|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Only A (Lonely) Test0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465A Museum of the World and for the World|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465World Water Woes,-Employment,-and-the-Law.aspxGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Brexit, Employment, and the Law|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Pesky Passwords|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465January 2017 Industry News2017-01-01T05:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Metrics and the Maturity Mindset2016-12-01T05:00:00Z|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465ASIS News November 20162016-11-01T04:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465Access to Bank On2017-01-01T05:00:00Z|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465An Intelligent Solution2017-01-01T05:00:00Z

Security Management

 Morning Security Brief

View RSS feed

 SM Weekly

Retrieving Data

 SM Daily

Retrieving Data
Not a Member? Join Now 2017 Industry NewsGP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>​SECURITY AT ASIS 2016</h4><p>Allied Universal provided physical security at ASIS International’s 62nd Annual Seminar and Exhibits in Orlando, Florida. Allied Universal security officers and the company’s new robots patrolled the exhibit hall to help ensure a safe and secure environment. </p><p>Partnering with Allied Universal for security for the ASIS conference was Dan Taylor & Associates, LLC, a firm that specializes in trade show security. The companies have worked together for five years to provide security for the event. </p><p>Allied Universal is working with Knightscope to provide its new Machines as a Service program. The Knightscope K5 and K3 Autonomous Data Machines operate within a geofenced area and provide alerts generated by video cameras, thermal imaging, license plate recognition, audio recording, two-way intercom, and more. Shown here, Stacy Stephens of Knightscope (center) chats with two attendees.​</p><h4>PARTNERSHIPS AND DEALS</h4><p>Altronix appointed Thomasson Marketing Group to represent its power and transmission solutions in California, Hawaii, Nevada, and Arizona.</p><p>SMARTair wireless access control from ASSA ABLOY is in use at Córdoba, Spain’s new Red Cross building.</p><p>Axis Communications will market network video products from Canon Inc. in Europe, the Middle East, and Africa, plus North America. </p><p>BriefCam announced a technology integration partnership with Digifort, enabling users to extract data collected on their surveillance systems and achieve better security and operational management.</p><p>Computer Products Solutions, a division of Panasonic System Communications Europe, and FusionPipe Software Solutions Inc. formed a partnership for Panasonic to sell and support FusionPipe’s patented QuikID authentication solutions.</p><p>Digi Security Systems partnered with March Networks to offer customers more electronic security products tailored specifically to the retail and banking markets. </p><p>DirectView Holdings, Inc., installed a comprehensive surveillance, alarm, and access control system for Primary at its flagship location in New York City.</p><p>New partnerships for exacqVision include integrations with Commend intercom systems and Hartmann Controls Web-based access control systems.</p><p>Handheld mobile reader systems using Farpointe reader modules are now available from Cypress Integrated Solutions. </p><p>Galaxy Control Systems is introducing a hosted access control partnership program. The first partners are Bold Technologies, Dynamark, and Advanced Access Security.</p><p>GET Group North America is partnering with Speed Identity to offer biometric, live capture solutions for identity, credential, and access management to the North American market.</p><p>Hanwha Techwin America announced that its SRM-872 mobile NVR now integrates with the Genetec Security Center 5.5 SR1 security platform, allowing its use on trains, buses, and other modes of public transportation.</p><p>South Africa’s Western Province Blood Transfusion Service contracted installer Verivision to develop a hybrid security solution. Verivision chose products from Hikvision as the basis for the system.</p><p>Morphean is hosting its management platform for content analysis videos and incident detection in Interoute’s Virtual Data Centre.</p><p>March Networks integrated its Searchlight for Retail software with high-performance RFID technology from Zebra Technologies.</p><p>Netwrix Corporation announced that Bank of the South chose Netwrix Auditor to secure customer data and facilitate compliance with regulatory standards.</p><p>OffSite Vision Holdings, Inc., played an integral role in the 2016 Texas Night event hosted by the ASIS Houston Chapter at B.B. King’s Blues Club in Orlando. The EmergenZ People Pass System helped streamline the entry process for authorized attendees. It incorporated technologies from multiple security vendors including Orion Entrance Control, Inc.; Genetec; and Blue Line Technology.</p><p>The integration between OnSSI Ocularis 5 and Hitachi Visualization Suite software and Video Management Platform provides a public safety solution that supports safer communities through connected intelligence. </p><p>Regroup Mass Notification and Lexco Security Systems entered a partnership that will provide organizations with the technology and thought leadership necessary to improve on-premises security and employee safety. Regroup is also partnering with Singlewire Software for an integrated notification solution.</p><p>RiverSafe is a partner of the ThreatQuotient Threat Alliance Partner program, providing both technology and consulting services to protect data and IT systems. </p><p>Plastilam will purchase millions of Smartrac PRELAM inlays for contactless access cards over the next three years. </p><p>Quantum Corp. announced joint development initiatives with four video management system providers: Aimetis Corp., OnSSI, Qognify, and Verint Systems Inc. have joined the Quantum Advantage Program.</p><p>Securonix formed a partnership with ThetaPoint, Inc., to deliver security solutions that predict, prevent, and detect cyberthreats to enterprise security.</p><p>PSA Security Network and Sensera Systems formed a partnership to distribute Sensera’s solar/wireless/cloud site camera solutions.</p><p>Sensory Inc. and Samsung SDS announced a global partnership to provide customers with authentication services. </p><p>Sopra Steria announced a new partnership agreement with Sybenetix to enable investment firms to integrate behavioral management and compliance solutions.</p><p>Talkaphone added PLG Security as a manufacturer’s representative for Canada and Intelligent Marketing Inc. to represent the company in the eastern and southeastern United States.</p><p>ZKAccess welcomed Associated Engineering Systems, Inc., as an authorized partner.​</p><h4>government Contracts</h4><p>BlackBerry’s secure tablet, integrated with government-grade MAM technology, was approved by the German Federal Office for Information Security at the “classified—for official use only” security level. </p><p>Buffalo Computer Graphics announced that its DisasterLAN Incident Management Software was recently used during the Vigilant Guard exercise administered by the Vermont National Guard and Vermont Division of Emergency Management and Homeland Security to test the state’s emergency response. </p><p>Working with Service Employees International Union-United Service Workers West, the Building Skills Partnership, passenger services contractor G2, and American Airlines, Los Angeles World Airports will develop a pilot training program for passenger service workers at Los Angeles International Airport in emergency response and situational awareness.</p><p>CNC Technologies was selected by the Bexar County Sheriff’s Office in Texas to deploy a mission-receive site to support the agency’s airborne policing and public safety operations. The system will enable personnel to receive encrypted data and video streams from department and partner agency aircraft.</p><p>COPsync, Inc., announced that the Bennington Oklahoma Police Department has joined the COPsync communication and information sharing network. </p><p>The Bergen County Sheriff’s Office in New Jersey selected Hanwha Techwin IP video surveillance cameras for security in its new parking structure and renovated police services building.</p><p>Hikvision USA Inc. provided Becker Public Schools in Minnesota with a security upgrade to protect students, staff, and facilities. </p><p>The International AntiCounterfeiting Coalition signed a memorandum of understanding with the City of London Police to formalize their solidarity in fighting for intellectual property rights. </p><p>Milestone Systems is helping the Topeka School District in Kansas with a video surveillance and integration platform for a systemwide upgrade. Integrator ISG Technology installed the system, which includes Axis network cameras and S2 Security access control.</p><p>MorphoTrak, a subsidiary of Safran Identity & Security, deployed an automated biometric identification system in the cloud for the Albuquerque Police Department.</p><p>As part of a safety plan program organized by the Tennessee Department of Education, in conjunction with the Tennessee Organization of School Superintendents and several Tennessee school districts, NaviGate Prepared is offering its customized Safety Plan Wizard to all K-12 Tennessee schools.</p><p>Qognify, formerly NICE Security, announced that Hefei Xingiao International Airport in China is expanding use of its video management system.</p><p>Siklu Inc. was selected by the Oakham Council in the United Kingdom to provide a wireless connectivity solution for Oakham’s new high-definition surveillance system. </p><p>Sopra Steria announced that four police forces within Yorkshire and Humberside collectively invested in a STORM Command and Control system to support the first collaborative crime scene investigation operation in the United Kingdom. West Yorkshire Police is the lead force in this collaboration.</p><p>TASER International received an order for TASER X2 Smart Weapons for the Florida Fish and Wildlife Conservation Commission. </p><p>Vigilant Solutions is providing fixed cameras to the La Verne Police Department in California to improve the safety of the community.​</p><h4>awards and CERTIFICATIONS</h4><p>Allied Universal was awarded the Brandon Hall Gold award for the Best Launch of a Corporate Learning University.</p><p>Geoswift has obtained TRUSTe Enterprise Privacy Seals in both English and Simplified Chinese for the Geoswift website and PayTuitionNow portal.</p><p>Global Technical Systems gained status as a National Security Agency Trusted Integrator for Commercial Solutions for Classified Programs.</p><p>Halton Regional Police Service of Ontario, Canada, has been named a 2016 Computerworld Data+ Editors’ Choice Award honoree for its use of Hexagon Safety & Infrastructure software in innovative Big Data initiatives. </p><p>The Hikvision PanoVu Panoramic Camera won a GIT SECURITY Award for its simple design, superior image quality, and easy installation.</p><p>At the CTIA conference, Smartvue Corporation won the IoT Emerging Company of the Year Award for the Consumer Market.</p><p>SPHERE Technology Solutions received national certification as a Women’s Business Enterprise by the Women Presidents Educational Organization.</p><p>Veridos announced that its ID smart card system was recognized with an Asia Pacific Smart Card Association Radiant Award for its smart technology. </p><p> announced that its data centers and cloud infrastructure have been validated for PCI DSS 3.1 compliance. </p><p>Frost & Sullivan presented Wurldtech, a GE company, the 2016 North America Frost & Sullivan Award for Product Line Strategy Leadership.</p><h4>ANNOUNCEMENTS<br></h4><p>The Partnership for Priority Verified Alarm Response announced that ADT has joined the organization as a full industry member. </p><p>Axon Public Safety Canada Inc., a subsidiary of TASER International, announced a partnership with the Canadian Centre of Public Safety Excellence to support the organization with access to technology including Axon body-worn cameras.</p><p>Cambridge Pixel is offering a free software tool to assist commercial security and defense integrators, installers, and developers to select the optimum location for a radar or other sensors.</p><p>Canadian Pacific Railway has introduced a new Web page that showcases its dangerous goods–</p><p>re­sponse capabilities, training avail­able to first responders, and other online resources.</p><p>The Centers for Medicare & Medicaid Services finalized a rule to establish consistent emergency preparedness requirements for healthcare providers participating in Medicare and Medicaid, increase patient safety during emergencies, and establish a more coordinated response to natural and man-made disasters. </p><p>COPsync, Inc., announced that Amber, Silver, and Blue alerts will be distributed via the COPsync Network to the thousands of officers using the system across the United States. </p><p>Eyewitness Surveillance secured an investment from LLR Partners to support the company’s expansion of its services and growth into new geographic and vertical markets. </p><p>Galaxy Control Systems offers an online video library on its website, including professional videos that provide answers to its eight most common tech support questions.</p><p>Hoyos Labs rebranded as Veridium, heralding a new corporate strategy and the launch of its end-to-end biometric authentication solution VeridiumID.</p><p>The Imaging Source Europe GmbH moved into new corporate headquarters in Bremen Überseestadt, Germany.</p><p>IntellCorp is making its services available in Portuguese-speaking nations around the world. </p><p>March Networks introduced a Security Audit tool to help systems integrators evaluate and improve the security of their video installation configurations and provide additional assurance to their customers.</p><p>OpenSesame is partnering with publisher Ed4Online to distribute a free Zika Virus Prevention Course worldwide.</p><p>Parabon NanoLabs is calling for participants in a research study, sponsored by the U.S. Department of Defense, in which DNA samples from distant relatives will be analyzed to improve familial matching. The research will assist in the identification of deceased service members.</p><p>Raytec launched a redesigned website dedicated to helping customers deliver the best lighting solutions for video surveillance.</p><p>To demystify pandemics, Send Word Now developed a new eBook: Is Your Organization Ready for a Pandemic? </p><p>Vulsec, LLC, unveiled a new YouTube video that details how companies can become vulnerable to cybersecurity attacks and what they can do to prevent and protect themselves from such attacks.</p><p>Weir-Jones Engineering Ltd., and SGS Canada Inc., will bring affordable Earthquake Early Warning System technology, known as ShakeAlarm, to countries with high seismic risk that currently do not have systems in place to protect lives in the event of a major earthquake.</p><p>Wombat Security Technologies updated its platform to provide users with flexible training via the release of seven mobile-responsive modules.</p><p>ZKAccess was a sponsor of the first annual Greystar Charity Golf Event to help raise funds for the Post Traumatic Stress Disorder Foundation of America.</p> to Bank OnGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​The intersection of cyber and physical security is a critical consideration for banks with brick and mortar buildings, who also offer many of their services to customers online. To protect these assets, financial institutions have increased their information technology security spending by 67 percent since 2013, according to a recent survey by PricewaterhouseCoopers.</p><p class="p1">Zions Bancorporation is one such institution that has taken steps to converge its physical and cybersecurity systems to protect its customers and assets, which total approximately $60 billion. One of its affiliates, Nevada State Bank, recently upgraded its access control system to provide enhanced security, as well as convenience, for its workers.</p><p class="p1">To workers at Nevada State Bank, the old system of physical keys and hard locks was both a security concern and a nuisance. For example, an employee was at the park playing with her child when someone broke into her car. Along with the employee’s purse, the robber got away with a physical key to the bank’s branch where she worked. She made a phone call to corporate security, and the entire building had to be rekeyed that weekend. </p><p class="p1">“To rekey all the locks and replace keys could cost $3,000–or it could be even more costly if it’s a master key that’s lost,” says Bob Shandle, regional security officer for Zions Bancorporation. He adds that when employees lose their keys, “it almost always happens over the weekend,” an inconvenience to the security staff.  </p><p class="p1">Replacing physical keys with cards was one of the biggest advantages to upgrading access control at three Nevada State Bank branches, says Shandle, who introduced new security cameras and alarm systems as well. “Card access is just a small part of the big picture of what we’re trying to accomplish” in terms of security, he notes. </p><p class="p1">Zions worked with an integrator to find the best choice for an access control platform for the bank. In March 2015, it chose Sielox Pinnacle, the software that serves as the hub for the overall access control system. Sielox 1700 Network Controllers are used to support card readers installed at door locations, including hardwired doors located in the branch’s vault.</p><p class="p1">At the majority of its entryways, the bank first chose Allegion AD-400 wireless locks that integrated with the Sielox system. Because the locks are large and require drilling holes for installation, the AD-400 locks were functional but not ideal. In March 2016, Shandle purchased Schlage NDE locks, which have a smaller form factor and are more affordable. Both Schlage and Allegion are owned by manufacturer Ingersoll Rand, so the microchips inside employee access cards did not change. The cards were simply updated through the Pinnacle software. </p><p class="p1">“The NDE lock requires no special modifications to the door. It goes right on top of where your old lock used to be,” Shandle explains. This is especially useful given the “bandit barriers,” or bulletproof glass walls, that run throughout the branch to protect tellers from potential shooters. With a wired system, “you’d basically have to disassemble the entire door area” for installation, Shandle says. “With the NDE lock I was able to get the mount right on top of that heavy-duty Plexiglas, and it worked really well.” </p><p class="p1">He adds that the locks resulted in a “huge cost savings,” and says the price of the wireless access control system was roughly one-third the cost of a hard-wired one. Commissioning the lock to work with existing cards was also fairly seamless. Using a smartphone and tablet app from Allegion that integrates with the Sielox software, administrators create a username and password, and then link the wireless locks to Pinnacle. This enables the chips in the card to work with the control boards in the door readers. “Sielox is the only access controller provider in the market that seamlessly integrates the NDE locks from Allegion, so it really did work out well,” he adds.</p><p class="p1">In addition, someone at the bank is responsible for going through the card access database every day to ensure that it reflects employees who have been terminated, are on temporary leave, or have returned from leave. Changes can be managed within the Sielox Pinnacle online Web portal. Additionally, all actions are recorded and reported on every card, so security personnel can track activity and spot abnormalities in the log files. </p><p class="p1">Vendors who spend an extended period of time at a branch are assigned a bank employee who is responsible for their access card. “That supervisor or person from the bank would have to request the card in writing from us, and then we would issue it on a temporary basis,” he says. The assigned person from the bank is responsible for eventually getting the card back to security. </p><p class="p1">Currently three Nevada State Bank branches have card access throughout the building, as well as the central vault. Eventually Shandle says they hope to implement the system organization-wide. “We are trying to consolidate all of the branches under the Sielox Pinnacle card access system and eliminate the need for employees to carry keys altogether,” he notes. </p><p class="p1">The biggest concern with wireless access control readers is battery life, Shandle says, so Pinnacle has an application that tells security how long until the batteries on individual door readers are exhausted. And there is a small time-delay between putting the card up to the reader and when the door unlocks. “When it comes to presenting your credentials, the readers don’t always respond immediately like the hardwired ones do,” he notes. </p><p class="p1">However, these concerns are outweighed by the convenience of the overall system. A key can be disabled within minutes, no longer requiring an expensive and timely rekeying of the building. “It costs about $5, and I can have a key card removed from the system in a number of seconds,” Shandle says. “Even if you lose it on a Friday night, we can have that card disabled, so that the missing fob that grants access to our branch doesn’t work anymore.”</p><p class="p1"><i>For more information: Karen Evans,,, 856.861.4568​ ​</i></p> Intelligent SolutionGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​A large, international finance company was recently planning to fire one of its employees, but the company’s leadership was concerned. The employee, whom we’ll call John, had a history of being aggressive towards his supervisors.</p><p>Thankfully, the actual termination went smoothly and without incident, but that’s where the company’s good fortune ended. During the days that followed John’s termination, several employees received notes from him on social media instructing them to “consider not going to work” on a specified day.</p><p>As a precautionary measure, the company contracted for additional physical security at its main office building. However, when it became aware of the social media threats, the company reached out to the author’s international protection, investigations, and consulting firm for advice on how to handle this new challenge.</p><p>The firm immediately began conducting physical surveillance, following John’s movements. It also started analyzing his social media accounts and noticed that he had made several posts about the company’s vice president of human resources. </p><p>Upon further observation, the firm discovered that John had recently driven to an intersection about one mile from the company’s building. This location was also on the route that the vice president took to get to work every day.</p><p>Using the intelligence gathered from social media and physical surveillance, the firm observed John’s behavior in real time and contacted law enforcement to prevent him from causing any harm to the vice president or to the company’s facility.</p><p>Not all workplace violence threats are so successfully mitigated. An average of 551 workers were killed each year between 2006 and 2010 as a result of work-related homicides, according to the most recent numbers from the U.S. Bureau of Labor Statistics (BLS). And as many as 2 million workers report having experienced workplace violence each year, according to the Census of Fatal Occupational Injuries.</p><p>Most alarmingly, shootings accounted for 78 percent of all workplace homicides—83 percent of which occurred within the private sector. </p><p>Unfortunately, the traditional corporate climate is reactive because most companies only respond after there’s been a highly publicized workplace violence incident. Furthermore, many do not enact changes at all once the dust settles and the incident is no longer in the media. </p><p>With concern growing over workplace violence from all sectors, there is a demand for protective intelligence, which can avert a crisis instead of reacting after it occurs. To put it simply, you cannot mitigate a risk that you have not anticipated.​</p><h4>Intelligence</h4><p>The primary objective of protective intelligence is to collect information to help determine if an individual demonstrates the intent and capability to formulate and execute a violent plan of action.</p><p>To determine this, most use the intelligence cycle—an important process for investigators or anyone who collects information for assessment or analysis. </p><p>Originally implemented by the U.S. Military Intelligence Division during World War I, this process is leveraged by many government entities and for a wide spectrum of tasks, such as by organizations like the Federation of American Scientists. This process is most notably used in the investigative processes within the FBI and within the U.S. Secret Service, namely the National Threat Assessment Center. </p><p>The FBI defines the intelligence cycle as “the process of developing unrefined data into polished intelligence for the use of policymakers.” Protective intelligence investigations differ from other kinds of investigations because the goal is to prevent violence or a loss, not simply secure the requested facts. </p><p>An individual, group, or organization must collect information that will develop the critical intelligence required to take preventative actions. The U.S. Secret Service defines this process as “gathering and assessing information about persons who may have the interest, motive, intention, and capability of mounting attacks against public officials and figures.”</p><p>The intelligence cycle has six steps. These steps are: identify requirements, plan and provide direction for intelligence that is to come, collect and gather information, process and exploit collected information, analyze and convert that information to produce raw intelligence, and disseminate intelligence to those who will use it for tactical, operational, and strategic decision making.</p><p><b>Identify requirements. </b>The first step is to identify the requirements the information is designed to satisfy. This step will help filter data into the most critical pieces of information and organize them by relevance.</p><p>For workplace violence investigations, investigators should focus on information that will help answer the fundamental question: Does this subject present a threat to protected individuals, groups, or organizations?</p><p>Some companies do designate internal employees as threat response personnel. Protective intelligence investigations are performed most effectively by those who have experience and training doing them and who are also unbiased, such as a third-party consultant. </p><p>Plan and provide direction.<b></b> The second step in the cycle is to create a plan and provide direction for the intelligence that is to come. </p><p><b>Collect and gather information. </b>Gathering of information is the third step and includes researching online databases, performing physical surveillance, and conducting interviews. </p><p><b>Process and exploit. </b>After col­lecting relevant information, the fourth step of the intelligence cycle is to process and exploit that information. This means filtering the data into useable bits for the decision-making processes defined by the requirements in the first step; the bits can be referred to as the dots. </p><p>For example, when conducting an investigation of a subject who may be on the path to violence, social media or other tools may reveal his whereabouts during certain times that may be indicative of a hostile planning process. Critical decision points for likely pathways the subject would take to commit an act of violence could be established, and their correlation with the information that has been revealed would create the dots. </p><p>This can be a time-consuming burden, especially for investigators using social open-source intelligence (SOSINT). To be effective at this task, investigators should combine resources by directly researching on social media sites and by using search engines to do the task. With this methodology, investigators can start to connect the dots, enabling analytical confidence—particularly when dealing with the concern of targeted violence.</p><p><b>Analyze and convert. </b>The fifth step of the process is to analyze and convert these bits of data to produce raw intelligence.</p><p>In the event that a subject’s behavior reveals the impending manifestation of a perceived threat, these connected dots are used to make decisions that will effectively impede the process.</p><p><b>Disseminate. </b>The final step of the cycle is disseminating the intelligence to those who will use it for tactical, operational, or strategic decision making. ​</p><h4>Sources </h4><p>Although most would believe that intelligence is gathered from secret or covert sources, the largest collection of information available to investigators is open-source intelligence (OSINT), or intelligence collected from publicly available resources.</p><p>Within the intelligence community, the term “open” refers to overt, publicly available sources drawn from public resources, such as the Internet, media coverage, photos, and geospatial information. However, it’s important to keep in mind that there is no authority ensuring the accuracy of any information available through OSINT. Because of this, employers who use this collection method have a responsibility to verify—or at least corroborate—its validity. </p><p>SOSINT, the collective term for information from sources such as Facebook, Twitter, blogs, and microblogging sites, is becoming more important within the intelligence community. SOSINT is a content-rich gold mine and a valuable investigative tool when seeking corroborative information about individuals or groups, such as behavioral changes, interests, emulations, gang activity, and general life circumstances.</p><p>Social media is particularly useful to investigators for several reasons. The first is the immediacy in which content is not only created, but disseminated. The Facebook news feed is the epitome of a media outlet for such content because there is no delay in publication and almost no restriction in its ability to spread virally. Social media provides a variety of ways for potential subjects to distribute thoughts or request tactical assistance, along with numerous ways for investigators to gather that information.</p><p>In 2014, LexisNexis published a survey, Social Media Use in Law Enforcement, of federal, state, and local law enforcement professionals in the United States who are users of social media on the job. The survey details how social media can enhance the assessment and threat management process. </p><p>The survey found that “respondents indicated several real-world examples in which they prevented or thwarted pending crime, including stopping an active shooter, mitigating threats toward school students, executing outstanding arrest warrants, and actively tracking gang behavior.” </p><p>For the private investigator seeking information on the behavioral circumstances of a subject, something as quick and easy as analyzing a subject’s status updates, check-ins, and posted photos may provide the information necessary to conclude if a legitimate threat exists.​</p><h4>Surveillance </h4><p>Physical surveillance is one of the oldest and most common practices within investigative services, yet it remains the best option in cases when real-time information is required. To do this, employers must hire a licensed professional who can conduct surveillance legally.</p><p>Surveillance in the investigative field is used mostly as a tool for developing factual evidence to prove or disprove circumstance. However, surveillance can also provide information that is critical to the decision-making pro­cess for a much broader spectrum of investigations than most private detectives recognize.</p><p>In conducting protective intelligence investigations, surveillance is a viable option to gather the necessary information on a subject because not all attackers make direct threats. This increases the difficulty of validating or legitimizing the threat through other sources. </p><p>Using information from OSINT may reveal the threat, such as general ideas and interests, but it is typically not specific. Surveillance can be used to confirm a suspected threat or to find out more details.</p><p>Furthermore, the analytical confidence from deriving conclusions based on direct observations versus assessing the quality and quantity of third-party information is an important factor. This provides the investigator and analyst a more profound confidence in the facts at hand. </p><p>In one such instance, upon investigating a subject who was facing possible termination following a history of unsatisfactory performance and increasingly aggressive behavior, the author’s firm noted a hunting license in the subject’s background investigation. </p><p>Taken in isolation, this is not a threatening piece of information. However, during the day of a contentious announcement of the firing from the company’s CEO, it was decided by the author’s firm—hired to provide executive protection for the company—to restrict access to the facility.</p><p>Local law enforcement helped bar the subject from the property. The former employee had a hunting rifle in his vehicle even though no hunting seasons were in effect. There was no violence that day, but the potential mitigation was worth the effort.</p><p>Once the subject is identified and background information has been collected, the main factors investigators should concentrate on during surveillance are the current living characteristics of the subject and context of the subject’s daily routine. </p><p>Surveillance should focus on factors in the subject’s life and environment that might increase the probability of an outburst or attack, such as living arrangements; actions and behavior; and daily activities and social interactions, particularly compared to possible known historical circumstances and behavior of the subject. This focus on routine can provide valuable information that can help assess the subject’s stability.</p><p>For example, if the subject does not currently have the means to satisfy the basic needs of food, clothing, shelter, or social interaction, then he or she may be in desperate crisis with no option left but to act out. </p><p>Additionally, researching, planning, and coordinating the attack are critical to the attacker’s success. The steps required in developing a plan will reveal the person’s intentions, actions, and acquaintances. </p><p>For instance, this can be seen in the events that led up to the kidnapping of Sidney Reso, former president of Exxon Co. Reso was kidnapped by Irene Seale and her husband Arthur Seale from the end of Reso’s driveway in suburban New Jersey on April 29, 1992. Reso was shot in the arm during the kidnapping, and died a few days later. However, the Seales claimed that he was alive and demanded $18.5 million in ransom before finally being discovered and apprehended.</p><p>Prior to kidnapping Reso, the Seales watched his home from a van parked down the street for almost a month. These preparations were highly visible and could have been easily identified. The Seales could have potentially been intercepted with a counter surveillance effort as part of an executive protection program.</p><p>For violent attackers, the chances of success and escape are the predominant factors in determining the location to attack. Therefore, research and planning efforts on site selection and even tactical decisions pertaining to that site are particularly revealing during physical surveillance. The subject’s behavior and rituals during this process are also extremely revealing because the attacker’s intention may not include any escape plans at all, potentially indicating the worst case scenario of a suicide attack. </p><p>This type of behavior was demonstrated by Khalid al-Mihdhar and Nawaf al-Hazmi who flunked their flying lessons because they were disinterested in the landing process, administrative actions, or flying anything other than Boeing jets. The two individuals failed to obtain their pilot’s license, but ended up being two of the four “muscle men” on American Airlines Flight 77, which flew into the Pentagon on 9/11. </p><p>The potential attacker will want to gain familiarity with the location, how to get there, and—in most cases—how to escape. He or she may even take pictures of the location for reference later in the planning process, and may conduct rehearsals to discover what the security response might be during a crisis or how effective access control is. </p><p>In the investigation that followed the mass shooting in the Aurora, Colorado, movie theater, it was revealed that gunman James Holmes had purchased his ticket for that showing of The Dark Knight Rises more than a week in advance, carefully selecting the time and place for his attack. </p><p>Additionally, he had set explosive traps at his apartment, planning for them to be tripped prior to his attack to send resources to that incident instead of the movie theater. </p><p>Real-time information gathered via surveillance can lead to making preventative decisions sooner and more reliably than other methods of investigation.<span style="color:#222222;font-family:novecentosanswide-bold, sans-serif;font-size:1.1em;text-transform:uppercase;">of investigation.</span></p><p>Examples of behaviors that may indicate the coordination or planning of an attack could be visiting others who share the same ideas and interests, visiting websites linked to the company, obtaining supplies, or purchasing weapons. At this point, the investigator should avoid bias and assumption, concentrating only on facts.</p><p>For example, if a suspect who has no historical interest in firearms obtains weapons and ammunition over the course of an investigation and then proceeds to a target location, investigators conducting the surveillance may be able to involve the authorities immediately. </p><p>To be effective at surveillance, the investigators must anticipate the subject’s actions. Investigators must ask themselves where the subject would have to be and what materials would have to be obtained. To that end, investigators should develop a list of locations and activities that may be part of the subject’s target selection or planning processes. </p><p>For investigators, protectors, and those who conduct threat assessments and evaluations, protective intelligence programs are a critical aspect of proactively preventing workplace violence incidents before they occur. When it comes to reducing workplace violence as a whole, we all share the responsibility of identifying, assessing, and intervening as early as possible.  </p><p>--<br></p><p><i><b>Joseph M. LaSorsa, CPP</b>, is senior partner at LaSorsa & Associates, an international protection, investigations, and consulting firm. He manages and conducts protective operations training courses and specializes in executive and bodyguard services; risk management consultations and seminars; workplace violence prevention seminars and intervention services; security consultations and seminars; private investigations; and technical surveillance countermeasures. ​</i></p> Museum of the World and for the WorldGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​On a rainy early spring morning, a group of security professionals made their way along Great Russell Street in fashionable, bustling Bloomsbury, London. They passed vehicle-distancing bollards, entered through the gate of a black iron fence, and crossed a large courtyard to reach a neoclassical building that dates from the Georgian period. </p><p>After a security inspection, the visiting professionals traversed the Queen Elizabeth II Great Court with its soaring, tessellated blue glass roof. Once the open-air courtyard outside the Victorian reading room of the British Library, in 2000, the area was refashioned into an epic enclosure worthy of the treasure in the surrounding galleries.</p><p>“The British Museum is of the world, for the world,” David Bilson, CPP, head of security and visitor services, told the security professionals later, when they were congregated for a special program in the BP Lecture Theatre of the Clore Center for Education. It was the day before the opening of the ASIS International 15th European Security Conference and Exhibition, and Bilson was the host and first presenter.</p><p>“People sometimes think that the museum is about the history of Britain, but it’s not,” he explains. “It’s about the history of mankind.”</p><p>Just a few of humanity’s priceless objects that the British Museum cares for are the Rosetta Stone—a rock stele with the same inscription in three languages that helped crack the puzzle of Egyptian hieroglyphs; the Sutton Hoo Anglo-Saxon burial treasure; the classical Greek Parthenon sculptures; colossal granite heads from the Ramesseum temple in Thebes, Upper Egypt; the 12th-century Lewis chessmen; an Easter Island gigantic figure (Hoa Hakananai’a); and a pair of Assyrian human-headed, winged bulls from Khorsabad, Iraq, which date to about 710 BC. (In February 2015, ISIS extremists destroyed a similar pair from the ancient city of Ninevah.)</p><p>At the British Museum, said Bilson, “We present items that date from 2 million years ago to the present day, in a collection that we are still continuing to build.”</p><p>The 18th century physician and hot-chocolate entrepreneur Dr. Hans Sloane laid the foundation for the collection. When Sloane died in 1753, he left everything to King George II. A public lottery raised funds for the original building. </p><p>“We welcomed our first visitors here in 1759, so it is our 257th birthday,” Bilson added. Since then, the collection has grown to more than 8 million items.</p><p>“We are one of the nation’s treasure houses,” Bilson told his audience. “We now welcome 6.8 million visitors per year, which makes us the U.K.’s leading visitor attraction—and I say that not to be glib, but because it brings us major security and public safety issues. We are one of London’s ‘crowded spaces,’ so therefore we have security risks.”</p><p>Art thieves are also a threat. For example, Chinese art has skyrocketed in price at auction, allowing thieves to easily sell stolen items on the black market.  In 2012, the Metropolitan Police New Scotland Yard intercepted a gang that planned to target objects in one of the museum’s public galleries. Working with law enforcement agencies is a key aspect of security operations at the museum.</p><p>In addition, Bilson said the museum “is a place that transforms at night. If you stand in the front hall of the museum at 5 to 6 o’clock, you’ll see all my security colleagues escorting visitors out and thanking them for coming. At 6 o’clock, all the contractors come in, and by five minutes till 7 p.m., the whole place may be transformed with tables for dinners or corporate events…which is another demand on the security services that we have here.” </p><p>Later that evening, the visiting security professionals would witness just such a transformation when the museum’s Egyptian Sculpture Gallery hosted an ASIS reception. The varied aspects of the museum’s security program were present and working, but even to the security practitioner guests, they were imperceptible.</p><p>Later, Bilson sat down with Security Management to discuss the security program at the museum and its myriad of security concerns.</p><p>The security context has changed tremendously for all museums, Bilson says, naming as examples the May 2014 attack on the Jewish Museum in Brussels, Belgium, the foiled 2014 attack on the Louvre in Paris, and the March 2015 attack on the Bardo National Museum in Tunis, Tunisia.</p><p>During the last four years, the British Museum has invested in various aspects of its security infrastructure. One part of that investment was completed in early April 2016 when security “switched to our new digital radio system with much better coverage across our locations,” Bilson says.</p><p>Also in place now are vehicle defenses. “I hope as you came through the front gate this morning, you admired our vehicle-standoff bollards, which are a substantial upgrade in our protective resilience,” he adds.</p><p>In 2013, the museum became a construction zone with the creation of the World Conservation and Exhibition Centre on the estate’s northwest corner. It comprises scientific laboratories, office facilities, and a major new public exhibition hall, “which gives us a bigger, more flexible space than we have ever had, and below ground, we have a secure collections storage area,” he says.</p><p>Security was involved in the design for the new facility, Bilson notes. “In fact, we upgraded security substantially because of the nature of that building. So that has become our benchmark for security across the rest of the estate. It integrates all the modern technology of cameras, alarms, access control, and now the new radio system.”</p><p>Guard force. Since the Great Court was built 16 years ago, the number of annual visitors to the museum has jumped by nearly 3 million. </p><p>“We are delighted to welcome more visitors but this of course impacts our operations; we want to ensure visitors have an enjoyable and safe visit,” Bilson says. </p><p>Guidance on the management of events in the United Kingdom has changed, too. This has led to an ongoing modernization of the guard force, which comprises 300 full-time, proprietary officers.</p><p>“We are looking to take up the best of that advice, as well as lifting the security standards for all of our officers here, to a high level of professionalism,” he adds. “They are all great people, and we want to lift them up still further into new ways of working.”</p><p>“In the U.K., there are two categories of security officers: you can either be proprietary if you are working in your organization on your site, but if you provide a security service…it has to be licensed,” he explains. “At the moment we are also using licensed support while we go through our improvements.”</p><p>There is a security central command center in the museum that is staffed around the clock. </p><p>“Not only are they doing a security watch, they are watching building systems and the condition of the building overnight, as well as the primary security function of protecting the collection,” Bilson points out.</p><p>Bag checks. While terrorism is a key threat to the museum, “The biggest challenge affecting us at the moment is the searching and screening of visitors,” Bilson says. “I’m not prec­ious about it. We’re working hard to improve upon it, but it is a challenge on a day when 20,000 visitors come through who are not timed in their entry, so we get these peaks in demand. More than 50 percent have some sort of bag with them.”</p><p>Visitor bag searching has been stepped up at the museum, resulting in an increase in the discovery of weapons.</p><p>“The majority of our visitors are of course law-abiding and are here to enjoy the collection,” Bilson says. “But I have been surprised that a minority have brought in inappropriate items that could pose a risk.”</p><p>To ensure that the museum can secure its premises from weapons brought in bags through the entrances, new visitor search facilities were recently installed outside the building.</p><p>The museum’s executive leadership supports decisions such as these. “We have great support here. The trustees, the board that oversees museum operations, are in favor of more security, doing more, but keeping a balance,” Bilson explains. “We want the visitors to know they are coming into a secure space, but to know that they are coming into a welcoming experience as well.”</p><p><b>Perimeter security. </b>Bilson says that perimeter security depends upon the state of the museum at various times of day. </p><p>For example, he explains that when the museum is on lockdown overnight, “we have clear definition of boundaries by way of walls and railings. They are guarded and protected by technology 24 hours per day. We use a range of technology measures, whether it is intrusion detection or surveillance or physical locks and access control.”</p><p>When the museum opens, the perimeter becomes porous, but with public boundaries, he says. “There are layers of defense within the site.” When the visitors leave, the perimeter hardens again.</p><p>“In explaining this to staff, I tell them we act in the same way as an airport—the secure air side and the public side,” he says. “So the status of areas within the museum changes, but broadly the back of house areas stay secure 24/7.”</p><p>Coordination between security and museum staff is “hugely important—that whole preplanning and coordination piece,” Bilson states. “We work very hard with facilities management and with events planning to think through levels of detail.”</p><p><b>Collection protection. </b>Museum security protects its collection in much the same way that businesses protect their own assets. “Security technology helps, but we need people to intervene in situations as well,” Bilson says.</p><p>Like all large museums, temporary major exhibitions are staged at the museum, such as Life and Death: Pompeii and Herculaneum, which ran throughout most of 2013 attracting 400,000 visitors, and the newest, Sunken Cities: Egypt’s Lost Worlds, which closed in November and broke attendance records, according to Bilson.</p><p>The arrival and departure of special exhibitions is ongoing and security plays a large role. Before items are loaned to the museum, “we have to give an account to the lenders of how good our [security and environmental] processes are here,” Bilson says.</p><p>The museum also lends artifacts and even major collections to museums around the globe. </p><p>“We apply all of our own security standards to the venue that the exhibition is going to,” Bilson explains. “Sometimes that is a learning experience for the people borrowing from us, and we try to help them get their security to such a standard that long-term they have a more resilient venue for themselves and can borrow more collections from around the globe.”</p><p><b>Travel.</b> “The museum is constantly changing, always taking on new ideas and new things to do,” Bilson notes. “It is a busy organization that is studying and researching and constantly evolving.”</p><p>Bilson says that the museum’s policies and procedures for staff working in other nations weren’t anywhere near as robust as they should have been. </p><p>An incident involving museum staff in another country caused the museum to rethink. “We asked ourselves, ‘Where are our people today? Do we know what countries they are in? Are they insured? Have we thought about their security and what measures have been taken?’” he explains.</p><p>Bilson discovered that there were free services tied to the museum’s insurance and travel services that had not been previously used, including “risk reports, country reports, access to services that we thought we might need one day…. Now we build emergency plans in case we need to bring teams home from overseas,” he says. “We put in place a good personal emergency plan for everybody, good support from London from the home department, and pre-travel risk assessments, advising staff before they go.”</p><p><b>Partnerships. </b>The museum actively partners with police, “whether at the operational level or counterterrorism level, intelligence services, or security design advisors,” Bilson says. “We have strong links with specialists around art and antiques thefts and crime. We have a national museum security group, and most recently, we have established a European roundtable of CSOs so that we can link with our colleagues. After the terrorist events in Paris and Brussels, we supported our friends in that group, exchanging advice, and helping them with things that could be done in their museums.”</p><p>Security also works with the policing teams in the area around the museum estate. The museum interacts with its neighbors about emergency planning and special events that could affect them, such as when Night at the Mus­eum was filmed on site or movies are shown outside on the lawn on sum­mer evenings.</p><p>Bilson says that as a security case study, the British Museum is different because it houses a world collection that must be protected alongside large numbers of visitors and staff and a 200-year old heritage building.  </p><p>While the museum doesn’t discuss security systems in detail, visitors—he insists—want to know that security is in place. </p><p>“Peaceful, law-abiding visitors to the museum are looking for that kind of protection,” Bilson says. “When we check their bags, we get thanked for doing so and know that it gives them reassurance.”   ​</p> PasswordsGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Treat your passwords like your underwear: make them exotic, keep them to yourself, and change them from time to time. That’s the memorable approach that Cisco Chief Privacy Officer Michelle Dennedy takes to creating strong passwords. </p><p>But sadly, most people do not put that much effort into crafting passwords for their online accounts, and this can have dire consequences for corporations. In 2015, 63 percent of confirmed data breaches involved leveraging weak, default, or stolen passwords, according to the 2016 Verizon Data Breach Incident Report. </p><p>“The capture and/or reuse of credentials is used in numerous incident classification patterns,” the report explained. “It is used in highly targeted attacks, as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.”</p><p>The use of stolen, weak, or default credentials in breaches is not a new trend. In 2015, attackers who used stolen credentials in breaches predominantly used them to steal more credentials (1,095 instances), export data using malware (1,031 instances), and to conduct phish­ing (847 instances), among other threat actions, according to the Ver­izon report.</p><p>“We are realists here, we know that implementation of multi-factor authentication is not easy,” the report said. “We know that a standard username and password combo may very well be enough to protect your fantasy football league. We also know that implementation of stronger authentication mechanisms is a bar raise, not a panacea.”</p><p>But just what should those stronger authentication mechanisms be? What approach should you take to make your passwords stronger in 2017?</p><p>Make them exotic. Creating an exotic password can mean something different, depending on who you’re talking to. For Dennedy, having an exotic password means creating a password with different characters that’s not a dictionary word. For instance, pick a favorite book and use the first letters of the first paragraphs of various chapters in that book to create a password. </p><p>“And have some special characters thrown in there,” Dennedy explains. “That’s a great formula, and you don’t have to remember anything more than the book.”</p><p>Or, exotic passwords can be developed from a pattern that is special to a various website. “So having something that reminds you of your shopping list site and then adding on your special paragraph pattern,” Dennedy says. “These are tricks that can make your password exotic enough that it’s not guessable, and yet memorable enough that you actually get use out of it, rather than having to change your password every time because you’ve forgotten it.”</p><p>Another option is to go for length, says Lance Cottrell, chief scientist for Ntrepid’s Passages. “It used to be that if you had an eight-character password, that would be enough, they are not going to be able to guess your password,” he explains. “But realistically these days, that’s not true. They are able to get through much longer passwords, particularly if you’re not using the full breadth of characters available to you.”</p><p>Instead, users should aim for at least 20 characters and use upper case and lower case letters, numbers, and emojis—if that’s an option. </p><p>“You just can’t beat length; the longer your password is, the better off you are,” Cottrell says, adding that 20 characters is long enough because it’s well outside the realm of brute force attack ability, while remaining manageable to type when you need to type it.</p><p>However, Cottrell says he doesn’t type his passwords very often anymore, something he sees as key to creating strong passwords.“People are still in this mindset of ‘I’m going to make up this password and remember and then type them in from memory,’” he explains. “My general rule of thumb is a password that you can remember is probably too simple.”</p><p>That’s because “memory-based” solutions violate what Cottrell thinks of as the prime directive of password security: never reuse passwords.</p><p>“There should never be two websites with the same password from you,” he says. “Because it’s easy to guess your username; it’s probably your name or more often your email address. So if I steal your password on one website, I’m going to try that email address and password on every other website I know of. I’m going to hack it off of some website you don’t care about, and then try it on your bank and every bank out there just to see whether it will work.”</p><p>Instead of using a memory-based solution for his passwords, Cottrell uses a password management application to keep track of the passwords for his hundreds of online accounts created over the years. This application then syncs with his devices, such as his iPhone and iMac, so he doesn’t have to remember them.</p><p>“If there’s one practice that I could say, ‘Go do this thing and it will make your security better,’ it’s to start using a password manager application,” he says, adding that he uses the application 1Password to keep track of his.</p><p>Like most password management applications, 1Password allows you to create a login and then save all of your passwords for your online accounts to the site. It then encrypts your data, securing it from potential hackers who might try to gain access to the site to steal your credentials.</p><p>“I have one really good password for that vault,” Cottrell says. “I have one really big, long passphrase that I have memorized that unlocks that, and then that gives me access to everything else.”</p><p>While you can add passwords you’ve created to the password management application, you can also choose to have it automatically generate a password to your specifications—such as 20 characters in length—to give you completely random passwords for all of your online accounts.</p><p>One downside of password management applications, however, is that they can be inconvenient to use, which is one reason Dennedy adopted the practice and then gave it up. “I’ve tried them and I’ve made the super password easy enough that I’m not inconvenienced, and that makes me nervous,” she says, adding that she’s had trouble finding a solution that scales across all the places she needs to be, especially when traveling.</p><p>“My job is weird; no two days are the same and I’m doing planes, trains, and automobiles, so if my login fails, that’s a real pain,” Dennedy explains. </p><p>Keep them to yourself. Many users have been there before. They have access to a corporate account, such as a Twitter account, and another employee needs access to it. So, they email the other employee the credential. While that might be an efficient way to share access, it is not a secure one and should be avoided if at all possible, Cottrell says.</p><p>Instead, if you’re sharing an account, make sure the password is strong—exotic, long, and possibly generated by a password management application. Also, make sure that you’re not sharing it through email.</p><p>“Even sending it through a text message is better than sending an email,” Cottrell says. “Send it in a path that avoids email and using the computer…as that makes it much more difficult for an attacker to make use of it. An actual physical note with the password on it, that’s shredded later, is going to be even better.”</p><p>Also, when it comes to passwords, make sure you’re not giving information away on social media sites that could be used to compromise your password hint questions, which are often a fixed set of questions with information that’s easily discoverable.</p><p>“Don’t put as your security question the name of your real dog,” Dennedy says. “It’s okay to lie there.”</p><p>Instead, make up an answer such as using the name of a dog that you don’t own to answer your security question. And to keep track of these answers, you can set up a list in most password management applications to store them. This way, you don’t have to remember what your lie on your security question was, Cottrell says.</p><p>“So if the security question says ‘Where did you go to high school?’ Put in something like Richard Nixon High School or a Lord of the Rings reference,” he adds. “Anything you want can go in those slots, and then just add them to the notes section of your password management app.”</p><p>Change them. When it comes to changing your password, how often is too often? And does changing your password regularly make it less secure?</p><p>The answer is complex. U.S. Federal Trade Commission (FTC) Chief Technologist Lorrie Cranor made headlines in 2016 when she suggested that companies rethink mandatory password changes for employees.</p><p>“There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily,” Cranor wrote in a blog post. “Unless there is a reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good.”</p><p>This is why all organizations should consider their risk profile and the security benefits and drawbacks of having employees frequently change their passwords, Cranor added in her post. </p><p>“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely,” she explained. “Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements.”</p><p>A cryptographic hash takes a message (your password) and computes it into an alphanumeric string, called the hash value, for password storage; this stores the alphanumeric string, instead of the original version of your password—making it more difficult for the password to be stolen. </p><p>Slow hashes are designed to be inefficient, making it harder to crack a password once it’s been exposed. Organizations can also use salt, random characters in the hash, to defend against dictionary attacks.  </p><p>Cranor makes a valid argument, Dennedy says, but only if you don’t follow all of Dennedy’s prescriptions—exotic, secret, and changed often.</p><p>“So if you’re changing passwords often ... between ‘1234567’ and ‘ABCDEFG,’ you’re still going to have an incredibly weak system,” she explains. People who change passwords frequently have trouble remembering them, so they do a lot of password recycling.”</p><p>And from a corporate security standpoint, having employees regularly change passwords is a good idea because it shrinks the window of opportunity for hackers to use stolen credentials to access corporate networks.</p><p>“It’s a real plus in reminding people what’s important [data] and it’s also helpful in that brute force attacks are quite brutal these days with computer power as strong as it is today, so even if you have a semi-exotic password and it’s static over a period of time, it’s that much easier to put the combination together,” Dennedy says. (The FTC did not return requests for comment on this article.)</p><p>But while developing good password habits can help increase security, it’s not a silver-bullet solution.</p><p>“If someone can hack the computer itself, they can probably get access to all of the passwords,” Cottrell says. “So no matter how good your password hygiene is, it’s no better than the security of the device you’re typing it into.” ​</p> Report January 2017GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<h4>u.s. LEGISLATION<br></h4><p class="p1">114th U.S. Congressional Wrap-up. This month’s “Legal Report” is a round-up of the major security-related legislation considered by the 114th U.S. Congress, which concluded at the beginning of this month. Included in this summary are public laws that went into effect and legislation that was introduced but failed to pass. The bills that failed to pass will be nullified, and members of Congress will have to reintroduce them when they reconvene early in January as part of the 115th Congress.</p><p class="p2"><br></p><p class="p1"><b>Terrorism. </b>Congress reauthorized the Terrorism Risk Insurance Program, which allows the federal government to repay business costs following a catastrophic attack that costs more than $200 million in damages. </p><p class="p1">The law (P.L. 114-1) extends the program through December 31, 2020, and includes measures absent from the Terrorism Risk Insurance Act (TRIA) of 2002, such as new provisions increasing the original trigger amount from $100 million to $200 million and requiring the secretary of treasury to create a “reasonable timeline” to determine whether to certify an event as an act of terrorism.</p><p class="p1">Congress overrode President Barack Obama’s veto, allowing legislation to become law that gives terrorism victims and their families the ability to sue foreign states and officials for their role in an act of terrorism.</p><p class="p1">The veto override enacted the Justice Against Sponsors of Terrorism Act (P.L. 114-222), which removes sovereign immunity in U.S. courts from foreign governments that are not designated state sponsors of terrorism. It authorizes U.S. courts to hear cases involving claims against a foreign state for injuries, death, or damages that occur inside the United States as a result of a tort—including an act of terrorism—committed anywhere by a foreign state or official.</p><p class="p1">Legislation that would have created a U.S. Department of Homeland Security (DHS) Office for Countering Violent Extremism failed to advance in Congress.</p><p class="p1">The bill (H.R. 2899) would have authorized $10 million for the DHS secretary to establish the office through 2020 to coordinate DHS’s efforts to counter violent extremism by identifying risk factors and populations targeted by propaganda and recruiters. Managing DHS outreach and engagement efforts to at-risk communities was also included.</p><p class="p1">House Homeland Security Committee Chair Michael McCaul (R-TX) introduced the bill, which did not advance in the House.</p><p class="p1">The House also failed to pass a bill that would have encouraged banks to tip off federal investigators about terrorism financing. H.R. 5606 would have enhanced Section 314 of the Patriot Act to allow financial institutions to report to the federal government if they suspected funds were being used for “terrorist acts, money laundering activities, or a specified unlawful activity.” </p><p class="p1">The bill also would have shielded financial institutions from civil litigation for filing these reports. </p><p class="p2"><br></p><p class="p1"><b>Cybersecurity. </b>As part of an omnibus spending bill in 2015, Congress passed the Cybersecurity Information Sharing Act (P.L. 114-110).</p><p class="p1">The act allows private entities to share and receive cyberthreat indicators and defensive measures with other entities and with the federal government. Threat indicators are defined as information that is “necessary to describe or identify malicious reconnaissance.”</p><p class="p1">Companies, however, must remove personal identifying information not related to cybersecurity threats before sharing data under the act.</p><p class="p1">It also allows the director of national intelligence and the U.S. Departments of Homeland Security, Defense, and Justice to share cyberthreat indicators with private companies and state, tribal, or local governments.</p><p class="p1">Congress failed to advance legislation that would have directed the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to create federal standards to secure vehicles.</p><p class="p1">The bill (S. 1806) would have created vehicle performance standards that required all access points in vehicles to be equipped with reasonable measures to protect against hacking attacks, all collected information from the vehicle to be secured to prevent unwanted access, and all vehicles to be equipped with technology that can detect, report, and stop hacking attempts in real time.</p><p class="p2"><br></p><p class="p1"><b>Aviation. </b>Congress passed legislation (P.L. 114-50) that verifies that airports have working plans in place to respond to security incidents inside their perimeters. </p><p class="p1">The law directs the assistant secretary of homeland security to verify at all U.S. airports that the Transportation Security Administration (TSA) performs or oversees implementation of security measures and that airports have working plans in place to respond to active shooters, acts of terrorism, and incidents that target passenger-screening checkpoints.</p><p class="p1">The assistant secretary must then report his or her findings to Congress to identify best practices and establish a mechanism to share those with other airport operators.</p><p class="p1">Congress failed, however, to pass a bill that would limit airport employees’ access to secure areas within airport facilities. </p><p class="p1">The bill (H.R. 3102) would have directed the TSA to create a risk-based, intelligence-driven model for screening airport employees based on the level of employment-related access to Secure Identification Display Areas, Airport Operations Areas, or secure areas at U.S. airports. </p><p class="p1">Additionally, it would have required TSA to create a program to allow airport badging offices to use E-Verify, create a process to transmit applicants’ fingerprint data to a federal office for vetting, and assess credential application data received by DHS to ensure that it’s complete and matches data submitted by airport operators.</p><p class="p1">The House passed the bill, which stalled in the Senate Commerce, Science, and Transportation Committee.</p><p class="p1">In a Federal Aviation Administration (FAA) extension act, Congress created a variety of new security measures to enhance aviation security.</p><p class="p1">Under the law (P.L. 114-190), the number of government “viper teams” increased from 30 to 60. These teams stop and search suspicious passengers in public places outside the airport.</p><p class="p1">Another measure requires new passenger airlines to create secondary barriers to keep unauthorized individuals from gaining access when a pilot opens the cockpit door. It also requires the FAA to consider whether to implement additional screening for mental health conditions as part of a comprehensive medical certification process for pilots.</p><p class="p1">Additionally, the law requires TSA to use private companies to market and enroll more individuals in its PreCheck program. It also requires the FAA to authorize package deliveries by drones within two years of its passage.</p><p class="p2"><br></p><p class="p1"><b>Drones. </b>Congress failed to pass legislation that would address the security implications of drones. </p><p class="p1">The bill (H.R. 1646) would have required DHS to assess the security risks associated with commercially available small and medium unmanned aerial systems (drones). The measure would also have required DHS to develop policies, guidance, and protocols to prevent or mitigate the risks if drones are used in an attack.</p><p class="p1">The House passed the legislation, which later stalled in the Senate.</p><p class="p2"><br></p><p class="p1"><b>Privacy. </b>Congress extended some rights under the U.S. Privacy Act to European Union citizens and other designated allies.</p><p class="p1">The Judicial Redress Act (P.L. 114-129) allows the U.S. Department of Justice—with the agreement of the U.S. Departments of State, Treasury, and Homeland Security—to designate countries or organizations whose citizens may pursue civil remedies if they have appropriate privacy protections for sharing information with the United States.</p><p class="p1">The law was enacted as part of an agreement between the United States and the European Union that allows the two to exchange more data during criminal and terrorism investigations.</p><p class="p2"><br></p><p class="p1"><b>Human trafficking. </b>Congress expanded the definition of child abuse under the Victims of Child Abuse Act of 1990 to include human trafficking and the production of child pornography.</p><p class="p1">The law (P.L. 114-22) also expands prosecution to include individuals who patronize or solicit people for a commercial sex act, “making traffickers and buyers equally culpable for sex trafficking offenses.”</p><p class="p2"><br></p><p class="p1"><b>Communications. </b>A new law requires DHS to achieve and maintain interoperable communications. The law (P.L. 114-29) requires a DHS undersecretary to submit a strategy to Congress to achieve and maintain communications for daily operations, planned events, and emergencies. </p><p class="p1">The strategy must include an assessment of interoperability gaps in radio communications among DHS groups, information on DHS efforts to achieve and maintain interoperable communications, and information about the adequacy of mechanisms available to the undersecretary to enforce and compel compliance with interoperable communications policies and directives of DHS.</p><p class="p2"><br></p><p class="p1"><b>Screening.</b> Congress did not advance a bill that would require the FBI to ensure that select individuals applying for U.S. refugee admission receive full background investigations before being admitted to the country.</p><p class="p1">DHS already conducts such screenings, but the bill (H.R. 4038) would have required the FBI to perform background investigations on nationals or residents from Iraq or Syria, individuals with no nationality whose last residence was in Iraq or Syria, and individuals present in Iraq and Syria at any time on or after March 1, 2011. </p><p class="p1">The House passed the bill, which stalled when it reached the Senate floor.</p><p class="p2"><br></p><p class="p1"><b>Disaster relief. </b>Congress passed legislation that requires the Federal Emergency Management Agency (FEMA) to develop and implement a plan to control and reduce administrative costs for delivering assistance for major disasters.</p><p class="p1">Under the law (P.L. 114-132), FEMA must compare the costs and benefits of tracking administrative cost data for major disasters by public assistance, individual assistance, hazard mitigation, and mission assignment programs. </p><p class="p1">FEMA must then submit to Congress by November 30 each year—until 2023—a report on the total amount spent on administrative costs. </p><p class="p2"><br></p><p class="p1"><b>Prisons.</b> Congress authorized legislation that requires the director of the Bureau of Prisons to issue oleoresin capsicum spray (pepper spray) to designated individuals.</p><p class="p1">The law (P.L. 114-133) requires the director to issue the spray to any bureau officer or prison employee who may respond to an emergency situation in the prison. The law also allows the director to distribute the spray to other prison officers and employees as appropriate. Minimum and low-security prisons are excluded from the requirement.</p><p class="p1">Officers and employees designated to use the spray must first be trained on how to use it, and are required to under­­­go annual training on using the spray. </p><p class="p1">Equipment. The Senate failed to pass legislation that would have allowed DHS to give excess nonlethal equipment and supplies to foreign governments.</p><p class="p1">Under the bill (H.R. 4314), DHS would have provided these supplies to foreign governments if doing so furthered U.S. homeland security interests and enhanced the recipient government’s capacity to mitigate the threat of terrorism, infectious disease, or natural disaster; protect lawful trade and travel; or enforce intellectual property rights.</p><p class="p1">The House passed the bill, which stalled in the Senate Foreign Relations Committee.</p><p class="p2"><br></p><p class="p1"><b>Sexual assault. </b>Congress established rights for sexual assault survivors that clarify what basic services sexual violence victims are entitled to.</p><p class="p1">Under the law (P.L. 114-236), victims may not be prevented from obtaining a medical forensic examination. They may not be charged for the examination. They have the right to have sexual assault evidence collection kits and their contents preserved—without charge—for the duration of the maximum statute of limitations or 20 years (whichever is shorter). They also have the right to be informed of any result of a collection kit if the disclosure would not impede or compromise an ongoing investigation.</p><p class="p1">Victims also have the right to be informed—in writing—of policies governing the collection and preservation of collection kits, and the right to receive written notification from officials no later than 60 days before their collection kit is to be destroyed or disposed of.</p><h4>Elsewhere in the Courts</h4><p class="p1"><b>POLICING. </b>The Massachusetts Supreme Judicial Court found that the behavior of a young, black, male suspect who tried to avoid the police did not justify law enforcement to stop and search him. “Rather, the finding that black males in Boston are disproportionately and repeatedly targeted for Field Interrogation Observations encounters suggests a reason for flight totally unrelated to consciousness of guilt,” the court explained in its ruling. “Such an individual, when approached by the police, might just as easily be motivated by the desire to avoid the recurring indignity of being racially profiled as by the desire to hide criminal activity.” (Commonwealth v. Warren, Supreme Judicial Court of Massachusetts, No. 11956, 2016)</p><p class="p1"><b>Excessive Force. </b>The U.S. Supreme Court did not take up a case where police officers challenged restrictions on the use of Tasers on individuals who are resisting arrest. The Court’s decision leaves in place a lower court opinion, which ruled that police should not use stun guns on individuals trying to evade custody if they do not pose a threat to officers or others. The decision stems from a court case brought after the 2011 death of Ronald Armstrong, a mentally ill man who was tased by police five times for refusing to let go of a sign post to avoid being taken to a hospital. The lower court found that police used excessive force because Armstrong did not pose a safety risk. (Estate of Ronald H. Armstrong v. Village of Pinehurst, U.S. Court of Appeals for the Fourth Circuit, No. 15-1191, 2016) </p><p class="p2"><br></p><p class="p1"><b>Sexual harassment. </b>The owner/operator and management company for a Columbus, Ohio, Texas Roadhouse restaurant will pay $1.4 million to settle a class sexual harassment suit filed by the U.S. Equal Employment Opportunity Commission (EEOC). The EEOC charged that East Columbus Host, LLC, and management company Ultra Steak, Inc., victimized a group of female employees by subjecting them to sexual harassment and then retaliating against them for complaining about it. The restaurant manager allegedly made humiliating remarks about victims and other females’ bodies and sexuality, and pressured them for sexual favors in exchange for employment benefits or as a condition of avoiding adverse employment action. The consent decree resolving the lawsuit requires the companies to offer reinstatement to injured women in agreed locations and positions. The companies are also prohibited from rehiring the offending manager. (EEOC v. East Columbus Host, LLC, U.S. District Court for the Southern District of Ohio, Eastern Division, No. 2:14-cv-1696, 2016).​</p>


​06 - 07 March 2017
CPP & PSP Review Program​ (Education, Boston MA)

06 - 09 March 2017
ASIS Assets Protection Course (Education, Boston MA)

23 - 25 April 2017
10th Annual CSO Summit ​​(Conference, Arlington, VA)

​08 - 09 May 2017
Active Shooter (Education, Las Vegas, NV)

08 - 09 May 2017
Executive Protection (Education, Las Vegas, NV​

​More Events>>​​​