So if we wanted to integrate security and use the risk assessment process to do it, what are the pieces we would integrate? One night over dinner with other security people, we started to build a security model, which could then be assessed, and each category would have steps which could be combined to create THE PERFECT INTEGRATED SECURITY GOVERNANCE MODEL!!

I am open to suggestions about other aspects but here’s the list of the ones we started off with:

1. Access Controls
2. Accountability
3. Budget/Fiscal Responsibility
4. Compliance
5. Information Technology
6. Investigations
7. Measurement/Evaluation
8. Personnel Management
9. Policies & Procedures (Ps & Ps)
10. Risk Assessment & Management
11. Security Planning
12. Training and Awareness

In the model I’m proposing, each of these areas could be quantified into a 5-step program, with zero meaning no progress in that area and five meaning it has been integrated into the organization as a standardized, budgeted process.

Send me an email if you’d like to see a graphic of the model. The point of a model is to get an idea of where you are on the pathway to integration of the security model into the business process. For example, you could find out that you’re doing great on access control and technology, but not so good on accountability or awareness. Then you could put more emphasis, or resources, into those deficient areas.
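Added example, not the author’s model or graphic: a small scorecard that takes the twelve areas above on the 0-to-5 scale, validates the scores, and reports the overall integration percentage and the areas that need more resources. The threshold for “deficient” and the sample scores are constructed assumptions.

```python
"""Gap analysis over the twelve security governance areas on a 0-5 maturity scale."""

AREAS = [
    "Access Controls", "Accountability", "Budget/Fiscal Responsibility", "Compliance",
    "Information Technology", "Investigations", "Measurement/Evaluation",
    "Personnel Management", "Policies & Procedures", "Risk Assessment & Management",
    "Security Planning", "Training and Awareness",
]
MAX_SCORE = 5  # 5 = standardized, budgeted process; 0 = no progress


def assess(scores: dict, threshold: int = 3) -> dict:
    """Return overall integration percentage and the weak areas (lowest score first).

    Every area must be scored, scores must be integers in 0..MAX_SCORE, and no
    unknown area names are accepted, so a typo cannot silently drop an area.
    """
    missing = [a for a in AREAS if a not in scores]
    unknown = [a for a in scores if a not in AREAS]
    if missing or unknown:
        raise ValueError(f"missing areas: {missing}; unknown areas: {unknown}")
    for area, s in scores.items():
        if not isinstance(s, int) or not 0 <= s <= MAX_SCORE:
            raise ValueError(f"{area}: score must be an integer 0..{MAX_SCORE}, got {s!r}")

    total = sum(scores[a] for a in AREAS)
    integration_pct = round(100.0 * total / (MAX_SCORE * len(AREAS)), 1)
    weak = sorted((a for a in AREAS if scores[a] < threshold), key=lambda a: (scores[a], a))
    return {"integration_pct": integration_pct, "weak_areas": weak}


# Constructed sample scores mirroring the post's example: strong on access control
# and technology, weak on accountability and awareness, middling elsewhere.
SAMPLE_SCORES = {a: 3 for a in AREAS}
SAMPLE_SCORES.update({"Access Controls": 5, "Information Technology": 5,
                      "Accountability": 1, "Training and Awareness": 2})

if __name__ == "__main__":
    result = assess(SAMPLE_SCORES)
    print(f"integration: {result['integration_pct']}%")
    print("put resources into:", ", ".join(result["weak_areas"]))
```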

If you’ve ever read this blog before, you know that my mantra is, “if you can’t measure it, you can’t manage it” (a quote from the late, great Dr. Peter Drucker).

While listening to talk radio people discussing the problems of AIG, I heard another great line: “Companies that are ‘too big to fail’ … are probably ‘too big to manage’.” And that’s probably right, because those companies, with tentacles out into industries all over the world, are probably ALSO TOO BIG TO MEASURE!

So having metrics applies to all these corporate processes, and managing security using metrics must be an idea whose time has come. Often the security departments in companies are isolated from the C-level and may not be included as often as other corporate or department managers are. This is why the breakdown occurs that leads to weakness in compliance with regulations, which can destroy the entire organization or, if you’re a bank, can lead to a CDO (Cease and Desist Order).

Often these twelve critical security elements are absolutely essential to the running of the organization and that is why it is important to create a management model to measure how they are working in YOUR organization!



Hurricanes and Risk – Unexpected Consequences

Murphy’s Law states that anything that can go wrong, will go wrong. Natural disasters like earthquakes, power outages and hurricanes always seem to prove that this old axiom is still true.

Many people are allergic to change, and their environment starts to change drastically in a natural disaster, say a hurricane. When the environment and familiar patterns start to break down, people get anxious, anxiousness turns into nervousness, and in a state of anxiety, bad decisions are made.

The continual push to have emergency responders train, train and train some more, and the importance of doing drills and testing emergency plans, reflects the importance of people feeling COMFORTABLE and FAMILIAR with the disaster operations and steps toward recovery. Almost every requirement, whether it is for a physical security standard like FEMA 426 (How to Protect Buildings from Terrorist Attacks) or a bank standard like the FFIEC (Federal Financial Institutions Examination Council), requires disaster plan testing and training for the personnel who will be affected by the disaster. The better and more frequent the testing and training, the better the plan will perform during an actual disaster.

Stories keep making the rounds about the South Street Seaport outage in lower Manhattan, and the emergency vehicles that raced to the scene and found there was no electricity to plug into.

If we put aside the original disaster, you will often find peripheral activities that are thrown off and do not behave as planned. When I first moved to the DC area, we had a major power outage in the high-rise office I worked in off the Beltway. No problem, the building manager had a diesel generator up on the roof. But he had stored the diesel fuel in the basement, and it was about 88 degrees that day. He managed to carry the fuel up the 16 flights of stairs to the waiting emergency generator, but he was hot and tired, and when he poured the diesel, he slopped it over the side. It spilled down the outside of the building and then soaked into the walls, and we had diesel leaking out of the electrical outlets! If you ever drive by the “Darth Vader” building right at Route 50 and the Beltway, you can still see the stain on the building.

So when hurricanes are heading west, north and east, all at the same time, it’s a good idea to encourage your associates to breathe deeply, calm down, and take extra time to make sure that things get done correctly.

One of my friends is leaving Brownsville to get away from Hurricane Ike as I am writing this. And I had Hurricane Hanna visiting Annapolis less than a week ago.

Stay safe.



The Latest Risk – Data Center Theft

In November of 2007, a co-location data center with state-of-the-art technological controls in place on all of its equipment was broken into for the fourth time. The burglars simply took a masonry saw and cut out a section of the concrete wall. According to a letter from officials, the night manager was repeatedly tasered and struck with a blunt instrument. After violently attacking the manager, the intruders stole equipment belonging to the data center and its customers; at least 20 data servers were stolen.

So does this mean that we have crossed the threshold where the information is more important than the equipment on which it resides? Even more amazing is that this particular co-location center has experienced more than FOUR break-ins! That’s certainly some kind of record.

My theory is that whenever the economy takes a downturn, robbery, burglary and other petty crimes start going up. White collar crime also starts to increase as employees start feeling that their job may not be as secure as they thought, and start helping themselves to whatever the company has given them access to, maybe paperclips, maybe something more interesting.

There’s so much talk about “convergence”, the fusion of physical and information security. I think it is still typical in most companies to handle these two types of security completely separately, and when the crime rate is increasing, that’s when you have to make sure that the correct physical controls are in place. In the same vein, the background checks on key personnel should be done more often, and certainly should be done for all new employees.

A time-honored mantra for security people has always been “the insider threat is always worse than the outsider threat”. You can see the logic in this immediately, because the trusted insider has access to lots of information, and with the use of a thumb drive or memory stick, it’s easy to get information out of a facility. Many organizations ban thumb drives for this reason, but they are also not searching the purses, gym bags and other paraphernalia an employee may bring to work.

Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, up 1/3 over the previous quarter, according to the non-profit Identity Theft Resource Center (ITRC). This is more than double the first quarter of 2007 (which was 76 breaches). It is an easy theft with a big upside, and you can just sell the information to a sort of electronic fence so you don’t have to do much yourself.

Many of the investigations I have been involved with have uncovered employees doing another kind of theft: capacity theft. They are running their own businesses on the organization’s boxes, basically stealing capacity and storage, plus the loss of their time and energy while they are engaging in these practices. This can extend from running sex rings, which we have seen in state government data centers as well as in a recent incident with Congress, to taking the client lists and selling them to spammers.

So with the external environment making lots of people think they could use a few extra bucks, it is probably a good time for improving access control systems, doing background checks on a more frequent basis, and generally improving the facilities security of your data center. Of course, it goes without saying that you should be doing your risk assessments on a more frequent basis.

Besides doing the security checks, a side benefit is that if you publicize the fact that you are doing an assessment, employees will back off their extracurricular activities on your systems. Once again, the risk assessment is a win-win.

Visit RiskWatch.com for more Information
