Archives


February 2019

<h3><a href="https://sm.asisonline.org/Pages/Top-Angst-Cyber-and-Travel.aspx">Top Angst: Cyber and Travel</a></h3>
<p>2019-02-01. By <a href="https://adminsm.asisonline.org/pages/michael-gips.aspx">Michael Gips</a></p>
<p>Now in its 33rd year, the Overseas Security Advisory Council (OSAC) brought together thousands of security professionals from U.S. organizations in November 2018 to explore global security issues and challenges, hear from corporate and government thought leaders, and receive regional briefings from OSAC analysts. Topics ranged from social media disinformation in India and emerging autonomous threats to creating a contemporary operations center and building a 21st century security program. But two topics stood out: cyberwarfare and travel risk management.</p>
<p><strong>Cyberwar.</strong> In the waning days of the Second World War, U.S. President Franklin D. Roosevelt, U.K. Prime Minister Winston Churchill, and Soviet Premier Joseph Stalin met at Yalta to plan the postwar order and reaffirm the demand for Nazi Germany’s unconditional surrender. Stalin emerged from that conference with control over Eastern Europe. The Soviet Union’s collapse half a century later eviscerated Russia’s sphere of influence, but the country is dramatically reasserting its claim as a world power largely through its vast cyberwarfare activities. Russia’s return to prominence, the diversification of nation-state hacking among new actors, and the cyberthreat to both governments and businesses emerged repeatedly as areas of grave concern at the OSAC 33rd Annual Briefing, held in Washington, D.C.</p>
<p>Russia is effectively out to create a “Yalta 2,” said Heather Conley, a senior vice president at the Center for Strategic and International Studies, during a session on new-generation warfare. 
Russian President Vladimir Putin’s objective is to “retain his power structure, restore Russia as the United States’ equal, and stave off long-term Russian decline,” Conley said.</p>
<p>Cyber operations are central to Russia’s reassertion of dominance in Eastern Europe and beyond, where they are deployed alongside economic investment, politicized nongovernmental organizations, proxy groups, and political patronage. For those cyber operations, “Ukraine is the lab,” Conley said. Putin is looking not only to identify which techniques are effective, but also to gauge the West’s reaction, she said. A main objective: “Get U.S. citizens to lose confidence in elections” and other democratic institutions.</p>
<p>Of course, Russia is far from the only combatant on this virtual battlefield. China and Iran are also prevalent sources of advanced persistent threats (APTs), the term for stealthy, unauthorized access to a network that an intruder sustains over an extended period. Kevin Mandia, CEO of FireEye and the author of the groundbreaking 2013 report (Mandiant’s APT1 report) documenting the Chinese military’s cyberattacks on 141 Western organizations, noted in a separate OSAC session that Iran has been vastly improving and increasing its cyber aggression. Even Vietnam has joined the fray, he said.</p>
<p>“Eighty percent of breaches we respond to are corporations hacked by nation-states,” Mandia said. And almost every breach reflects geopolitical conditions or developments.</p>
<p>Given the vast resources of Russia, China, Iran, and countless other nation-state cyberwarriors, how can corporations mount their relatively meager resources in defense? Emily Heath, the CISO of United Airlines, who presented on Mandia’s panel, noted that the airline emphasizes sharing intelligence between its physical and cybersecurity departments. “Almost every incident has a cyber component today,” she said. 
Boeing Senior Director Scott Regalado added that security executives should closely follow the news and proactively reach out to the C-suite, especially if a development might involve their company or industry.</p>
<p>Panelists stressed that tabletop exercises are critical, as is creating an enterprisewide information security committee. “Consider preparedness for media response as well as internal response,” advised Heath. Preplanning is essential because breach-disclosure regulations put victimized organizations on the clock; the EU’s GDPR, for example, requires notification to the supervisory authority within 72 hours of becoming aware of a personal-data breach.</p>
<p>Defense starts with good cyber hygiene, security consultant Stevan Bernard told Security Management following the panel. He is in a good position to know: Bernard previously served as executive vice president for Sony Pictures Entertainment, the victim of a high-profile 2014 breach believed to have been committed by the North Korean government. The key is to change behavior, which is best accomplished by personalizing the message, he said.</p>
<p>For example, companies can encourage cyber vigilance by explaining how employees are personally at risk and how they have assets worth protecting. Good home habits transfer to the workplace. In addition, companies might consider providing employees with dedicated computers that are not connected to the corporate network for personal Internet browsing. Corporate cybersecurity basics, Bernard said, should include 12-character passwords that must be changed every 90 days, two-factor authentication, regular encryption and purging of data, and phishing-education campaigns. One caveat on that list: the 2017 revision of NIST SP 800-63B advises against forced periodic password rotation, recommending instead that passwords be changed when there is evidence of compromise and be screened against lists of known-breached values. Yet despite increasingly sophisticated attacks and the growing involvement of state actors, Bernard said, “the biggest vector is still email.”</p>
<p><strong>Travel.</strong> In early 2018, due to work commitments, a U.S.-based corporate executive was unable to join his wife and two teenaged daughters at a resort on the Riviera Maya in Mexico. 
He felt comfortable sending them, despite general travel warnings issued by the U.S. State Department and highly publicized media accounts about tourists caught in gang crossfires, because the incidents were remote and isolated, and he was familiar with the airport, the transportation, the travel route, and the resort. </p><p>Additionally, transportation to and from the resort had been set up in advance, his family followed good travel security practices, and the executive had assets on the ground to assist if necessary.</p><p>Happily, the family had a great time and returned safely. But during their stay an American tourist was killed only a few miles from their resort. In the aftermath, the CEO questioned the executive’s judgment, citing the murder, media reports, his recall of travel advisories for Mexico, and third-hand horror stories of trips gone awry. What the CEO lacked was an objective assessment of the risk.</p><p>Many organizations turn to travel risk management firms to drill down into specific locations, routes, times of year, and other factors to protect their traveling staff, students, and volunteers. But OSAC has recently introduced a free matrix tool available to its constituents that enables a nuanced view of travel risk for specific locations.</p><p>With the OSAC framework, a user selects a country and completes six modules related to risk—crime, terrorism, civil unrest, environment, health, and operational/information security. For each of these modules, companies answer a series of questions, typically with checkboxes or prepopulated answers contained in a pull-down menu. 
OSAC provides the links to objective data, such as the types of natural disasters that have occurred in the last 24 months, while companies answer many of the questions based on their interests in the country and their own risk tolerance.</p><p>For example, under the “civil unrest” module, a travel security manager might identify recent civil demonstrations and gauge the prospect for future incidents, as well as discern the underlying cause, average size, and participant makeup of demonstrations. The manager can also determine their frequency, location, and the frequency and nature of any attendant violence. In one possible example, the framework can help a travel manager conclude that demonstrations reflect opposition to host-country politics or practices, average between 500 and 1,000 participants, occur in areas where the company has significant operations, and spill over into looting and rioting that local security forces cannot control. That information would help inform the company’s security practices, for example choosing alternate travel routes or rescheduling visits.</p><p>At the end of the framework is a section on countermeasures and guidance. It includes space for travel security managers to enter risk summaries, travel requirements, traveler guidance, and transportation countermeasures.</p><p>Questions for the matrix were chosen based on their ability to provide clarity on the overall security picture, says OSAC Regional Analyst Morgan Dibble. For instance, to gauge crime, organizations frequently consult homicide rates, which most nations report. But homicide rates—which can be underreported, unavailable, or manipulated—do not truly reflect overall crime rates. 
Therefore the “crime” module also includes common crimes such as smash-and-grab theft and drink spiking, popular scams, discernible targeting patterns, and police response.</p>
<p>OSAC constituents can access the tool via the secure <a href="https://www.osac.gov/" target="_blank">OSAC website</a>.</p>

<h3><a href="https://sm.asisonline.org/Pages/Out-in-the-Open-Feature-.aspx">Out in the Open: The Security Challenges of New Office Spaces</a></h3>
<p>Category: Physical Security</p>
<p>Five people were killed in a shooting at the <em>Capital Gazette</em> newsroom in Annapolis, Maryland, on June 28, 2018. The gunman walked into the building and barricaded the rear exit of the newsroom before he began shooting. The newsroom’s design was open-concept, a popular design choice for news organizations.</p>
<p>“There are glass windows all around the room,” Terry Smith, a columnist for the <em>Capital Gazette</em>, told CNN in an article released shortly after the tragedy. “There is nothing except for a few half-walls at the editors’ offices on the left to impede a shooter.”</p>
<p>In addition to the open-concept layout, which left victims exposed, there was no receptionist or access control system the shooter had to bypass to enter the newsroom.</p>
<p>“They had no access control in the front of the building,” notes Pete Blair, executive director of the Advanced Law Enforcement Rapid Response Training Center at Texas State University. “And that was a decision they had made, saying, ‘Look, it’s a community newspaper and we want people from the community to be able to come in and find reporters to tell stories to,’ and that’s how they got a fair amount of their information.”</p>
<p>Blair spoke on a panel at GSX 2018 that addressed the security of newsrooms in light of the <em>Capital Gazette</em> shootings. He tells <em>Security Management</em> that since the shooting, the Annapolis newspaper said it would change the location of the newsroom. “Now they have made the decision that they are not going to allow easy access to places,” Blair says. 
“A lot of places were starting to talk about moving their newsrooms up off the first floor to the second floor, or something like that, to make it more difficult to find them and access them.”</p>
<p>The Annapolis shooting has raised questions about the challenges of open-concept designs in the event of an active assailant situation. While these sleek office interiors may be pleasing to the eye, experts note that their design makes it harder to seek cover or lock down in emergencies. And the challenges don’t stop at active assailant situations. Cybersecurity and information protection can also be an issue in open office environments.</p>
<p>Open-concept office spaces aren’t just popular with newsrooms; the design choice is on the rise. A 2017 survey by office staffing firm Robert Half shows that about one in five companies switched to an open-office configuration in the last five years. Forty-eight percent of respondents said they believed the open concept helped productivity, 32 percent said it hindered productivity, and 20 percent believed there was no impact.</p>
<p>Other studies show more negative feedback on open spaces. According to a survey of self-identified “high-performance employees” by software strategist William Belk, 58 percent of these individuals “need more private spaces for problem solving.” His findings were published in a March 2017 article on CNBC. In addition, 54 percent of these employees said they found their office environments distracting.</p>
<p>Office design isn’t just critical for productivity considerations; it’s key to providing a safe and secure environment for employees, says Herbert Ubbens, CPP, PSP, president of Paratus Consultants Group and member of the ASIS International Commercial Real Estate Council.</p>
<p>“There are a lot of challenges within those open spaces where there are a lot of cubicles,” he says. 
In the open-concept office, there are fewer walls and office doors to close, potentially hindering employees’ responses in the event of an emergency. “When you have a reduction in hard surfaces… there’s some concealment but very little cover out there when a shooting does occur,” he notes. </p><p>Blair echoes Ubbens’ sentiment about active assailant situations. “The new designs look pretty—but they are not well designed for safety,” he says. </p><h4>Active Assailant<br></h4><p>In the event of an active assailant, transparent designs—from conference rooms to office walls—don’t provide any type of concealment when fleeing an attacker. “The attacker would be able to see where everybody is, and be able to guide themselves that way, so that’s a problem,” Blair says. He recommends film that goes on the glass, even if it is simply to provide concealment. </p><p>“The films that you can put on windows that are affordable tend to be ones that are designed to maintain the integrity of the glass, but not to stop bullets.” While bulletproof film is available, most organizations find it cost-prohibitive.</p><p>When it comes to active shooter training methods, the Advanced Law Enforcement Rapid Response Training Center teaches a three-step approach. “We teach ‘Avoid, Deny, Defend,’ which means you should avoid the attacker if you can and get out of there,” Blair says. “If you can’t, deny access to your location—close, lock doors, barricade, that sort of thing—and as a last resort, defend yourself.” </p><p>In cases where those three steps are difficult to implement, the casualties tend to be higher, he notes, such as the Aurora, Colorado, movie theatre shooting that claimed 12 lives. </p><p>Shopping malls, on the other hand, are designed to allow traffic to flow freely. 
“So very quickly people can hear the gunshot, know something bad is going on, and there are plenty of ways to move away from that and get out of the location,” he says.</p>
<p>For companies opting for open-concept spaces, Ubbens recommends a saferoom for emergencies, a concealed and secure room not offered by many open-concept designs. “One thing we’re seeing is the use of saferooms, essentially secure areas that would be used for a tornado shelter, as well as an area for everybody to go into and lock,” he notes. “It would be located somewhere toward the core of the building.”</p>
<p>For example, one client he works with has a nine-floor building and decided to install a saferoom on every floor. “They wanted to make sure that all of their people have somewhere they can evacuate to, or a safe haven for a hurricane or other environmental incidents,” Ubbens notes.</p>
<p>While saferooms seem like a viable option at first glance, Blair points out that there are considerations for security staff and management. “It could be that, depending on where the attack starts, the safe room is in a position that is totally wrong for you to get to,” he notes. “It’s just not reasonable for you to try, and yet if you’ve trained people to go to the saferoom they may try it anyway.”</p>
<p>Secondly, employees may have to keep others locked out of the saferoom, a difficult decision and scenario for anyone to face. “Having a saferoom means getting your head around the idea that you could have coworkers outside the door banging trying to get in, and you’re not going to let them in,” Blair explains, “because you can’t be sure that it’s not the attacker pretending to be somebody, and if you open the door and the attacker’s right behind the person, then the attacker gets into the saferoom.”</p>
<p>Blair recommends designing an office layout that has clear escape routes and training employees on various points of egress in the event of an emergency. 
He says that all too often, in an emergency people get caught up on the idea of exiting the same way they entered a location. </p><p>“One of the examples we use a lot in our trainings is from the Station nightclub fire,” he says, referring to the deadly blaze in Rhode Island in 2003 that left 100 people dead. Many of those victims died at the front entrance to the club where they came in, trying to use that same route to escape. </p><p>“Why did everybody go to that exit? Well, when you get placed under stress you’re going to go where you know. So, people turned and they went to that place they came in from,” Blair notes. “And yet if you are in your calm state, your rational mind, you know that fire code says there have to be other exits here.” </p><p>With any open-concept office space, access control on the front-end is essential. “You might have an open office design in the back of your workplace, but in the front end you have an entry vestibule where people come in and they are screened there,” he says.</p><p>Newer technologies like weapon and gunshot detection systems are also valuable, according to Mike Neugebauer, CPP, a security and business development consultant for Johnson Controls. These are especially useful in environments with public spaces like courtyards or restaurants attached to the building.</p><p>“The beauty of the newer systems is they take a lot of the human interaction or response out of the equation and set in motion responses,” he notes. “The more steps that we can extract and make automated, the smoother that event is going to run.”</p><p>The “See Something, Say Something” mantra is also more difficult in any larger corporate environment without permanent workspaces, where workers cannot be acquainted with everyone else. “Now with this open space, where you may travel 20 floors to go to a conference room that’s been deemed a public conference room, you don’t know who’s supposed to be there and when,” Neugebauer notes. 
“And when you work at a building with two or three thousand employees you can’t possibly know every one of them. So, it makes that situational awareness even more valuable to a company.”</p>
<h4>Information Security</h4>
<p>The financial sector has faced new security challenges as it modernizes branch offices, says Neugebauer. “With the picnic bench design, so to speak, where you sit in a different spot every day, you may be sitting next to someone who is working on a sensitive project on his or her laptop, and you have no need to see it,” he explains. “Banks used to be very mindful about separating employees that have customer information versus ones that have no access and no need for customer information, and those folks kind of mingle today so it really presents a lot of other security issues.”</p>
<p>Neugebauer, who spent several years as the security director for a large regional bank, explains that the security culture of the organization must be instilled and reinforced in employees, from where they store their computers to where they choose to have confidential conversations. “They don’t want to stand in a social area and have that confidential conversation, because in a large company you may not know everybody, and you may not know the person sitting three seats away from you, not knowing that person sitting there is just collecting data and information.”</p>
<p>Companies opting for open-concept designs should take clean-desk policies into consideration to keep information, as well as business and personal assets, safe, according to Neugebauer. “The organization has to make sure it has lockers or somewhere in that space to put purses or briefcases, or your laptop if you’re not taking it home,” he says. “You don’t want to leave it out.”</p>
<p>If organizations have the chance to design open-concept spaces from the ground up, Neugebauer says physical security teams should collaborate with IT to consider the holistic security picture. 
</p>
<p>“We’re moving from a hardwired environment, where you have a hardwired computer, to the laptop, so now you have open Internet available and more people—especially if you’re in a multitenant building,” he notes. “Someone may be able to pick up that signal and hack your network more easily, so that situational awareness has to be turned up a notch or two.”</p>
<p>To foster security awareness throughout a company, all departments, from human resources to legal to IT and beyond, must be involved. “It’s almost like a three-legged stool—you take one of the legs away and the whole thing collapses,” he says. “And the employee has to become more responsible for the holistic security of their environment.”</p>
<p>Regardless of design, Blair points out that there is a balancing act when it comes to any security plan. Providing an environment that makes employees comfortable can be just as critical as keeping them safe.</p>
<p>“We could have massive screening up front…then another screening to get into the actual building, and make things very secure,” Blair explains. “But it would be very uncomfortable. So, there’s always that issue of finding the right balance.”</p>
<h3><a href="https://sm.asisonline.org/Pages/The-Intoxication-Issue.aspx">The Intoxication Issue</a></h3>
<p>Category: Physical Security</p>
<p>It’s a typical affair. A company hosts a holiday party for employees and clients. It books a venue to handle the DJ, it hires a caterer to provide the food and wine, and it contracts with a security firm to make people feel safe while they celebrate.</p>
<p>But what happens if someone gets drunk at the party and gets into an argument with another guest? Or passes out? Or tries to drive home? What’s the security officer supposed to do? This exact predicament arose when a woman, who’d just been promoted at work, was attending a private event. She wanted to celebrate her new professional accomplishment and ended up drinking alcohol to the point that she was intoxicated.</p>
<p>When she went to leave the event, she stumbled and fell. A security officer, whose firm was contracted for the event, helped her up, sat her down in a chair, and got her some water. She reassured the officer that she was fine, and he escorted her to an elevator that went down to a sub-level parking garage.</p>
<p>The woman, however, was not fine. She got into her car, drove up the wrong ramp to exit the parking garage, crashed into a drop gate, drove out onto the street, and ultimately killed a bystander.</p>
<p>A lawsuit was later filed against the security firm for allowing her to leave the venue in her vehicle while intoxicated. The suit was settled for a final amount that was not disclosed.</p>
<p>In a deposition, the security officer who had been on duty at the event was asked what training he had to handle interactions with individuals under the influence. 
The officer said he had never received any.</p>
<p>“If that guard had been trained, he’d have known better—that there are policies or something I have to do because this woman can’t drive,” says Russell Kolins, CEO of Kolins Security Group and an expert witness on security issues.</p>
<p>And, unfortunately, that lack of training is common for many security officers working for contract firms that provide services for special events, Kolins adds.</p>
<p>“The professionals who are the bartenders, servers, and security personnel who work at venues are trained—but in the private party arena, where you have contract guards who are assigned to protect the party, they are not trained because this is not something they would normally do,” he explains.</p>
<p>In the last two years, Kolins says he’s been contacted about five separate cases involving contract security agencies that were later sued because of their response, or lack of one, to an intoxicated person at a private party.</p>
<p>Typically, contract agencies that are hired for events like private parties are focused on keeping uninvited people out of the venue, answering questions, and giving the presence of authority so people feel safe.</p>
<p>“But they normally don’t have discussions about whether or not alcohol is being served; it’s not something that would be in their normal course of operation,” Kolins says. “They are there for a specific purpose—to provide a deterrent to a crime or negative things that could occur. They don’t take into consideration how they are going to deal with intoxicated individuals.”</p>
<h4>Side Effects</h4>
<p>Alcohol is a depressant and when consumed, it passes into the bloodstream to affect the brain, kidneys, lungs, and liver. 
Its most visible effects, however, are on the central nervous system, causing physical and behavioral changes like relaxed inhibitions, impaired judgment, slowed reaction time, and reduced motor coordination.</p><p>The amount of alcohol it takes to make a person intoxicated depends on a variety of factors, including weight, gender, age, metabolism, food intake, the strength and type of alcohol, and any medication that the individual is taking. Women are more likely to feel the effects of alcohol sooner because they have lower levels of the enzyme that breaks alcohol down—meaning it will stay in their system longer.</p><p>The legal blood alcohol limit to operate a motor vehicle in the United States, Malaysia, Mexico, New Zealand, Norway, Puerto Rico, Singapore, and the United Kingdom is .08 percent.</p><p>Many other Western and European countries have a .05 percent blood alcohol limit, including Australia, France, Germany, Italy, and Switzerland. Other countries, like China and Sweden, have a lower blood alcohol limit of .02 percent. </p><p>Employees who work in restaurants, bars, and nightclubs are trained to recognize changes in behavior due to alcohol consumption. Many establishments have this training in place due to U.S. dram shop statutes, which allow the venue and the individual serving the alcohol to be held liable for selling or serving alcohol to individuals who then cause injury or death due to intoxication.  </p><p>While security personnel are not engaged in serving people alcohol, by being employed directly—or indirectly via a contract—by a venue that does, they could be liable should an incident occur. 
Therefore, it’s critical for security personnel to receive Training for Intervention Procedures (TIPS), as bartenders and servers do, to recognize the signs that someone is intoxicated, Kolins says.</p>
<p>“The program teaches you how to handle people and how to interact with them, and gives you an understanding of how people might act if they are under the influence,” he explains. “People do stupid things when they are under the influence.”</p>
<p>Security managers also need to have policies in place that explain what security personnel are expected to do if someone is intoxicated.</p>
<p>“These policies could be as restrictive as necessary, but should at least say, ‘We will stop people, talk to them, notify the supervisor for the event, and turn this job over to the supervisor to handle if necessary,’” Kolins says.</p>
<p>He also recommends that clients hiring contract security firms for special events cover what the policies and expectations are for security staff when interacting with individuals under the influence.</p>
<p>“Have a clear understanding, in writing, requiring guards be trained to understand the effects of alcohol and how to deal with people who are intoxicated,” Kolins explains. This can then be used to demonstrate, should an incident occur, that the security firm took reasonable steps to prevent it.</p>
<h4>In Practice</h4>
<p>Darrell Clifton, CPP, has worked in casino security for almost 30 years. As the current executive director of security for Eldorado Resorts, Inc., which owns the Eldorado, Silver Legacy, and Circus Circus in Reno, Nevada, he works with a proprietary security team responsible for three casinos, six night clubs, and roughly 100 bars. And they interact with people under the influence every day.</p>
<p>“Being drunk, not only is it not a crime, it’s acceptable behavior at a casino and a nightclub—it’s what we market,” Clifton says. 
“Just because someone gets drunk doesn’t mean they are a bad person.”</p><p>This is the mindset that Eldorado Resorts starts with when teaching security staff how to interact with people who are under the influence. Even though individuals are intoxicated, security staff has a responsibility to treat them like valued guests.</p><p>“There are many states that have dram shop laws. Nevada does not, but it doesn’t excuse us from liability or moral responsibility of making sure somebody gets to where they are going safely,” Clifton adds.</p><p>In training, which involves role playing and then on-the-job training with a supervisor, security staff are taught how to recognize that someone is intoxicated, the policies in place to address that behavior, and that they are empowered to take action based on those policies. </p><p>For instance, security officers are taught to “work the line,” looking for minors who would not be allowed in, individuals who don’t meet the dress code, or those who are visibly intoxicated. </p><p>“We teach our staff that you have the power to keep those people out of the venue, because then they take it seriously,” says Clifton, adding that it helps prevent future incidents. </p><p>Clifton also stresses the importance of training security staff, and other employees like valets, to be on high alert when people leave the premises to ensure their safety. His staff is encouraged to engage people, especially those who show signs of intoxication, while they exit clubs, bars, or the casinos. </p><p>“You talk to them and get more information as to how intoxicated they are, and then decide if they are all right,” Clifton says.</p><p>If the security officer determines that that person is not safe to leave on his or her own, the officer is taught to ask if there is someone who can be called to pick them up. 
Other options include walking the person to their hotel room, if it’s part of the same venue, or calling a taxi or free shuttle service.</p>
<p>If the person has been driving, the officer and the valet can offer to hold the person’s keys and keep their car overnight. If the individual becomes resistant and insists on driving, security and the valet can tell them they will only surrender the person’s keys after the police have arrived on the scene.</p>
<p>“We tell people we don’t want to ruin your night, and that works 99 percent of the time,” Clifton says.</p>
<p>As a last resort, security staff can call the police, who will pick the individuals up and put them in a holding cell to sober up without being charged with a crime. This all goes back to duty of care, Clifton says. Security owes this care to people at the venues it is responsible for protecting.</p>
<p>“What we should do as good risk managers is realize the liability is out there, the danger is out there, and we have a responsibility to the customers to keep everybody safe,” Clifton says. “If we do the right thing, we should be okay.”</p>
<hr>
<h2>How to Handle Intoxicated Customers</h2>
<div><p>While security managers and officers are not engaged in serving alcohol, they could be found liable for incidents involving intoxicated individuals if they have not been trained to identify, interact with, and manage people under the influence.</p>
<p>In a session at GSX 2018 in Las Vegas, Russell Kolins, CPP, CEO of Kolins Security Group, and Darrell Clifton, CPP, executive director of security of Eldorado Resorts, Inc., walked attendees through the science of alcohol’s impact on the human body, as well as liability risks and best practices for security staff. 
</p><p>A recording of “Dealing with Customers Who Present Signs of Impairment or Intoxication” is available at <a href="https://learning.asisonline.org/diweb/catalog/item?id=2569397" target="_blank">https://learning.asisonline.org/diweb/catalog/item?id=2569397</a>. It is free to all during February 2019.</p></div>
<h2><a href="https://sm.asisonline.org/Pages/The-Cost-of-a-Connection.aspx">The Cost of a Connection</a></h2><p>Kevin Patrick Mallory served in the U.S. military, worked as a special agent for the U.S. State Department Diplomatic Security Service, and later as a CIA case officer, often stationed around the world to work with defense contractors and on U.S. Army active duty deployments.</p><p>He had a Top Secret security clearance and was fluent in Mandarin. He was also convicted of espionage for passing information to an agent of the People's Republic of China (PRC).</p><p>How did Mallory and the agent initially connect? Via LinkedIn, when the operative—called Michael Yang—reached out to Mallory, posing as a representative of a PRC think tank—the Shanghai Academy of Social Sciences—and requested to meet with him.</p><p>Mallory ended up traveling to Shanghai with eight classified documents, which he gave to Yang and his supervisor during a meeting. When Mallory returned to the United States, he was detained by U.S. Customs and Border Protection (CBP) for a secondary search and interview.</p><p>During the interview, Mallory claimed he had traveled to Shanghai for business and met with an individual he knew through his church to consult on anti-bullying and family safety development. He also indicated on a CBP form that he was not carrying more than $10,000 in U.S. or foreign currency.</p><p>Upon a search of his belongings, however, CBP found $16,000 in Mallory’s carry-on bags. 
The FBI later interviewed Mallory, who told agents that he had been contacted on social media by a Chinese recruiter, had phone interviews with that recruiter’s client, and traveled to Shanghai on two occasions to meet with the recruiter’s boss.</p><p>Mallory was ultimately arrested, charged, and convicted of conspiracy to deliver, attempted delivery, delivery of defense information to aid a foreign government, and making material false statements. </p><p>“This trial highlights a serious threat to U.S. national security,” Nancy McNamara, the FBI’s assistant director in charge of the Washington Field Office, said in a statement. “Foreign intelligence agents are targeting former U.S. government security clearance holders in order to recruit them and steal our secrets.”</p><p>U.S. Director of the National Counterintelligence and Security Center William Evanina went on record in the summer of 2018 to discuss what he—and the U.S. intelligence community—had been seeing on LinkedIn.</p><p>In an interview with Reuters, Evanina explained that China was conducting a campaign to target thousands of LinkedIn members at a time to recruit Americans with access to government and commercial secrets.</p><p>Evanina declined to say how many of these recruitment accounts U.S. intelligence had discovered or how much success China has had in using them. </p><p>While individuals and organizations have been using social media to target users for government secrets or corporate intellectual property, LinkedIn is especially attractive for social engineering, says James Carnall, vice president, customer support group, at LookingGlass Cyber Solutions.</p><p>“When you look at what the levers are for social engineering, you’re either appealing to authority, emotions, or logic,” he explains. “This platform appeals to a lot of that in an emotional way. We want to connect to our boss because we want to feel important. 
When we talk about community, we want to collect people and be seen as smart and clever.”</p><p>Nefarious actors can use LinkedIn for a honeypot attack, like they might use a dating site, to appeal to that feeling of being appreciated and wanting to connect with someone to obtain information about their business or level of access.</p><p>This is a tactic that Don Aviv, CPP, PCI, PSP, president at Interfor International—an investigation and corporate intelligence firm—says he sees others using against his corporate clients. </p><p>“When you break it down to its bare bones, utilizing LinkedIn is another attempt at using social media to engineer an attempt at fraud, theft of proprietary information, whatever the company does for a living,” Aviv says. “We work for Fortune 500 companies that have been hit by these attacks…and the goal is to figure out who is reaching out and why.”</p><p>Besides espionage, one of the most prevalent reasons malicious actors are targeting individuals on LinkedIn is to find out more information about a company’s financial protocols and procedures so they can carry out CEO or CFO spoofing attacks.</p><p>For instance, a fraudster might look to connect with various individuals in a company’s finance department to learn who is responsible for initiating wire transfers and when that individual might be traveling.</p><p>Aviv himself set up a test to teach Interfor employees and clients how this works. He created a fake profile for himself on LinkedIn, connected with other individuals, and shared his travel plans on the account.</p><p>Shortly after Aviv left on his fake trip, a fraudster sent an angry email that appeared to come from Aviv to Interfor’s finance director. 
The email had information about the company’s vendors, contained an invoice requesting payment, and contained a modified wire transfer code to use for the transaction.</p><p>Aviv says he sees roughly six or seven requests per month from companies that received similar emails and are looking to find out who is perpetrating the fraud and how to prevent it. </p><p>This type of fraud is also more prevalent in the Asia and Pacific regions, as opposed to the United States and Europe, where Aviv said there is more awareness of CEO and CFO spoofing.</p><p>“It has become much more publicized—a lot of the compliance departments are catching on,” Aviv says. “In Asia, there’s a demographic difference. A lower-level employee will be much more reluctant to not follow that transaction order.”</p><p><em>Security Management </em>reached out to LinkedIn to discuss the matter, but the company declined an interview. Instead, spokesperson Anne Trapasso sent over three blog posts by the company on cultivating trust, fake account detection, and reporting spam, inappropriate posts, and abusive content.</p><p>“When you’re on LinkedIn, you want to know that you’re talking to real people, you feel safe, and you’re engaging with professionally relevant content,” wrote Madhu Gupta, director of product management, trust, and security for LinkedIn in a post after Evanina’s statements. “One of the most important ways we do this is by empowering you to control your LinkedIn experience. 
From deciding whether to accept a connection request to displaying contact information on your profile, you control your interactions on LinkedIn.”</p><p>This control includes deciding how to present yourself on LinkedIn—the content of your profile, the posts you make, and who can see this information—and vetting your community of connections, Gupta explained.</p><p>“Examples of these features include filters for who you can receive messages from and invitation controls that allow you to accept, deny, or ignore a connection request,” she wrote.</p><p>Mark Folmer, CPP, vice president, security industry, TrackTik, is a robust social media and LinkedIn user who joined the network roughly 10 years ago.</p><p>He does not share a lot of personal information in his profile but does have his phone number and main business email posted. Folmer also regularly receives what he would call “fishy” connection requests from other LinkedIn users.</p><p>“It happens all the time—the standard no personalized message, just an invite from x, y, or z, with one connection or no connections in common,” Folmer says. </p><p>Other signs that a profile might be fake are connection requests from someone based in a country TrackTik does not do business in, an incomplete profile, titles that do not seem to line up with the general business market, or someone whose employment record jumps around.</p><p>“If it’s too good to be true, someone who sounds like they would be the perfect connection—why are they writing to me from Romania?” Folmer says. 
“Why are they interested in connecting with me?”</p><p>Instead, Folmer says he will likely connect with those who are in the same industry, have connections in common, are ASIS International members, or include a personalized message in their connection request.</p><p>“When I reach out to someone—especially someone I haven’t met yet—I try to put some context into the invite, such as, ‘Hey these are the people we have in common, certification, or I’ve seen you write about this and I’d like to meet,’” Folmer explains. “It’s my way of saying I’m a real person and I’m not going to sell you something or try to skim something off of you.”</p><p>These are good rules to follow, and both Carnall and Aviv say employers should discuss best practices for LinkedIn hygiene with employees to help prevent them—and the company—from being targeted by malicious actors.</p><p>For example, Carnall suggests creating guidelines that prohibit discussing secret projects on social media or posting about budgetary amounts.</p><p>“Looking from a criminal perspective, that provides too much information for people to socially engineer,” he says. </p><p>And if an employee is posting information online that could make the company vulnerable, Carnall says security and human resources should speak with the employee to use it as a teaching moment. </p><p>“HR should incorporate a conversation about social media as part of any onboarding for any new employee,” he adds. 
“It’s important for the organization to work with the employee; there’s a balance of promoting themselves as an individual to be proud of themselves and advertise to others the work they and the company are doing.”</p><p>LinkedIn has a process for reporting suspicious activity and fake user accounts, which Carnall says works well if you are able to establish that a malicious user is posing as a real user.</p><p>He also recommends that visible people, such as executives, create legitimate accounts on social media services in their own name to claim that name and “because it’s much easier to have a site take action” if you are a user.</p><p>And approach all connection requests with a certain level of skepticism, Aviv says.</p><p>“Look at their profile and ask why they are reaching out to you—and be willing to ask them via the message function,” he adds. “When you challenge it, they may go away. And the people who talk to you, you’ll be able to figure out if they’re up to no good.”</p>
<h2><a href="https://sm.asisonline.org/Pages/Certification-Profile-Courtney-Klein,-PSP.aspx">Certification Profile: Courtney Klein, PSP</a></h2><p>A moment of professional pride for Courtney Klein, PSP, came in 2018, when her organization received an alarming threat via Twitter. After conducting online research, she uncovered an individual with a proclivity towards violence, a sense of extreme self-importance, and a budding martyr complex—a combination that added up to a potentially severe threat. Overall, Klein and a colleague analyzed nearly 14,000 posts and provided authorities with a comprehensive report.</p><p>When the suspect was apprehended by a Joint Terrorism Task Force, he insisted his threats were just a joke. He was released, but within hours, he began dismantling the violent culture he’d been building online.</p><p>“That felt great,” Klein reflects, “because it started with me, my friend, and our insatiable thirst for answers.”</p><p>To Klein, a security career requires a commitment to explore the aims of criminals, root them out, and proactively prevent their actions. “Not everyone is inclined to be naturally curious or has the ability to keep up on global trends, current events, and technological innovation,” she adds. “Those with the skill set, interest, and a desire to learn, however? I welcome them to our field.”</p><p>She was a graduate student at New York’s John Jay College of Criminal Justice when she first considered a career in security. She was invited to join the school’s Terrorism Victimization Assessment (TVA) program—an entry-level security assessment training with a focus on terrorism.</p><p>“I didn’t have much exposure to security infrastructure growing up,” she notes, “so the whole thing seemed rather bizarre at first. 
But I ended up loving everything about it—particularly the theory of security practice and the chance to get a glimpse into the micro-cultures of our clients.”</p><p>She was first introduced to ASIS International by an instructor and mentor at John Jay who sought to connect her with industry groups. Realizing the benefits of networking with security professionals, she joined the ASIS Young Professionals and Women in Security Councils.</p><p>“It’s rewarding to promote the benefits of membership to young professionals and women, and it’s rewarding to promote to security managers the benefits of hiring young professionals and women,” she says.</p><p>Immediately following the completion of her master’s program, she took on an internship helping stand up a security division for a multinational corporation. Her organization’s chief technology officer required all interns to earn a professional certification—so Klein selected the Physical Security Professional (PSP®), which most aligned with her professional goals. </p><p>Now a security consultant with T&M Protection Resources, she enjoys a dynamic work environment that can change at a moment’s notice. “Sometimes I’m in the field walking a client’s facility,” she explains, “or sometimes I’m researching or working on reports. Sometimes I’m co-running a client’s crisis response team. There really is no ‘typical’ day in this field.”</p><p>“It’s questionable whether I’d be where I am today without my PSP,” she says. “The ASIS organization and its certifications are highly respected marks of security knowledge. Through studying best practices and industry standards, the certification process helped catapult my professional capabilities.”</p>
<h2><a href="https://sm.asisonline.org/Pages/The-Hard-Truth-About-Soft-Skills.aspx">The Hard Truth About Soft Skills</a></h2><p>“Hard skills will get you the interview—soft skills will get you the job.” David Lammert, a 17-year veteran of security industry recruiting and current president of Pinnacle Placements, is a big believer in this adage. And he’s not the only one.</p><p>“We have all seen situations where the decision to hire—when two or more candidates present the same level of hard skills’ strength—is made with soft skills as the differentiator,” says recruiter Rebecca Bayne, the president of Bayne Consulting & Search Inc. who specializes in staffing the security integration space. “It triggers the gut-level instinct of the hiring manager and determines who will get the offer.” </p><p>“And soft skills,” Lammert adds, “will also determine how well you perform in the job, and how long you do it.” </p><p>Other recruiters are on the same wavelength as Lammert and Bayne when it comes to the importance of soft skills. Although hard skills like specialized security knowledge and technical expertise in an industry subsector are still essential, a successful leader needs a broad soft skill set to navigate different managing situations, recruiters say. </p><p>Given the importance of soft skills, <em>Security Management </em>asked five industry recruiters to discuss which skills they believed to be most crucial for security managers both current and aspiring. In these discussions, two broad soft skill sets—communication ability and emotional intelligence—came up time and again. Recruiters explained how these skills apply to specific managerial situations. They also shared some general employment trends and discussed the soft skills of the future. 
</p><h4>Communication</h4><p>For many recruiters, communication ability reigns supreme when it comes to soft skills. </p><p>“The most important soft skill is communication. It’s the foundation of every other soft skill,” says Jane Snipes, managing partner at NorthStar Recruiting.</p><p>“In my experience, communication skills are paramount to one’s capability to execute and deliver the day-to-day requirements of leadership and having oversight for a team, small or large,” Bayne says. </p><p>In Lammert’s view, communication skills are an umbrella that covers several individual talents that have many applications, both inside and outside the firm. </p><p>“It’s such an important skill set—there’s so much interaction internally [in a company],” he says. “It covers speaking, active listening skills, presentation skills, and more.” </p><p>For example, a security manager’s speaking and conversation skills will be a huge asset in working with vendors and external business partners outside the company, as well as technical staffers, C-suite executives, and the CEO within the firm. </p><p>“In this fast-paced business environment, the ability to communicate clear and concise messages is crucially important,” Lammert explains. </p><p>Another key asset under the communications umbrella is the ability to be an effective storyteller. For an aspiring security manager, the value of this skill begins in the interview—the ability to communicate and frame one’s career progression as a purpose-driven narrative that is gaining momentum is “critically important for a successful candidate,” Lammert says. </p><p>After the manager lands the job, storytelling continues to be an asset. “It also helps you become an influencer wherever you are in the organization,” he adds. </p><p>Communication skills are also crucial for a manager in working with direct reports, recruiters say. 
Successful managers have a desire to coach, facilitate, and develop talent, and this takes continual—and sometimes nuanced and sensitive—communication. </p><p>“In general, those who achieve the greatest success in their careers have a genuine interest in those around them and are skilled in communicating,” Snipes says. </p><p>For years, employee surveys such as the ones taken by the Gallup company have found versions of “I don’t like working for my boss” as the most common reason for people leaving a job. </p><p>Although there may be various reasons why a manager is disliked, a common one stems from the manager’s failure to adequately communicate how valuable an employee’s contributions are. The employee winds up feeling undervalued and unappreciated, Snipes says.   </p><p>“People don’t leave companies, they leave managers, and the common factor lacking in those managers who chase away great talent is the ability to genuinely appreciate the value an individual has to the company and to consistently communicate that value,” she explains. </p><p>For managers, the lesson here is not only that communication skills are vital, but that they need to be consistently used. Sometimes, otherwise articulate managers will fail to communicate due to being too self-absorbed—they are occupied with their own career advancement and impressing the organization’s senior leaders, rather than attentive to their direct reports. “Many managers focus on themselves instead of serving those they lead,” Snipes says. </p><p>Finally, there’s another communication-related skill that’s a key asset for security managers—the ability to establish a safe space for honest two-way communication, says Kevin Spagone, vice president of Reitman Security Search/Reitman Personnel, Inc. </p><p>This type of communication needs to be embedded in the company’s culture, so that employees feel comfortable in offering honest views without fear of reprisal or relationship damage, he explains. 
Not only will this help employee retention, it will also help the firm’s reputation among potential employees, which will help recruitment efforts. </p><p>“Leaders who foster a culture where open, honest two-way feedback is the norm,” he explains, “are savvy enough to realize that this gives them a competitive advantage in the marketplace.”</p><h4>Emotional Intelligence</h4><p>Recruiter Stephanie Campbell of Security and Investigative (SI) Placement, LLC, finds that, besides communication skills, emotional intelligence has become an important attribute for candidates in the current security management job market. “I am finding more and more interest in that skill set,” she says.  </p><p>Emotional intelligence (often abbreviated as EQ) is the ability to perceive another’s emotions, reactions, and perspective, and to handle interpersonal relationships judiciously and empathetically. In the world of the security manager, it has many applications, recruiters say.  </p><p>Campbell illustrates by relating a question she asks clients when trying to go beyond the job description to get a strong handle on what type of candidate would be a good fit. </p><p>“When we’re working with a client, we will sometimes ask, ‘What is it that’s not in the description that you are looking for?’” she says. “What’s that extra bit, that’s sort of between the lines?”</p><p>The answer is often “a lot of EQ skills.” These include working well as a teammate, empathetic listening, building consensus, and an ability to be persuasive and to motivate. </p><p>Security professionals are rarely required to answer the question, “Why are we doing this?” she says. Emotional intelligence is a huge asset for a manager who is trying to explain this in such a way that will motivate teams to embrace initiatives, she continues. </p><p>EQ is also an asset in the interview itself, because it helps candidates demonstrate their value, Snipes adds. 
</p><p>“The high EQ ones are fine-tuned to how they are perceived,” she says. “They’re not just leaning on their laurels. They have actively done the research on the company, and so they can give examples of potential contributions that are directly relevant…. They are making really good impressions.”</p><p>Lammert is also convinced of the value of emotional intelligence, and says it bolsters a manager’s communication skill set. </p><p>For example, managers with high EQ are aware of their audience; they know that different employees have different learning styles and interests, and they can tailor messages and delivery to fit each employee. </p><p>“One case may call for more of a visual message, another case more of a technical type of message,” he says.</p><h4>Skill Gaps</h4><p>While there is a near-uniform consensus on the importance of communication ability and emotional intelligence for security managers, these skills are hard to find in some candidates, recruiters say. Some observe that overreliance on technology is eroding person-to-person communication.</p><p>“Communication skills are becoming seriously lacking,” Snipes says. “We’ve become a society, a world, so focused on communicating electronically that the ability to strike up a conversation in person with another human being is becoming a lost art, particularly with the younger generations.”</p><p>“The more the younger generations communicate electronically,” she adds, “the less practice they’ll have communicating in person and the more often that lack of skill will be noticed.” </p><p>Bayne voices a similar view. “I believe that some of the technology we use on a daily basis has changed our approach to communication and made some of us a bit lazy,” she says. 
“This has most clearly affected younger generations who have learned to communicate more frequently with those tools, instead of using traditional verbal or written communication.”</p><p>And Snipes sees another communication-related issue that is becoming more common with younger professionals. As the use of LinkedIn becomes ubiquitous in the business and employment world, some younger candidates are using it as a social network instead of a professional network. </p><p>“These users are using profile pictures from social situations, with nary a thought as to how the picture might be perceived by a prospective employer,” Snipes says. </p><p>Her advice is simple: keep professional photos professional. “I suggest avoiding the 4 Bs in profile pictures—no beer, boats, baseball caps, or other people’s body parts (that is, no one else’s chin, arm, hair, or shoulder).”   </p><p>Communication gaps are not the only deficiency, recruiters say. In the area of emotional intelligence, self-awareness can be a subtle yet important attribute for a security manager to have, but some lack it, Lammert says. </p><p>“It’s that seeking of feedback, the willingness to admit mistakes and take responsibility for actions,” he says. </p><p>One possible reason for that lack is that, unlike other skills that can be linked to performance metrics, “self-awareness is not as easy to measure,” and not as frequently talked about, he adds. Still, it is a great quality to have, and self-aware managers often realize the importance of continuous growth. </p><p>“It can also drive a desire for development, and a desire to take on leadership roles,” he explains. </p><p>Another subtle-yet-valuable soft skill that seems to be lacking in many security managers these days is the ability to question assumptions, says Spagone. With technology and analytics developing at lightning speed, a successful manager can’t hold on to traditional ways of solving problems.  
</p><p>“There is a key subtle difference in the ability to identify a challenge without assuming that it can be solved the same way it was a year or two ago,” Spagone explains.  </p><p>Take for example a security manager who has found that one component of the firm’s security program has fallen out of compliance. That manager should not assume that the traditional methods of addressing that problem are still valid. </p><p>“They must consistently question how decisions are reached, while still adhering to consistent standards, such as regulatory requirements,” he says. </p><h4>Skill Sets</h4><p>But while some security managers may need to fill skill gaps, others have pulled together several soft skills to build a skill set that is especially effective in today’s industry.</p><p>For example, Bayne cites the common industry reality that companies continue to try to do more with less, even though the pace of business continues to speed up. </p><p>“Anyone in our industry who is good at what they do has more on their plate than ever, and is busier than they have ever been before,” she says. “Because of that, the job needs to be done right the first time, for efficiency in productivity and to maintain the highest level of customer retention.” </p><p>Security managers who can survive, and even thrive, in this environment usually combine communication skills with the ability to work under pressure, a knack for troubleshooting, and an insistence on maintaining integrity and a code of ethics so no corners are cut, Bayne says.</p><p>Spagone mentions another persistent reality in the industry—the view held by some company leaders that security is a cost center that is a distraction (albeit a necessary one) from the overall business goals and financial targets of the firm.   
</p><p>In this environment, certain security managers have the right combination of business understanding, executive presence, and a focus on vision, goals, and transparency, and this skill set helps top executives think of security in a less limited way. </p><p>“It’s about breaking the mold,” Spagone says. </p><p>Bayne agrees, and adds that some of the soft skills in a desired skill set evolve over time. She offers the example of executive presence. </p><p>“The executive presence which now seems to garner the highest level of respect is very different than it was in previous decades,” she explains. “More than ever, leaders are expected to be transparent, approachable, and in the trenches with their teams, rather than delivering orders from above.”</p><p>Furthermore, Bayne cites another important trend in the industry: an organizational focus on developing a strong and distinctive culture. In that environment, managers who have combined the soft skills of coaching, team building, and teaching are often sought after. </p><p>“Coaching, team building, and teaching often tie back to specific areas of corporate culture, and because they are being demanded from the most recent additions to the talent pool, they are in the spotlight more than ever,” she explains. “They are now considered critical by both candidates and companies.”</p><p>Finally, Spagone says it is important to keep in mind that the combination of soft skills needed will also depend on the circumstances surrounding the position being filled. </p><p>“Companies and cultures are unique. And all new hires are about addressing an organizational challenge of some kind,” he says.</p><h4>Skills of the Future</h4><p>Looking forward, the soft skill set of coaching, team building, and teaching will continue to be vital for the security managers of the future, but with a new twist, Spagone says. He illustrates this by explaining a recent trend in the recruiting industry. 
</p><p>“We used to struggle with candidates that were heavily institutionalized—leaders who had been successful inside of their own insular corporate cultures, but who were unable to adapt in a different environment,” he explains. “They were not agile enough to be effective in a new or different organization.”</p><p>But this is becoming less common, as businesses are more interconnected than ever. To compete, companies must be increasingly agile. </p><p>Team building will still be crucial, but in a more strategic and fluid way, so that interdependent teams are staffed with members possessing portable skills. They may trade members, interlock if necessary, and work at an increasingly rapid pace, and managers must be able to make strategic decisions on the fly and nimbly rearrange all the pieces.  </p><p>“Leaders must continue to understand where they need to add to their roster,” Spagone says, “and what skills can be groomed, what can be replaced or outsourced, or shared among their team—and themselves.”</p>
<h2><a href="https://sm.asisonline.org/Pages/Weapon-Weaknesses.aspx">Weapon Weaknesses</a></h2><p>The U.S. Department of Defense (DOD) is planning to spend more than $1.5 trillion to develop its portfolio of major weapon systems. Although the investment may result in a state-of-the-art deterrence program in the future, the weapons currently have a glaring vulnerability—they are relatively easy to hack.</p><p>Officials from the U.S. Government Accountability Office (GAO), which was asked to review the state of DOD weapon systems cybersecurity, recently ran some tests to see if they could hack any of the Pentagon’s weapons.  </p><p>They could, without much difficulty. </p><p>“Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the GAO explains in its report, <a href="https://www.gao.gov/products/GAO-19-128" target="_blank"><em>Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities.</em></a></p><p>It’s likely that the testing revealed only a small number of the actual existing weaknesses. “In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats,” the report says. </p><p>It’s a disconcerting finding, considering that adversaries of the United States are developing increasingly sophisticated cyberespionage and cyberattack capabilities to target DOD weapons. The GAO found several reasons for these vulnerabilities.</p><p>One is that the Pentagon’s weapons systems are increasingly dependent on IT. 
The amount of software in today’s weapons systems is growing exponentially and is embedded in numerous subsystems. But this dependence on software increases the weapons’ attack surface. </p><p>Similarly, DOD weapons systems are more networked and interconnected than ever before, and they are also connected to some external systems, such as GPS. These factors further increase vulnerability. </p><p>In addition, DOD has only recently made weapon systems cybersecurity a priority. Instead, for many years, DOD focused its cybersecurity efforts on protecting traditional networks, such as accounting systems. “Until around 2014, there was a general lack of emphasis on cybersecurity throughout the weapon systems acquisition process,” the report says. </p><p>This late-to-the-game approach will have long-term consequences, the GAO found. “Numerous officials we met with said that this failure to address weapon systems cybersecurity sooner will have long-lasting effects on the department,” the report explains. “Due to this lack of focus on weapon systems cybersecurity, DOD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity.” </p><p>In the last few years, however, DOD has made progress on some new weapon cybersecurity initiatives and policies. Given this, GAO urged the DOD to press forward with these efforts. “To improve the state of weapon systems cybersecurity, it is essential that DOD sustain its momentum in developing and implementing key initiatives,” the report says. Finally, GAO pledged to continue to evaluate the issue.</p>

 

 

Articles in the February 2019 issue:

- Top Angst: Cyber and Travel: https://sm.asisonline.org/Pages/Top-Angst-Cyber-and-Travel.aspx
- Out in the Open: The Security Challenges of New Office Spaces: https://sm.asisonline.org/Pages/Out-in-the-Open-Feature-.aspx
- The Intoxication Issue: https://sm.asisonline.org/Pages/The-Intoxication-Issue.aspx
- The Cost of a Connection: https://sm.asisonline.org/Pages/The-Cost-of-a-Connection.aspx
- Certification Profile: Courtney Klein, PSP: https://sm.asisonline.org/Pages/Certification-Profile-Courtney-Klein,-PSP.aspx
- The Hard Truth About Soft Skills: https://sm.asisonline.org/Pages/The-Hard-Truth-About-Soft-Skills.aspx
- Weapon Weaknesses: https://sm.asisonline.org/Pages/Weapon-Weaknesses.aspx
- An Amenity of Necessity: https://sm.asisonline.org/Pages/An-Amenity-of-Necessity.aspx
- Book Review: Corporate Security: https://sm.asisonline.org/Pages/Book-Review-Corporate-Security.aspx
- Book Review: Digital Investigations: https://sm.asisonline.org/Pages/Book-Review-Digital-investigations.aspx
- Book Review: Serial Killers and The Aftermath: https://sm.asisonline.org/Pages/Book-Review-Serial-Killers-and-The-Aftermath.aspx
- Smarter Access At The State: https://sm.asisonline.org/Pages/Smarter-Access-At-The-State.aspx