|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Guard Scheduling Conundrum0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Data Breach Trends|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465ESRM: A Shift in Global Risk|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465In the Zone|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Industry News: Icelandic Prison Security, The Latest Government Contracts and Partnerships, and More|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465The Guard Scheduling Conundrum2017-08-14T04:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465After an Active Shooter2017-05-01T04:00:00Z|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Network Video2017-08-01T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465When Simulation Means Survival2016-04-01T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Book Review: Insider Threat2017-07-01T04:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now Review: Network VideoGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>CRC Press;; 366 pages; $79.95.​</em></p><p>The true value of this second edition of <em>Intelligent Network Video</em> is found in its subhead: <em>Understanding Modern Video Surveillance Systems. </em><br></p><p>A quick glance through the comprehensive table of contents provides the reader with a virtual encyclopedic source of all things technical. Readers are introduced to terms for video networking such as progressive, interlaced, and 2CIF-based video screening; rolling shutter distortion; dwell time and heat mapping; and megapixel, multimegapixel, and ultra HD networks. Although there is no accompanying glossary for reference, the author does a superb job of providing clear definitions and descriptions throughout the text. </p><p>Author Fredrik Nilsson draws connections between the cyber and physical security worlds and demonstrates why and how convergence will affect all professionals under the security umbrella. As someone who has concentrated mostly on physical security and shied away from the technology side, I learned a lot from this discussion.</p><p>While the first edition of this book was excellent, new chapters on serious topics such as cloud computing, thermal camera and video developments, and the updating of network video standards improve it. The book is full of photos and detailed illustrations reinforcing the written material and demonstrating the value and comparison of various technology system components, and applications within network systems. </p><p>Nilsson does a fantastic job of educating the reader on the historical timelines and development of the entire industry and what makes it tick. More experienced practitioners will learn from the advanced, technically rich chapters. And readers will appreciate the candid discussion of the advantages and disadvantages of the various systems. This is a valuable addition to any security practitioner’s library. <em>CRC Press;; 366 pages; $79.95.</em></p><p><em><strong>Reviewer: Terry Lee Wettig, CPP</strong>, is an independent security consultant. He was previously director of risk management with Brink’s Incorporated and a U.S. Air Force Chief Master Sergeant. He is a doctoral candidate in organizational management and a member of ASIS.</em></p> Review: Data HidingGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p></p><p><em>Syngress;;  324 pages, $49.95.​</em></p><p>Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. It’s often used by those in countries where the sending of encrypted messages is illegal or would raise suspicion.</p><p>In <em>Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense</em>, authors Nihad Ahmad Hassan and Rami Hijazi offer valuable information to two different communities: First are those living in countries controlled by oppressive regimes or outsiders trying to help them use steganography in their struggle for freedom. On the other side are those trying to break steganography when it’s used. Some examples are law enforcement personnel, forensic investigators, and students. </p><p>The book opens with a brief introduction to encryption and steganography, and then dives into the deep content. This is very much a hands-on guide, and about half the book consists of screen shots and figures. Users who want to use steganographic techniques will find this to be a helpful reference, and law enforcement will want to pay close attention to the section that deals with anti-forensic techniques.</p><p>While this guide won’t explain the theory of steganography, it comprehensively covers the practical side both for those aiming to hide data and those trying to uncover it.</p><p><em><strong>Reviewer: Ben Rothke, </strong>CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a principal eGRC consultant with the Nettitude Group.</em></p> to Protect Your House of WorshipGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Fifteen years ago, attackers threw grenades into a church in Islamabad, Pakistan, killing at least five people and injuring numerous others. No one claimed responsibility for the attack.</p><p>The attack garnered international response because it was in the diplomatic quarter of the city near the U.S. Embassy and was attended by diplomats and their families. Officials, according to CNN, said the church was only lightly guarded with a single officer responsible for overseeing access via its three entrances.</p><p>In 2015, Jim McGuffey, CPP, PSI, PSP, chair of the ASIS International Houses of Worship (HOW) Committee (a subgroup of the ASIS Cultural Properties Council) was in Pakistan and visited that church. He met the pastor and offered to do a security assessment for the church, which the pastor took him up on.</p><p>The interaction made him think about the increasing threats to houses of worship and how a limited security budget—or no security budget at all—could affect their security posture.</p><p>“These churches often can’t afford to have barriers, metal detectors, or bollards,” McGuffey says. “Most churches are not big money makers—most of them are smaller churches and not well-funded. When we approach them with security countermeasures, we have to think outside the box.”</p><p>This led to the creation of the Security Risk Analysis (SRA) Guide for houses of worship by the Cultural Properties Council that was released earlier this year. </p><p>It’s designed to share a “modified version of the SRA process, so that with guidance by a qualified security professional, house of worship leaders will be able to identify critical assets and assess threats and hazards,” according to a white paper on the guide. “This information will help determine levels of undesirable consequences and profitability of occurrence in order to select cost effective security strategies to mitigate risk.”</p><p>The modified version of the SRA guide includes selecting a safety focus team, conducting a security survey, identifying and prioritizing vital assets for protection, identifying threats and hazards, selecting cost effective security strategies, implementing those strategies, and maintaining those strategies.</p><p>And for houses of worship that don’t have the resources—either financial or man-hours—to conduct the SRA, the committee also released actionable steps to improve churches’ safety and security at little to no expense. </p><p>Those 34 steps include suggestions like never allowing staff or volunteers to work at the facility alone, ensuring opening and closing procedures are in place, making sure all doors and windows have functioning locks, and maintaining an inventory of expensive or easily stolen items.</p><p>The council specifically included these steps, McGuffey says, for those who “want to see some immediate impact and for whatever reason the SRA process isn’t going to happen…this way they will see a significant improvement in safety and security.”</p><p>In 2015, the ASIS Savannah Low Country Chapter hosted a workshop with a local police department and invited 40 clergy from South Carolina and Georgia to participate and learn about the not-yet released SRA and actionable steps. </p><p>McGuffey says the workshop was a success, and the committee held another one in April 2016 to help local clergy “walk away with the tools to take back to their churches and implement what they have learned.”</p><p>The committee is planning future events to work directly with clergy and local law enforcement to share the SRA, and McGuffey says it will continue to adapt the SRA as new threats emerge.</p><p>“I’ve made a point of saying, as with any document, we always have to audit them and make appropriate changes to meet revised threats,” McGuffey explains. “It’s a living document.”  </p> Breach TrendsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Early in the afternoon on May 12, 2017, the United Kingdom’s National Health Service (NHS) confirmed that it had been hit by a massive ransomware attack that was spreading its way around the globe.</p><p>“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” the NHS said in a statement, confirming that at the time it was released, 16 of its organizations had been affected by WannaCry ransomware.</p><p>MalwareTech, a cybersecurity blogger and researcher, saw that NHS had been hit by the attack at approximately 2:30 p.m. That fact tipped him off “that this was something big,” MalwareTech wrote in a blog post.</p><p>To find out what was happening, he got a sample of the malware, ran an analysis, and registered an unregistered domain for $10.69 that the malware had queried. </p><p>“Now one thing that’s important to note is the actual registration of the domain was not on a whim,” MalwareTech explained. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server domains.”</p><p>In the course of registering that domain name, however, MalwareTech effectively stopped WannaCry, the ransomware infecting 200,000 computers globally, demanding that users pay a ransom of about $300 in Bitcoin to decrypt their data.</p><p>MalwareTech’s efforts, along with an emergency patch released by Microsoft for Windows XP (which hasn’t been supported since 2014), stopped WannaCry. But that doesn’t mean they will be so lucky in the future as ransomware and other types of crimeware become more prevalent.<img src="/ASIS%20SM%20Callout%20Images/0817%20Cyber%20Chart.png" class="ms-rtePosition-2" alt="" style="margin:5px;" /></p><p>In the recently released Verizon 2017 Data Breach Investigations Report, Verizon analyzed data from 65 organizations and found that 88 percent of breaches fell into nine patterns identified in 2014: crimeware, cyber espionage, denial of service, insider and privilege misuse, miscellaneous errors, payment card skimmers, point-of-sale intrusions, physical theft and loss, and Web application attacks.</p><p>These attacks are successful, in part, because most companies erroneously believe they won’t be targeted, wrongly think they have the basics of cybersecurity covered, are failing to set strong password requirements, and are relying on how they have always done things—as opposed to being innovative and proactive.</p><p>“While attackers are using new tactics and tricks, their overall strategies remain relatively unchanged,” the Verizon report explains. “Understanding them is critical to knowing how to defend your organization from cyberattacks.”</p><p>The report also finds that it’s not just major companies being targeted. Instead, 61 percent of breaches in the report affected businesses with fewer than 1,000 employees.</p><p>Manufacturing, healthcare, and the financial services sectors were major targets for data breaches in 2016. But Verizon Global Head of Cybersecurity Strategy and Marketing John Loveland said that companies should not be distracted by that fact.</p><p>“I would say put a big emphasis on ‘industries most at risk,’ but that can be unhelpful because I think it may distract from the idea that every organization is a potential target,” Loveland said in a Verizon podcast interview.</p><p>Bryan Sartin, Verizon global security services executive director, echoed Loveland’s comments, and said that no organization should rest on its laurels.</p><p>Though they may be in denial, org­an­izations are going to be targeted, Sartin explained on the podcast. “Whether it’s design plans, medical records, or good, old-fashioned payment card details—somebody, somewhere will see it as their meal ticket and as an opportunity to get a hold of that, exploit vulnerabilities, find that data, get it out, exfiltrate it, and try to convert it into cash. Most cybercriminals aren’t that fussy about who they steal from.”</p><p>Ransomware. One of the unchanged strategies that cybercriminals are using is ransomware, which was the twenty-second most common form of malware in 2014. It’s now moved up to the number five position.</p><p>“For the attacker, holding files for ransom is fast, low risk, and easily monetizable—especially with Bitcoin to collect anonymous payment,” according to the Verizon report. Due to the success of ransomware in the past several years, criminals have become more innovative about how they use it to turn a profit.</p><p>“Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people,” the Verizon report says.</p><p>And while the hackers behind WannaCry didn’t make a great deal of money from the ransomware—CNBC estimated they made about $50,000 in Bitcoin in May—the way the malware spread was concerning for future attacks, says Jonathan Couch, senior vice president of strategy at ThreatQuotient, a threat intelligence platform.</p><p>This is because WannaCry spread through an initial infection, such as a malicious email that was opened, but from there operated like a peer-to-peer network, he explains.</p><p>“Clients would search for other clients on the network, spreading that way, rather than having a user spread the ransomware,” Couch says, adding that this is one of the reasons that WannaCry spread so quickly—because it was able to do so on its own.</p><p>The ability of ransomware to target an organization, as opposed to an individual, was a major change to ransomware in 2016, and attackers combined this tactic with other strategies to make their efforts even more successful.</p><p>“Ransomware campaigns targeting organizations often have additional characteristics, such as credential theft to spread the attack throughout the organization, delayed encryption to infect as many machines as possible before detection, and code that targets corporate servers as well as user systems,” according to the report.</p><p><img src="/ASIS%20SM%20Callout%20Images/0817%20Cyber%20Fact%20Box.png" class="ms-rtePosition-1" alt="" style="margin:5px;width:282px;" />These tactics will likely make future versions of ransomware even more powerful than what has been seen so far, Couch says. “People are going to improve the peer-to-peer to spread [ransomware] faster, and are going to use more encryption within their code to hinder analysis,” he adds. </p><p>Couch also predicts that future models will actually extract data from victims’ systems and encrypt it—rather than encrypting the data on the existing network. “One of the ways to fight ransomware is to do a backup…so if I have a good backup, I just use that,” Couch says. “If you have taken all my files, now I run the risk of you exposing my information.”</p><p>While ransomware is not likely to go away anytime soon, the security industry is stepping up to the challenge to detect ransomware before infections become critical, protect organizations from criminal campaigns, and help rescue ransomed systems without paying cybercriminals.</p><p>The industry is doing this by improving endpoint protection and detection of ransomware, sharing threat information with law enforcement agencies and other organizations, and supporting the No More Ransom! Campaign. </p><p>Started in July 2016, the campaign now has 57 corporate, association, and public sector members that work to help victims recover their encrypted data without paying ransoms.</p><p>“To that end, currently hosts 27 decryption tools, which can recover files from a wide range of ransomware families,” according to the report. “No More Ransom! calculates that they have successfully diverted more than $3 million from criminals by offering free decryption tools to thousands of victims around the world.”</p><p>Cyber espionage. Another major pattern in 2016 identified by the Verizon report was the increase in the number of attacks linked to state-affiliated actors who may—or may not—have a motive of espionage.</p><p>Twenty-one percent of the breaches examined by Verizon in the 2017 report were related to espionage, and the manufacturing sector accounted for 86 percent of the breaches. And of those breaches, 73 percent of perpetrators used a combination of a social engineering attack—such as a phishing attack—to install malware.</p><p>“A malicious email is the cyber spy’s favored way in. But this is no smash and grab,” according to the report. “The initial email is typically followed by tactics aimed at blending in, giving the attacker time to collect the data that they need.”</p><p>Attackers want to infiltrate their target, find out where its secrets are kept, and then slowly collect them until they are detected—ideally, as long as possible. </p><p>“When state-affiliated actors are involved, their operations are targeted attacks, rather than opportunistic,” the report explains. “In other words, the criminals are coming directly for a particular organization with a specific purpose in mind.”</p><p>The cyberattacks on French President Emmanuel Macron’s campaign in spring 2017 is a prime example of this tactic. After Russia’s efforts to influence the U.S. presidential election in 2016, Macron’s team knew it was likely to be targeted by similar efforts to help Russia-friendly candidate Marine Le Pen win. After winning a position in the final round of the election, Macron’s team began to receive sophisticated phishing emails.</p><p>Because Macron had limited staff resources, his team decided to create a disinformation campaign to confuse any potential hackers instead of focusing on keeping the hackers out altogether, said Macron’s digital director, Mounir Mahjoubi, in an interview with The New York Times following the election.</p><p>Mahjoubi said the team went on the counteroffensive, creating false accounts full of fake content that could be used to trap hackers. This way, once the hackers got into the accounts, they would have to spend precious time determining what content was fake and what was real.</p><p>While this was effective in slowing down the hackers and preventing the hack from being completely damaging, it’s not the best defensive approach to take, says Alex Vaystikh, cofounder and chief technology officer of SecBI, a threat detection provider.</p><p>“If we look at it from a defensive point of view, it’s a bad approach in terms of defense because the defense has come to the conclusion that there’s nothing it can do to prevent the hack,” Vaystikh explains. “The only way is to confuse the hacker with enough false information that when he gets in, he’ll have to go through certainly a lot of noise. Kind of a denial of service attack on the hackers with information.”</p><p>Several companies have taken this same approach to cybersecurity, which Vaystikh says is frustrating because it seems that they have resigned themselves to the fact that hackers are going to get in.</p><p>“It’s somewhat frustrating in the world of cybersecurity because it means that we’ve given up... and our only hope is that by the time [the hacker] gets the sensitive information and figures out what it is, it will no longer be that sensitive,” Vaystikh adds.</p><p>Instead, companies should be proactive about securing their systems and monitoring them, he argues, echoing suggestions from Verizon’s report.</p><p>For instance, Verizon recommends that companies separate their highly sensitive data to allow only those who need access to have access, provide phishing training to all employees, monitor internal networks, and implement data loss prevention controls “to identify and block improper transfers of data by employees.”</p><p>According to the Verizon report, “If a username and password is the only barrier to escalating privilege or compromising the next device, you have not done enough to stop these actors.” ​ ​ ​</p> A Shift in Global RiskGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The quest to better understand the sources of global risk, and the effect those sources of risk may have on security, is of continuing importance to many practitioners of enterprise security risk management (ESRM). </p><p>And now, global risk has entered into a new era, with people around the world facing more political instability, more economic challenges, and the prospect that more national policy decision making will be driven by emotion rather than reason, a new study finds. </p><p>The study, The Global Risks Report 2017, is the 12th edition of one of the flagship reports issued annually by the World Economic Forum. The report postulates that the new era of risk began last year, a watershed time for instability when increasing economic populism and political polarization came to a head in unexpected election results and the disquieting rise of former fringe nationalist parties. </p><p>“The year 2016 saw profound shifts in the way we view global risks. Societal polarization, income inequality, and the inward orientation of countries are spilling over into real-world politics,” reads the study, which was conducted with the help of academic advisors from the University of Oxford, the National University of Singapore, and the Wharton Risk Management and Decision Processes Center at the University of Pennsylvania. </p><p>The report argues that five “gravity centers” will shape global risks moving forward, and it sketches out the challenges that will result from each of them.  First, continued slow economic growth, in tandem with high debt and demographic changes, will create an environment conducive to financial crises and growing inequality. Second, corruption and unequal distribution of the benefits of growth will convince a growing number of people that the current economic model is not working for them.</p><p>Third, the transition towards a more multipolar world order will put a greater strain on global cooperation. Fourth, the fourth industrial revolution—Internet-connected technologies—will continue to transform societies, their economies, and their ways of doing business. Fifth, more people will seek to reassert identities that have been blurred by globalization, so decision making and election choices will be increasingly influenced by emotions rather than reason.</p><p>There is no one silver bullet solution to these challenges. But the report argues that the problems “create the opportunity to address global risks and the trends that drive them.” In that spirit, the study sets out several actions that leaders should take to push forward in creating a more secure and stable world. </p><p>The report argues that political leaders need a deeper commitment to fostering inclusive development and equitable growth, on both a national and global scale, instead of allowing increasing economic inequality to further destabilize societies. And while the report praises innovation, it also argues for better management of technological change, so the growth of new uses for technology causes less disruption and leaves fewer behind. </p><p>Finally, at a time when multinational institutions like the European Union and NATO are under unprecedented attack, the report calls on leaders to redouble efforts to protect and strengthen systems of global collaboration. Destabilizing international events—which range from migration flows created by the Syrian war to major weather events that impact several countries to a potential global water crisis—all warrant more cooperation between countries.  </p><p>“It is ever clearer,” the report argues, “how important global cooperation is on the interconnections that shape the risk landscape.”</p> the ZoneGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The term “Green zone” refers to a heavily fortified international center in a high-threat country—the original Green Zone is in Baghdad, Iraq, an area that American forces overtook in 2003 and turned into an international safe haven. It is now home to the U.S., British, Australian, and Egyptian embassies.</p><p>Other diplomatic centers throughout the world have adopted the term. That’s why Afghans were shocked by what occurred in Kabul’s Green Zone just before 8:30 a.m. on May 31, 2017, when a truck exploded in the center of the zone, killing at least 80 people and injuring upwards of 500.</p><p>The bomb destroyed buildings and demolished cars in a several-block  radius. Although the blast took place in a diplomatic area of the city, it was mostly Afghan civilians who were killed, including guards for several of the embassies in the zone. </p><p>The circumstances surrounding the massive blast in the Green Zone create a macabre juxtaposition. Officials have yet to figure out how a vehicle carrying enough explosives to create a 15-foot crater was able to enter the heavily-fortified area surrounded by 10-foot high blast walls. On the other hand, security measures were so heavy that security checkpoints snarled traffic, resulting in the high number of civilian casualties.</p><p>Nobody has claimed responsibility for the attack, and investigators reportedly believe that the vehicle carrying the explosives was a waste collection truck, which is perhaps how it was allowed through checkpoints. </p><p>But the attack has left diplomatic officials trying to find the balance between fortress-like security measures and fostering a more open and transparent relationship with the host country, both physically and strategically. </p><p>The 1998 bombings of American embassies in Nairobi, Kenya, and Dar es Salaam, Tanzania, which killed more than 220 people, and the 2012 Benghazi, Libya, attack that left four dead, all drastically shifted the way the U.S. Department of State approaches embassy security. </p><p>The United States has more than 300 embassies, consulates, and diplomatic missions around the world—the most of any country. After the 1998 attacks, the State Department determined that more than half of those embassies needed to be completely replaced to meet security requirements. The State Department then created a standard embassy layout that was used all around the world. <img src="/ASIS%20SM%20Callout%20Images/0817%20NS%20Fact%20Box.png" class="ms-rtePosition-2" alt="" style="margin:5px;width:246px;" /></p><p>Since then, more than 30,000 diplomatic staff have been moved into hardened facilities that meet heightened physical security standards, including a 100-foot setback from the site’s perimeter, anticlimb walls and antiram barriers, hardened building exteriors, and controlled access to the compounds.</p><p>American embassies and consulates have different threat levels based on factors such as the overall security landscape and host country crime rates, explains Robert Baggett, CPP, PCI, PSP,  a former Diplomatic Security Service (DSS) special agent for the State Department and current cochair of the ASIS International Academic and Training Programs Council. </p><p>Baggett led various Regional Security Office portfolios, such as local embassy guard forces and teams that identified security threats for U.S. missions in China, Iraq, and Vietnam. He tells Security Management that the risk ratings for individual embassies and consulates are assessed on a constant basis in light of any changes that may alter security posture.  </p><p>“Once a post is designated as high-threat, then other facets come into play in terms of additional funding, security preparedness, or staffing,” Baggett notes. </p><p>Currently, 78 embassies are ranked as high-threat, high-risk posts, which means that all mission chiefs must receive Foreign Affairs Counter Threat (FACT) training that focuses on topics such as emergency response, first aid, offensive driving, and evacuations. </p><p>“FACT training provides familiarization on what can be expected while serving at these posts, thereby improving one’s situational awareness and empowering them to work more effectively and safely in this type of high-threat environment,” Baggett explains.</p><p>Approximately 14,000 American foreign service officers and specialists work at U.S. missions around the world. These Americans are bolstered by more than 50,500 locally employed staff, who are typically citizens of the host country where the U.S. mission is located. </p><p>Some high-threat posts, such as the U.S. Embassy in Baghdad, are also staffed by third-country national security forces—many of which hail from South America or Africa—that are employed under American-owned company security contracts. These guards often supplement the mission’s security force that comprises DSS special agents, special protective specialists, American civilian security force operators, and other personnel. </p><p>“In any embassy or consulate, you’re going to have to heavily rely on foreign service national staff to support operations, including political and economic sections, human resources, general services, and especially the local guard force,” Baggett notes. “These individuals not only speak the native language, they are truly vital to the mission where they are familiar with host country laws, policies, and customs. They serve as an embassy or consulate’s foundation to conduct U.S. foreign policy overseas, have cultivated host country government contacts, and possess the historical knowledge of the mission, which is truly priceless since foreign service officers and specialists typically rotate assignments every one to three years.”</p><p>Maintaining effective communication between a U.S. mission and the host country’s government, regional offices, and local law enforcement is imperative for strengthening the embassy or consulate’s security, as well as the bilateral relationship with the host country, Baggett explains. </p><p>“Many times we would hear information through our foreign service national staff or established professional contacts, but we weren’t hearing it through official channels,” he says. “Other times we’d see plainclothes local law enforcement officers in front of our embassy and wonder why, and two hours later there’s a big protest that we didn’t know anything about. Being able to establish and develop professional local law enforcement relationships is paramount in receiving such potential threat information directly from the field rather than waiting on obtaining information from official channels.”</p><p>Strengthening the strategic relationship between embassy personnel and the host country goes beyond information sharing and includes the physical presence of the embassy. </p><p>Almost 15 years after the 1998 Africa bombings and subsequent implementation of standardized, high-security embassy construction, there was a push to allow more flexibility in embassy design while maintaining certain security standards. Dubbed the Excellence Approach, it gave the State Department’s Bureau of Overseas Building Operations (OBO) the ability to contract directly with individual design firms to “improve embassies’ appearance in representing the United States, functionality, quality, and operating costs,” according to a new U.S. Government Accountability Office (GAO) report.</p><p>“The whole idea of building these new embassies is to get our people into safer and more secure facilities,” says Michael Courts, director of international affairs and trade at GAO. “State Department officials believed they would have greater design control because they could customize the designs to the locations where they were being built.”</p><p>This is important because the previous standard design did not allow for embassy customization based on the region, space availability, or climate, lowering the flexibility and functionality when it came to building new embassies, Courts tells Security Management. </p><p>Instead, the Excellence Approach requires OBO and design firms to work together to make sure certain security standards are met at each unique facility while emphasizing location and design that will further the diplomatic mission. </p><p>The new policy emphasizes considering American values in promoting a sense of openness, accessibility, and transparency through location; proximity to other embassies and host country facilities; and a location that is connected to public transportation and infrastructure, according to the GAO report.</p><p>“How you implement those standards can change depending on what sort of site you’re building on, the density of the surrounding urban area—that is going to be somewhat challenging for the State Department because they are going to have to try to adapt to each context as they build their embassies,” Courts notes.</p><p>Keith Bobrosky, vice president of sales at Delta Scientific, agrees. “It’s subtle to an outsider, but from what we’ve seen it’s very important,” he explains. “For years they had standard embassies—all one design and arguably very militaristic and not very inviting. Now the embassy needs to mimic the surrounding environment aesthetically a lot more, so we still want to keep the utmost in vehicle barrier and perimeter security, but aesthetics play a far more important part when we’re a guest in some of these other countries.”</p><p>Bobrosky has been involved with the implementation of barrier protection at hundreds of overseas building operations for the State Department and the FBI. Despite the design changes, State has been relatively consistent in what it requires for perimeter security at its embassies, he says, but the technology itself is continuously changing to improve longevity and environmental impact. </p><p>For example, Bobrosky notes that embassies have always used hydraulic barrier systems—which rely on hydraulic fluids to operate their motion—but some newer builds have started turning to electromechanical barriers because they are more environmentally friendly. </p><p>“We’ve seen a paradigm shift from hydraulic to a more politically correct product—electromechanical—because there’s no fluid that could leak in these other countries where we’re really a guest,” Bobrosky says. “Some of them are very environmentally aware where they do not want to have any hydraulic fluid possibly hitting the soil.”</p><p>This fits in line with the shift Bobrosky has seen as OBO has implemented the Excellence Approach—placing emphasis on how the embassy can fit in to its surroundings while being respectful of the host country. </p><p>“Sometimes these fences are dozens of years old and the barriers we put in have to match,” he notes. “Or the cobblestone street in front of the embassy may be hundreds of years old, so when we install the bollards we have to meticulously move each cobblestone and replace it in the same manner.”</p><p>The customized embassy approach has been around for five years, but it’s unclear what effect the new, individualized designs have on security, the GAO report notes. OBO employees are divided on whether the Excellence Approach has improved the construction programs—37 percent agreed that it had, 34 percent disagreed, and the remainder were not sure, according to the GAO report. OBO has not defined performance measures to quantify the success of the new approach, the report explains.</p><p>“Without performance measures specific to Excellence and sufficient systems to collect and analyze relevant data, OBO will not be able to demonstrate whether the performance of Excellence projects over time justifies the increased emphasis on and investment in their designs,” according to the report.</p><p>Meanwhile, physical security providers such as Bobrosky continue to see small shifts in operations that make embassies more inviting. He notes that all barrier systems include in-ground vehicle detection, which prevents the accidental deployment of a barrier on an innocent party, such as a gate closing on a cleared vehicle. </p><p>“We’ve seen some changes in the last few years in this argument between safety and security,” Bobrosky explains. </p><p>Some embassies are requiring infrared sensors near their barriers, which are more accurate and would keep barriers or gates from being accidentally deployed on pedestrians. </p><p>“It’s a little less secure because there’s more of a chance for someone to keep the gate from operating as it should, but it’s a lot safer for pedestrians and vehicles alike,” he says. “It’s hard to have the best of both safety and security, because you have to take from one to get more of the other.” ​</p>