More Headlines

 

 

<h3>Speak the Language of Payroll</h3>
<p>Strategic Security. <a href="https://sm.asisonline.org/Pages/Speak-the-Language-of-Payroll.aspx">https://sm.asisonline.org/Pages/Speak-the-Language-of-Payroll.aspx</a></p>
<p>Payroll in the security service business is not rocket science, but that does not mean it is easy. Paying people for the hours that they work ties into scheduling, time and attendance, industrial relations, human resource management, and billing.</p>
<p>There are rules to follow, and these rules are not followed just once. Add tens, hundreds, and even thousands of guards to the equation, then mix in tens, hundreds, and even thousands of sites. Each of these sites has rules, realities, regulations, certification requirements, and particularities—as do the respective guards. The potential for errors and pitfalls is huge, and comes with real consequences.</p>
<p>A well-designed back-office system can help you handle all these variables efficiently and prepare your employees' attendance data so that it integrates easily with your payroll system.</p>
<p>Still, those who work in sales, operations, training, and human resources should be aware of certain key payroll terms and realities in order to avoid costly pitfalls and better understand costs, even if there is a payroll specialist on staff. Employee pay rate is just a piece of the puzzle, so let's call it the top line.</p>
<p>Think of the table below as one of those pocket language guides you might carry in a foreign country. My company has clients in both the United States and Canada, so we must be aware of forms and regulations for both countries.</p>
<table width="100%" class="ms-rteTable-default ms-rte-paste-settablesizes" cellspacing="0"><tbody>
<tr><td class="ms-rteTable-default"><strong>Term</strong></td><td class="ms-rteTable-default"><strong>Explanation</strong></td></tr>
<tr><td class="ms-rteTable-default">T4 (Canada)</td><td class="ms-rteTable-default">Employers (resident or non-resident) need to complete form T4, Statement of Remuneration Paid, for employees to whom they have paid "employment income, commissions, taxable allowances and benefits, or any other remuneration."</td></tr>
<tr><td class="ms-rteTable-default">W-2 (U.S.)</td><td class="ms-rteTable-default">Every employer who pays an employee $600 or more for the year and withholds taxes for services performed must file a Form W-2, Wage and Tax Statement, for each employee.</td></tr>
<tr><td class="ms-rteTable-default">T4A (Canada)</td><td class="ms-rteTable-default">In a calendar year, you may make payments relating to employment, like fees, allowances, or pensions, that total over $500. Or, you may have deducted taxes from such payment. In either case, you must fill out form T4A, Statement of Pension, Retirement, Annuity, and Other Income. Note that there are exceptions to these rules.</td></tr>
<tr><td class="ms-rteTable-default">ACA (U.S.)</td><td class="ms-rteTable-default">The Affordable Care Act, or healthcare law, details employer benefits and responsibilities, which vary according to the size and structure of your workforce.</td></tr>
<tr><td class="ms-rteTable-default">1099 (U.S.)</td><td class="ms-rteTable-default">The Internal Revenue Service's (IRS) Form 1099-MISC, Miscellaneous Income, needs to be filed for each person who is not an employee and to whom you have paid at least $600 for services performed.</td></tr>
<tr><td class="ms-rteTable-default">Workers' Compensation (Canada)</td><td class="ms-rteTable-default">Employees who suffer an occupational injury or illness are eligible for workers' compensation benefits. Each province and territory has a board that makes decisions on such claims. (In the United States, workers' compensation is generally handled through private insurance.)</td></tr>
<tr><td class="ms-rteTable-default">Overtime</td><td class="ms-rteTable-default"><p>Overtime pay (OT) refers to employee wages that need to be paid at higher than the normal rate because the hours worked exceed "the number of hours deemed to constitute a normal workweek or workday."</p><p>OT varies based on jurisdiction, but in general OT can be 1.5 or 2 times a regular wage rate.</p><p>In the United States, salaried people can be entitled to OT if they earn less than the threshold, which is currently $913 per week; however, there are other conditions.</p></td></tr>
<tr><td class="ms-rteTable-default">Federal Holiday (U.S.) / Statutory Holiday (Canada)</td><td class="ms-rteTable-default">This is a holiday authorized by the U.S. federal or Canadian federal and provincial governments, respectively. In addition to government organizations, other business entities may also observe the holiday. Employees required to work on such a holiday may receive wages above their normal rate.</td></tr>
<tr><td class="ms-rteTable-default">Break/Meal Periods</td><td class="ms-rteTable-default">Break and meal periods are obligatory pauses from work at defined intervals.</td></tr>
<tr><td class="ms-rteTable-default">Callback/Report-in Pay</td><td class="ms-rteTable-default">If, due to an emergency, an employee is asked to return to work after leaving work or during a paid leave, they earn callback or report-in pay.</td></tr>
<tr><td class="ms-rteTable-default">Direct Deposit</td><td class="ms-rteTable-default">A direct deposit is a free electronic deposit of funds into one's bank account.</td></tr>
<tr><td class="ms-rteTable-default">Final Paycheck</td><td class="ms-rteTable-default">When an employee leaves a firm, the final paycheck includes regular wages as well as any unused accumulated annual leave, calculated at the employee's former regular pay rate.</td></tr>
<tr><td class="ms-rteTable-default">Minimum Wage</td><td class="ms-rteTable-default">The lowest wage rate an employer can legally pay an employee is called the minimum wage.</td></tr>
<tr><td class="ms-rteTable-default">Minimum Wage Exemptions</td><td class="ms-rteTable-default">Certain employees, under certain conditions, may not be covered by certain parts of the minimum wage legislation in your jurisdiction. Or, special rules may apply to these employees. Consult your local authority.</td></tr>
<tr><td class="ms-rteTable-default">Payout of Vacation/Sick Pay</td><td class="ms-rteTable-default"><p>Vacation pay is a supplemental wage payment based on length of service to the company and a percentage of annual wages.</p><p>Sick pay is any amount you pay under a plan to an employee who is unable to work because of sickness or injury. These amounts may be paid by a third party.</p><p>Both payouts are subject to withholding taxes, as if they were regular wage payments.</p></td></tr>
<tr><td class="ms-rteTable-default">Payroll Deductions</td><td class="ms-rteTable-default">Whether mandatory or voluntary, payroll deductions are amounts withheld from an employee's gross wages.</td></tr>
</tbody></table>
<p>Considering how much the security service sector depends on quality talent, it is important to get the details of payroll right, the first time and every time.</p>
<p><em>Mark Folmer, CPP, is vice president for the security industry at TrackTik. He is a member of the ASIS Security Services Council and ASIS senior regional vice president for Region 6, Canada. He also serves on the PSC.1 Technical Committee and Working Group.</em></p>
<h3>Put Training to the Test</h3>
<p>Physical Security. <a href="https://sm.asisonline.org/Pages/Put-Training-to-the-Test.aspx">https://sm.asisonline.org/Pages/Put-Training-to-the-Test.aspx</a></p>
<p>The classroom door flies open. An emotionally distraught student rushes into the doorway, produces a semiautomatic pistol, presses the muzzle of the gun to his temple with his finger on the trigger, and proclaims, "I can't take it anymore."</p>
<p>How will the teacher respond to this stressful, high-stakes situation? Will she intervene with verbal tactics or physical ones? Will she inadvertently put other students in danger by reacting too quickly?</p>
<p>An analysis by school security firm Safe Havens International found that teachers and administrators who had undergone traditional active shooter training were more likely to react to this situation by opting to attack the student or throw things at him, rather than taking the action steps outlined in the school's policies and procedures, such as calling 911 or instigating a lockdown. In other scenarios, trainees reacted in a similar manner, which could intensify and aggravate the situation even when time allowed for safer policies and procedures to be applied.</p>
<p>In the wake of high-profile massacres at schools and college campuses, institutions are preparing themselves for emergency situations with scenario-based training programs.</p>
<p>The percentage of U.S. public schools that have drilled for an active shooter scenario rose from 47 to 70 percent from 2004 to 2014, according to a study by the National Center for Education Statistics. But the intensive search for solutions to these deadly events can lead to hasty planning and decision making, ultimately resulting in an ineffective response.</p>
<p>The number of teachers and administrators who opt to attack or otherwise approach the armed perpetrator indicates that current active shooter programs may be overwhelming for participants, causing them to respond to threatening scenarios in a dangerous way. Schools have also become narrowly focused on active shooter scenarios, when most deaths and accidents on campuses do not involve an active shooter.</p>
<p>Taking these factors into consideration, an all-hazards approach to scenario-based training allows schools to prepare for a range of incidents, including bullying, sexual harassment, and natural disasters. Fidelity testing then allows administrators and teachers to put those plans to the test and see how participants apply the training under stressful scenarios.</p>
<p>School leaders can then learn to rely on the solid foundational principles of policies and procedures, as well as communications and emergency plans, to defuse potentially hazardous situations. Using these basic elements of active threat response and evaluating training programs to identify gaps could save lives.</p>
<h4>Evaluations</h4>
<p>During the stress of an actual crisis, people often react differently than they have been trained to do. Fidelity testing of a training program can help determine if there are gaps between what the trainer thinks the trainees will do and what actions trainees will take in real life. This was the aim of evaluations completed by campus security nonprofit Safe Havens International of Macon, Georgia.</p>
<p><strong>Methodology.</strong> Analysts conducted the evaluations at more than 1,000 K-12 public, faith-based, independent, and charter schools in 38 states. More than 7,000 one-on-one crisis scenario simulations were conducted by Safe Havens International in a series of school safety, security, and emergency preparedness assessments over the last five years. The participants were observed and scored by analysts who had completed a 16-hour formal training program and one day of field work.</p>
<p>Prior to running the scenarios, analysts came up with several action steps that should be taken in each scenario. These steps included initiating a lockdown, calling 911, sheltering in place, or pulling the fire alarm, for example. Based on those steps, the analysts developed a standardized scoring system to keep track of participant performance in the scenarios.</p>
<p>This type of training is known as options-based active shooter training because it gives the participants various responses to choose from. Many popular options-based programs are based on the U.S. Department of Homeland Security's Run. Hide. Fight. approach.</p>
<p>Drawing from Safe Havens International's repository of more than 200 audio and video crisis scenarios, analysts ran the simulations and let administrators, support staff, and teachers respond accordingly. These simulations covered a range of scenarios, which were presented in several formats.</p>
<p>For example, some participants were guided through an audio narration of a school bus taken hostage by an armed student. The audio was paused, and the trainees were asked what they would do next in that situation.</p>
<p>Similarly, video scenarios depicted potentially violent situations that left participants with a number of choices on how to react.</p>
<p>In one scenario, a woman screams at staff in the school office while brandishing a claw hammer. In another, a student on a school bus jumps up with a gun and yells, "Nobody move, and nobody gets hurt!" The video is stopped and trainees are prompted to say how they would react.</p>
<p>Based on action steps that were predetermined to be ideal, analysts then scored the trainees' responses on tablet devices. The scoring was tailored to individual clients. 
For instance, if analysts were training a school district that has a police officer on every campus, its response would be different from that of a rural district that does not have a law enforcement officer within 20 miles.</p><p><strong>Results. </strong>The results of the evaluations consistently showed that participants who were provided with options-based active shooter programs had lower scores than those who had not completed any type of training. </p><p>This outcome shows that current active shooter training methods may be overwhelming for administrators and teachers because they provide too much information—prompting them to attack when it is not necessary.</p><p>In an assessment in the northeastern United States, test subjects completed an options-based active shooter training program that was three and a half hours long. Evaluators found that the 63 administrators and staff members from 28 schools missed 628 out of 1,243 critical action steps that should have been implemented. That's more than 50 percent.</p><p>For example, participants failed to initiate or order a lockdown when it was appropriate 70 percent of the time. More than 55 percent of participants failed to call 911 or the school resource officer in scenarios depicting a person with a weapon, and 39 percent of participants failed to pull the fire alarm in situations involving fire. </p><p>During an assessment of a school district in the southwestern United States, 32 people from two groups participated in scenario simulations. One group completed a five-hour live training program based on the Run. Hide. Fight. video, developed by the district's school resource officers. The second group did not receive the training or view the video. </p><p>The simulation results revealed that none of the top five scoring participants had received any type of active shooter training. All five of the lowest scoring participants, on the other hand, had completed the training program. 
</p>
<p>The overall score was also significantly lower for the group that had completed training than it was for the untrained group. The lower scoring participants often opted to attack in situations where it was not the best option.</p>
<p><strong>Opting to attack. </strong>For the scenario described in the beginning of the article, where a student is potentially suicidal, analysts found that in one out of every four incidents, a school employee who had completed an options-based active shooter training would try to throw an object at or attack the student armed with a weapon.</p>
<p>Many of the participants in the simulations responded by opting to use force for almost any scenario involving a subject depicted with a gun. If the student in question was suicidal, such a reaction could be deadly, possibly leading the student to shoot himself or others.</p>
<p>Participants who had not received formal training began talking to the student, encouraging him to put the gun down, and asking if it was okay for the other students in the classroom to leave. These basics of communication are essential in an active suicide threat situation and can help defuse possible violence.</p>
<p>Another scenario featured a drunk man who was 75 yards away from a school at the same time that a teacher and her students were 25 yards from the school building at recess. The analysis found that 30 percent of participants playing the teacher chose to approach—and even attack—the drunk man, even though he was three-quarters of a football field away from the school.</p>
<p>The best option in this scenario is for the teacher to instruct the students to go into the school and put themselves in lockdown, then go into the building and ask the office to dial 911.</p>
<p>In November 2017, a school in Northern California initiated its lockdown procedure when the school secretary heard gunshots nearby. The gunman tried to enter the campus but could not find an open door. Because school faculty followed policies and procedures, countless lives were saved.</p>
<h4>Active Threat Approach</h4>
<p>The narrow focus on active shooter incidents has left many schools ill-prepared for other active attacker methods, including edged weapons, acid attacks, and fire. Relying on active shooter training also neglects response to incidents that often go undetected, such as bullying and sexual harassment.</p>
<p>The Safe Havens International assessments revealed that many K-12 schools lack written protocols for hazardous materials incidents or do not conduct any training or drills for these easy-to-orchestrate, devastating types of attacks. Evaluations also revealed an unwillingness among some school staff to report incidents of sexual harassment.</p>
<p><strong>Policies and procedures. </strong>Educational institutions have written policies and procedures on a range of issues, including bullying, sexual misconduct, signing in visitors, and traffic safety. Scenario-based training will help demonstrate whether staff are prepared to apply those policies appropriately. All staff should be included in this training, including bus drivers, cafeteria employees, and custodial workers.</p>
<p>Scenario-based training can reveal the gaps between what procedure dictates and what staff would actually do when confronted with a threat.</p>
<p>For example, in one simulation conducted by Safe Havens International, a student sat in a classroom with a teacher after hours. The teacher stroked the pupil's hair inappropriately and used sexually explicit language. Some custodial staff faced with this scenario responded that they did not feel comfortable reporting what they saw to school administrators. Janitors, who may be more likely to witness such incidents, said they felt an imbalance of power among the staff, leaving them unwilling to speak up. 
</p><p>Administrators should address such issues by using multiple scenarios related to sexual misconduct to demonstrate to employees that they are not only empowered but required to report these situations. Reviewing these policies and procedures as part of scenario-based training, and incorporating possible threats other than active shooter, will bolster preparation among staff. </p><p><strong>Attack methods. </strong>While mass shootings garner the most media attention, most recent homicides at schools were caused by attacks that did not involve active shooter events, according to Relative Risk of Death on K12 Campuses by school security expert Steven Satterly. </p><p>The 2014 study revealed that of 489 victims murdered on U.S. K-12 campuses from 1998 to 2013, only 62 were killed by active shooters. The Columbine, Sandy Hook, and Red Lake Reservation School shootings made up 74 percent of those 62 deaths.</p><p>Several weapons possibilities exist, and should be acknowledged in training programs, including edged weapons, explosive devices, and fire. </p><p>There have been dozens of mass casualty edged weapons attacks in schools, and serious damage can occur in a matter of minutes. A mass stabbing and slashing incident in Franklin, Pennsylvania, in April 2014 left 21 victims injured when a sophomore began attacking other students in a crowded hallway. Similar attacks have occurred in China, Japan, and Sweden that have killed and seriously injured students and school employees.  </p><p>Acid attacks are occurring more frequently in the United Kingdom, as well as in India, East Africa, Vietnam, and other regions. </p><p>For example, in September 2016, a student rigged a peer's violin case with acid at a high school in Haddington, Scotland. The victim's legs were disfigured as a result.  </p><p>These types of attacks are relatively easy to carry out because acid is inexpensive and can be concealed in bottles that appear harmless. 
The injuries sustained in these attacks are gruesome and irreversible, and there are concerns that this attack method may become more common in the United States.</p>
<p>Many active shooter training approaches also fail to address combination attacks, in which the perpetrator uses two or more attack weapons, such as firearms and explosives, firearms and fire, and so forth.</p>
<p>In the 2013 attack at Arapahoe High School in Colorado, a student shot his classmates and a staff member several times before throwing three Molotov cocktails that set part of the library ablaze. The student then shot himself.</p>
<p>Combination attack methods can present complications for first responders, who may have to decipher where each threat is located and which one to deal with first. These campus attacks demonstrate the danger of training concepts that focus intently on active shooter incidents while not offering viable options for other extreme attack methodologies.</p>
<p>There are ways to better prepare school staff to react to violence and reduce the chance of unintended consequences. Scenarios that present a range of threats and situations help trainees learn to react in the most effective manner, and remind them to rely on existing policies.</p>
<p>Fidelity testing that includes a scoring system for action steps will help determine whether active shooter and active threat training concepts have been received by the faculty. Including all staff members who have contact with students creates an inclusive environment where everyone feels empowered to report misconduct.</p>
<p>Holding a mirror up to current school emergency preparedness will reflect where changes need to be made. If there are significant gaps between the training concept and the application of those concepts when reacting unscripted to scenarios, improvements are in order. By applying these principles, schools can prepare themselves for the common emergencies, the worst-case scenarios, and everything in between.</p>
<h4>Sidebar: Keeping Simulations Safe</h4>
<p>Even the most well-intentioned scenario-based training can result in injuries. Training programs that teach throwing of objects, taking people to the floor, punching and kicking, or similar uses of force can wind up hurting trainees and trainers alike.</p>
<p>At least one popular active shooter training program has resulted in high rates of serious injuries among trainees, according to Jerry D. Loghry, CPP, loss prevention information manager for EMC Insurance.</p>
<p>Loghry verified that EMC Insurance has paid out more than $1 million in medical bills to school employees for injuries sustained in trainings from one active shooter program over a 22-month time period. In addition, one police department is being sued due to those injuries.</p>
<p>Instructors can be trained on how to engage participants in use of force in a safe way. Reasonable safety measures should be put into place, such as floor mats, and participants should wear protective padding, goggles, and even helmets if necessary.</p>
<p>Safety rules should be written in advance and observed during training simulations.</p>
<p>Local law enforcement can be a valuable resource for simulating active threat situations in a safe manner, because police officers complete similar close-quarters combat training on a regular basis. Observing these best practices can help prevent litigation and liability issues, as well as enhance the overall experience of participants and instructors.</p>
<h4>Sidebar: Fidelity Testing</h4>
<p>For stereo systems, fidelity means that the sound generated by the speakers is nearly identical to the sound of the music that is recorded. In marriage, fidelity means that a person will be faithful to their promises to another.</p>
<p>In the world of school safety, fidelity indicates a close alignment between what is intended by safety policies, plans, drills, and training, and what people do in reality. Fidelity testing is the best way to verify the level of alignment between intentions and reality.</p>
<p>In the case of active shooter preparedness, fidelity testing involves efforts to measure whether there is a close match between theory and what people will actually do under the stress of a violent incident.</p>
<p>With properly designed active shooter preparedness approaches, practical application under extreme stress should mirror, to a reasonable extent, the theoretical expectations of the approach. If people cannot correctly apply the active shooter survival options they have been provided under simulated conditions, their performance will likely not improve when they are placed under extreme stress.</p>
<p>A high degree of fidelity helps reduce the distance between what people ideally do under stress and what they are likely to do. A reasonable level of fidelity testing of active shooter survival concepts should document that people are able to:</p>
<ul>
<li>Demonstrate the ability to identify when they are in an active shooter situation.</li>
<li>Apply each option they are taught in an appropriate fashion when tested with scenarios they do not know in advance.</li>
<li>Apply each option under limited time frames with incomplete information.</li>
<li>Demonstrate knowledge of when applying each option would increase rather than decrease danger.</li>
<li>Demonstrate the ability to identify when they are in a situation involving firearms that is not an active shooter event.</li>
<li>Demonstrate the ability to properly address a wide array of scenarios involving weapons other than firearms.</li>
</ul>
<p><em><strong>Michael Dorn </strong>is the CEO of Safe Havens International. He has authored 27 books on school safety and emergency preparedness, and his work has taken him to 11 countries. He has provided post-incident assistance for 12 active shooter incidents at K-12 schools, and helped coauthor a U.S. government IS360 Web training program on active shooter events. He can be reached at mike@weakfish.org</em></p>
<h3>How to Hack a Human</h3>
<p>Cybersecurity. <a href="https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx">https://sm.asisonline.org/Pages/How-to-Hack-a-Human.aspx</a></p>
<p>It all started innocuously with a Facebook friend request from an attractive woman named Mia Ash. Once her request was accepted, she struck up a conversation about various topics and showed interest in her new friend's work as a cybersecurity expert at one of the world's largest accounting firms.</p>
<p>Then, one day Mia shared her dream—to start her own company. She had one problem, though; she did not have a website and did not know how to create one. Surely her new friend could use his expertise to help her achieve her dreams by helping her make one?</p>
<p>Mia said she could send him some text to include on the new site. He agreed, and when he received a file from Mia he opened it—on his work computer. That simple act launched a malware attack against his company, resulting in a significant compromise of sensitive data.</p>
<p>Mia was not a real person, but a carefully crafted online persona created by a prolific group of Iranian hackers—known as Oilrig—to help this elaborate spear phishing operation succeed.</p>
<p>Due to his role in cybersecurity, the target was unlikely to have fallen for a standard phishing attack, or even a normal spear phishing operation. He was too well trained for that. But nobody had prepared him for a virtual honey trap, and he fell for the scheme without hesitation.</p>
<p>This case is a vivid reminder that when cybersecurity measures become difficult to penetrate by technical means, people become the weakest link in a cybersecurity system. It also illustrates how other intelligence tools can be employed to help facilitate cyber espionage.</p>
<p>While many hackers are merely looking to exploit whatever they can for monetary gain, those engaging in cyber espionage are different. 
They are often either working directly for a state or large nonstate actor, or as a mercenary contracted by such an actor tasked with obtaining specific information.</p><p>This targeted information typically pertains to traditional espionage objectives, such as weapons systems specifications or the personal information of government employees—like that uncovered in the U.S. Office of Personnel Management hack. </p><p>The information can also be used to further nondefense-related economic objectives, such as China's research and design 863 program, which was created to boost innovation in high-tech sectors in China. </p><p>Given this distinction and context, it is important to understand that hacking operations are just one of the intelligence tools sophisticated cyber espionage actors possess. Hacking can frequently work in conjunction with other intelligence tools to make them more efficient.</p><p>Hacking into the social media accounts or cell phone of a person targeted for a human intelligence recruitment operation can provide a goldmine of information that can greatly assist those determining the best way to approach the target. </p><p>For instance, hacking into a defense contractor's email account could provide important information about the date, time, and place for the testing of a revolutionary new technology. This information could help an intelligence agency focus its satellite imagery, electronic surveillance, and other collection systems on the test site.</p><p>Conversely, intelligence tools can also be used to enable hacking operations. Simply put, if a sophisticated cyber espionage actor wants access to the information contained on a computer system badly enough, and cannot get in using traditional hacking methods, he or she will use other tools to get access to the targeted system. A recent case in Massachusetts illustrates this principle.</p><p>Medrobotics CEO Samuel Straface was leaving his office at about 7:30 p.m. 
one evening when he noticed a man sitting in a conference room in the medical technology company's secure area, working on what appeared to be three laptop computers.</p><p>Straface did not recognize the man as an employee or contractor, so he asked him what he was doing. The man replied that he had come to the conference room for a meeting with the company's European sales director. Straface informed him that the sales director had been out of the country for three weeks.</p><p>The man then said he was supposed to be meeting with Medrobotics' head of intellectual property. But Straface told him the department head did not have a meeting scheduled for that time. </p><p>Finally, the man claimed that he was there to meet the CEO. Straface then identified himself and more strongly confronted the intruder, who said he was Dong Liu—a lawyer doing patent work for a Chinese law firm. Liu showed Straface a LinkedIn profile that listed him as a senior partner and patent attorney with the law firm of Boss & Young. </p><p>Straface then called the police, who arrested Liu for trespassing and referred the case to the FBI. The Bureau then filed a criminal complaint in the U.S. District Court for the District of Massachusetts, charging Liu with one count of attempted theft of trade secrets and one count of attempted access to a computer without authorization. After his initial court appearance, Liu was ordered held pending trial.</p><p>Straface caught Liu while he was presumably attempting to hack into the company's Wi-Fi network. The password to the firm's guest network was posted on the wall in the conference room, and it is unclear how well it was isolated from the company's secure network. 
It was also unknown whether malware planted on the guest network could have affected the rest of the company's information technology infrastructure.</p><p>The fact that the Chinese dispatched Liu from Canada to Massachusetts to conduct a black bag job—an age-old intelligence tactic to covertly gain access to a facility—indicates that it had not been able to obtain the information it desired remotely.</p><p>China had clear interest in Medrobotics' proprietary information. Straface told FBI agents that companies from China had been attempting to develop a relationship with the company for about 10 years, according to the FBI affidavit. Straface said he had met with Chinese individuals on about six occasions, but ultimately had no interest in pursuing business with the Chinese.</p><p>Straface also noted that he had always met these individuals in Boston, and had never invited them to his company's headquarters in Raynham, Massachusetts. This decision shows that Straface was aware of Chinese interest in his company's intellectual property and the intent to purloin it. It also shows that he consciously attempted to limit the risk by keeping the individuals away from his facilities. Yet, despite this, they still managed to come to the headquarters.</p><p>Black bag attacks are not the only traditional espionage tool that can be employed to help facilitate a cyberattack. Human intelligence approaches can also be used. </p><p>In traditional espionage operations, hostile intelligence agencies have always targeted code clerks and others with access to communications systems. </p><p>Computer hackers have also targeted humans. Since the dawn of their craft, social engineering—a form of human intelligence—has been widely employed by hackers, such as the Mia Ash virtual honey trap that was part of an elaborate and extended social engineering operation.</p><p>But not all honey traps are virtual. 
If a sophisticated actor wants access to a system badly enough, he can easily employ a physical honey trap—a very effective way to target members of an IT department to get information from a company's computer system. This is because many of the lowest paid employees at companies—the entry level IT staff—are given access to the company's most valuable information with few internal controls in place to ensure they don't misuse their privileges.</p><p>Using the human intelligence approaches of MICE (money, ideology, compromise, or ego), it would be easy to recruit a member of most IT departments to serve as a spy inside the corporation. Such an agent could be a one-time mass downloader, like Chelsea Manning or Edward Snowden. </p><p>Or the agent could stay in place to serve as an advanced, persistent, internal threat. Most case officers prefer to have an agent who stays in place and provides information during a prolonged period of time, rather than a one-time event.</p><p>IT department personnel are not the only ones susceptible to such recruitment. There are a variety of ways a witting insider could help inject malware into a corporate system, while maintaining plausible deniability. Virtually any employee could be paid to provide his or her user ID and password, or to intentionally click on a phishing link or open a document that will launch malware into the corporate system. </p><p>An insider could also serve as a spotter agent within the company, pointing out potential targets for recruitment by directing his or her handler to employees with marital or financial issues, or an employee who is angry about being passed over for a promotion or choice assignment.</p><p>An inside source could also be valuable in helping design tailored phishing attacks. 
For instance, knowing that Bob sends Janet a spreadsheet with production data every day, and using past examples of those emails to know how Bob addresses her, would help a hacker fabricate a convincing phishing email.</p><p>Insider threats are not limited only to the recruitment of current employees. There have been many examples of the Chinese and Russians recruiting young college students and directing them to apply for jobs at companies or research institutions in which they have an interest.</p><p>In 2014, for instance, the FBI released a 28-minute video about Glenn Duffie Shriver—an American student in Shanghai who was paid by Chinese intelligence officers and convicted of trying to acquire U.S. defense secrets. The video was designed to warn U.S. students studying abroad about efforts to recruit them for espionage efforts.</p><p>Because of the common emphasis on the cyber aspect of cyber espionage—and the almost total disregard for the role of other espionage tools in facilitating cyberattacks—cyber espionage is often considered to be an information security problem that only technical personnel can address. </p><p>But in the true sense of the term, cyber espionage is a much broader threat that can emanate from many different sources. Therefore, the problem must be addressed in a holistic manner. </p><p>Chief information security officers need to work hand-in-glove with chief security officers, human resources, legal counsel, and others if they hope to protect the companies and departments in their charge. </p><p>When confronted by the threat of sophisticated cyber espionage actors who have a wide variety of tools at their disposal, employees must become a crucial part of their employers' defenses as well. </p><p>Many companies provide cybersecurity training that includes warnings about hacking methods, like phishing and social engineering, but very few provide training on how to spot traditional espionage threats and tactics. 
This frequently leaves most workers ill-prepared to guard themselves against such methods. </p><p>Ultimately, thwarting a sophisticated enemy equipped with a wide array of espionage tools will be possible only with a better informed and more coordinated effort on the part of the entire company. </p><h4>Sidebar: The Mice and Men Connection</h4><p>The main espionage approaches that could be used to target an employee to provide information, network credentials, or to introduce malware can be explained using the KGB acronym of MICE.</p><p>M = Money. In many cases, this does equal cold, hard cash. But it can also include other gifts of financial value—travel, jewelry, vehicles, education, or jobs for family members. Historic examples of spies recruited using this hook include CIA officer Aldrich Ames and the Walker spy ring.</p><p>A recent example of a person recruited using this motivation was U.S. State Department employee Candace Claiborne, whom the U.S. Department of Justice charged in March 2017 with receiving cash, electronics, and travel for herself from her Chinese Ministry of State Security handler, as well as free university education and housing for her son.</p><p>I = Ideology. This can include a person who has embraced an ideology such as communism, someone who rejects this ideology, or who otherwise opposes the actions and policies of his or her government.</p><p>Historical examples of this recruitment approach include the Cambridge Five spy ring in the United Kingdom and the Rosenbergs, who stole nuclear weapons secrets for the Soviet Union while living in the United States.</p><p>One recent example of an ideologically motivated spy is Ana Montes, who was a senior U.S. Defense Intelligence Agency analyst recruited by the Cuban DGI, which appealed to her Puerto Rican heritage and U.S. policies toward Puerto Rico. Another ideologically motivated spy was Chelsea Manning, a U.S. 
Army private who stole thousands of classified documents and provided them to WikiLeaks.</p><p>C = Compromise. This can include a wide range of activities that can provide leverage over a person, such as affairs and other sexual indiscretions, black market currency transactions, and other illegal activity. It can also include other leverage that a government can use to place pressure on family members, like imprisoning them or threatening their livelihood.</p><p>Historic examples of this approach include U.S. Marine security guard Clayton Lonetree, who was snared by a Soviet sexual blackmail scheme—a honey trap—in Moscow, and FBI Special Agent James Smith, who was compromised by a Chinese honey trap.</p><p>More recently, a Japanese foreign ministry communications officer hanged himself in May 2004 after falling into a Chinese honey trap in Shanghai.</p><p>E = Ego. This approach often involves people who are disenchanted after being passed over for a promotion or choice assignment, those who believe they are smarter than everyone else and can get away with the crime, as well as those who do it for excitement.</p><p>Often, ego approaches involve one of the other elements, such as ego and money—"I deserve more money"—or ego and compromise—"I deserve a more attractive lover."</p><p>A recent example is the case of Boeing satellite engineer Gregory Justice, who passed stolen electronic files to an undercover FBI agent he believed was a Russian intelligence officer. 
While Justice took small sums of money for the information, he was primarily motivated by the excitement of being a spy like one of those in the television series <em>The Americans</em>, of which he was a fan.</p><p><em><strong>Scott Stewart</strong> is vice president of tactical analysis at Stratfor.com and lead analyst for Stratfor Threat Lens, a product that helps corporate security professionals identify, measure, and mitigate risks that emerging threats pose to their people, assets, and interests around the globe.</em></p>
<p><a href="https://sm.asisonline.org/Pages/New-Technology-with-a-Personal-Touch.aspx">New Technology with a Personal Touch</a> (Physical Security)</p><p>As a financial services organization, Northwestern Mutual helps clients plan now to prepare for the future. And at the end of 2014, the Milwaukee-based company put that goal into practice when planning a security strategy for a new building in the heart of the city. The 32-story, 1.1 million-square-foot Northwestern Mutual Tower and Commons houses about 2,400 Northwestern Mutual employees and signals a shift in the organization's approach to business.</p><p>"In essence, it was revolutionizing our organization from an insurance and financial investment company into a financial tech-savvy organization," explains Bret DuChateau, corporate security consultant at Northwestern Mutual. "How do we position ourselves over the next few years to build this brand new state-of-the-art building to attract the workforce of the future, and how leading up to that do we design and integrate systems into that building that will set us up for the future?"</p><p>DuChateau has been on Northwestern Mutual's security team since 2004, and the new building presented an opportunity to not only update the technology but position the organization's security approach as one that will be cutting-edge for years to come. </p><p>Key to this concept was considering how technology could augment a physical security presence through digital guest registration systems, data analytics, and streamlined command center protocols. First, however, DuChateau had to get the entire campus on the same security platform.</p><h4>COME TOGETHER</h4><p>"The tower is a learning center for all of our financial representatives and employees, designed in a very open and collaborative way from an organizational and customer experience standpoint," DuChateau says. 
"It certainly positions us where we want to be in the future, but is also designed to connect better with the community here in Milwaukee."</p><p>The new facility connects to three existing Northwestern Mutual buildings via skywalk and also boasts a public commons area featuring gardens, restaurants, and coffee shops, and an interactive museum of the organization's history. With the combination of old and new buildings, as well as public and private areas, it was critical for the campus's access control to work as a unified solution.</p><p>"We had multiple campuses all under one corporate security team, but we were talking two different languages," DuChateau explains. "You would have one system and one set of rules at one campus, and one system and set of rules at the other, and there was no data exchange, so you were always trying to manually keep databases in sync. If someone leaves one site, we have to manually take them out of the other site. Just onboarding and offboarding people, manually entering their first name, last name, and employee number in one system, assigning them access, and then turning to the next computer and entering them in another system. I could go on and on."</p><p>Northwestern Mutual chose AMAG Technology for its Symmetry access control enterprise system and Symmetry GUEST visitor management system to streamline the flow of employees and visitors alike throughout the campus. Now with all buildings on the same platform, and the ability to automate several of the processes that had previously been manual, Northwestern Mutual estimates it saves about 14 hours a month when it comes to managing the access control system.</p><p>"You're not only looking at a security process efficiency, but a support process," DuChateau explains. "Now we have dedicated IT teams that help us from an infrastructure standpoint—they don't have to remember which system they are working on, because we're all working on one system across the enterprise. 
We're in a virtualized server environment so everyone is seeing and touching the same thing, and just from a staffing standpoint, we have people who can bounce between multiple campuses and they are not having to relearn everything."</p><p>Comparing the response to a standard door alarm before and after the technology upgrade shows the efficiency of the new system, DuChateau points out. When multiple security systems were in place, a door alarm would be automatically logged into a database and a patrol officer would be dispatched to where the alarm went off. Employees in the command center would open up an Excel spreadsheet and document the date, time, and location of the alarm and how it was resolved. At the same time, the responding officer would record the same information into his or her own response log.</p><p>"We'd have this incident documented in five or six places," DuChateau notes. "In our traditional mindset a few years ago, we just kept doing it because it was the process. None of the documentation was coalesced into a common system, it was just out there."</p><p>After the AMAG upgrade, the process has become more streamlined. The access control system will register the door alarm and immediately display a notification on video monitors in the command center. The situation can often be resolved just by looking at the video of what is going on, and the system allows employees to document the alarm in the system itself. </p><p>"It's pretty hands-off, we put a heavy lift into the programming," DuChateau says. "We went from logging 1,400 different entries on a shift down to 200 just by taking a step back. When you're saving 800 steps from a shift, that equates to time, so we gained about six hours out of an eight-hour shift by freeing someone up from documenting everything." ​</p><h4>WATCHFUL AND WELCOMING</h4><p>Northwestern Mutual's corporate security team is blended, with about 40 in-house employees and another 40 contracted officers. 
The organization switched from another contract security provider to G4S at the end of 2016 due to its familiarity with the AMAG systems—AMAG is a subsidiary of G4S.</p><p>"That was a factor in identifying this relationship," DuChateau says. "We could have the benefit of G4S folks coming to us that have familiarity with their own products already, so we don't have to spend as much time as we normally would with someone coming in cold and having to train them on the solutions."</p><p>DuChateau points out that, despite the addition of the tower and commons to the campus, Northwestern Mutual did not need to bring on any additional in-house or contracted security personnel, thanks to the augmented technology.</p><p>"When you talk about opening a 1.1 million-square-foot addition, you would think that it's a given that we'd need extra security people, but we didn't because we became more efficient," DuChateau says.</p><p>G4S officers have become a more integral part of Northwestern Mutual's security approach and are primarily in charge of the visitor management system, which is critical for the new facility—employees from all over the country flock to the Milwaukee campus every week for training. The increase in traffic required DuChateau to rethink the visitor registration process.</p><p>"We had five buildings that were all interconnected, but we had five separate lobbies, five separate ways to process visitors, five separate ways to get employees in and out, so we wanted to make some conscious decisions on where to direct people," DuChateau explains. "We just built this brand new beautiful tower and connecting commons and training space. Do we have to process visitors at every single building or can we direct them to the tower lobby? If we direct them to one main entry point, then we can deploy technology in these other lobbies and move resources where they're needed. 
We changed a little bit of behavior and moved some of the operations more towards a centralized location than doing everything everywhere."</p><p>AMAG's visitor management system allows guests to preregister, making it easy for officers to look up the guest and print a barcoded badge that permits visitors access to specified areas. The system also runs guests' names against a list of restricted visitors. DuChateau says that in the future the system will allow preregistered guests to print off a QR code that would produce a badge upon being scanned at the facility. "There are some cool things on the horizon as far as the efficiency standpoint goes," he says.</p><h4>ALL IN THE NUMBERS</h4><p>While DuChateau is glad to have a 21st century, enterprise-level security system in place, he says he is most looking forward to what the system can do for Northwestern Mutual in years to come. Already, data mining has made the security approach more efficient and intuitive.</p><p>"We have two cafeterias on our Milwaukee campus, so we can start gathering access control data and say at 9:30 a.m. here's a snapshot of the number of people on campus, give that to the restaurant team, and they can use it and plan to feed that many people for lunch that day," DuChateau says. "We want to use this data to say, 'okay, are we using our facilities how we had intended three years ago?' We start looking at singular systems, gathering data, and making that data actionable in a business sense. Data is data, but if you don't use it, what good is it for besides investigations?"</p><p>Preregistration data also helps the security team manage the flow of visitors each day. Employees can look at the guest database and estimate when and where large groups of visitors will arrive, and plan accordingly. 
"We get a couple more laptops, badge printers, and patrol people to help process visitors, versus having a bad customer experience and having 200 people lined up out the door just to get in to a training event that we're hosting," DuChateau explains. </p><p>That's just the tip of the data-mining iceberg, and the more Northwestern Mutual's security arm works with the rest of the organization, the more the data can be employed to the organization's benefit. "Our information resource management and cybersecurity folks look at it from a different perspective, and maybe our privacy people ask how the data is going to be used and what kind of data is gathered," DuChateau says. "Now that we're standardized on an enterprise-class solution, how can that data benefit the business? How can we slice and dice that data down the road? Maybe we can take snapshots of our environment across all of our facilities, not only in Wisconsin but in Arizona and New York—can we feed that information to our workforce planning people?"</p><p>DuChateau says he wants Northwestern Mutual's intelligent security control centers to take the heavy lift off of employees and use built-in analytics to proactively identify strange behavior, and instead use security personnel to respond to exceptions.</p><p>"For the longest time, our control centers had this big screen up with all card access activity in the environment, thousands and thousands of people badging in and out—all of this data is scrolling by and it's just noise," DuChateau says. "Why do we even care what these people are doing in real time? 
Let's care about the people who are badging into areas that they aren't supposed to be badging into, or someone who has a multifactored device and is putting in the wrong PIN code, and start dealing with the smarter security approach to a secure environment."</p><p>While the new technology and data augment Northwestern Mutual's security posture and reduce the workload on guard services, DuChateau says that does not mean technology will replace people. "Maybe we want to pull some people because we've deployed technology, but we will direct them to a different part of the operation that looks at metrics, or quality assurance, or all of these things that really build up those parts of the program, because we don't have to be so labor intensive on physical access control or checking IDs or things like that—we can look at resource management in a different lens."</p><p>For now, DuChateau says the security team is still getting used to the new facilities and platforms at Northwestern Mutual's Milwaukee campus and is learning to rely on the data the systems collect. But within a few years, he foresees a "phenomenal expansion" of leveraging the platforms to guide the team's efforts.</p><p>"We've really begun to scratch the surface on the potential of all of this technology," DuChateau says. "We're in a good spot because we did it early enough and we have people familiar enough with the technology. Now we can ask, okay, what else can we do and how else can we move the vision of our company forward?" ​</p>
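<p>The exception-first monitoring DuChateau describes (ignore the thousands of routine badge-ins, surface only denied badges and repeated wrong PINs on multifactor readers) can be illustrated with a small detector. This is an added example, not Northwestern Mutual's or AMAG Symmetry code; the event format, card numbers, reader names and thresholds are constructed assumptions.</p>

```python
"""Exception-based review of badge events (added example, not AMAG/Symmetry code).

Event format (constructed for illustration): ISO timestamp, card id, reader name,
and outcome, which is one of "granted", "denied", or "pin_fail".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. A real day would be thousands of "granted" lines;
# only the exceptions should reach an operator's screen.
SAMPLE_EVENTS = """\
2018-01-09T08:58:10,1042,LOBBY-TURNSTILE-1,granted
2018-01-09T08:59:42,2210,LOBBY-TURNSTILE-2,granted
2018-01-09T09:03:05,1042,DATACENTER-DOOR,denied
2018-01-09T09:03:40,1042,DATACENTER-DOOR,denied
2018-01-09T09:10:12,3377,COMMAND-CENTER,pin_fail
2018-01-09T09:10:30,3377,COMMAND-CENTER,pin_fail
2018-01-09T09:10:55,3377,COMMAND-CENTER,pin_fail
2018-01-09T09:11:20,3377,COMMAND-CENTER,granted
2018-01-09T09:45:00,2210,CAFETERIA-EAST,granted
2018-01-09T10:20:14,5519,SERVER-ROOM-2,pin_fail
"""

PIN_FAIL_THRESHOLD = 3                 # PIN failures that warrant a look (assumed)
PIN_FAIL_WINDOW = timedelta(minutes=5)  # ...within this period (assumed)


def parse_events(text):
    """Parse event lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, reader, outcome = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "card": card,
            "reader": reader,
            "outcome": outcome,
        })
    return events


def find_exceptions(events):
    """Return only the events an operator should act on, as
    (reason, card, reader, time) tuples in time order.

    Rule 1: every denied badge, i.e. a cardholder presenting at a door
            they are not authorized for.
    Rule 2: a card that accumulates PIN_FAIL_THRESHOLD PIN failures within
            PIN_FAIL_WINDOW; one alert per burst, then the count resets.
    """
    alerts = []
    recent_pin_fails = defaultdict(list)  # card -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["outcome"] == "denied":
            alerts.append(("unauthorized_area", ev["card"], ev["reader"], ev["time"]))
        elif ev["outcome"] == "pin_fail":
            window = recent_pin_fails[ev["card"]]
            window.append(ev["time"])
            cutoff = ev["time"] - PIN_FAIL_WINDOW
            window[:] = [t for t in window if t >= cutoff]  # age out old failures
            if len(window) >= PIN_FAIL_THRESHOLD:
                alerts.append(("repeated_pin_failure", ev["card"], ev["reader"], ev["time"]))
                window.clear()
    return alerts


def noise_reduction(events, alerts):
    """How many raw events were collapsed into how many actionable items."""
    return len(events), len(alerts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = find_exceptions(evs)
    for reason, card, reader, when in found:
        print(f"{when.isoformat()}  card {card}  {reader}  {reason}")
    print("raw events -> actionable:", noise_reduction(evs, found))
```

The single PIN failure on card 5519 stays below the threshold and is deliberately not surfaced, which is the kind of tuning the article's "noise" remark is about.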
<p><a href="https://sm.asisonline.org/Pages/January-2018-ASIS-News.aspx">January 2018 ASIS News</a> (Strategic Security)</p><h4>Shifting into High Gear</h4><p>Enterprise security risk management (ESRM) activity at ASIS is moving into high gear. The ASIS Board of Directors approved a plan for ESRM principles to be infused into the DNA of the Society. Designating ESRM a priority strategic initiative, the ASIS Board created the ESRM Commission in July 2016. In the year-plus since, the commission inventoried ESRM content, identified subject matter experts, developed a primer, and interviewed members on how ESRM should be worked into ASIS's activities.</p><p>For the first time, in 2017, the ASIS Annual Seminar &amp; Exhibits featured a full track of sessions devoted to ESRM. Sessions included a preseminar program on IT security for physical security professionals and an intensive interactive two-hour tabletop exercise in which attendees represented various departments of an organization and used ESRM principles to deal with an evolving crisis scenario. Earlier in the year, ASIS Europe 2017 focused on enterprise-level risks and featured master classes on implementing integrated enterprisewide security teams. </p><p>On November 15, the board approved the commission's request to transform into four workstreams that will develop appropriate ESRM material for their particular areas. The workstreams cover standards and guidelines, education and certification, marketing and branding, and creation of a digital maturity model tool. Each workstream includes a board member sponsor, an ASIS staff member, an ESRM subject matter expert, and a team of member volunteers.</p><p>Are you an avid ESRM advocate? Have you put ESRM into practice? There's still room in the workstreams for your expertise. 
Please contact Chief Global Knowledge and Learning Officer Michael Gips at <a href="mailto:michael.gips@asisonline.org">michael.gips@asisonline.org</a>.​</p><h4>Adams to Lead 2018 Professional Certification Board</h4><p>The ASIS Professional Certification Board (PCB) will be led in 2018 by Dana Adams, CPP, director of corporate security for TELUS, a telecommunications company headquartered in Vancouver, Canada. Adams has served on the PCB for six years and was the board's vice president in 2017. William Moisant, CPP, PSP, will assume the role of vice president in 2018.</p><p>The PCB oversees the ASIS board certification program and ensures that the domains of knowledge and the exams reflect the duties and responsibilities of security professionals. Adams succeeds 2017 President Per Lundkvist, CPP, PCI, PSP. </p><p>"I would like to thank Per for his able leadership of the PCB, as well as for his guidance, support, confidence, and friendship," Adams says. "In 2018, priorities include continuing the work to establish an entry-level certification, maintaining the leadership role of ASIS board certifications across our profession, and ensuring global representation and diversity of the PCB."</p><p>New to the PCB in 2018 are Kevin Peterson, CPP, president, Innovative Protection Solutions, LLC; Jeffrey Leonard, CPP, PSP, area vice president, Securitas Critical Infrastructure Services, Inc.; and Vasiles Kiosses, CPP, PSP, physical security services manager, Schlumberger Oilfield Services. ASIS extends its thanks to departing PCB members, James Bradley, CPP, PCI, and Ann Trinca, CPP, PCI, PSP.​</p><h4>ASIS Europe 2018: From Risk to Resilience</h4><p>Now is the time to register for ASIS Europe 2018, taking place 18-20 April in Rotterdam, The Netherlands. 
The event focuses on securing organizations in the era of IoT and highlights how enterprise security risk management approaches can protect an organization's full range of physical, digital, and human assets.</p><p>The "From Risk to Resilience" event format, launched in Milan in March 2017, will be repeated, with its mix of conference, training, technology and solutions, exhibition, career center, and exclusive networking.</p><p>At the conference, themed "Blurred Boundaries—Clear Risks," attendees will tackle the impacts of Big Data and artificial intelligence, and examine up-to-date risk outlooks, case studies, and analysis across the full range of key security management issues. </p><p>ASIS Europe will help attendees navigate a broad sweep of risks, from the malicious use of the latest emerging technologies to the threat of low-tech attacks, particularly on soft targets in public spaces. </p><p>Conference highlights include:</p><ul><li>Opening keynote on Big Data, automation, and artificial intelligence from a business perspective</li><li>Digital asset valuation and risk assessments by Carl Erickson, CPP, and Gal Messinger of Philips Lighting</li><li>The EU General Data Protection Regulation (GDPR) by Axel Petri of Deutsche Telekom and Christoph Rojahn of PricewaterhouseCoopers</li><li>Jihadi terrorism trends in Europe by Glenn Schoen of Boardroom@Crisis</li><li>Virtual security operation center transformation by Michael Foynes of Microsoft</li><li>Public spaces as the front line against extremist violence by Thomas Vonier, CPP, of the American Institute of Architects</li><li>Understanding business resilience by Laura Poderys of Danske Bank</li></ul><p>The conference is geared towards professionals who need to understand the full spectrum of physical and cyberthreats. 
Both established and aspiring security leaders can create learning paths through the program.</p><p>Register at www.asiseurope.org. Advance rates are available until March 8, and group packages are also available. Contact europe@asisonline.org directly for more information.​</p><h4>New ASIS Website, Community</h4><p>Digital transformation is at the forefront of many organizational discussions, and the need for innovation has never been greater. Remaining relevant in today's on-demand, content-driven world means that associations must be hyper-connected and agile. </p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS is currently engaged in a broad range of innovative projects—including a major redesign of its primary website, www.asisonline.org, and the underlying technologies that support online and mobile experiences.</p><p>This month, ASIS launches Phase One of a multiyear project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification. </p><p>One of the key strategies driving the new site is to create a powerful search function that will unify content from a variety of ASIS sources, including Security Management offerings and Seminar sessions. By creating a search-centric site that allows users to filter results, ASIS will meet its goal of helping members at their "moment of need." The website facelift includes a more graphical and modern interface for both desktop and mobile devices.</p><p>It is important to understand that this is just Phase One of the process. With a critical emphasis on design, taxonomy, search, and commerce, both functionality and content are priorities. Additionally, some functionality will be moving to other platforms, such as the new community site, launching in February. 
Two other phases are planned for 2018.</p><p>ASIS is also upgrading the membership database, including new functionality for engagement, certification, profile management, and data analytics. The system will be tightly integrated with the website to ensure a seamless user experience across platforms. As a part of the new launch, ASIS will be engaging members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation in 2018. </p><p>When the online community is launched, ASIS will provide security professionals with a secure platform to network, share ideas, access resources, and stay connected with peers, chapters, ASIS staff, and industry thought leaders.</p><p>Get ready, the launch of a new digital ASIS will be here soon!</p><p>Note: The ASIS website may be inaccessible for a few days at the end of January to facilitate the launch.​</p><h4>MEMBER BOOK REVIEW</h4><p><em>The Manager's Handbook for Corporate Security</em>, Second Edition. By Edward P. Halibozek and Gerald L. Kovacich. Butterworth-Heinemann; Elsevier.com; 498 pages; $120.</p><p>Whether the reader is an aspiring security management student or a seasoned veteran, the second edition of <em>The Manager's Handbook for Corporate Security </em>provides a comprehensive look at the past, present, and future of the security industry—a world that experiences both operational and functional changes at light speeds. Using a mythical organization called International Widget Corporation to illustrate problems and solutions, it creatively brings theory to life as it transforms the difficult concepts of "what should be" into "what is." Throughout the book, risk management is enlisted to transform security from a reactive process to a dynamic proactive endeavor.  
</p><p>The authors do a masterful job of taking the reader on a journey through various contingencies, and stress the importance of being proactive through key loss prevention programs, security awareness training, and developing strategic, tactical, and annual plans to combat risk and mitigate losses. Chapter after chapter, the authors emphasize that planning and preparedness strengthen the organization's overall security program and keenly integrate all layers within the organization. This approach helps solidify the security department's role in asset protection and keeps the security department where it should be—leading the effort. Adding value to an already solid effort, the authors consider new elements such as background checks, insurance, training, and cybersecurity—functions that are increasingly becoming part of the security department's portfolio. </p><p><em>The Manager's Handbook for Corporate Security</em> is a must for any serious security professional and would be a valued addition to any security leader's professional bookshelf.  </p><p>Reviewer: Terry Lee Wettig, CPP, is an independent security consultant who served 10 years as director of risk management with Brink's Incorporated. A retired U.S. Air Force chief master sergeant, he is currently a doctoral candidate specializing in organizational psychology. He is an ASIS member.</p>
<h4>Find the Fire</h4><p>https://sm.asisonline.org/Pages/Find-the-Fire.aspx (Physical Security)</p><p>The University of Hawaii at Hilo (UHH), founded in 1941, is located on the largest island of the Hawaiian archipelago, Hawaii, also known as "the Big Island." The school offers 38 undergraduate areas of study, including a renowned astronomy program, to approximately 3,600 students.</p><p>The Hawaiian skies over the central Pacific Ocean offer a spectacular view of the heavens. </p><p>But despite the campus's magnificent panoramas, the university's security staff found itself gazing too often at fire panels that weren't functioning properly, says Ted LeJeune, project manager at UHH. </p><p>When the campus began major renovations about five years ago, the security department ran into challenges with the fire panels, which worked via radio signal. "We were starting to experience issues with the reflectivity and the inconsistencies of the radio system," LeJeune says, "so we were having trouble passing our final fire inspections with the fire marshal."</p><p>The institution's fire system includes panels that intermittently report back to a central station in the campus security office. "On a regular basis, the panels transmit signals that say, 'Hey, I'm here, I'm doing fine,'" LeJeune explains. "And as long as we get that heartbeat notification, the security office knows that we don't have any problems."</p><p>The fire panels report any issues to the central station, including triggered smoke detectors, pulled fire alarms, and offline panels. 
When any of these alarms are triggered, "we get an immediate notification to our campus security office that we have an issue with a building, and we need to dispatch somebody to investigate," LeJeune notes.</p><p>In the campus security operations center, which is staffed around the clock, security staff members monitor a large screen that displays the fire life safety system's current status, as well as active alarms. The screen allows operators to scroll through notifications and keep an archive of reports. In case of fire or another life-threatening hazard, the fire department is contacted. </p><p>The campus roofs are made of corrugated steel. But whenever the Hawaiian sun would hit the metal rooftops, the signals could get diffused or jammed, causing the radio-based fire alarm systems to report inconsistently, or not at all. This led to a host of issues for the campus security department. </p><p>"We were having intermittent connectivity and even losing connectivity to some of the locations because of the radio signal reflectivity of our roof systems," LeJeune says. </p><p>Besides the connectivity and transmission issues, the old radio units were burdensome to maintain, and an outside engineer had to travel to the campus to service the units. </p><p>These challenges led to a conversation with Digitize, which provides several aspects of the campus's fire life safety system. In the fall of 2016, Digitize suggested land-based radio units that connect into the university's existing fiber optic cable and Ethernet system. "We've done several upgrades over the last few years to standardize and stabilize our Internet," LeJeune explains, "and it was just a natural extension to add Digitize to the land system because we already had the existing backbone."</p><p>The land-based radio units allow the end user to remove the frequency transmitter on the fire panels, and connect into either the Ethernet or fiber connections in the buildings. 
This landline connection enables the panels to report back to the central station within seconds. </p><p>UHH launched a pilot project in the spring of 2017 to test the new product on its recently renovated College of Business and Economics building. The university upgraded its base unit in the campus security office to accommodate both the radio frequency and the land inputs. </p><p>During the testing, the land-based units successfully and accurately reported all issues to the central station. "Our pilot project went fantastically," LeJeune says. "We were able to retrofit the remote unit [with the landline], and we were able to clearly communicate and program the base unit," he says. The school also brought the fire department in to observe the new system. "They were thrilled that we were getting a more stable network and that we were able to more clearly manage and supervise our system." </p><p>Since installing the new system, the campus has not experienced any issues with fire alarm panel reporting. Over the next several months, the campus plans to add additional land-based units to at least 25 buildings. Some of the larger buildings will have their own unit while groups of smaller buildings can share units, LeJeune adds. </p><p>With the new system, UHH security staff can service the panels themselves, rather than relying on an outside engineer. "Digitize has given us in-house training, so that we can not only diagnose but also put new systems online, and program them at both ends to communicate consistently and properly," he notes. "The ability to work on them internally…and the training that we've been able to get from Digitize has just been a real major step forward for us." </p><p>He adds the new system allows security to fully focus on the issues that deserve attention. "It's about having confidence that we have consistent communications, and that we're not getting dropouts or false alarms," he says. 
"This allows the security office folks to focus on their assigned tasks rather than chasing ghosts and false alarms."</p><p>For more information: Abe Brecher, Digitize, www.digitize-inc.com, abeb@digitalize-inc.com, 973.219.2567 ​</p>
<h4>Q&A: Event Security</h4><p>https://sm.asisonline.org/Pages/Q-and-A-Event-Security.aspx (Physical Security)</p><p>The ASIS 2017 Book of the Year is <em>Managing Critical Incidents and Large-Scale Event Security</em> by Eloy Nuñez and Ernest G. Vendrell. The authors spoke to <em>Security Management </em>about security trends and challenges in the event industry.</p><p><em><strong>Q. </strong>What are some of the biggest challenges facing the event security industry today?</em></p><p><strong>A. </strong>An overreliance on technology is a major challenge. We tend to think that a wall or a fence will keep the bad guys out, and it does help a lot, but in and of itself it's not going to solve our problems. We know that every fence and wall can be breached, and every technology that one can think of can be counteracted. It takes an active observation of the technology and how it's working. Another challenge is a sense of complacency, the idea that someone else is watching. That tends to make us less alert. Communication also becomes so important, especially when you're dealing with a variety of participants. It's essentially impossible to achieve requisite levels of coordination and collaboration without that effective communication.</p><p><em><strong>Q. </strong>How has the event security space evolved over the last few decades?</em> </p><p><strong>A. </strong>Three factors have made us more effective and efficient than in the past: computer processing speed, the miniaturization of technology, and the interconnectedness of people via devices. The improvements to technology have been outstanding. We're now able to process information more quickly. The interconnectedness allows us to communicate, collaborate, and crowdsource for information. There are so many different people from disparate backgrounds and agencies. 
We all get together and plan things out, and the byproduct is that we learn from each other.</p><p><em><strong>Q. </strong>Your book draws on lessons learned from past events. What are some of the overarching themes in those lessons?</em></p><p><strong>A.</strong> Given the complexities of critical incident management and large-scale event planning, we try to simplify things as best we can so that everyone is able to execute those plans. It takes a well-trained, diversified, and committed team that has clear goals and objectives. Have the team that you put in place practice as much as possible, and institute training that's relevant, realistic, and replicates the environment that you're working in. </p><p><em><strong>Q. </strong>Given the range of threats to the live event industry, how can security professionals share information to help mitigate those challenges?</em></p><p><strong>A. </strong>Networking is so critical. One thing we wrote about was that, in the public safety arena, we were great at identifying lessons learned, but the problem was that we weren't applying those lessons. Conferences like the ASIS annual seminar and exhibits, where you have professionals sharing lessons learned and how they applied them, are so important in terms of professionalization and collectively doing a better job moving forward. Identifying contacts ahead of time and getting to know them before there's a problem is critical. That way when an unforeseen incident occurs, you have the right parties on speed-dial.</p>
<h4>Disaster Dominoes</h4><p>https://sm.asisonline.org/Pages/Disaster-Dominoes.aspx (National Security)</p><p>"I've been doing this close to 40 years, and there has not, in my career, been a hurricane season anything like this," disaster response expert Jerome Hauer explains in a recent interview regarding the unprecedented 2017 Atlantic hurricane season.  </p><p>Given his experience base, that is saying something. Hauer has led the homeland security and emergency services department for the state of New York, the office of emergency management in New York City, and Indiana's department of emergency management. On the federal level, he has served as assistant secretary for the U.S. Office of Public Health Emergency Preparedness (OPHEP). He is also a longtime member of ASIS International, and is now a professor at Georgetown University's Center for Security Studies. </p><p>But despite all those years in the field, Hauer cannot recall a storm season like the one that just passed. Starting with Hurricane Franklin and ending with Hurricane Ophelia, the 2017 season featured 10 consecutive hurricanes—the greatest number in the satellite era, all of which were marked by winds of at least 75 miles per hour. It may also have been the costliest season on record, with a preliminary total of more than $186 billion in damages, nearly all of which resulted from the three most devastating hurricanes: Harvey, Irma, and Maria. </p><p>Each of these massive hurricanes had its own profile. Harvey, for example, came with flooding of biblical proportions, and Irma devastated portions of Florida's power grid. Experts like Hauer say that these two hurricanes illustrated some lessons for emergency preparedness and response. (Experts interviewed for this article did not focus on Hurricane Maria, because the response to that storm was complicated by political and geographic factors.) 
</p><p>For example, while emergency management leaders in localities and states understand the importance of planning, they have neither the time nor the resources to plan for every possible scenario, and so they normally do not plan for the unprecedented—such as three Category 4 hurricanes that make landfall within the span of four weeks. </p><p>"This many hurricanes that impact the United States and its territories in a single year is something that you couldn't contemplate," Hauer says. "Particularly since the hurricanes were catastrophic. The strength of the hurricanes, the volume of rain in some areas—we haven't seen anything like this that I can remember."</p><p>And even if a sole visionary emergency manager formulated a plan to protect all affected places from an unprecedented hurricane season, in the real world no jurisdiction or state government would have the billions needed to actually implement and fund the required costs of reinforcing, rebuilding, or replacing the various infrastructure systems that would be affected, says emergency management expert Harry Rhulen. Rhulen is CEO of the crisis management firm Firestorm and a member of the ASIS International Crisis Management and Business Continuity Council.</p><p>Nonetheless, the series of devastating hurricanes did illustrate another emergency management lesson, Rhulen says: proper disaster preparedness and response means planning for multiple disasters, not just one. "It's one of the most important things to account for—when you are doing business continuity and disaster planning, in general, you should assume multiple events," Rhulen says.  </p><p>Indeed, Hauer says that's a critical element of disaster response management—planning for the potential second- and third-level disasters. "We did that on a regular basis, both when I was in federal government and on the city level," Hauer says. 
"You can't just say we have flooding, and say how you deal with the flooding, but also how you will deal with the secondary effects, such as the health effects." </p><p>For example, during Hurricane Sandy, mosquitoes used overflowing reservoirs as a breeding ground, running the risk of the spread of West Nile virus. Similarly, after Hurricane Harvey, flooding in Houston raised the risk of health issues stemming from human contact with floodwater, which can harbor bacteria, viruses, and fungi.</p><p>Potential health risks like this mean that environmental experts from groups like the U.S. Army Corps of Engineers should be "part of the process" in disaster preparation, Hauer says. It is also important that hospitals take seriously the requirement to hold emergency exercises and drills. "Some take it seriously, but some don't, and they just go through the motions," he explains. And whether it be a locality or a state, drills by emergency personnel should be critiqued by elected officials who should ask some "tough questions" afterward, he adds.  </p><p>Another challenge in dealing with cascading disasters is that "the first crisis lowers your ability to perform all of the functions that you normally perform," Rhulen says. For example, a fire that destroys some computer hardware can hinder a company's efforts to protect itself from cyberattacks. And storm damage can increase vulnerability to thievery or other types of criminal activity. "You automatically have to bump up security," Rhulen says. </p><p>In addition, resources are finite, so in the case of responding to Hurricane Harvey's effects in Texas, "it stretches resources to the point where you are way behind, and near the breaking point," Rhulen explains. This could hamper the response to any disaster that happens in the near future. "It makes their overall exposure for the next year go up dramatically," he says.   
</p><p>Given that government resources were stretched thin by the double blow of Harvey and Irma, the active volunteer response during the storms was especially critical and "really impressive," Rhulen says. These volunteers, ranging in scope from formal groups to neighbors helping neighbors, beefed up a responder workforce that would have been inadequate without them. "People need to understand—you're really your own first responder," he says.  </p><p>In the future, the unprecedented hurricane season of 2017 may be looked upon for another historically significant feature. It elicited an unusual type of response—and one that may serve as a closely watched model of resiliency planning in the future—by the island nation of Dominica.</p><p>Maria was the worst natural disaster in the country's recorded history. With sustained winds of nearly 160 miles per hour, the storm made landfall on September 19, 2017, as a Category 5 hurricane, forcing the majority of the country's 72,000 residents into homelessness and leaving the island without communication for more than 30 hours. More than 90 percent of the population was left without food, power, or shelter.</p><p>In the wake of this devastation, Prime Minister Roosevelt Skerrit said that he does not want to build on old vulnerabilities, but instead develop a targeted resilience strategy so that Dominica becomes the first "climate resilient" nation. "Our desire [is] to be the captains of our fate, and to choose the shape of our recovery," Skerrit said in a statement after the storm.  </p><p>To do so, Dominica would have to rebuild so that its infrastructure could withstand the type of extreme weather events that may become more common due to climate change. Exactly how the country would do that, and how it could fund such an undertaking, is not yet clear. But Dominican officials are appealing to global organizations for future assistance, and they say that they may have some international partners in their venture. 
</p><p>"The World Bank and European Development Agency have pledged considerable sums to back our vision as the first climate resilient nation of the climate change era," Skerrit said in a recent address to the United Nations General Assembly. "To deny climate change is to procrastinate while the earth sinks." ​</p>
<h4>Whistleblowing: Money v. Motivation.</h4><p>https://sm.asisonline.org/Pages/Whistleblowing---Money-v-Motivation.aspx (National Security)</p><p>Let's say, as a hypothetical, that a U.S. Internal Revenue Service (IRS) employee blows the whistle on a fraud scheme, which allows the agency to recover $3.4 million in revenue that would have otherwise been lost. Under the agency's Whistleblower Informant Award program, that employee may be entitled to receive a cool $1 million reward.</p><p>Other U.S. federal agencies, as well as some private sector companies, offer similar financial rewards in their whistleblowing programs, although the amounts and eligibility conditions differ. Some of them have a minimum threshold. For example, the Whistleblower Informant Award program at the IRS requires that the amount in dispute must be at least $2 million before a reward is paid. </p><p>The goal of these financial incentives is to encourage the reporting of unethical and illegal activity, and the financial rewards may seem like an attractive incentive. But a group of academics wondered if the incentives could lead to unintended consequences, in accordance with the behavioral theory of motivational crowding.</p><p>Motivational crowding describes how, in certain contexts, extrinsic motivators can also act as disincentives by hijacking one's intrinsic motivation. Under this theory, a sizable financial reward can shift a whistleblower's motivation—instead of reporting on fraud because it's the right thing to do morally, the whistleblower becomes motivated primarily by the financial gain of the reward. 
Although there may be nothing wrong with that type of motivation per se, in situations when reporting wrongdoing will not result in a financial reward, a potential whistleblower motivated by money might be less likely to report.</p><p>And so, in <em>Hijacking the Moral Imperative: How Financial Incentives Can Discourage Whistleblower Reporting</em>, researchers Leslie Berger, Stephen Perreault, and James Wainberg conducted a study of 166 graduate accounting students, presenting them with various scenarios and vignettes. The responses were measured and studied.   </p><p>The results were consistent with the researchers' predictions. Study participants assessed a higher likelihood that fraud would be reported in situations where the whistleblower would receive a financial reward. This result suggested that financial rewards can be an effective mechanism to encourage whistleblowing in certain contexts.</p><p>But the study also found that when the size of the fraud was less than the prescribed minimum threshold in the whistleblower program, participants assessed a lower likelihood that the fraud would be reported in a timely manner. "As such, we demonstrate that including a minimum threshold feature in whistleblower reporting programs can unwittingly inhibit the timely reporting of smaller frauds," the authors write.  </p><p>This is not good news, the authors conclude. "This finding is especially problematic since the early detection of fraud is a critical factor in minimizing potential damages and securing access to evidence," the authors write.</p>
<h4>Evolving Biothreats</h4><p>https://sm.asisonline.org/Pages/Evolving-Biothreats.aspx (National Security)</p><p>Chikungunya. Enterovirus. Cyclosporiasis. MERS. Ebola. Zika. Those are just a few of the outbreaks the United States has experienced over the past five years, according to the U.S. Centers for Disease Control and Prevention (CDC). And that doesn't include the dozens of foodborne outbreaks or diseases affecting pets and livestock that spread across the country each year.</p><p>These diseases not only take a toll on public health, the global food supply, and the agricultural sector, but they can be a threat to national security, according to the U.S. Government Accountability Office (GAO). Infectious diseases are spreading faster and emerging more rapidly than ever before, and nonstate actors continue to advocate for the use of biological weapons. </p><p>Despite being more than 15 years removed from the anthrax attacks that advanced the United States' biodefense posture, naturally occurring and manmade biological threats continue to pose a "catastrophic danger" to the country. But the national biodefense approach has not evolved with the emerging threats, according to a new GAO report.</p><p>"Biodefense is fragmented across the federal government, and we've reported in the past that there are more than two dozen presidentially appointed individuals with biodefense responsibilities," says Christopher Currie, director of emergency management, national preparedness, and critical infrastructure protection at GAO. Currie was the lead author of the recent GAO report, Biodefense: Federal Efforts to Develop Biological Threat Awareness. </p><p>GAO has reported on the agencies and programs that oversee the nation's biodefense for years, tracking programs such as BioWatch and laboratories containing hazardous pathogens. 
Currie acknowledges that the country's biodefense landscape is complex due to the number of agencies involved and the breadth of threats. </p><p>"Each federal department has its own appropriations, own congressional oversight, and frankly its own world of stakeholders it deals with," he tells Security Management. "It's very difficult to make decisions across all of those on priorities when they are so separated. And everyone is involved to a different extent."</p><p>The GAO report takes a detailed look at the role of each of the key biodefense agencies—the U.S. Departments of Homeland Security (DHS), Defense (DoD), Agriculture (USDA), Health and Human Services (HHS), and the Environmental Protection Agency (EPA)—and how they develop and report biological threat awareness. </p><p>"Part of the reason we did this was just to show and describe to people what is going on, because it's difficult to understand across all these agencies who does what and why," Currie says. "The goal of this was to get in there and understand behind the scenes what all the federal departments are doing to identify the risks and threats that would lead on to next steps of prevention and protection. That might inform what countermeasures you develop, what detection technologies you develop, and so on."</p><p>While each of the agencies plays an important role in managing biothreats in their sector, the lack of an overarching strategy makes it more difficult to get a well-rounded picture of emerging threats and how the agencies plan to respond.</p><p>"One of the things we talk about in this threat report is that clearly there's a lot of formal and informal coordinating and communication between these departments," Currie says. "The problem is, how does that translate into an overall prioritized strategy? 
That's where I think the efforts kind of stop, and it's vague what the government's overall strategy and goals are."</p><p>Currie points to the spread of Ebola to the United States in 2014 as illustrative of the lack of a united strategy. After a series of missteps at a Dallas hospital left one man dead of the disease and two nurses infected, the federal government called for procedural reviews and the CDC promised to deploy rapid response teams to future possible Ebola cases.</p><p>"You saw this with Ebola—the White House counsel tends to get very involved when these kinds of instances and crises happen. They immediately stand up these ad hoc groups to coordinate the response effort, but those quickly go away once the paranoia and panic dies down and we go back to the status quo," Currie explains. "That's a great example of why we're asking these questions about who's in charge. Is it CDC? DHS? The White House? Who's in charge of communicating to the public?"</p><p>GAO asked this question in a 2015 report on the fragmented biodefense enterprise, but not much has changed since then. The Blue Ribbon Study Panel on Biodefense, which is made up of former government officials and academic experts and analyzes the country's defense capabilities against biological threats, also came out with a 2015 report condemning the lack of federal leadership in the biodefense sector. The panel's primary recommendation was for the U.S. president to appoint the vice president as the leader of federal biodefense efforts. "This is the single best action the Administration can take to resolve the continued challenges in biodefense," the panel states. "The ad hoc implementation of our other recommendations in the absence of this leadership will only result in more of the same uncoordinated effort."</p><p>The panel continues to call for implementation of its action items, noting the "limited progress" that has been made since the 2015 report. 
"The federal government could have—and should have—completed 46 of the action items associated with our recommendations within one year," the panel states in a December 2016 assessment of federal efforts. "In the year since we published the Blueprint for Biodefense, the government made some progress on 17 of these, but only completed two."</p><p>Currie says he has not spoken directly with the current administration on whether it intends to make any changes in how biodefense is approached, but notes that the 2017 National Defense Authorization Act requires the key agencies to develop a national biodefense strategy. Currie says he's optimistic that the requirement will encourage the DoD, HHS, DHS, and USDA "to actually do what we've been saying for a few years now." The strategy was due to congressional committees in September 2017, but as of mid-November Currie says the process was still under way within the government. GAO will review the strategy once it is available and determine whether it addresses shared threat awareness.</p><p>"I know they are working on it, clearly there is someone in the administration that's focused on it, but I don't know a lot about where this falls in terms of priority for this administration versus other threats like cybersecurity or countering violent extremism," Currie notes. "That's the part that is unknown."</p><p>Currie acknowledges that President Trump has proposed budget cuts within the different key agencies that may affect biodefense research and preparedness, but it is unclear whether Congress will approve those cuts. He points out that without an overarching strategy, it is more challenging to make sure the right agencies have the right funding.</p><p>"It does raise questions about how big a priority the biothreat part is for each of these agencies," Currie says. "What does the administration think about DHS's role in this versus what other agencies are doing? 
That's part of the problem with this, we really don't know how eliminating what one organization or department does will affect the entire enterprise because it's so fragmented."</p><p>Meanwhile, biological threats continue to spread, and there is no singular platform to track them all. The CDC and USDA websites each have different lists of foodborne outbreaks and recalls. The description of DHS's role in biological security is found under a "Preventing Terrorism" section and does not list any current threats or prevention activities. A search for DoD biological security efforts leads to an acronym-heavy webpage that was last updated in 2014. And, in other parts of the world, European Union member states are seeking funding to study the rapidly spreading African swine fever, which is infecting livestock, by declaring it a global health security threat. </p><p>"Ultimately, we've seen a lot of different strategies come out over the years about pieces of biodefense and surveillance," Currie says. "It's one thing to have a strategy, but you have to have the execution and implementation plan for the strategy. Departments have to be clear about what they are supposed to be doing, and there has to be some sort of accountability, and that's a big question: Who's going to be ultimately accountable and who are the departments going to answer to in actually implementing and executing the strategy? I'm hopeful that the strategy will address that issue, because without that it's going to be difficult across such a big enterprise to implement."</p>
<h4>Chase: Leading Through Change</h4><p>https://sm.asisonline.org/Pages/Chase-Leading-Through-Change.aspx (Strategic Security)</p><p><em><strong>Q. </strong>How did your career aspirations lead you to the security industry?</em></p><p><strong>A. </strong>Post 9/11, I was asked by the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF), a law enforcement agency within the U.S. Department of Justice, to lead an effort to centralize the various security functions within the organization. At the time, these disciplines were spread throughout the different divisions with several of the programs requiring a more robust application. I came into this new role with more than 20 years of law enforcement experience and I thought I knew all there was to know about security management. A presumption that was quickly brought to rest!</p><p>To increase my knowledge base, I began to engage with other members of ASIS International to learn more about the private security sector and evaluate the efficacy of security systems and processes within the ATF. My experiences led to changes at the ATF. The agency's new headquarters building was the first to incorporate the new U.S. General Services Administration's security requirements resulting from the Oklahoma City Bombing. The ATF also adopted the new Chief Security Officer (CSO) construct within the executive management team. </p><p><strong><em>Q. </em></strong><em>Why did you decide to volunteer some of your personal time to assist ASIS?</em></p><p><strong>A.</strong> I wish I could say that I give back to the organization more than I receive, however that has not been my experience.</p><p>ASIS International has always been at the center of my individual development, as both a security practitioner and a manager. 
From the training seminars where I learned valuable information and met security professionals who were willing to share their experiences and best practices, to the rigorous preparation for the board certifications, this has always been true. All have profoundly influenced my ability to contribute to all aspects of my company's operations and, most importantly, the organization's overall growth and profitability.</p><p><strong><em>Q. </em></strong><em>What are a few of ASIS's current strong points as a professional society?</em></p><p><strong>A. </strong>The Society's greatest strengths continue to be the technical and geographical diversity of our membership and the "can do" attitude of our vast network of volunteer leaders.     </p><p>Although ASIS represents a variety of different industries and countries, we still tend to speak the same security language while nurturing and promoting the value of professional expertise. Our volunteer leaders throughout the world are second to none and represent a critical resource that has yet to be fully harnessed.</p><p>The annual seminar is also one of ASIS's great assets. Last year's event in Dallas was proof that participants will return home smarter, with a more substantial peer network and more exposure to the industry's most current product and service innovations. It will be the most important week of the security professional's year.  </p><p><strong><em>Q.</em></strong><em> How do you hope to see ASIS evolve in the next few years?</em> </p><p><strong>A.</strong> In an environment where the business topography is constantly changing, our success as an organization is directly aligned with our continuous ability to provide cutting-edge products and services that add a high value and a broad application to the membership.  </p><p>As we all routinely experience in both our professional and personal lives, success is not something that just happens; it requires a plan and sound execution. 
Simply stated, my hope as we progress forward is that you will see a more agile and adaptable organization grounded by a strategic planning process, a process that fosters initiatives that are designed to identify the risks to our industry, assess their impact, contrast that to the cost of prevention, and then develop appropriate strategies for the future.</p><p>Fortunately, 2017 President Tom Langer, CPP, made that construct the centerpiece of his tenure on the Board. CEO Peter O'Neil, CAE, provided experience and leadership around staff implementation to support Tom's vision, so the Society is better positioned to identify and forecast the next opportunities on the horizon.</p><p>Those opportunities are already emerging, with the rebranding of our premier event, the Annual Seminar and Exhibits. For more than 60 years, ASIS has provided education, networking, and access to cutting-edge technologies through the seminar. It is gratifying to see such a respected event move to the next level. This year's event in Las Vegas, Nevada, from September 23 to 27 will embody ASIS's commitment to bringing thousands of industry leaders from across the globe together for the most comprehensive security event in the world.</p><p><strong><em>Q. </em></strong><em>ASIS currently has international members, but how can it grow into a truly global organization?</em></p><p><strong>A.</strong> The Board and staff recognize that our prevailing operating model is obsolete and no longer aligns with the structural changes that have taken place in the global environment. Through O'Neil's leadership, much has been accomplished this past year in the area of organizational development in an effort to enhance the alignment of ASIS functions and services to meet the challenges of current and emerging membership markets. 
</p><p>Additionally, the findings and recommendations of an ad hoc working group, led by board member John Petruzzi, CPP, which focused on the expansion of the Society's international presence, have been incorporated into the latest ASIS International strategic plan. </p><p><strong><em>Q. </em></strong><em>Will security managers of the future primarily be risk managers, business drivers, or something else?</em></p><p><strong>A. </strong>The security professional of the future will be well versed in all of the above and then some!</p><p>Hopefully by now you have started to hear the buzz around enterprise security risk management (ESRM), a philosophy and practice that leverages a comprehensive management process to effectively address security risks across the enterprise. </p><p>By leveraging the expertise of our volunteer leaders, ASIS International is now strategically positioned to be at the forefront for the promulgation of ESRM training and guidelines. I would encourage the members to take advantage of the various ESRM training deliveries during the annual seminar and exhibits.</p><p>ASIS International and the cadre of volunteers continue to provide the framework for success, now and into the future. Take advantage of this great opportunity and get involved!</p>
https://sm.asisonline.org/Pages/Happy-Holidays-from-Security-Management.aspx Happy Holidays from Security Management [Security by Industry]<p>The <em>Security Management</em> team wishes you a happy holidays! Our office is closed from Monday, December 25 through Monday, January 1. Come back January 2nd to see new updated content. </p>
https://sm.asisonline.org/Pages/EVACUACIONES-EN-EMBAJADAS.aspx EMBASSY EVACUATIONS [National Security]<p>There is no shortage of threats at the 307 embassies that the United States of America has around the world. During the four-year fiscal period 2013-2016, the Department of State (DoS) evacuated staff and their families from 23 embassies because of episodes of civil unrest, terrorism, and natural disasters, according to a recent report by the Government Accountability Office (GAO).</p><p>Two of these 23 overseas posts were evacuated three times during this period: Adana, Turkey; and Bamako, Mali. Four were evacuated twice: Bujumbura, Burundi; Juba, South Sudan; Sanaa, Yemen; and Tripoli, Libya. The rest were evacuated only once.</p><p>To prepare for these crises, embassies are required to keep an Emergency Action Plan (EAP) up to date and to conduct nine types of drills during each fiscal year, including responses to active shooters, bomb threats, and chemical and biological incidents.</p><p>But according to the report, Embassy Evacuations: The Department of State Should Take Steps to Improve Emergency Preparedness, these requirements are not always met. "We found significant gaps in emergency preparedness," the report says.</p><p>On average, the GAO found that overseas posts completed only about 52% of the required drills. And a review of the EAPs at 20 posts concluded that only two had updated the plan's key sections.</p><p>"The GAO also found that EAPs are seen as lengthy and cumbersome documents that are not immediately useful in emergency situations," the report explains. 
"Taken together, all the gaps in the Department of State's evacuation and crisis preparedness increase the risk that embassy staff will not be sufficiently prepared to handle emergency or crisis situations."</p><p>Given these findings, the GAO recommended that the U.S. Secretary of State:</p><p>• Take additional measures to ensure that embassies complete annual updates of their Emergency Action Plans within the required time frames, such as identifying the posts that are behind schedule and following up until they comply.</p><p>• Establish a monitoring and follow-up process to ensure that the DoS evaluates and documents the review of the EAPs' key sections.</p><p>• Take action to make EAPs immediately useful during emergency situations. For example, a simplified version of the plans could be developed for use by overseas posts.</p><p>• Take measures to ensure that overseas posts complete, and report the completion of, the required drills within the established deadlines.</p><p>• Act to ensure that overseas posts complete and submit lessons-learned and evacuation follow-up reports to the Department of State for analysis.</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. Security Management is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Embassy-Evacuations.aspx" target="_blank"><em>original English version here.</em></a></p>
https://sm.asisonline.org/Pages/European-Salary-Survey-2017.aspx European Salary Survey 2017 [Strategic Security]<p>SSR Personnel annually surveys as many as 12,000 security professionals in Asia, Europe, and the Middle East to uncover trends in the field. This year, with support from ASIS Europe, SSR organized direct online mailing to more than 5,000 security professionals in Europe, with a higher-than-expected 10 percent return rate. In this year's European results, 70 percent of respondents held a regional security role, and respondents represented a broad slice of the private sector, including financial services, manufacturing, pharmaceuticals, retail, leisure, and logistics. </p><p>Taking into account the diversity of countries in Europe, SSR analysts then undertook a review of all client-submitted salary grades and total compensation (TC) schemes. For a number of companies, these provide a variable cash alternative that employees can opt to take. </p><p>This is especially important because up to 4 percent of TC can be in the form of car/travel allowances in some countries, while in others this is not a recognized component of TC. In Northern Europe employer pension contributions are considered a key TC factor, as are share options and company performance bonuses. At the senior grades, individual wealth generation is contained within an executive long-term incentive plan (LTIP). Reflecting the growing importance of the security profession, leadership grades have over the past five years increasingly reached a level of management seniority that qualifies them for inclusion in such plans; this can increase TC by an average of 50 percent. </p><p><strong>Background</strong></p><p>In the 28 countries of the European Union, the average hourly labor rate is $29.80 in U.S. dollars, yet this average masks the great disparity in pay from country to country. 
Pay rates can be $3.80 in Romania, Hungary, and Bulgaria, while in Macedonia, average hourly pay falls to less than $2.50. </p><p>A 2016 report from the Organization for Economic Co-operation and Development stated that real wages—income from work adjusted for inflation—in the past 10 years had grown by 23 percent in Poland, 13.9 percent in Germany, and 6.4 percent in the United States. Earnings in the United Kingdom had fallen 10 percent in real terms, a larger decline than any other advanced country apart from Greece. </p><p>Over the past six years, near-shoring of back-of-house roles to countries such as Hungary, Romania, and Bulgaria has overtaken the previous thrust of corporate off-shoring to India. Turkey is forecast to experience pay increases of up to 9.0 percent. However, workers will still feel a squeeze on income because local inflation is predicted to be 8.9 percent due in part to the failed coup. </p><p>The outlook for 2017–18 remains positive for workers in France and Germany with a real wage increase of 1.7 percent and 2.7 percent, respectively. The picture is similar in Greece, where despite economic issues, salaries are set to increase 2 percent, with deflation leading to real wage rises. In the United Kingdom, the Retail Price Index inflation since Brexit nearly doubled to 3.4 percent, causing a reduction in workers' take-home pay.  </p><p><strong>Results</strong></p><p>Wages increased across European security management roles by 3.4 percent in the past year in most of the larger economies (Germany, Nordics, France, and the United Kingdom). In general terms, salary increases in the private security sector across Europe are above the average increases for workers, with noticeable increases for cyber professionals, linguistic analysts, and forensic data roles. 
Based on five bespoke security salary reviews undertaken by the SSR Consultancy for major corporations in 2016–17, the company has seen an outcome that recommended on average a 20-percent salary increase as a result of existing workers' skills evaluations. </p><p>More than 16 percent of respondents reported they had achieved pay increases of more than 20 percent by changing their jobs in the past year. Of the respondents, the 24 percent with double-digit salary increases had been repositioned due to the increased risks that they were now managing. </p><p>Since 2011, companies have in general invested in their in-house security management teams. Recruitment freezes have meant fewer people are undertaking more complex tasks. So although costs were being trimmed, talent development budgets were maintained, allowing for the ongoing training of employees. An example of savings generated by this approach was one corporation's reduction in external legal support: it cross-trained its security executives as legal executives, so they could manage prosecution case reviews before handing them over to lawyers for court. </p><p>Within the European Union, average annual earnings can be as low as $5,000 per year; yet 300 miles away, an average middle management annual salary can be more than $95,000. In 2011, a security manager's pay in Poland would have been about 45 percent of one based in London or Berlin, but through consistent year-on-year pay inflation, the Polish professional's cost would now be 75 percent of the comparable British or German worker's. </p><p>In general workforce surveys, the number of people looking for or considering looking for another job has tripled over the past 10 years. Much of this is driven by workers from the millennial generation, who are comfortable with a matrix management hierarchy. They are working in roles that manage security within complex knowledge-based economies. This population generally has fluency in English or German. 
</p><p><strong>Convergence </strong></p><p>Corporate boards of directors believe that convergence will save their companies many dollars. This is a great disservice to those employees who are opening, closing, and barricading doors against an army of risks from outside the corporation and from the insider. In the security profession there is competition, in some organizations, between the information and physical aspects of the function. According to the majority of survey respondents, the physical security executives, speaking the language of the business, could articulate threats to the C-suite. Organizations that lacked that continuity, or perhaps did not have a significant security leader, have filled the gap with a third-party vendor. </p><p>While digital transformation fuels the focus for investment, security of information is evolving faster than ever before. The Alpha workforce, the children of today, will be tech savvy. New and disruptive technologies will reach a maturity not seen to date, and the rapid growth in the use of outsourced services may also add to corporate vulnerabilities. </p><p>Contracts for third-party information security vendors in 2016 were worth approximately $10 billion, and governments were major purchasers. Predicted growth for this market segment is expected to reach $33 billion by 2025. Another area of burgeoning growth is the compliance sector, which costs corporations $20 billion per year. </p><p>The Hiscox Cyber Readiness Report 2017 estimated that "cybercrime costs the global economy over $450 billion…and yet 53 percent of businesses in the U.S., U.K., and Germany are not prepared." Hence in the past five years, cybersecurity jobs have greatly increased, and entry-level talent starts at salaries from $35,000. </p><p>In enlightened corporations, security is seen as an important lead in business operations, a profit protector, a resilience leader, an enabler, and a partner to the enterprise. 
In Europe the CSO role can attract total packages (including an LTIP) of more than $650,000, an increase of 27 percent in the last five years. </p><p><img src="/ASIS%20SM%20Article%20Images/chart1.jpg" alt="" style="margin:5px;width:930px;" /></p><p><img src="/ASIS%20SM%20Article%20Images/chart2.jpg" alt="" style="margin:5px;width:930px;" /></p><p><img src="/ASIS%20SM%20Article%20Images/chart3.jpg" alt="" style="margin:5px;width:930px;" /></p><p><img src="/ASIS%20SM%20Article%20Images/chart4.jpg" alt="" style="margin:5px;width:930px;" /></p><p><em>Peter French, CPP, MBE (Member of the British Empire), is managing director of SSR Personnel, a recruitment consultancy dedicated to the security, fire, health, and safety sectors that operates in 20 countries around the world. French was chair of the European Advisory Council for ASIS International from 2008 to 2016 and now co-chairs the EU Liaison subcommittee.</em></p>
https://sm.asisonline.org/Pages/SESION-DE-PREGUNTAS-Y-RESPUESTAS-ROBO-INTERNO-ESPANOL.aspx Q&A SESSION: INTERNAL THEFT [Physical Security]<p style="text-align:justify;">Marianna Perry, CPP, security consultant at <em>Loss Prevention and Safety Management LLC</em>, discusses how companies can prevent internal theft of their physical and digital assets.</p><p style="text-align:justify;"><strong>Q.</strong> <em>What steps can employers take to prevent internal theft?</em></p><p style="text-align:justify;"><strong>A.</strong> Among the most important things an employer can do is hire the right people: honest employees. This sounds very simple, but steps in the hiring process are often cut short. In addition to multiple interviews, employers should carry out thorough background investigations, which may include criminal background checks as well as education and reference checks. Some personality tests can indicate whether the applicant would be a good fit for the company. Every employer should have clear policies to deter theft, and employees should know that if they steal, they will be prosecuted. 
It is also a good idea to have a hotline through which employees can anonymously report suspicious behavior, or an actual theft, by another employee.</p><p style="text-align:justify;"><strong>Q.</strong> <em>What about security practices?</em></p><p style="text-align:justify;"><strong>A.</strong> Traditionally, stores have used common practices such as comparing physical inventory with receiving and sales records, auditing cash and payroll records, locking emergency exit doors, installing video surveillance systems, and using security devices to mark and tag inventory. Training employees to recognize the behavioral traits typical of thieves is also essential to deterring theft. Business policies and procedures should be reevaluated regularly and communicated to staff. Best practices include daily bank deposits made by two employees, inspection of shipping and delivery documents, inventory managed by an outside vendor, verification of time worked against payroll records, matching bank deposits to cash receipts, and reconciliation of the monthly bank statement.</p><p style="text-align:justify;"><strong>Q.</strong> <em>How can employers prevent insiders from tampering with personal information?</em></p><p style="text-align:justify;"><strong>A.</strong> A risk analysis can help identify potential vulnerabilities in the computer system, whether by studying threats from employees who know full well that they have access to the gold mine that is personally identifiable information (PII), or unintentional theft that can be caused by a "bring your own device" (BYOD) policy. 
Many workers can access PII without any evidence of intrusion into their company's information systems. High turnover and the presence of staff who do not go through effective vetting processes increase the likelihood of internal theft. Access to data files should be restricted, controlled, and monitored. Senior management should have the login information and passwords of all employees. Organizations need to apply a holistic approach to security, integrating information security with physical security.</p><p style="text-align:justify;"><strong>Q.</strong> <em>Should an employer confront an employee about a theft? Are there any legal concerns?</em></p><p style="text-align:justify;"><strong>A.</strong> If an employee is going to be confronted about a theft, make sure there is sufficient evidence to back up the suspicions. Never use entrapment techniques to persuade a worker to steal. It is important not to threaten the employee while he or she is under suspicion, and to have a witness present (preferably a member of management) while speaking with the employee. Ask the employee how the theft occurred, whether any other staff member is involved, and whether the money or property can be returned. Any theft that occurs should be reported to law enforcement with supporting documentation from the company.</p><p><em>The translation of this article is provided as a courtesy by Ari Yacianci. Security Management is not responsible for errors in translation. Readers can refer to the </em><a href="/Pages/Employee-Theft.aspx" target="_blank"><em>original English version here</em></a><em>.</em></p>
https://sm.asisonline.org/Pages/Held-Hostage-.aspx Held Hostage [Cybersecurity]<p>Most ransomware demands lean towards the lower end of the scale to encourage victims to pay. But that was not the case when cyber criminals targeted South Korean Web-hosting company Nayana and demanded an initial ransom payment of roughly $4.4 million.</p><p>The attackers had leveraged a variant of Erebus ransomware that exploits a flaw in the Linux operating system, which Nayana used, according to a blog post by security firm Trend Micro. After assessing the ransomware, Nayana was able to negotiate with the attackers to lower the ransom to decrypt its files to approximately $1 million, still an astronomical amount in the world of ransomware payments.</p><p>"It was a huge sum of money; you normally get $200 to $2,000 per machine being asked for," says Michael Marriott, a research analyst at Digital Shadows. "The chief actor really targeted its approach to this organization."</p><p>And this is a trend that organizations can expect moving forward as ransomware continues to be the most prevalent form of malware spreading across the globe, because people continue to pay ransoms. </p><p>Organizations make their own decisions based on what makes sense for them, Marriott explains. "In the Nayana case, it really makes you think, if threat actors see that, they're going to be quite spurred on to target specific organizations."</p><p>Ransomware, sometimes called cryptoware, is malware that encrypts a user's files and then demands payment to decrypt them. 
It is not new to the scene and gained widespread awareness following a string of highly visible campaigns in early 2017 with the WannaCry and NotPetya ransomware attacks.</p><p>In fact, EUROPOL considers ransomware to be the "most prominent malware threat," surpassing data stealing malware and banking Trojans, according to its 2016 Internet Organised Crime Threat Assessment. </p><p>"Whereas each variant has its own unique properties, many are adopting similar anonymization strategies, such as using Tor or I2P for communication, and business models offering free test file decryptions to demonstrate their intentions," the assessment said. "While most traditional and 'commercially available' data stealing malware targets desktop Windows users, there are many more applicable targets for ransomware, from individual users' devices, to networks within industry, healthcare, or even government."</p><h4>Ransomware Basics</h4><p>On an average day in 2016, more than 4,000 ransomware attacks occurred, a 300 percent increase over the approximately 1,000 attacks per day in 2015, according to a U.S. government interagency report issued early in 2017.</p><p>The report, Protecting Your Networks from Ransomware, was crafted by several government agencies, including the U.S. National Security Agency (NSA), the U.S. Department of Homeland Security (DHS), the FBI, and the CIA, to inform CIOs and CISOs at critical infrastructure entities about ransomware and how to best respond to it.</p><p>"Since 2012 when...ransomware variants first emerged, ransomware variants have become more sophisticated and destructive," the interagency report said. 
"Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers."</p><p>Ransomware authors also continue to improve ransomware by using Tor—a free software for anonymous communication—and Bitcoin to collect ransom payments. In March when the report was released, the top five ransomware variants targeting U.S. companies and individuals were CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky.</p><p>CryptoWall, for instance, was the first ransomware that accepted ransom payments only in Bitcoin, with ransoms ranging from $200 to $10,000.</p><p>"Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world," the report said. "Between April 2014 and June 2015, [the Internet Computer Crime Center] received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million."</p><p>While these were the top ransomware variants at the time the report was compiled, new variants are being created on a regular basis. </p><p>One of those is the WannaCry ransomware, which spread across the globe by leveraging a vulnerability allegedly discovered and used by the NSA to infiltrate targets. The vulnerability, called EternalBlue, exploited a component within Microsoft Windows, says Eldon Sprickerhoff, founder and chief security strategist at cybersecurity firm eSentire.</p><p>A group of hackers, dubbed the Shadow Brokers, claimed that it stole EternalBlue from the NSA and leaked it online in the spring of 2017. In response, Sprickerhoff says Microsoft issued a "megapatch to close up the hole." </p><p>But not everyone who should have patched did, and in May 2017 hackers exploited that vulnerability on unpatched systems to spread WannaCry ransomware across the globe to infect approximately 200,000 computers. 
</p><p>"I call it Amazonian evolution," Sprickerhoff says. "There's nothing that is propagating and evolving as quickly as the ransomware category. There's no chance this will stop. We're seeing, I think, the biggest threat from a malware perspective."</p><p>While ransomware is a threat to all businesses, it hits small and medium-sized businesses especially hard. In its second annual survey, cybersecurity firm Malwarebytes Labs surveyed 1,054 small to medium-sized businesses in Australia, France, Germany, Singapore, the United Kingdom, and the United States about their experiences with ransomware.</p><p>"Among small to mid-sized organizations that have experienced a successful infiltration of the corporate network by ransomware, 22 percent reported that they had to cease business operations immediately, and 15 percent lost revenue," the survey said. "In a similar study conducted last year among businesses of all sizes, only 19 percent of enterprises had to cease operations immediately."</p><p>It's not the ransom, however, that is so devastating for smaller organizations—it's the downtime. Malwarebytes found that most ransoms were $1,000 or less, but that "for roughly one in six impacted organizations, a ransomware infection caused 25 or more hours of downtime, with some organizations reporting that it caused systems to be down for more than 100 hours," the survey explained. Nine percent of those surveyed reported only up to one hour of downtime.</p><p>Adam Kujawa, director of malware intelligence for Malwarebytes, says that ceasing their operations has a major impact on small to medium-sized businesses, and that downtime can make recovering from a ransomware attack more expensive for them. </p><p>"Larger enterprises should have some kind of redundancy, so downtime isn't a huge factor," he explains. 
"But when you think about big organizations that deal with millions of customers, they plan for things like power outages, natural disasters; they should have something in place to make sure their operations don't completely shut down because there's bad weather in the area."</p><p>But many smaller businesses don't have the resources, financial or staff, to put such contingency plans in place. Small to medium-sized businesses "don't have the resources to protect themselves as well as large organizations do, or to recover from an attack," Kujawa adds. </p><p>"A small business that deals with health records or financial information could not only lose face with customers but could also end up dealing with government penalties for allowing their data to be stolen, as the result of a ransomware attack."</p><h4>The Hackers</h4><p>Ransomware was first used in 1989. In 2016 Symantec detected a 36 percent increase from 2015 in ransomware infections, with the number of new ransomware families uncovered more than tripling to 101, according to its Internet Security Threat Report. </p><p>"Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $249 a year earlier," the report said. "Attackers have honed a business model that usually involves malware hidden in innocuous emails, unbreakable encryption, and anonymous ransom payment involving cryptocurrencies. The success of this business model has seen a growing number of attackers jump on the bandwagon."</p><p>However, that doesn't mean that all attackers are created equal, Marriott says.</p><p>"A lot of it comes down to people's level of skill," he explains. 
Open source ransomware is widely available and doesn't cost anything, "and you might see people releasing a variant based off that and they've tweaked a few things, but it's largely based on stuff that's already out there so it's not massively innovative."</p><p>Then you have the attackers who use the ransomware-as-a-service model. These attackers can't create their own infrastructure to support the ransomware and collect ransom payments.</p><p>"It's not quite as simple as getting ransomware into a computer and then you make money," Marriott says. Instead, attackers need to have the ransomware, somewhere to host their payment site that's resilient to attacks, and a way to cash out the money after a ransom is paid.</p><p>Attackers using ransomware as a service pay someone else to set this infrastructure up for them, to make it a more affordable criminal enterprise. And the service models have drastically improved over the past few years to make them more attractive and easier to use.</p><p>"You've got pre-filled fields, so you can say, 'I want this message. I want to charge this amount of money,' and the more advanced ransomware as a service will even let you specify where you want to send it," Marriott says. "You can see which targets you've hit, your successes, and your payouts all in one savvy dashboard, with customer support."</p><p>The elite ransomware attackers, such as those behind the Cerber or Spora ransomware variants, have their own infrastructure. These attackers operate their own campaigns and sell their versions of ransomware as a service to other attackers. </p><p>"It's not just your traditional ransomware," Marriott says. "You're also making it available as ransomware as a service, and you've got a nice user interface, customer support. 
It's very appealing to people because it's all in one place, and it's backed by a team that is constantly developing and improving the variants to get ahead of the people who are creating decryption keys."</p><p>These attackers are also agile at incorporating new exploits as they are released to target new victims and generate more revenue. </p><p>"What makes a really good ransomware variant is how quickly you have ways to deploy it," Marriott explains. "If you can have it all in one, not only will it be a type of encryption that's very hard to break but you've got a large array of people to send spam emails to, exploit kits you can use to get into networks, and all those things will make it a more successful variant."</p><h4>Motivations</h4><p>Cyber criminals who use ransomware can turn a profit, which is a major incentive to use the malware on targets. Some hackers are also using ransomware as another method to monetize data that's being breached for a separate purpose.</p><p>One example of this was a banking Trojan called Gameover Zeus. Its primary purpose was to find financial information on a victim's computer to gain access to his or her bank accounts. If the Trojan didn't find that information, however, it would install CryptoLocker to encrypt the victim's computer files and then demand a ransom for them.</p><p>The hackers took the approach of "can I make money this way? If not, let's just encrypt stuff and see what happens, we can maybe get a bit of money out of it," Marriott explains. "Criminals want to make money from data, and it's not necessarily siloed into one tactic. They'll take different tactics to monetize that data."</p><p>There are also cyber criminals who aren't interested in making money, but in sowing disruption. For instance, Ranscam and Hitler-Ransomware just encrypt files and then delete them. </p><p>"They're basically encrypting people's files just for the fun of it," Marriott says. "They didn't want any money. 
They were just people who were a bit bored and wanted to cause a bit of mayhem."</p><p>Politics can also motivate; some cyber criminals encrypted files of Israel-based firms and organizations, demanding a free Palestinian state in return for file access. </p><p>"It was not a particularly sophisticated variant, as I understand, but it's interesting that it's not always about the money—just disruption is also a valid motivation for cyber criminals or malicious actors," Marriott says.</p><p>And while financially motivated ransomware campaigns will continue to operate at the forefront, Marriott says that it is feasible that ransomware will be used as a disruption or hacktivism method in the future. </p><p>One possible recent example of this might be the NotPetya ransomware campaign, which did not generate high profits for the cyber criminals behind it and appeared to target numerous Ukrainian organizations. </p><p>"One theory and hypothesis was that because it was heavily Ukrainian in the targeting and the timing was around the Ukrainian independence holiday…it lent itself towards the conclusion that it could have been a nation-state that wasn't particularly fond of Ukrainian independence," Marriott says.</p><p>But because no one has claimed responsibility for the ransomware attack, there's no guarantee that it was politically motivated.</p><p>"There are so many kinds of smoke and mirrors using ransomware and propagation worldwide to distract people," Marriott says. "NotPetya could be that, but at the same time, it could just be cyber criminals that aren't very good—that make mistakes."</p><h4>Response</h4><p>None of the experts <em>Security Management </em>spoke to expect ransomware to go away any time in the near future, and EUROPOL says ransomware is likely to morph into new variants used to target mobile devices, as well as computer files. 
</p><p>"Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms," the EUROPOL report said. "Given the scale of mobile device ownership (with many more mobile devices than people) there is no shortage of fertile ground for the proliferation of ransomware."</p><p>EUROPOL also predicts that ransomware is likely to spread to other smart devices, including smart televisions. </p><p>"Following the pattern of data stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth," according to the EUROPOL report.</p><p>In an attempt to make it more difficult for attackers to infiltrate systems and spread ransomware, international law enforcement has focused on raising awareness about the threat and encouraging companies to adopt proactive defense measures.</p><p>For instance, the U.S. interagency report recommends a series of preventive measures for organizations to take—including implementing awareness and training programs for employees, enabling strong spam filters to prevent phishing emails from reaching users, scanning all incoming and outgoing email, managing privileged accounts, configuring firewalls to block known malicious IP addresses, and patching operating systems.</p><p>Regularly patching systems is critically important, as shown with the WannaCry ransomware attack, but it is something many organizations continue to struggle with, Sprickerhoff says. </p><p>"It's a sad sort of situation—it isn't sexy. Nobody brags about how awesome their patch rigor is," he adds. "It's not very interesting, but it is so necessary."</p><p>One reason that companies struggle with staying up to date on patching is that it's impossible to be proactive. 
A company's IT team has to wait for a vendor, such as Microsoft, to release a patch to fix a vulnerability in its system. The team then has to test the patch to ensure that it doesn't disable other features in the system, and then it has to be installed. </p><p>"And it's a monthly occurrence where Microsoft has Patch Tuesday," Sprickerhoff says. "They release some big patch bundle and you have to do it all over again, every month. Rinse, repeat. And so a lot of people say 'I'm going to do it once a quarter unless things are really crazy and I feel like I need to do this.'"</p><p>In addition to taking preventative cybersecurity measures, organizations should also have a response plan in place for if they are infected with ransomware. And while experts don't recommend paying the ransom to get data back, if an organization is going to pay, Kujawa says it should negotiate with the hackers for a better rate.</p><p>"With ransomware, you're dealing directly with the victim," he explains. "The payment goes straight to you; there's no middle man. The problem, for the criminals, is that if they don't get paid by the victim, they're not getting paid at all. There's no guarantee of value for the criminals, so it's in their best interest to make sure that people can pay."</p><p>One example of this was when Hollywood Presbyterian Medical Center in California paid a ransom to get some of its data back after being hit by a ransomware attack. The original ransom amount was more than $1 million, but the hospital needed just one endpoint decrypted.</p><p>The hospital negotiated with the criminals and was able to decrypt the information it needed for just $17,000 to get operations back up and running.</p><p>"At the end of the day, criminals want to ransom stuff to you," Kujawa says. "You can say, 'No, you're not getting any money,' and then they're left out to dry. 
If you say, 'We'll give you a little bit of money,' they may be a little more interested in following along because at least they're getting something."  </p>
<h4>Leading While Female</h4><p>https://sm.asisonline.org/Pages/Leading-While-Female.aspx</p><p>Team leaders are usually managers and occupy a position of leadership in their respective companies. But even though women have made significant gains in obtaining leadership positions in the U.S. workforce, there remains a gender imbalance: women represent only 4.8 percent of CEOs in Fortune 500 companies. Women have faced challenges in this area that men generally have not.</p><p>In the field of corporate security—traditionally a male-oriented industry—women have made some progress in advancing to leadership levels. Still, there are considerably more men than women in the field of security, and fewer female role models or mentors. This is disconcerting for women when they look to other successful women for support, guidance, and sponsorship in advancing their careers. </p><p>A study I conducted for my doctorate in organizational leadership management at the University of Phoenix explored this issue. The study's intent was to identify themes in the stories of women leaders in the corporate security field, to better understand the factors that compelled them to enter the field, and the challenges, obstacles, opportunities, and enablers they encountered in reaching the ranks of leadership. The sample included 16 female corporate security leaders who had attained positions of leadership in the field of corporate security. The women were selected from a cross-section of industries so we could draw on different areas of business for insights.</p><h4>STUDY RESULTS</h4><p>In the study, four major themes emerged from participants' descriptions of their experiences as security leaders: opportunities to succeed, gender diversity as a differentiator, breaking through in a male-oriented industry, and the importance of relationships and mentorships. 
</p><p><strong>Opportunity to succeed. </strong>The most overarching theme to emerge was that, when given an opportunity and choosing to pursue it, women were able to demonstrate their value and worth to their organizations. </p><p>Some participants pursued security as a natural progression from law enforcement or the military; others entered the field right after college. Once in the field, opportunities to try new roles, to do more by learning new skills, to step out of a comfort zone, or to take on a new project in a familiar role helped these women expand their knowledge, experience base, and leadership skills. </p><p>In many circumstances, these women took on opportunities when they were not sure they could succeed at them. They recognized that their performance was not going to be perfect, but that they would learn. They learned to be curious, ask questions, listen more, and speak less.</p><p><strong>Gender diversity.</strong> Although these women felt a disconnect at times from their male counterparts, being a woman in a male-oriented field was a differentiating factor in their role and sometimes helped them be successful. </p><p>For example, women were able to bring to bear skills and talents that were different from those of their male counterparts, which demonstrated the benefits of gender diversity in the security field as well as in organizations. One participant said: "I feel that women can be efficient in investigations and people matters. Women are good conversationalists and developers of relationships and descend into all aspects of the job. These skills are highly valued by our leadership." </p><p>From another: "We deliver messages differently and passionately. By nature, we are very good listeners and come with solutions to fixing problems."</p><p><strong>A male-oriented industry.</strong> Female security professionals' feelings of belonging influenced decisions that were made throughout their journey. 
Study participants felt that they had to consistently demonstrate their skills and talents to continually prove themselves and fit in in a way that was different from their male counterparts. Still, each one of the participants expressed a high level of satisfaction with a rewarding career in the security industry. None of the participants felt that the challenges were so great that they would have to give up; instead, they felt empowered to do more. </p><p><strong>Relationships and mentorships. </strong>All participants expressed the importance of relationships and mentorships, experiences that gave them a major boost in pursuing their security careers. Identifying the right mentors was absolutely influential in shaping their security careers. An interesting finding was that almost all participants had male mentors who were advocates of career growth for women in security. </p><h4>RECOMMENDATIONS</h4><p>The following recommendations are organized around the four emergent themes of the findings. For many of these recommendations, the ideal time for implementation is when young women leave academia to pursue a career opportunity in either public or private security. The path for growth for these young people should be better outlined to address organizational culture, inclusion, career development, and perceptions of equity surrounding issues of pay.</p><p><strong>Leadership programs.</strong> Organizations should institute a leadership development program that sets out succession planning goals and career paths for young professionals. Additionally, they should align young professionals with a coach and mentor. Young women who will be the future leaders in these fields will need a better system for identifying role models and advocates.</p><p><strong>Dedication to diversity.</strong> Organizations usually reap strategic and financial benefits from gender-balanced leadership. Given this, organizations should cultivate women right out of college and continue to do so throughout their careers. 
Management must recognize the importance of including women and minorities in key leadership positions, and maintaining a diverse leadership slate of qualified candidates. </p><p><strong>Retention strategies.</strong> Organizations should build a retention strategy within their recruitment process that includes identifying key talent, including female employees, early on in their careers and then following them through their career progression. Organizations should consider that promoting a woman to a key leadership role sends a message to the rest of the firm and to the security industry at large that women can fill the roles that were once predominantly filled by men.</p><p><strong>Mentoring programs.</strong> Organizations should adopt a mentoring program to create an environment in which new talent can navigate a large organization. At the very least, each new employee should be assigned a relationship partner upon joining the firm, and that person can help the employee find her way during the first year or two of starting a new role. </p><p>Female leaders should never give up, no matter their perceptions of the odds. This was confirmed by the recurring stories about the challenges and opportunities that helped to shape these women who became leaders in the security field. And leaders interested in furthering their careers should invest in developing others. It is through the act of giving back that the true learning of leadership takes place. </p><p><em>Rose Littlejohn is managing director of business services at PricewaterhouseCoopers.</em></p>
<h4>A New Social World</h4><p>https://sm.asisonline.org/Pages/A-New-Social-World.aspx</p><p>While a senior executive was on a business trip to Europe, someone took intimate photographs of the businessman and posted them on Twitter and Reddit. In the photos, the married executive is not clothed and he is not alone.</p><p>Within hours, the tweets start. They include the company's name. The executive reaches out to the security department for help because the company's new quarterly earnings are set to be announced within days. There's also a merger under discussion. Who does security call first—IT or legal?</p><p>Fortunately, that case never came out in the news because the security team kept it under wraps internally and had the Twitter posts removed. </p><p>But the potential crisis raises several questions: What legal responsibility did the organization have to the employee, if any? What rights did the employee have? Were any of these spelled out in a company social media policy?</p><p>The adoption phase of social media is over. Now the scary part is beginning—the rapid development of new innovations in social media to keep users engaged. Social media is a communications tool of convenience. This makes it potentially detrimental to companies.</p><p>In 2016, public consumers were nearly twice as likely to recall a company's social media campaign as to recall a print advertisement. 
That's good news for social media, but bad news for any organization experiencing a crisis there.</p><p>Lululemon and the NFL are just two organizations that had to invest significant resources to manage social media-fueled scandals in recent years.</p><p>After Lululemon company founder Chip Wilson told Bloomberg TV that "some women's bodies just actually don't work" with Lululemon pants, social media outrage from customers led him to step down.</p><p>To protest the way NFL Commissioner Roger Goodell handled former running back Ray Rice's domestic abuse scandal, an activist group hired an airplane to fly a banner over the stadium with the hashtag "#GoodellMustGo" printed on it. The hashtag was widely shared on social media, and more than 50,000 people signed an online petition demanding that the NFL change its policies—which it later did.</p><p>Workplace sexual harassment accusations are increasingly being made on blogs and other digital publishing platforms, then amplified on Facebook, Twitter, and Snapchat. A blog post and an iPhone video recently sparked such a massive crisis at Uber that its biggest investors insisted that Uber's cofounder and CEO Travis Kalanick resign, which he did. </p><p>"Social media is a part of everyone's life, and while using social media, the line between one's personal and work activities can sometimes be blurred," says Nancy L. Gunzenhauser, an associate in the employment, labor, and workforce management practice in the New York office of Epstein Becker &amp; Green. "Social media allows employees to network, support their employer's recruiting, and build a company brand.</p><p>"A strong social media policy will set parameters to help employees use social media effectively while protecting the company's confidential information and the reputation of its products and services." </p><p>Accessibility to social media at work may lead to various forms of workplace misconduct, says Scott L. 
Vernick, a partner at Fox Rothschild LLP who specializes in technology. For instance, employees could use social media to violate privacy laws (such as the U.S. Computer Fraud and Abuse Act), disclose trade secrets, open the company to Title VII exposure, violate labor laws, authorize deceptive endorsements, or violate workplace policies.</p><p>To reduce the risk of employer liability, Vernick recommends that organizations create clear employee guidelines and policies that set forth parameters of proper social media use.</p><p>For instance, employers should consider whether employees should be allowed to use social media at all, and if so, when. If employees are allowed to use social media at work, employers should consider what limitations to impose on posts.</p><p>"An effective social media policy will be updated regularly, enforced uniformly, and will clearly state what is expected of employees and what the consequences will be for any violation of that policy," says Christine Rafin, a partner in the law firm of Kent, Beatty & Gordon, LLP, who specializes in technology-related legal issues. </p><p>Additionally, employers should define what is prohibited conduct on social media—such as offensive, demeaning, defamatory, discriminatory, harassing, abusive, inappropriate, or illegal remarks, as well as personal gripes. </p><p>And employers should create limitations on the use of company names in postings or identities, such as limiting the use and mention of competitors, employees, or clients in postings, as well as prohibiting the unauthorized dissemination of company material.</p><p>For example, adidas has a two-page social media policy for employees that includes a variety of requirements.</p><p>"Do not comment on work-related legal matters unless you are an official spokesperson, and have the legal approval by the adidas Group or its brands to do so," the policy says. 
"In addition, talking about revenues, future products, pricing decisions, unannounced financial results, or similar matters will get you, the company, or both, into serious trouble. Stay away from discussing financial topics and predictions of future performance at all costs."</p><p> Employers should be clear that violations of prohibited conduct will result in disciplinary action. However, employers must avoid prohibiting protected activity under the U.S. National Labor Relations Act, which allows employees to post or engage in conversations on social media about wages and working conditions.</p><p>"Employers should be careful not to craft their policies in a way that may be seen as attempting to chill employee speech entirely," Rafin says. "Policies that prohibit employees from posting statements online that may be harmful to the company's reputation have been held to be overbroad and unlawful by the National Labor Relations Board."</p><p>Employers should also be clear that employees should have no expectation of privacy in the use of social media or communications prepared on a company computer, even if those communications are deleted. Employers should also have a program in place to monitor employee use of social media. </p><p>"This is not always an easy or inexpensive task, however," Rafin says. "It may impact employee morale and lead some employees to find creative ways to get around the monitoring, including by setting up dummy profiles and enhancing the privacy settings on their posts."</p><p>Employers should be mindful, Rafin adds, that several U.S. 
states have enacted laws that prohibit employers from requesting employees' usernames and passwords to their personal social media accounts, or requiring employees to log in to those accounts in the employer's presence.</p><p>"Of course, exceptions may apply in certain situations—such as when the employer has reason to believe that the employee violated the law," Rafin says.</p><p>Employees who blog should also be reminded that they need to comply with the terms of use for their sites and refrain from exercising their personal opinions in a way that can be construed to be the company's opinion.</p><p>Whether employees are the cause, source, or target of such issues, understanding and amplifying your organization's social media policy is as essential as having both IT and legal on speed dial.</p><p><em>Don Aviv, CPP, PCI, PSP, is president of global corporate intelligence and security consulting firm Interfor International and vice-chair of the ASIS Security Services Council. Shannon Wilkinson is CEO of online reputation management firm Reputation Communications and a contributor to </em>The Wall Street Journal<em>'s "Crisis of the Week" column. She is an expert presenter on reputation management in The Hetty Group's Coptics: The Optics of Policing in the Digital Age initiative and a member of the ASIS Women in Security Council.</em></p>
<h4>Looking Back: A Year of Change</h4><p>https://sm.asisonline.org/Pages/Looking-Back-A-Year-of-Change.aspx</p><p>It's hard to believe that 2017 is coming to a close and, with it, my term as president of this great member association. Dick Chase, CPP, PCI, PSP, will assume the role of president on January 1, 2018, and I know his commitment to the success of our Society is solid and unwavering. So as I step aside, I want to take a moment to reflect on the changes I have seen, and the promises I see materializing in the years to come. </p><p>First, we are lucky indeed to have such a committed headquarters team. As many of you may have noticed during the annual seminar and exhibits in Dallas, the staff personnel seemed to be literally everywhere at once, making the attendee and exhibitor experience a great one. They are at the forefront of many initiatives around our promise of member value and experience, and I encourage you to reach out and introduce yourself to a staff member any chance you get. They are here to serve us all and you'll easily see that in their dedication. </p><p>The strategic plan is the bedrock of all we do at ASIS International, and we have spent 2016 and 2017 driving the plan all the way down into the organization. When we do anything, we must be able to see its genesis in the plan, and members must be able to see the value to them. We have work to do translating the strategic plan for the chapters and councils, but I know that's an objective for 2018.</p><p>Diversity and inclusion remain priorities for 2018 and beyond. Because we are a membership association, our leadership must reflect the diversity of our members. Not only is it at the foundation of our global success, it is just good business to gather opinions and ideas from all walks of life. 
I want everyone who is looking for a professional association to see themselves in ASIS International more than in any other organization.</p><p>On a seemingly mundane but crucial project, I am excited about the Web redesign and launch slated for early 2018. As a global association, we must be able to deliver content and value on platforms that are device agnostic and responsive to our membership. We believe we have that platform now. Improved search, better cataloging, and an overall intuitive experience await you.</p><p>Even more advancements and enhancements are planned for the membership, as a variety of work streams come to fruition in 2018 and beyond. As I noted, member value sits at the epicenter of everything we design or overhaul, so hopefully you will see even more results in the months to come. Again, it has been my professional privilege to serve you in this capacity and I look forward to supporting Dick Chase, the board, and you, my colleagues, in 2018.​</p><h4>MEET YOUR 2018 LEADERSHIP TEAM</h4><p>ASIS International announced that Richard E. Chase, CPP, PCI, PSP, will serve as its 2018 president. Chase will be the Society's 63rd president, succeeding Thomas J. Langer, CPP, who will transition into the role of chairman of the board. Christina Duffey, CPP, will assume the role of president-elect, and Godfried Hendriks, CPP, will serve as treasurer.</p><p>The results of the board election were announced at September's 63rd Annual Seminar and Exhibits in Dallas. ASIS members reelected incumbents Jaime P. Owens, CPP, and John A. Petruzzi, Jr., CPP, and elected Ann Trinca, CPP, PCI, PSP, and Darren Nielsen, CPP, PCI, PSP, to the 17-member board. 
Petruzzi was elected to serve as secretary of the board.​</p><h4>MEMBERS DESCRIBE ASIS 2017 EXPERIENCES</h4><p>Special thanks to ASIS members Larissa Lindsay and Doug Powell, CPP, PSP, who served as roving reporters at ASIS 2017, sharing their thoughts about various events, exhibits, and education sessions for the event website. </p><p>Lindsay, who contributed articles all week long, observed that Texas hospitality was "in full swing" and that innovations on the show floor demonstrated "game-changing applications…advances in security that are exciting as the industry is moving forward with new technology."</p><p>In his recap, Powell noted, "The Annual Seminar and Exhibits in Dallas felt like renewal to me. It was rich, it was fun, and it gave me a total immersion in the information and resources I need to develop as a security professional. I cannot wait for the 2018 conference in Las Vegas!"</p><p>Read all their contributions at securityexpo.org/rovingreporters.​</p><h4>PARTNERS IN CERTIFICATION</h4><p>In law enforcement, a person is more likely to try breaking out of a police station than to break in. That ideology is what Laura Meyers faced in 2009 when she joined the Security Assessment Unit (SAU) as a provincial police constable with the Ontario Provincial Police (OPP). Eventually someone broke into a detachment and assets were compromised. "That was a big turning point," she says, and it set the stage for how the SAU functions today.</p><p>The OPP is one of North America's largest deployed police services with more than 6,200 uniformed officers, 3,100 civilian employees, and 800 auxiliary officers. Meyers' unit is part of the Justice Officials Protection and Investigations Section, which manages threats associated with justice officials such as judges, police officers, crown attorneys (prosecutors), and corrections staff, as well as provincial facilities. 
</p><p>When the unit was formed in 2007 under the leadership of now-retired Sergeant Joey Gauthier, PSP, police officers assigned to the unit obtained the ASIS certification for the Physical Security Professional® (PSP). The interest in certification stemmed from "ensuring that we were subject matter experts in the physical security field," says Meyers.</p><p>As the unit became busier, Meyers earned her PSP and was promoted to sergeant, managing the daily operations of the SAU, and she continued to support ASIS certification for SAU members. But if a member with a PSP certification moved on or up in the ranks, "we lost that education, experience, and certified person," she says. Meyers suggested an alternative method to her managers: recruiting security consultants in the private sector who were already certified and bringing them into the law enforcement pool. </p><p>As a result, Patrick Ogilvie, CPP, PSP; Gregory Taylor, CPP, PSP; and Michael Thompson, CPP, PCI, PSP, were contracted as full-time security consultants to provide their security and risk assessment expertise to the OPP.</p><p>"When the message went out that Sergeant Meyers was looking for persons that had professional certification, the three of us saw an amazing life opportunity," says Ogilvie. A longtime ASIS member, Ogilvie had chaired the Ontario Chapter for the previous four years. He recalls that police officers who were planning to retire came to chapter meetings to learn about the corporate security world. But in this instance, OPP was looking for certified civilians to go from the private sector into policing. "It was an about face," he says. "It had never been done before."</p><p>Meyers initially faced some challenges with bringing in civilians to conduct security assessments. As a test, the new team completed a project dealing with courthouse security. They assessed gaps in security that needed to be brought to the attention of the command staff. 
Once their professionalism and expertise were demonstrated, the benefits of their experience and certification were fully embraced by all members of the OPP. The project was well received around the province. "People recognized that the civilian security consultants were assessing what the security issues were, putting them on paper, and assisting in taking steps to get them addressed," she adds.</p><p>The security consultants offer alternatives that may not have been considered previously. When making recommendations, "we refer back to the Protection of Assets reference guides, the ASIS standards and guidelines, and the asset protection courses," says Ogilvie. Whether those recommendations are enacted depends on a multitude of factors, including available funding. Meyers adds that the recommendations are on paper so the operational manager at the facility can assess the cost. And the fixes are not always big ticket items—sometimes they might be changing a procedure or adjusting training. </p><p>Recently, Meyers was called to testify at a hearing and was cautious about giving evidence on why she had or had not recommended a physical security action. "Having the board-certified consultants within the SAU adds a lot more credibility," she contends. "We would never have the reputation and expertise that we have today and produce the products and deliverables that we do if we had not brought in the consultants." As a result, the unit's staff sergeant and superintendent are applying for the Certified Protection Professional® (CPP) credential themselves.</p><p>The OPP has also created a chief security office within the security bureau, which will affect how the SAU operates in the future. The unit is creating a database of security incidents so members can see what's happened in the past and anticipate what could happen in the future. "There are still some barriers to break through, some silos," says Meyers. 
"But as the world changes, this unit gets busier and gets called more frequently to see where gaps lie or what could be done to mitigate a situation."</p><p>Other police services are actively considering new approaches to integrating asset protection and security best practices into their daily operations and to increase collaboration. To that end, the SAU convened the Ontario Security Policing Network Group. "We have groups galore in for-profit businesses such as retail, hotels, and attractions," says Ogilvie, where security professionals can collaborate and talk about what they are doing individually and collectively. Ogilvie proposed forming a similar group among the larger police services around the province. "We all need to be on the same page," he observes.</p><p>On his first day on the job, Ogilvie joined a security briefing by the staff sergeant. "I kind of held back," he recalls, "but the staff sergeant drew me in, saying 'you're a part of this.'" Because Meyers "sold the value of certified consultants and the benefit they bring to the OPP, over time people saw the value and welcomed us with open arms."</p><p>"I tip my hat to Laura for her amazing insight," says Ogilvie. "It was so out of the box."</p><h4>LIFE MEMBER</h4><p>Krishnamoorthy Arunasalam, CPP, was granted Life Membership by ASIS. He has served ASIS as a regional vice president, assistant regional vice president, chapter chair, senior regional vice president, and a dedicated member of the Singapore Chapter for more than 20 years.</p><h4>LIFETIME CPP</h4><p>Congratulations to these certificants who have achieved lifetime certification.</p><p>• Neil F. Westgarth, CPP</p><p>• Andrew G. Wyczlinski, CPP</p><p>• Joseph P. Hebert, CPP</p><p>• Richard J. Tofani, CPP</p><p>• Ralph D. Chiocco, CPP</p><p>• Clifford R. Baugh, CPP</p><p><em>By Peggy O'Connor, ASIS director of communications. 
</em></p><h4>MEMBER BOOK REVIEW</h4><p><em>Maritime Security: An Introduction, Second Edition.</em> By Michael A. McNicholas. Butterworth-Heinemann, Elsevier.com; 514 pages; $125.</p><p>The second edition of <em>Maritime Security: An Introduction</em> is the very best kind of security book. It is broad in scope and deep in detail. Its description of the maritime environment and seafaring culture is so comprehensive the reader can almost smell the salt air and hear the cries of the seagulls. Author Michael McNicholas is an experienced practitioner of maritime security, and it shows. Other contributors are from the U.S. Coast Guard, Navy, and law enforcement, so the base of knowledge is wide.</p><p>Written in the style of a textbook, with learning objectives and other educational tools, it is highly readable. The detailed table of contents helps readers find specific topics, which include everything from international maritime law to port security assessments. The author begins with an overview of the maritime environment, then turns to specific security problems—such as supply chain vulnerabilities, piracy, stowaways, drug smugglers, cybersecurity, and terrorism—as well as broader challenges including threat mitigation, security management, high-level security strategy, and response.</p><p>Each chapter has a clear purpose. For example, one explains the various documents and forms used in the industry and how shipping orders are placed. This chapter would be essential to someone conducting an investigation related to the shipment of goods or who needs to learn how information and money flow in this industry. Other useful chapters explain international and U.S. maritime security regulation, assess piracy risk, and look at irregular migration worldwide. 
The chapter on cybersecurity would be applicable to any industry, but it drills down into the reasons that this sector is particularly vulnerable to attack.</p><p>"Security Management and Leadership in Seaports" is a chapter that discusses everything from leadership to ISO certifications and security metrics, plus essential training for port security personnel. It is a good example of the thoroughness of this book.</p><p>While the title suggests it is an introductory work, the level of detail inside would be appropriate for the full range of users—new security professionals to advanced practitioners and experienced consultants working on projects related to maritime or port security. This is the kind of book that will get a lot of use as a reference guide for security professionals engaged in protecting this vital industry.</p><p><em>Reviewer: Ross Johnson, CPP, is the senior manager of security and contingency planning for Capital Power and infrastructure advisor for Awz Ventures. He previously worked as the security supervisor for an offshore oil drilling company in the Gulf of Mexico and overseas. Johnson is the author of Antiterrorism and Threat Response: Planning and Implementation.</em></p>
<h4>Call for Help</h4><p>Physical Security. https://sm.asisonline.org/Pages/Call-for-Help.aspx</p><p>With more than 420,000 annual visits from patients from four states, Seattle Children's Hospital serves the largest region of any children's hospital in the United States.</p><p>The organization, made up of a research arm, a foundation, and the hospital, strives to provide robust security while making its stakeholders feel welcome and cared for.</p><p>"As a security team, our goal is really to ensure the mission of our hospital, which is to treat patients and find cures for diseases," says Dylan Hayes, CPP, manager of the physical security program at Seattle Children's. "We do that by interfacing with our families and our patients…we're a customer-service oriented team."</p><p>A security officer staffs the emergency department around the clock, and officers also operate a security operations center for the entire hospital that is open from 6:00 a.m. to 10:00 p.m.</p><p>Visitor management is important to Seattle Children's, and the security team screens everyone who walks through the door to ensure that they have a purpose to their visit. Visitor identification is processed by a database that checks for sexual offenses and other criminal records.</p><p>"We have security teams at five different entrances during the day that greet people as they come in, find out where they are going, give them directions, and make sure that they are badged to do so," Hayes says. In addition to the daily pass, family members and loved ones who make frequent patient visits are given weekly passes.</p><p>Seattle Children's trains its employees on active shooter protocols, and has lockdown procedures in place in the event of an emergency. 
</p><p>"Our entrances are actually equipped to scan a badge that will lock that specific entrance, or a different badge can lock down all the entrances at the hospital," he says. "We're using a lot of security technologies these days to improve our business operations."</p><p>One of those technologies is a call tower intercom model from Vingtor-Stentofon by Zenitel, which allows anyone in distress to contact the hospital's security desk with the push of a button. In addition to contacting the security desk via a speakerphone, a flashing light is activated on the top of the tower.</p><p>The hospital uses call tower boxes from Talkaphone and Code Blue, which used to work over a standard telephone line. Zenitel works over an IP network, and integrates with the organization's access control system, OnGuard by Lenel.</p><p>Seattle Children's originally installed the towers in 2012, and it upgraded to a newer model of the intercom technology, called Turbine Intercoms, in May 2017. There are approximately 55 towers located around the hospital grounds, mainly situated in parking lots and other outside public areas.</p><p>"We've upgraded about a third of our phones and we're in the process of upgrading the rest of them," Hayes says, noting that the Turbine model provides a clearer connection from the tower to the emergency operator. "With the older equipment the clarity is not there—you can't make out what's going on," he says. "The Turbine stations really allow for clear communication when you're in critical situations."</p><p>As far as incident types, "anything goes with these towers," Hayes says. When security receives a call, it assesses the situation and decides how to respond, usually either deploying a security officer or contacting law enforcement. Hayes adds that it's rare that police have to get involved.</p><p>"People report their cars have been damaged, or we've had reports of fires in the garage," he says. 
"There are so many great uses of those towers, it's just open-ended."</p><p>The integration with Lenel allows any cameras in the area to pan, zoom, and tilt toward the call tower's location, allowing security to view the scene live via monitors. Lenel also displays a map in the alarm monitoring screen that shows which tower and where the incident occurred. </p><p>Hayes says he welcomes the opportunity to improve business operations via security technology, and he was delighted when the hospital's emergency department wanted to collaborate with security by responding to any medical incidents from the call towers. </p><p>"If somebody pushes one of those buttons, our plan is to send out a security person with a respiratory therapist and an emergency department nurse if they need medical care," Hayes says. </p><p>Recently, for example, a woman fell down a flight of stairs and was injured. "The emergency call station was activated and a hospital response team, including security, responded," Hayes explains. Security brought a wheelchair and assisted the woman to the emergency room for follow-up care. </p><p>"When our emergency operations team comes to us and says, 'We want to use your technology to better serve our people,' that's a great thing to hear," he notes. "We do have an expectation to provide care because we are a hospital." </p><p>Another benefit of the Vingtor-Stentofon network is the ability to push prerecorded audio messages over the security team's two-way radios, alerting officers to any alarms such as panic buttons or door-forced-open alerts.</p><p> "When we're out in the field, we don't have that ability to do extensive alarm monitoring, and we didn't have a way to quickly get a message to our security team in an automated fashion," he says. "So, we set up Stentofon to be configured with our Motorola MOTOTRBO radio system." 
</p><p>Because alarm locations are preset in Lenel, the prerecorded message that goes out indicates the type of alert and where it occurred. The responding officer alerts the rest of the team that the situation is being handled. </p><p>"We could have alerts go to a pager, but then there's a two-minute delay," he says. "If we have it go to the radio, then it's instantaneous." </p><p>Hayes adds that the many uses of the call towers, along with the radio and alarm integration, have all helped improve the security team's ability to respond to incidents rapidly and effectively.</p><p>"Having that crystal-clear communication is so important to be able to deploy the right emergency response team," he says.</p><p> For more information: Kelly Lake, EndingBadAudio@Zenitel.com, https://www.zenitel.com, 800.654.3140</p>
<h4>An Identity Crisis</h4><p>Cybersecurity. https://sm.asisonline.org/Pages/An-Identity-Crisis.aspx</p><p>It was "A Case of Identity." Mary Sutherland's fiancé, Mr. Hosmer Angel, had disappeared on what was to be their wedding day, and she needed Sherlock Holmes's help to find him.</p><p>Angel, however, was a bit of a mystery. Sutherland knew very little about him, just that he worked in an office on Leadenhall Street and sent her letters that were typewritten via a post office box. He also only visited Sutherland in person when her stepfather, James Windibank, was out of town.</p><p>Through logical reasoning, and some minor investigatory work, Holmes deduced that Angel was not who he claimed to be. Based on in-person observations in the physical world, Holmes deduced that Angel was Windibank in disguise, and could not marry Sutherland.</p><p>The same circumstances surrounded the verification of an individual's identity for most of the 20th century. Most transactions, legal actions, and meetings occurred in the physical world. People saw those they were doing business with, looked at physical copies of their driver's license or passport, and used that to verify their identity.</p><p>They could also use an individual's Social Security number—the most common numbering system in the United States—to help ensure that the person was the person they claimed to be, based on all the information associated with that specific number.</p><p>And to steal sensitive data that could verify identity in the physical world from millions of people would have required a network of people willing to break into businesses that store that information. Their odds of getting caught would have been high.</p><p>But in today's digital world, it's much simpler to carry out a major heist of sensitive information. 
And the building blocks that are used to create an identity online and verify it are regularly being compromised, making it more difficult than ever before to prove who anyone is online.</p><p>The latest example of this is the mega data breach of credit reporting agency Equifax, in which hackers accessed and stole data on 145.5 million people—mostly U.S. citizens but individuals from Canada and the United Kingdom, as well.</p><p>Along with names and telephone numbers, the hackers gained access to Social Security numbers and the extensive information the agency collects on individuals and uses to verify their identities, such as previous residences, relationship and employment history, and financial histories.</p><p>This information is often used to compile a credit report, which can be shared with employers, leasing institutions, and others, to verify an individual's identity as part of a screening process.</p><p>"The Equifax hack is highly disturbing not only because of its massive scope, but also because of the specific type of personal data that was stolen," wrote U.S. Representative Ted Lieu (D-CA) in an op-ed for Slate. "Credit reporting agencies are supposed to be one of our lines of defense in data security and privacy protection—and Equifax failed in its core mission."</p><p>No one has claimed responsibility for the Equifax breach, and experts expect an increase in fraud using the information that was stolen, especially during the upcoming holiday season.</p><p>"We're going to see an uptick in fraud, synthetic IDs, and accounts being compromised—busting out credit cards, taking fraudulent loans across multiple channels of products," according to James Heinzman, senior vice president of financial services solutions for ThetaRay. </p><p>In addition to fraudsters, nation-state actors are also likely to acquire the information compromised in the Equifax breach, says Rick Holland, vice president of strategy at cybersecurity firm Digital Shadows. 
</p><p>China, for instance, would find the data very valuable combined with what it allegedly stole in the U.S. Office of Personnel Management (OPM) breach, Holland explains, because it would allow China to create a broader data set on individuals it might already be targeting.</p><p>"You could see [China] leveraging and purchasing this sort of data for types of activity that it would conduct, such as social engineering," Holland says. "I would expect nation-states across the board to try to acquire this data, as well as the defenders. I wouldn't be surprised to see the U.S. government try to acquire this data to understand the implications of it from a counterintelligence perspective."</p><p>Those implications could be widespread because the information compromised in the Equifax breach is not ephemeral—Social Security numbers and personal histories do not change—creating a serious problem with how identity is constructed and verified online.</p><p>Because of this, Lee Munson, a security researcher and blogger with Comparitech and senior associate, information security training and awareness at Re:Sources UK, says he now thinks there is no way for a victim of identity theft to 100 percent prove they are who they are over the Internet.</p><p>"The ironic thing for me is that one of the first bits of advice you give to identity theft victims is to go get copies of their credit report from people like Equifax," Munson says. "Now you've got to ask, 'Can you trust them?'"</p><p>Victims have "the option of sending emails, copying documents and sending copies of their Social Security numbers and passports, but those could easily be faked," he explains. 
Victims can also go to their local police department to get documents saying they're a victim of identity theft, but this places the onus on victims to prove their identity after it's already been stolen.</p><p>Instead, organizations might need to rethink what kind of data they collect on people to uniquely identify them and consider no longer using Social Security numbers as identifiers. Almost every legal U.S. resident has one issued on a card from the Social Security Administration that is then shared with financial institutions, employers, healthcare providers, and more to connect the resident's documents with that number. </p><p>"Which in retrospect seems like the worst idea ever," says Lance Cottrell, chief scientist of Ntrepid. "Here's this piece of paper. It's got a number printed on it. You're going to give it to everyone, and yet, keeping it secret is the key to security. It's an inherently paradoxical approach to things."</p><p>Instead of using Social Security numbers and other static information, Cottrell says he thinks we'll begin to see a push for greater use of biometrics to identify individuals. Prior to the Equifax breach, Apple debuted new facial recognition technology that iPhone users will soon be able to take advantage of to unlock their devices.</p><p>"Things like the iPhone are showing how a lot of this is going to move," Cottrell says. "The biometrics and the secure enclaves in these locked down physical devices are allowing for authentication."</p><p>Biometrics are not a silver-bullet solution, however. Apple has announced that its facial recognition technology is only 98 percent accurate.</p><p>"That means one in 50 people in the population could unlock your phone," Munson says. "And previous facial recognition systems that are more mature have been tricked by high-resolution digital photographs. 
Even though it's theoretically sound, in practice it may still not prove that the person on the other end of that device is who they say they are."</p><p>Despite a possible increase in the use of biometrics, however, Cottrell says that the United States is not ready for what some call smart IDs—a form of identification card that contains biometric data, such as a DNA sample, to identify the carrier.</p><p>He also thinks it's likely that for some interactions with government agencies or businesses online, there will be a renewed emphasis on using notaries. For instance, to interact with a business online a person would physically have to go to a notary, show ID, and get a document notarized that will then be sent to the business to verify the individual's identity.</p><p>"Not that you can't fake physical documents, but it doesn't scale," Cottrell says. "It's a lot more work. It needs to be done in person in the United States. And one of the characteristics of Internet-based attacks is that they can be launched outside your jurisdiction at scale."</p><p>And focusing on scale is what's important because limiting the number of people that can be compromised per attack helps keep fraud at a manageable rate so it can be identified and mitigated, much like the Sherlock Holmes case.</p><p>"The goal doesn't need to be eliminating fraud and eliminating these kinds of crimes; it's making sure that the fraud rates are manageable," he explains. "I think, unfortunately, the Equifax breach may be pivoting things towards fraud and attacks that can be launched at scale, and that's a problem."</p>
<h4>Editor's Note: Grudges</h4><p>Strategic Security. https://sm.asisonline.org/Pages/Editor's-Note-Grudges.aspx</p><p>Ravens, it appears, can hold a grudge.</p><p>Research published by scientists in Austria and Sweden in the June 2017 edition of the journal Animal Behaviour indicates that ravens can remember the faces of the trainers who cheated them out of treats. The authors write that "the results show that ravens with first-hand experience were more likely to interact with experimenters with whom they had had a positive previous experience, and that this memory lasted at least one month."</p><p>The research suggests that—along with humans, most primates, and crows—ravens are aware of whether people are trustworthy and can base future decisions on past experience. In an article on the topic for Quartz, Lila MacLellan writes that "the ravens who previously dealt with the devious researchers demonstrated that they preferred the people who had followed the established rules…by choosing to interact with the cooperative humans more often."</p><p>In the study, the ravens who had been previously cheated were also more likely to recognize trainers who had cheated other birds. MacLellan writes that "those ravens who had first-hand experience of being conned by other trainers were slightly more likely to recognize the scoundrels in the group they had only observed." She notes that "witnessing another bird get cheated, at least in some cases, appeared to reopen their own wounds."</p><p>There is no debate over the fact that humans are exceedingly good at remembering people who have wronged them. They are also skilled at becoming indignant on behalf of wronged members of their tribe. Humans can remember these transgressors because we are incredibly good at recognizing the patterns inherent in the human face. 
</p><p>As our modern lives increasingly migrate online, our interactions become more and more faceless, causing us to become less sure about the humans on the other side of our digital transactions.</p><p>Several articles in this issue of Security Management explore what it means when those online are devious and refuse to play by the rules. The cover story "Held Hostage" by Associate Editor Megan Gates discusses the rise of ransomware and the ways that hackers are making it easier for criminals to launch attacks. An article by Don Aviv, CPP, PCI, PSP, and Shannon Wilkinson addresses the next step in social media dominance. Now that social media is so ubiquitous, the line between private and work-related posts is blurring. The results can lead to corporate liability. The "Cybersecurity" department explores what identity means after the Equifax hack—if cyber criminals have every detail of a person's history, how can we authenticate anyone online?</p><p>It turns out that people can still hold a grudge. But, unlike the raven, we find it increasingly difficult to know who conned us.</p>
<h4>Blurred Lines</h4><p>National Security. https://sm.asisonline.org/Pages/Blurred-Lines.aspx</p><p>As Americans tried to make sense of the worst mass shooting in recent history, the Islamic State saw an opportunity. After a shooter opened fire from a high-rise hotel in Las Vegas upon a crowd of concertgoers below, killing at least 58 before ending his own life, ISIS claimed responsibility for the attack. The Amaq News Agency, an outlet linked to ISIS, reported that the shooter had converted to Islam a few months prior and followed instructions to carry out an attack on the Las Vegas Strip. So far, however, authorities say there is no connection between the shooter and the international terrorist organization—although his motive for the shooting remains unclear.</p><p>This is a common move by ISIS, especially while the organization continues to lose territory in Iraq. The extremist organization has claimed responsibility for several deadly incidents this year—including the killing of 37 at a Manila casino in June, the August vehicle attack in Barcelona, and the attempted London subway bombing in September—but authorities say there were no concrete connections between ISIS and the perpetrators of those events.</p><p>And even after events where there is a discernable link between the attacker and a terrorist organization, the verbiage surrounding the motive can be confusing—phrases like "inspired by," "affiliated with," or "radicalized by" can create more questions than answers.</p><p>"The sorts of attacks ISIS has claimed responsibility for are all over the place in terms of the accuracy of those claims," says Peter Mandaville, a George Mason University professor and senior fellow with the Brookings Institution. 
"It's a strategic communications or political calculation on its part for it to step forward and claim an attack, whether or not it had anything to do with it at all."</p><p>The National Consortium for the Study of Terrorism and Responses to Terrorism (START)—a leading resource for global terrorism research and attack data—has designated four classifications for ISIS-related terrorism. ISIS predecessors are organizations that were part of ISIS prior to adoption of its name in 2013; affiliated attacks are conducted by organizations that have declared allegiance to ISIS; inspired attacks are by individuals who have indicated that they were motivated by allegiance to ISIS; and an attack by ISIS itself is carried out by operatives of the core of the organization, primarily based in Iraq and Syria. </p><p>In its recent overview of terrorism in 2016, START researchers note that classifying predecessors and affiliates was a difficult process. "Perhaps the most significant challenge is the fact that links between these groups exist on a continuum ranging from formally established, operational coordination and cooperation to more abstract, ideological support," a methodological note in the report states. "Further complicating matters is the fact that often little detail about the exact nature of these relationships is available in open source materials, and the terminology used by both the media and the group leaders is extremely imprecise. Terms such as 'link,' 'allegiance,' 'alliance,' 'support,' 'loyalty,' and 'endorse' are used interchangeably."</p><p>Additionally, researchers must conduct a thorough review of direct evidence from an attack—such as statements to authorities from the perpetrator or their postings on social media—to accurately classify individual attackers as inspired by, but not linked to, ISIS. </p><p>But in the immediate aftermath of a crisis, trying to classify an attacker's relationship—if any—with an extremist group can feel frivolous. 
During an investigation, as with the Las Vegas shooter, initial links with extremists that are later disproved can spark government coverup conspiracy theories. And if ISIS is increasingly falsely claiming responsibility for incidents, how much attention should be paid to its claims?</p><p>"It matters from the point of view of how you assess the level of risk that the attacker represents and how you deal with it," Mandaville says. "If someone is a lone wolf attacker who is operating in an inspired mode and carries out a low-tech attack, and otherwise has no operational connections to one of these movements, then you deal with that person in a different way than someone who is actually a figure within a network of operatives present in your country that has actual organizational connections to one of these groups. In that case, that suggests evidence of a more systematic threat that law enforcement and security services need to respond to in a more thorough way."</p><p>START researchers' exhaustive analysis of each attacker's motives for some 1,400 terrorist incidents in 2016 also helps provide a bigger-picture understanding of the threat. For example, START's 2016 terrorism overview report maps out attacks by the four categories of ISIS attackers. The graph shows a rapid leap in ISIS-affiliated attacks in early 2015 but a gradual decline over 2016, signaling Boko Haram's rise and fall as an ISIS affiliate. </p><p>The data can help point counterterrorism and investigation efforts in the right direction, as well as illustrate to researchers the aims—and struggles—of extremist organizations.</p><p>"In a sense, we're dealing with what you might call the human resources problem that these groups face," Mandaville explains. 
"It's a calculus of the cost and risks associated with training and directly deploying operatives in an operational way, versus achieving their goals by trying to inspire individuals that otherwise have no connection to them to try to undertake these kinds of attacks."</p><p>Mandaville, who was born in the Middle East and advised various government agencies following 9/11, says the struggle of recruiting versus inspiring attackers is not new—and cites al Qaeda as an example.</p><p>When the global jihadist movement first started to come together in Afghanistan in the 1980s, al Qaeda operated in a classic guerilla warfare style with a clear command structure. However, the 9/11 attacks were divisive among the jihadist movement, creating a shake-up in the structure of the extremist organization, Mandaville says.</p><p>"Al Qaeda lost a lot of its best trained followers, people who disagreed with the attacks, and it had to rely on amateur jihadis, self-starters, and people it couldn't directly reach but only inspire and provide minimal direction," Mandaville tells Security Management. "That element of needing to take what it could get is certainly very relevant here."</p><p>After ISIS recently lost control of Mosul—which it took over and declared a caliphate three years ago—experts say they are seeing more desperation from the extremist group, including laying claim to attacks that had nothing to do with it. </p><p>"Where this goes in the next phase of the counter-ISIS strategy really depends on what sorts of calculations ISIS makes as the current operations against it really seem to get close to its core areas of control in Syria," Mandaville explains. "It could voluntarily give up territory and simply revert to a more conventional insurgency guerilla mode in order to continue surviving. We maybe regain the territory it controls, but ISIS continues to exist in some form." 
</p><p>Mandaville notes that as ISIS continues to lose physical ground, more foreign recruits are going to be displaced, potentially creating a new type of terrorist that defies existing categorization.</p><p>"No matter how this goes in the next few months, one of the key questions facing the national security community right now is what happens to the thousands of foreign fighters who went to Syria to work with them?" Mandaville says. "While regaining ISIS-controlled territories is certainly a positive development, it's actually going to also confront us with new risks and new sorts of policy conundrums."</p><p>Another uncategorized extremist player that often flies under the radar is what Mandaville calls the online fanboy—the person who has no interest in carrying out attacks in the name of ISIS, but contributes to the cause by retweeting extremist propaganda and amplifying its message.</p><p>"The various roles that people can play in helping these groups reach other people, including potential recruits for violent or kinetic activity—you have to understand there's an ecosystem that's much broader than just the people who carry out the attacks themselves, or the people who represent the jihadi groups that try to recruit them," Mandaville says. </p>
<h4>Cutting-Edge Criminals</h4><p>Cybersecurity. https://sm.asisonline.org/Pages/Cutting-Edge-Criminals.aspx</p><p>During the dog days of last summer, officials from the U.S. Securities and Exchange Commission (SEC) turned up the heat and made some waves by announcing charges in two major information trading cases.</p><p>In the first case, the SEC announced insider trading charges against seven people who allegedly made millions by trading on confidential information about many impending mergers and acquisitions. According to the agency, Daniel Rivas, a former IT employee of Bank of America, allegedly used his access to a bank computer system to tip off individuals who traded on the information. The traders then profited on market-moving news related to 30 impending corporate deals.</p><p>"IT employees are often entrusted with broad access to incredibly valuable, nonpublic information and have a duty to safeguard that information," Jina L. Choi, director of the SEC's San Francisco Regional Office, said in a statement.</p><p>The SEC's complaint alleges that Rivas frequently tipped his girlfriend's father, James Moodhe, who traded on the information and used coded conversations and in-person meetings to relay the tips to his friend, Michael Siva, a financial advisor at a brokerage firm. Siva allegedly used the confidential information to make profitable trades for his brokerage firm clients, earning commissions for himself in the process, and he passed numerous tips along to a client who traded on them. The complaint alleges that Siva also traded on behalf of himself and his wife based on two of the tips he got from Moodhe, a former financial services company treasurer.</p><p>Two weeks later, the SEC charged Evan R. 
Kita, a CPA and former accountant at Celator Pharmaceuticals Inc., with passing on confidential information to two friends about the clinical trial results for a cancer drug and its acquisition by another company. This was valuable information—Celator's stock ultimately rose more than 400 percent when it announced positive results for its drug to treat leukemia. According to the SEC's complaint, the two friends purchased Celator stock based on Kita's tips, and agreed to share their trading profits with him. One friend also allegedly passed on tips to his father.</p><p>Besides involving multiple players and much information, the two cases had something else in common. In both, the suspects used an encrypted, self-destructing messaging application to evade detection.</p><p>"The tippers and traders in this case are alleged to have used various methods to try to cover their tracks, but their efforts failed," Steven Peikin, codirector of the SEC Enforcement Division, said when the charges were announced. (SEC officials declined a request from Security Management for further comment.)</p><p>And in both cases, the SEC used sophisticated data analytic tools to detect suspicious patterns such as improbably successful trading across different securities over time. These enhanced detection capabilities enabled SEC enforcement staff to spot the unusual trading activities, such as in the case of the two friends Rivas tipped off: both were inexperienced traders, but in just over a year they turned less than $100,000 into more than $2 million in profits by making aggressive options trades based on the confidential information, the SEC alleged. </p><p>These cases highlight the ways in which criminals are increasingly capitalizing on technologies to commit white collar crimes, and how law enforcement and investigators are fighting back with their own technologies, experts say. 
While the technologies used are not brand new, the white-collar context is one of the latest iterations of the ongoing struggle.</p><p>On the perpetrator side, self-destructing messages are nothing new, says Marcus Christian, an attorney in Mayer Brown's White Collar Defense & Compliance group. Decades ago, an early version of this was regularly portrayed in the opening mission message of the old Mission Impossible television show: "Good luck, Jim. This tape will self-destruct in five seconds." </p><p>"That's just old-school spy stuff," Christian says. And from a national security standpoint, encrypted communications have been an issue for years, and terrorist groups continue to use encryption to cover their tracks.</p><p>But the availability of applications that offer encryption is becoming more widespread, and this means that they are popping up more in white collar cases. In the Celator case, for example, the SEC said it believes that some of the suspects communicated through an encrypted smartphone application. "I think it's the availability of the thing that is driving this," Christian says. "If any particular app has the potential to host encrypted messages, it's something that's in the field of play. Generally, the easier it is, the more likely it is that someone will use it."</p><p>Encryption can also make prosecution harder, says Christian, who is a former prosecutor in the U.S. Attorney's Office for the Southern District of Florida. Insider trading cases are often based on "volumes and volumes of recovered documents. To the extent that information is encrypted, that is something that would make [prosecution] harder," he explains. Encryption is also used in money laundering, where parties need to coordinate the transfer of dirty money, and to hide evidence in fraud cases.
</p><p>On the law enforcement side, the use of big data tools, which has "picked up steam" in the last few years, is a significant development because it can change the model for catching illegal activity, says Jonathan Fairtlough, a managing director with Kroll's Cyber Security and Investigations practice. </p><p>The traditional investigative model for insider trading, he explains, was that a tip spurred an investigation, which uncovered more information, which was then used to build a case from the ground up. Fairtlough formerly served as a prosecutor in the Los Angeles County District Attorney's Office, where he was a cofounder of the High Technology Division. </p><p>But now, the more widespread use of data analytics allows enforcement officials to analyze data first (trades are recorded electronically) and detect patterns as they are occurring. Algorithms run over trading records can identify abnormal patterns, such as trades that go against prevailing investor sentiment. Once abnormal activity is identified, investigators can track backward and look at the people behind the trades, and investigate any potential relationships between suspect traders and others who could be providing inside information.</p><p>"It's a proactive use of technology, and it's a welcome tool to protect markets," Fairtlough says. It is also a potential way around encryption. If relationships between suspect traders and those supplying them with inside information are revealed, investigators can approach them and convince them to cooperate in the prosecution. This can help prosecutors win the case, even if they are not able to retrieve encrypted messages. </p><p>Security operations in the private sector can also benefit from these analytical tools, he adds.
By identifying abnormal patterns in a repeated activity (purchases in a retail context, for example), the tools can show where the security operation needs to focus its limited financial resources.</p><p>Meanwhile, the technological race between criminals and security continues, Christian says. The various ways that lawbreakers can use technology to commit crimes is growing every day, and so those on the side of law enforcement must keep innovating and be ready for anything. "There will be more surprises around the corner," Christian says.</p>
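<p>The pattern detection Fairtlough describes, reduced to a toy model as an added example (written for this page; it is not the SEC's or Kroll's analytics). It assumes a constructed announcement calendar and trade blotter, a ten-day pre-announcement window, and a coin-flip null hypothesis: a trader whose pre-announcement trades are on the right side far more often than chance allows is flagged, and flagged traders who keep hitting the same events are paired up as the relationships an investigator would track backward from.</p>

```python
"""Toy market-surveillance model: flag traders whose trades placed shortly
before material announcements are improbably often on the right side, then
look for flagged traders who keep hitting the same events (a candidate shared
source to track back to). Written for this page as an illustration; it is not
the SEC's or Kroll's analytics. All announcements and trades are constructed."""
from collections import defaultdict
from datetime import date
from itertools import combinations
from math import comb

# Constructed announcements: (ticker, announcement date, price move after it: +1 up / -1 down)
ANNOUNCEMENTS = [
    ("ACME", date(2017, 1, 10), +1),
    ("BOLT", date(2017, 2, 3), +1),
    ("CRUX", date(2017, 3, 15), -1),
    ("DYNO", date(2017, 4, 20), +1),
    ("EPIC", date(2017, 5, 2), +1),
    ("FLUX", date(2017, 6, 12), -1),
    ("GLOW", date(2017, 7, 8), +1),
    ("HALO", date(2017, 8, 1), +1),
]

# Constructed trade blotter: (trader, ticker, trade date, position: +1 long / -1 short)
TRADES = [
    # t_alpha and t_beta: right every time, days before each announcement
    ("t_alpha", "ACME", date(2017, 1, 5), +1),
    ("t_alpha", "BOLT", date(2017, 1, 30), +1),
    ("t_alpha", "CRUX", date(2017, 3, 10), -1),
    ("t_alpha", "DYNO", date(2017, 4, 14), +1),
    ("t_alpha", "EPIC", date(2017, 4, 28), +1),
    ("t_alpha", "FLUX", date(2017, 6, 5), -1),
    ("t_alpha", "GLOW", date(2017, 7, 1), +1),
    ("t_alpha", "HALO", date(2017, 7, 5), +1),   # 27 days early: outside the window, ignored
    ("t_alpha", "ZZZZ", date(2017, 9, 1), +1),   # no announcement on this ticker, ignored
    ("t_beta", "BOLT", date(2017, 1, 28), +1),
    ("t_beta", "CRUX", date(2017, 3, 12), -1),
    ("t_beta", "DYNO", date(2017, 4, 18), +1),
    ("t_beta", "EPIC", date(2017, 4, 25), +1),
    ("t_beta", "FLUX", date(2017, 6, 9), -1),
    ("t_beta", "GLOW", date(2017, 7, 6), +1),
    ("t_beta", "HALO", date(2017, 7, 28), +1),
    # t_gamma: an ordinary trader, right about half the time
    ("t_gamma", "ACME", date(2017, 1, 8), -1),
    ("t_gamma", "BOLT", date(2017, 1, 27), +1),
    ("t_gamma", "CRUX", date(2017, 3, 9), +1),
    ("t_gamma", "DYNO", date(2017, 4, 12), -1),
    ("t_gamma", "EPIC", date(2017, 4, 30), +1),
    # t_delta: two lucky trades, too few to say anything
    ("t_delta", "GLOW", date(2017, 7, 3), +1),
    ("t_delta", "HALO", date(2017, 7, 30), +1),
]


def binom_tail(n, k, p=0.5):
    """P(X >= k) for X ~ Binomial(n, p): chance of k or more hits by luck alone."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def pre_announcement_trades(trades, announcements, window_days=10):
    """trader -> [(announcement index, trade was on the right side)] for trades
    placed within window_days before an announcement on the same ticker."""
    by_ticker = defaultdict(list)
    for idx, (ticker, ann_date, direction) in enumerate(announcements):
        by_ticker[ticker].append((idx, ann_date, direction))
    hits = defaultdict(list)
    for trader, ticker, trade_date, position in trades:
        for idx, ann_date, direction in by_ticker.get(ticker, []):
            lead = (ann_date - trade_date).days
            if 0 < lead <= window_days:
                hits[trader].append((idx, position == direction))
    return hits


def score_traders(trades, announcements, window_days=10, min_trades=4, alpha=0.01):
    """Flag traders with at least min_trades pre-announcement trades whose hit
    rate would occur by chance with probability below alpha (coin-flip null)."""
    flagged = {}
    for trader, events in pre_announcement_trades(trades, announcements, window_days).items():
        n = len(events)
        k = sum(1 for _, right in events if right)
        if n < min_trades:
            continue  # too little data to call anything improbable
        p_value = binom_tail(n, k)
        if p_value < alpha:
            flagged[trader] = {"n": n, "hits": k, "p_value": p_value,
                               "events": {idx for idx, _ in events}}
    return flagged


def shared_event_pairs(flagged, min_overlap=3):
    """Pairs of flagged traders who traded ahead of the same announcements:
    the relationships an investigator would track backward from."""
    pairs = []
    for a, b in combinations(sorted(flagged), 2):
        overlap = flagged[a]["events"] & flagged[b]["events"]
        if len(overlap) >= min_overlap:
            pairs.append((a, b, len(overlap)))
    return pairs


if __name__ == "__main__":
    flagged = score_traders(TRADES, ANNOUNCEMENTS)
    for trader, info in flagged.items():
        print(f"{trader}: {info['hits']}/{info['n']} right, p={info['p_value']:.4f}")
    print("shared events:", shared_event_pairs(flagged))
```

<p>The binomial test is the simplest defensible improbability score; a real surveillance system would also condition on market sentiment, option-chain activity and account history, but the shape of the pipeline, score the trades first and look at the people second, is the one the article describes.</p>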
https://sm.asisonline.org/Pages/Postal-Peculiarities.aspx | Postal Peculiarities | National Security<p>Does the system of international mail security in the United States have a hole in it? The U.S. Government Accountability Office (GAO) recently explored the issue, and suggested that some extra measures may be warranted.</p><p>Currently, the U.S. Customs and Border Protection (CBP) agency is charged with targeting and inspecting inbound international items that come in through the mail, and with seizing any illegal items. Carriers like the U.S. Postal Service (USPS) and express services like FedEx provide items to CBP for inspection as international mail arrives in the United States.</p><p>To assist in this process, the express services are also required to provide CBP with electronic advance data (EAD), such as the shipper's and recipient's name and address, for inbound international mail. However, unlike the express operators, USPS is not currently required to provide CBP with any EAD. In general, USPS relies on foreign postal operators to provide EAD voluntarily, and under mutual agreement. </p><p>In 2014 and 2015, USPS and CBP initiated two pilot programs in the New York area to test this system. Under the pilot programs, CBP uses EAD that it receives through agreements with foreign postal operators to target a small number of pieces of mail each day. So, when USPS employees in the New York facilities come across these preselected pieces, they are alerted that CBP has targeted the item, and they set the item aside for a later inspection.</p><p>However, occasionally this system breaks down. The GAO found that sometimes the targeted mail gets lost after it arrives at the New York facilities, and slips through the cracks without inspection. "Locating targeted mail once it arrives at a [facility] has been a challenge," the report says.
</p><p>How often does this slippage occur? It happened to about 18 percent of targeted items in one pilot program, and about 42 percent of targeted mail in the other pilot, according to the report. Moreover, GAO found that the agencies have not devised clear performance goals to evaluate the programs, nor have they completed a cost-benefit analysis on using EAD to target mail for inspection. </p><p>Given these findings, the GAO recommended that CBP, in coordination with USPS, establish performance goals to assess the pilot programs and evaluate the costs and benefits of using EAD to target mail for inspection compared with other targeting methods. </p><p>"It is important that CBP and USPS carefully consider actions to enhance inbound international mail security, to avoid wasting time and money on potentially ineffective and costly endeavors," the report says.  </p><p>CBP and USPS agreed with the recommendations, and CBP plans to implement them by February 28, 2018.</p>
https://sm.asisonline.org/Pages/Former-U.S.-National-Security-Advisor-Pleads-Guilty-To-Lying-To-The-FBI.aspx | Former U.S. National Security Advisor Pleads Guilty To Lying To The FBI | National Security<p>Former U.S. National Security Advisor Michael T. Flynn pleaded guilty to lying to the FBI about conversations with a Russian ambassador in December 2016. Flynn’s plea marks a new phase of the ongoing investigation by Special Counsel Robert S. Mueller III into the 2016 U.S. presidential election.</p><p>Appearing in U.S. federal court this morning, Flynn entered a guilty plea for <a href="https://apps.npr.org/documents/document.html?id=4318002-Flynn-Charging-Document" target="_blank">one count of making false statements</a> to the FBI about conversations he had with Russian ambassador Sergey I. Kislyak between when U.S. President Donald Trump was elected in November 2016 and his inauguration in January 2017.</p><p>Flynn told FBI agents during a voluntary interview in January 2017 that he did not ask Kislyak to “refrain from escalating the situation” when then U.S. President Barack Obama imposed sanctions against Russia for its interference in the election. Flynn also wrongly said he did not remember further conversations with Kislyak, who claimed Russia was moderate in its response to those sanctions because of a request made by Flynn.</p><p>Flynn’s statements “impeded” and had a “material impact” on the FBI’s investigation into the existence of any links or coordination between individuals associated with the Trump campaign and Russia’s efforts to interfere with the 2016 presidential election, according to a <a href="https://www.nytimes.com/slideshow/2017/12/01/us/flynn-sanctions-russia/s/02dc-flynn-newdocs-slide-HJHZ.html" target="_blank">statement of offense</a> obtained by <em>The New York Times.</em></p><p>“Mr.
Flynn’s pre-inauguration discussions with Sergey I. Kislyak, the Russian ambassador, about foreign policy were part of a coordinated effort by aides running Mr. Trump’s transition into the White House, documents released as part of Mr. Flynn’s plea agreement show,” the <a href="https://www.nytimes.com/2017/12/01/us/politics/michael-flynn-guilty-russia-investigation.html?hp&clickSource=story-heading&WT.nav=top-news&module=Slide&region=SlideShowTopBar&version=SlideCard-1&action=Click&contentCollection=U.S.&slideshowTitle=Read%20Flynn%E2%80%99s%20Statement%20of%20the%20Offense&currentSlide=1&entrySlide=1&pgtype=imageslideshow" target="_blank">Times reports</a>. “In at least one instance, federal prosecutors say, Mr. Flynn was directed by a ‘very senior member’ of Mr. Trump’s presidential transition team.”<br></p><p>The senior member was not named, but members of the transition team included U.S. Vice President Mike Pence, Trump’s son-in-law Jared Kushner, and Trump’s first chief of staff Reince Priebus.<br></p><p>White House lawyer Ty Cobb released a statement and said that nothing about Flynn’s plea “implicates anyone other than Mr. Flynn,” according to the <a href="https://apnews.com/99bb8f75c5514af8b7e5ec77ea4f6f68?utm_campaign=SocialFlow&utm_source=Twitter&utm_medium=AP" target="_blank">Associated Press</a>. 
Cobb also said that “false statements involved mirror the false statements to White House officials which resulted in [Flynn’s] resignation in February of this year.”</p><p>Flynn has now pledged to cooperate with Mueller’s investigation, and released a statement via his legal team <a href="https://www.npr.org/2017/12/01/561238303/michael-flynn-sr-expected-to-plead-guilty-to-lying-to-fbi?utm_source=twitter.com&utm_medium=social&utm_campaign=npr&utm_term=nprnews&utm_content=202901" target="_blank">obtained by NPR</a> recognizing that his actions were wrong.</p><p>“My guilty plea and agreement to cooperate with the Special Counsel’s Office reflect a decision I made in the best interests of my family and our country,” Flynn said. “I accept full responsibility for my actions.”</p><p>As part of his plea agreement, Flynn has agreed to cooperate fully with Mueller’s investigation and offer information on “any and all matters” that prosecutors request. His sentencing has not been scheduled, but he could face up to five years in prison for making false statements to the FBI.</p>
https://sm.asisonline.org/Pages/How-to-Minimize-Cybersecurity-Vulnerabilities-Article.aspx | How to Minimize Cybersecurity Vulnerabilities | Cybersecurity<p>When it comes to cybersecurity, your chief objective should be to manage things proactively and on your terms, as opposed to constantly playing catch-up and responding to vulnerabilities only after they've been exploited.</p><p>Unfortunately, too many organizations, including the U.S. federal government, still operate in a reactive mode because they generally lack two things: 1) accurate visibility into their own IT infrastructure and the potential cyber vulnerabilities lurking there; and 2) up-to-date, accurate information to help them prioritize and manage their vulnerabilities from a risk-management perspective.</p><p>After a decade of experience consulting with U.S. federal agencies, I've found it all too common for organizations to have little to no insight into the End-of-Support/End-of-Life (EOS/EOL) dates for their software and hardware assets. Many also don't know the Common Vulnerability Scoring System (CVSS) scores of the vulnerabilities affecting their hardware and software assets.</p><p>This is understandable. Today, 31 million naming conventions exist for 2 million hardware and software products, including, for example, 16,000 ways that inventory tools refer to SQL Server. This lack of uniformity in how specific products are referred to results in a confusing hodgepodge of data that undermines most efforts at obtaining a comprehensive view of a network's IT asset inventory and risk profile.
The result is that IT managers often can't readily identify the network-attached assets on their approved and unapproved lists, nor the rogue assets that appear on neither.</p><p>Without this kind of intelligence and visibility into an enterprise's IT infrastructure, it's virtually impossible to deploy proactive practices and policies for addressing cyber risk. Imagine what could be done with a comprehensive view of all the network-attached assets that are EOL today, and those that will be EOL six months or a year from today. This information goes a long way toward taking a proactive position in prioritizing those vulnerabilities.</p><p>One approach, for example, is to take the list of assets that are EOL or nearly EOL, narrow it to the assets that are also unapproved, and then see which of those carry vulnerabilities with high CVSS scores.</p><p>Not only does this kind of visibility and knowledge tell IT security staff which assets they should focus on and when, but it also informs planners in advance of the budgeting, contracting, and logistical needs associated with replacing EOL hardware and software.</p><p>Having comprehensive information about vulnerabilities residing across the IT infrastructure enables IT managers to better understand their existing environments and proactively transition to their desired end-state environments. But this can't be done when significant blind spots cripple an agency's view of its infrastructure and vulnerabilities.</p><p>It is estimated that between 2016 and 2019, more than $3 billion in U.S. federal IT assets will become end-of-life. For each of these assets, this means there will be no patch management, no upgrades, and no more vendor service or support.
What may be less commonly known is that EOL assets are standing entry points for attackers and malware: the vulnerabilities found in them after the EOL date will never be patched.</p><p>Many of the most frequently exploited vulnerabilities, catalogued as Common Vulnerabilities and Exposures (CVE) entries, were first disclosed 10 to 15 years ago or more. And although these vulnerabilities are well known, they continue to be successfully exploited. That's because EOL software and hardware carrying these CVEs continue to live on federal networks, often without the knowledge of IT staff.</p><p>This is unnerving news if you're a chief information officer or a chief information security officer. It's even worse if you don't have accurate data to tell you exactly where your blind spots are and how to prioritize the mitigation of those vulnerabilities.</p><p>Identifying EOS/EOL dates is currently a manual, time-consuming process. One of the problems is that EOS/EOL data isn't built into the software itself, so security management professionals must find a way to centralize the data. Once they do, they must also update it continually, since the dates change over time. In addition, most organizations don't use software from a single vendor, so they need to gather this data from a variety of vendors, and then keep researching it per vendor and per product.</p><p>How can U.S. federal agencies and other enterprises of all sizes go from reactive to proactive? Here are four actions to get you started:</p><p>• <strong>Compile and review an inventory of your EOS/EOL assets.</strong> Knowing the EOS/EOL dates for all of your network-connected hardware and software provides more comprehensive cybersecurity risk awareness. And knowing which IT assets are EOL today, and which are destined to be EOL in the future, empowers security teams to get ahead of their risks so they can proactively mitigate them.</p><p>• <strong>Identify approved and unapproved IT assets.</strong> It is one thing to have approved and unapproved lists of IT assets. It's another thing to enforce them. Enable security teams to identify the hardware and software on their networks, including rogue assets that are unmanaged, and then break out which assets are approved and which are unapproved. It's just as important to identify which IT assets on your networks are on neither list and need to be reevaluated.</p><p>• <strong>Score your vulnerabilities with CVSS.</strong> Knowing the severity scores of the vulnerabilities affecting your assets, as published in the National Institute of Standards and Technology's National Vulnerability Database, contributes to better and more proactive decisions about how to direct your limited risk-mitigation resources.</p><p>• <strong>Focus on the marriage of EOL and CVSS data.</strong> Plotting your enterprise's riskiest assets (as measured by the CVSS scores of their vulnerabilities) against those at or near EOL offers a quick way to prioritize mitigation efforts and proactively neutralize potentially ticking time bombs on your network.</p><p>Taking these steps will go a long way toward helping you manage your vulnerabilities from a risk management perspective.</p><p><em>Clark Campbell works with U.S. federal IT teams to help them gain clearer insight into their IT assets. Clark is vice president of public sector at Flexera, the maker of Technopedia, a comprehensive source of IT asset information. He can be reached at ccampbell@flexera.com.</em></p>
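<p>The four actions above carried through on a constructed inventory, as an added example (written for this page; it is not Flexera's Technopedia or any other vendor's tool). It assumes a small regex table to collapse the different spellings inventory tools use for one product, Microsoft's published end-of-extended-support dates for the products named, and placeholder CVSS maxima that stand in for what a real run would pull from NIST's National Vulnerability Database; the approved/unapproved flags and the assessment date are constructed too.</p>

```python
"""Join a raw asset inventory with vendor end-of-life dates and vulnerability
severity to rank what to retire first: the four steps in the article, in code.
Written for this page as an illustration; it is not Flexera's Technopedia or
any other product. Inventory rows, the approved/unapproved flags and the CVSS
maxima are constructed placeholders; the EOL dates are Microsoft's published
end-of-extended-support dates."""
import re
from datetime import date
from typing import List, NamedTuple, Optional


class Asset(NamedTuple):
    host: str
    raw_product: str          # product string exactly as the discovery tool reported it
    approved: Optional[bool]  # True = approved list, False = unapproved list, None = on neither


# Constructed inventory: the same product shows up under three spellings.
INVENTORY = [
    Asset("db-01", "Microsoft SQL Server 2008 R2 (64-bit)", True),
    Asset("db-02", "MSSQL 2008R2 SP3", None),
    Asset("db-03", "SQL Server 2008 R2 Enterprise", False),
    Asset("db-04", "Microsoft SQL Server 2016 Standard", True),
    Asset("app-01", "Windows Server 2008 R2 Datacenter", False),
    Asset("app-02", "Microsoft Windows Server 2016", True),
    Asset("util-07", "FooCorp LogShip 3.1", None),   # hypothetical product with no catalog entry
]

# Precondition for everything else: collapse the spellings to one key.
# Regex over the raw string -> canonical vendor:product:version. In practice this
# table is large and maintained continuously; here it covers the sample spellings.
NORMALIZE = [
    (re.compile(r"sql\s*server\s*2008\s*r2|mssql\s*2008\s*r2", re.I), "microsoft:sql_server:2008r2"),
    (re.compile(r"sql\s*server\s*2016", re.I), "microsoft:sql_server:2016"),
    (re.compile(r"windows\s*server\s*2008\s*r2", re.I), "microsoft:windows_server:2008r2"),
    (re.compile(r"windows\s*server\s*2016", re.I), "microsoft:windows_server:2016"),
]

# Step 1: end-of-support dates per canonical product (vendor-published).
EOL = {
    "microsoft:sql_server:2008r2": date(2019, 7, 9),
    "microsoft:windows_server:2008r2": date(2020, 1, 14),
    "microsoft:sql_server:2016": date(2026, 7, 14),
    "microsoft:windows_server:2016": date(2027, 1, 12),
}

# Step 3: highest CVSS base score among unpatched vulnerabilities affecting each product.
# PLACEHOLDER numbers for illustration; real values come from NIST's NVD.
MAX_CVSS = {
    "microsoft:sql_server:2008r2": 9.8,
    "microsoft:windows_server:2008r2": 9.8,
    "microsoft:sql_server:2016": 7.5,
    "microsoft:windows_server:2016": 7.8,
}

AS_OF = date(2019, 9, 1)   # assessment date for the worked run; use date.today() on a live inventory


def normalize(raw: str) -> Optional[str]:
    """Map a tool-specific product string to its canonical key, or None if unrecognised."""
    for pattern, key in NORMALIZE:
        if pattern.search(raw):
            return key
    return None


def risk_rank(inventory: List[Asset], today: date, horizon_days: int = 365) -> List[dict]:
    """Step 4: marry EOL status, list status (step 2) and CVSS. Returns assets most
    urgent first, keyed on (already past EOL, EOL within horizon, unapproved, max CVSS)."""
    rows = []
    for asset in inventory:
        key = normalize(asset.raw_product)
        eol = EOL.get(key)
        days_to_eol = (eol - today).days if eol else None
        rows.append({
            "host": asset.host,
            "product": key,
            "eol": eol,
            "is_eol": eol is not None and days_to_eol <= 0,
            "eol_soon": eol is not None and 0 < days_to_eol <= horizon_days,
            "unapproved": asset.approved is False,                  # step 2: enforce the list
            "needs_review": asset.approved is None or key is None,  # on neither list, or unknown product
            "max_cvss": MAX_CVSS.get(key, 0.0),
        })
    # reverse=True keeps the sort stable, so equal rows keep inventory order
    rows.sort(key=lambda r: (r["is_eol"], r["eol_soon"], r["unapproved"], r["max_cvss"]), reverse=True)
    return rows


if __name__ == "__main__":
    for r in risk_rank(INVENTORY, AS_OF):
        print(f"{r['host']:8} {str(r['product']):32} eol={r['eol']} "
              f"past_eol={r['is_eol']} soon={r['eol_soon']} unapproved={r['unapproved']} "
              f"review={r['needs_review']} cvss={r['max_cvss']}")
```

<p>The ranking key puts already-EOL assets first, then those reaching EOL within the horizon, then unapproved ones, then the highest CVSS; the <code>needs_review</code> column catches the two gaps the article warns about, assets on neither list and product strings the normalizer does not recognise, which would otherwise silently score zero and drop to the bottom.</p>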
https://sm.asisonline.org/Pages/ENDURECE-BLANCOS-SUAVES-CON-PSIM.aspxENDURECE BLANCOS SUAVES CON PSIMGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p style="text-align:justify;">Los "blancos suaves" (del inglés <em>soft targets</em>) son aquellos que son fácilmente accesibles para el público, como centros comerciales, hoteles, y hospitales, y resultan especialmente vulnerables a ataques por mano de terroristas, criminales, y otros actores maliciosos. Los ataques recientes alrededor del mundo han aumentado la concientización sobre la necesidad de proteger estos espacios. Los practicantes de seguridad deben tener en mente que el deber de proteger una empresa se extiende desde sus empleados a cualquiera que ponga pie en su propiedad.</p><p style="text-align:justify;">En estos sitios, las soluciones típicas de seguridad física incluyen una separación clara entre las áreas públicas y las restringidas al personal, acceso controlado a áreas sensibles para prevenir entradas no autorizadas, y acceso limitado a las instalaciones fuera del horario comercial. Estas medidas dependen fuertemente en la implementación y gestión de niveles variantes de permisos de acceso para cada área, aplicando una combinación de tecnologías de seguridad. Incluso los mejores despliegues de estos sistemas no eliminan el riesgo; sino que ayudan al equipo de seguridad a contener las amenazas.</p><p style="text-align:justify;">Al contar con diversos sistemas, ésto se vuelve una tarea compleja que podría abrumar al personal de seguridad encargado del monitoreo, la identificación y la respuesta ante eventos. 
Para instalaciones multiuso, las soluciones de Gestión de Información para la Seguridad Física (PSIM) simplifican estos complicados procedimientos con alertas y acciones de respuesta automatizadas e inteligentes, junto con una conciencia situacional significantemente mejorada.</p><p style="text-align:justify;"><strong>Alerta</strong></p><p style="text-align:justify;">Cada vez que un individuo no autorizado ingresa a un área privada o sensible, las organizaciones deben tratar al incidente como sospechoso a menos que y cuando sepan que hay una razón válida para el ingreso. Y, tras cualquier brecha de seguridad, ya sea intencional o accidental, malintencionada o inofensiva, cada segundo cuenta. Ésto enfatiza la necesidad fundamental de que los operadores y el resto del personal de seguridad sepan sobre la situación lo antes posible. Con automatización y la capacidad  de integrar de forma fluida múltiples sistemas en una sóla interfaz, las soluciones de PSIM pueden acelerar el proceso de alerta para mejorar la conciencia y la respuesta.</p><p style="text-align:justify;">Por ejemplo, se podrían desplegar sistemas integrados de control de acceso y videovigilancia inteligente para alertar al personal cuando alguien ingresa a un área restringida, tal como un centro de datos, fuera del horario laboral. Cuando una alerta proviene del sistema de control de accesos, la solución PSIM puede invocar automáticamente la transmisión de video asociada con el evento, proveyendo a los operadores visibilidad directa sobre la situación.</p><p style="text-align:justify;">Otra alerta podría ser disparada por un informe o descripción inicial entregada por un usuario móvil. En este caso, la PSIM podría correlacionar los datos con transmisiones de cámaras de videovigilancia cercanas, y otros sistemas. 
Sin importar cuál sea la fuente de la alerta, la solución se asegura de que los operadores tengan acceso instantáneo a información valiosa que les permita analizar rápidamente la situación e iniciar una respuesta apropiada, basada en un completo entendimiento del incidente.</p><p style="text-align:justify;"><strong>Respuesta</strong></p><p style="text-align:justify;">Una vez que se ha generado una alerta, deben existir acciones prestablecidas para ayudar al personal a determinar el camino a seguir para resolver una situación lo más pronto posible. En muchos casos, no es necesaria ninguna respuesta. Por ejemplo, si un individuo sostiene una puerta abierta por unos segundos, el sistema de control de accesos puede generar una alerta que indique que la puerta está siendo bloqueada. Usando material videográfico asociado con la acción, un operador puede terminar en segundos si ésto fue realizado para permitir un ingreso no autorizado o si la persona entrando simplemente se detuvo un momento para leer su teléfono móvil. Sin la capacidad que ofrece la videovigilancia, tendría que enviarse a un guardia para que evalúe la situación: es decir, no sería el uso más eficiente de tiempo y recursos.</p><p style="text-align:justify;">Dado el considerable número de alertas no accionables que los operadores reciben durante sus turnos, pueden no estar preparados para un evento que sí requiera acción, más allá de qué tan bien hayan sido entrenados. Ésto puede causar confusión y estrés, lo que puede complicar la situación y conducir hacia el caos. Contar con procedimientos operativos estandarizados (POEs, SOPs en inglés) bien deinifidos para que guien a los operadores y a otros a través de cada proceso reduce el potencial de estrés, pánico, o confusión, los cuales contribuyen a una alta probabilidad de errores humanos. 
However, SOPs that are complicated or hard to locate will do nothing to reduce this likelihood.</p><p style="text-align:justify;">PSIM can automate many of the most mundane and basic steps to simplify processes and allow operators to concentrate solely on the critical tasks that require human intervention, such as determining whether a person detected through video surveillance actually represents a threat. This lets personnel quickly assess the situation and determine the most appropriate response.</p><p style="text-align:justify;"><strong>Real-Time Situational Awareness</strong></p><p style="text-align:justify;">When responding to an incident, it is important that guards, first responders, and others have the most complete information possible to ensure the most effective and efficient response.</p><p style="text-align:justify;">Integrated systems improve this awareness by gathering large amounts of data from various systems, which can be combined to evaluate an incident. While manually checking countless systems to obtain and sort this information is not feasible, automated PSIM solutions put all the relevant information at operators' fingertips. This allows security personnel to make quick and accurate decisions based on a complete picture of the event; easily share information in real time with the appropriate responders; and coordinate the response among all the parties involved. This collaboration provides critical situational awareness to those responders, who can then make more informed decisions that enable an agile response to help keep the incident from unfolding further.</p><p style="text-align:justify;">When facilities with multiple levels of access privileges must be protected, a wide variety of challenges arises.
By deploying a PSIM solution to bring together the decisive information, organizations can overcome the challenges they face while increasing security for these potentially complex applications.</p><p style="text-align:justify;"><strong><em>Simon Morgan</em></strong><em> is the director of technology (CIO) of SureView Systems.</em></p><p style="text-align:justify;"><em>The translation of this article is provided as a courtesy by Ari Yacianci. </em>Security Management<em> is not responsible for errors in translation. Readers can refer to the original English version here: https://sm.asisonline.org/Pages/Harden-Soft-Targets-with-PSIM.aspx</em><br></p>
https://sm.asisonline.org/Pages/What's-New-in-Access-Control.aspx What's New in Access Control? (Physical Security)<p>Innovation in access control is quietly heating up. The industry is ready to implement innovations on a broad scale that have been just out of reach. Demand for virtual credentials is growing, facial recognition technology is both technically and economically feasible, and migration to the cloud is increasing—and increasingly beneficial. Over the next few years, market adoption of these advances will transform the ways security professionals operate and organizations benefit from their access control systems. </p><p><strong>Virtual credentials and mobile access technology</strong></p><p>The demand for virtual credentials and mobile access is intensifying, driven in part by younger members of the workforce who never go anywhere without their smartphones. Suffice it to say, most employees wouldn't turn their cars around for a forgotten physical credential, but they'll certainly restart their commutes to collect forgotten smartphones. </p><p>The benefits are simple: convenience, compliance, and satisfaction of workforce demand. Everyone carries their phone, security professionals enhance their management capabilities, and employees can stay on the move. By including the credential in a mobile device, embedded in an app, organizations can also provide novel security capabilities, such as threat reporting and virtual photo ID. </p><p>The good news is that virtual credentials and mobile access technology have progressed to the point that they are easier to implement. Migration is straightforward, and implementation does not need to be all-or-nothing. Instead, it can be taken in phases, leading to an interim hybrid approach that includes physical and virtual credentials.
</p><p><strong>Facial recognition</strong></p><p>Facial recognition offers the advantage of using existing access control rules, while reducing the friction of the user experience. </p><p>Picture a busy New York City high-rise office building with turnstiles that control access to an elevator lobby. There are always a few employees who have to search their pockets or backpacks to fish out a physical credential. Implementing facial recognition eliminates that bottleneck. The software scans people as they approach the turnstile and transmits a virtual credential to the access control system. Where a line might otherwise have formed, authorized employees now pass through turnstiles efficiently. </p><p>Facial recognition access control is no longer out of reach. Today's computing power can be combined with increasingly high-definition cameras and advanced recognition algorithms to bring the costs of implementation way down. </p><p><strong>Access control in the cloud</strong></p><p>The access control server is the nerve center of an access control system, but it no longer needs to physically exist. The increasing prevalence of the cloud eliminates that necessity. </p><p>Rather than requiring the maintenance of a physical server, a cloud service can handle, with speed and convenience, everything a hardware box used to. This advance allows for increased scalability. And it provides flexibility in how security professionals purchase and use access control servers. Now the integrator or manufacturer can reduce end user burden and cost by ensuring that systems are backed up and updated remotely.</p><p><strong>What's next?</strong></p><p>Innovations in access control systems will drive the industry over the coming years. Novel credentials, such as mobile access and face recognition technology, combined with cloud-based servers will deliver an altogether improved experience. </p><p><em>John L. Moss is CEO of S2 Security.</em></p>
https://sm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx GridEx IV Tests The North American Power Grid (Security by Industry)<p>The North American power grid is completing its largest biennial exercise today, called GridEx, with its highest number of participants since it was launched in 2011 by the North American Electric Reliability Corporation (NERC).</p><p>More than 5,000 electric utilities; regional and federal government agencies in law enforcement, first response, and intelligence community functions; critical infrastructure cross-sector partners; and supply chain stakeholders participated in GridEx IV, a biennial exercise designed to simulate a cyber/physical attack on electric and other critical infrastructure across North America.</p><p>The exercise promotes a strong learning environment and collaboration between industry and the public sector to "enhance the security, reliability, and resiliency" of the bulk power system, said Charlie Baradesco, CEO of NERC.</p><p>Exact details of the exercise are not released due to security concerns. But it is similar to the other GridEx exercises in that it has participants work through their incident response plans, practice their local and regional response, engage interdependent sectors, improve communication skills, engage senior leadership, and compile lessons learned. The exercise, however, has no impact on the real electric grid.</p><p>GridEx IV is a "series of escalating scenarios in which the system is stressed continually further," says Tom Fanning, Electricity Subsector Coordinating Council cochair and chairman, president and CEO of Southern Company.
"Consider the joint effects of a cyber and kinetic attack that, as time goes by, creates greater consequences to our ability to undertake commerce…what we're looking for are the potential friction points or breaks in the system. That's how we learn."</p><p>Also new this year is an emphasis on communication with the public, incorporating social media response and fake news mitigation, says Marcus Sachs, CSO of NERC. On the first day of the exercise, participants uploaded photographs of simulated damage, explosions, and news stories to test how that information would play out. </p><p>"Allowing that to play out in an exercise space…shows how the simulation is a good replication of real world problems that we face," Sachs says.</p><p>The exercise also pulls in other industry stakeholders outside of the utilities sector, such as finance and telecom, because the utility sector is dependent on these to get the grid back up and running should an incident occur.</p><p>"We're taking the Russian nesting doll approach to preserving our system when it's under duress," Fanning adds. "We're dependent on telecom—we've got to be able to talk to our people in the field."</p><p>While a cyberattack has never turned off the power in North America, stakeholders must remain vigilant, Baradesco added in a call with reporters on Thursday. GridEx helps ensure "we remain as prepared as possible."</p><p>More than 400 executives—from government and the private sector—are also involved in this year's GridEx, participating in tabletop exercises to work through how they would handle an attack on the grid. </p><p>This participation is critical, Sachs says, because "security starts at the top."</p><p>And this commitment to getting those at the top involved in the exercise sets GridEx apart from other exercise scenarios, says Brian Harrell, CPP, vice president of security at AlertEnterprise.
</p><p>"While federal partners have often incorporated losing critical grid components within their exercise scenarios, GridEx is the only event that has industry CEOs, trade associations, government partners, academia, and utility subject matter experts responding to a grid reliability scenario," Harrell says.</p><p>Harrell is the former operations director of the Electricity ISAC and director of critical infrastructure protection programs at NERC. He helped launch the first GridEx in 2011 because, as the largest machine on the planet, the North American power grid requires constant maintenance, monitoring, and continuous learning.</p><p>"Exercises are a key component of national preparedness—a well-designed exercise provides a low-risk environment to test capabilities, familiarize personnel with security policies, and foster interaction and communication across organizations," Harrell adds.</p><p>Participation in GridEx is voluntary, but Harrell says there is value for utilities to participate—even if in a limited capacity. </p><p>"Reviewing the security response to the grid's critical components, such as generators, large substations, and transmission lines during a disruptive, coordinated attack on the grid will help industry understand how to make the system more secure," he says.</p><p>Other industries—both those inside and outside the United States—run exercises to test specific response plans, policies, and procedures. But these exercises tend to focus on reliability issues, as a result of supply shortages, natural disasters, and catastrophic failure, Harrell explains.</p><p>"Very few exercises incorporate a coordinated physical and cyberattack scenario designed to destroy critical infrastructure components," Harrell says.</p><p>This has become all the more important after the cyberattack on Ukraine's electric grid in December 2015, which resulted in the first known loss of power due to a cyberattack. 
</p><p>"The United States has never experienced a massive cyberattack-related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware, and advanced persistent threats (APTs) left behind on computers by phishing attacks," Harrell says. "The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous."</p><p>Once GridEx IV is completed, participants will begin to share lessons learned, which NERC will compile into an after-action report. That report, according to officials on Thursday's call, is expected to be released in March 2018.</p>
https://sm.asisonline.org/Pages/School-Lockdown-Procedure-Prevented-Tragedy-in-Rancho-Tehama.aspx School Lockdown Procedure Prevented Tragedy in Rancho Tehama (Physical Security)<p>Students were running around on the playground and parents were dropping their children off at Rancho Tehama Elementary School Tuesday morning when the school secretary heard the first gunshots fired by Kevin Neal up the road. Without delay, the administrators started a reverse evacuation and lockdown procedure, whisking children and parents alike into the elementary school. By the time Neal—who was on a shooting rampage throughout the small town—arrived at the campus, two-thirds of the school’s 100 students were inside, said district superintendent Richard Fitzpatrick. </p><p>The school’s head custodian saw Neal crash his truck into the school’s gate and begin walking toward the facility, so the custodian stepped out and distracted him while the rest of the students were ushered into safety. Neal began firing but his gun jammed, providing essential seconds for the custodian to escape.</p><p>"The custodian's actions in diverting the attention from the shooter at that time gave us the much-needed seconds to complete the (lockdown) process," Fitzpatrick said in a Wednesday press conference. "That amount of seconds was critical."</p><p>Through surveillance video, Neal can then be seen going from door to door trying to find an entry, and when he failed, he began shooting through the school’s walls, windows, and doors. One child received gunshots in his chest and right foot while crouching under a table inside the classroom and is in fair condition at a local hospital.</p><p>Neal was unable to find an unlocked door to access the students, parents, and staff in the school, so he left the campus and was shot and killed by police a short time later.
Fitzpatrick acknowledged that while one student was seriously injured, the incident could have ended much worse.</p><p>"The reason that I'm standing here today and I'm able to speak to you without breaking down and crying is because of the heroic efforts of our school staff," Fitzpatrick said.</p><p>Paul Timm, PSP, vice president at Facility Engineering Associates and a member of the ASIS School Safety and Security Council, says that the school’s straightforward and efficient lockdown procedure was the result of a heightened level of awareness.</p><p>“We are in a time of heightened awareness,” he tells <em>Security Management</em>. “This is following the events of Las Vegas, New York, and Texas. While only one of those involved a school, at the forefront of our minds is that there could be some kind of violence that takes place in our communities. One was a concert, one was a church, and one was right during dismissal time near a bike path before a parade. I think that helps everybody because we’re thinking, ‘how would I respond, what would I do, are we prepared?’ And that had to help them.”</p><p>Timm encourages school officials to always err on the side of caution when it comes to enacting lockdown or evacuation procedures—he notes that Rancho Tehama administrators began lockdown procedures before seeing the threat or being alerted by law enforcement. </p><p>“Not many of us really know, genuinely, what gunshots will sound like, and in Rancho Tehama they were able to just say, ‘I’m not going to assess whether that’s a real gunshot or not, we’re just getting in motion,’” Timm notes. “I think that erring on the side of caution is always the best thing to do. 
We can always say ‘whoops’ if someone got excited over a balloon popping and went into lockdown, but you’d much rather see them err on that side than someone investigating and finding out we’re not where we should be and we’re in big trouble.”</p><p>Timm has been in the school security industry since before the Columbine High School shooting, and says that, despite the relative regularity of incidents at schools, he often hears that people don’t want to increase school security. “Sometimes people say to me that it’s a shame that we have to live in a time where these things happen and we have to keep schools locked down,” he says. “I like to equate it to vehicle safety—in the 70s you could buy a car that didn’t have seatbelts and car seats were nonexistent. That doesn’t mean it was better back then—it wasn’t. It might be less comfortable, but let’s face it, it’s safer to wear a seatbelt, to have kids in car seats. Whenever schools are questioning whether or not basic access control, emergency preparedness, and communication systems and capabilities are necessary, I don’t think it’s sad—I think the safer way to go is generally the better way, as long as we can keep perspective. I don’t want schools to look like Fort Knox either, but I do want them to be safer than they are today.”</p><p><em>For free school security resources compiled by ASIS, visit <a href="https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Spotlight-on-School-Security.aspx" target="_blank">https://www.asisonline.org/Membership/Member-Center/Security-Spotlight/Pages/Spotlight-on-School-Security.aspx</a>.</em><br></p>
https://sm.asisonline.org/Pages/Securing-Service--How-Security-Is-Helping-The-Children-Of-Camden-County.aspx Securing Service: How Security Is Helping Camden County’s Children (Security by Industry)<p>The environment in which children grow up can shape their behaviors and influence their health, studies show. The social and economic features of a community can have major implications on mortality, general health status, disabilities, birth outcomes, mental health, injuries, violence, and other important health signs, according to a brief published by the Robert Wood Johnson Foundation Commission to Build a Healthier America.</p><p>Camden City in Camden County, New Jersey, is directly across the Delaware River from Philadelphia, Pennsylvania. Although it is surrounded by some of the wealthiest communities in New Jersey, it’s ranked the poorest and most crime-ridden city in New Jersey. Neighborhood Scout—an online research group—ranked Camden City as the fourth most dangerous city in 2017. </p><p>This is because with a population of 70,309 people, Camden City had 1,895 violent crimes in 2014—meaning the city averaged 25.66 violent crimes per 1,000 residents. That rate is six times higher than the national average of 3.8.</p><p>Additionally, Camden City is among the poorest cities in the nation. The unemployment rate is 30 to 40 percent, with a median household income of $26,000.
In 2011, a <em>Rolling Stone</em> report found that a quarter of a billion dollars was being made in revenue from about 175 open-air drug markets, but the annual tax income was only $24 million.</p><p>Virtua is a large healthcare system serving southern New Jersey that provides care through three hospitals (Virtua Marlton, Virtua Memorial, and Virtua Voorhees), three health and wellness centers, two long term care and rehab centers, three medically-based fitness centers, 16 mobile intensive care units, and a variety of outpatient health services. Virtua also has two satellite emergency departments.</p><p>The healthcare system’s mission supports health, wellness, and accessibility to all. Beginning in late 2013, Virtua began making strides to promote the health and well-being of the children in Camden City when the Early Intervention Program (EIP) became a comprehensive agency in Camden County.</p><p>EIP provides a variety of therapeutic and support services to help infants and toddlers with developmental issues. As part of the program, practitioners—including physical therapists, occupational therapists, speech-language pathologists, social workers, special education teachers, behaviorists, and teachers—help children from birth to age three overcome delays.</p><p>During 2011, 2012, and most of 2013, most of those in Camden City who were eligible for EIP had difficulty receiving timely services. Services are considered timely when they start within 30 days of a plan being written. Camden City’s national reputation as a high crime area made it difficult for healthcare providers to ensure their own safety, limiting their ability to respond to requests for services through EIP.</p><p>In 2013, more than 200 children in Camden County waited more than 30 days for their services to start—waiting an average of 48.39 days with a longest wait of 121 days. 
This not only affected families in Camden County, but also held up other children on the list for services, because if the first child on the waitlist was from Camden City, he or she had to receive services before other children further down the list could receive services. With no practitioners available, the number of children served decreased over time while the wait time for services increased.</p><p>The security department of 19 full-time employees and several part-time employees assigned to the Virtua Camden campus provides routine and emergency services to the entire campus, as well as other services: producing ID badges, managing beepers, managing the lost and found, receiving package deliveries, handling patient belongings and valuables, and providing nuclear medicine escorts and vehicle assistance.</p><p>When the notion of providing security escorts to EIP staff was proposed, the security department rose to the challenge. Each officer volunteered to be available for patient visits, realizing how important it was for young children in Camden to receive the EIP services.</p><p>To set up a security escort, EIP staff would call the security department—at least two days before the service was needed but no more than five days in advance—and provide the date the service was needed, the pick-up time, and the drop-off time. EIP staff also shared their cellphone number so they could be reached.</p><p>The security department then logged the information into an Early Intervention & Home Care Security Escort Form that included the practitioner’s name, cell phone number, and estimated start and end times. Then, from a list of available officers, the department would contact officers to fill the security escort—preference was given to non-overtime per diem, part-time, and pool officers. If a security officer was not available, the department would contact the EIP manager.
</p><p>When practitioners arrived on campus, the assigned security officer would travel with the practitioner—in his or her personal vehicle—to the appointment location. The officer then stayed stationed outside the location, unless specifically invited to enter, to respond to any signs of distress and to protect the practitioner’s vehicle. </p><p>The value and success of the security escort program sustained the EIP’s growth. Within a few months, the security escort service expanded as the department became critical in supporting the EIP. In December 2013, the department provided 20.75 hours of security escorts per month, and the average wait time for children waiting for services dropped from 48 days to 12.</p><p>By October 2014, the service had expanded to provide 83.50 hours per month, and continued to grow. A mother and her child were also invited to a holiday staff meeting to share their experience with the EIP and the difference the service made to her family.</p><p>The mother explained that children only have a small window of time to receive early intervention services, because when they reach 36 months of age, they are no longer eligible to receive services. By reducing the wait time for services, the security department was able to ensure more children were reached, and their needs were identified and addressed.</p><p>In 2015, the security department saw a decrease in the number of calls it was receiving for escort services. Department leadership contacted the EIP leadership to discuss the decrease, and found that EIP staff had become more comfortable providing services within Camden City without a security presence. The EIP staff said they felt welcomed by the residents and that the residents knew they were providing valuable services to the children of Camden.
</p><p>Meanwhile, the number of services that the EIP provides has continued to grow in Camden County—increasing from 284 in 2012, to 294 in 2013, 4,123 in 2014, 6,302 in 2015, and 7,978 in 2016.</p><p><em>Maria P. Emerson, MA, CCC-SLP, is the director of the Virtua Early Intervention Program. Maria Franchio, PT, is AVP of Virtua Rehabilitation Services. Dana Gussey is a public health major at Stockton University and an intern in the Virtua Safety Department. Paul Sarnese is the AVP of safety, security, and emergency management for the Virtua Safety Department.</em></p>
https://sm.asisonline.org/Pages/Highway-to-Hurt.aspx Highway to Hurt (Physical Security)<p>Smuggling is a serious crime, but when the cargo being smuggled is human, the crime can go beyond serious, into the realm of the tragic.</p><p>A particularly horrid example of this came about last July, when authorities found the gruesome results of a criminal smuggling enterprise: 39 undocumented immigrants, nine dead (a tenth died later) and the rest needing hospitalization, lying in a tractor-trailer parked at a Walmart in San Antonio, Texas. The trailer had contained an estimated 70 to 200 illegal aliens total during its journey, according to court records. </p><p>A few weeks later, U.S. Immigration and Customs Enforcement (ICE) officials reported that the San Antonio incident was only one of four that had occurred in nearby areas, all within a few weeks’ time. Although the other three did not involve loss of life, they were still disquieting; in one of the incidents in July, border agents in Laredo, Texas, found 72 people from Mexico, Ecuador, Guatemala, and El Salvador locked inside a trailer. Border security leaders pledged to fight the problem. </p><p>“This horrific crime…ranks as a stark reminder of why human smuggling networks must be pursued, caught and punished,” ICE Acting Director Thomas Homan said after the San Antonio incident. “[ICE] works year-round to identify, dismantle, and disrupt the transnational criminal networks that smuggle people into and throughout the United States. These networks have repeatedly shown a reckless disregard for those they smuggle.” </p><p>How do these human smuggling operations work?
Often, the process begins a few months before the smuggling, in a country such as Mexico, Guatemala, or Honduras, where sizable numbers of people are looking to emigrate, according to an investigation and review of court documents by the Associated Press. Those seeking to cross the border get to the Mexican–U.S. border region, and then cross by foot or river raft. They are then picked up by a tractor trailer somewhere past the border. The stressful traveling conditions make them vulnerable—dehydration, hyperthermia, and asphyxiation have been among the causes of death in truck cases.</p><p>One analyst, the U.K.-based global risk firm Verisk Maplecroft, warns companies that an increase in human smuggling activity could have ramifications for supply chain security. “Under the Trump administration, businesses with supply chains that rely on low-skilled, temporary migrant labour will face increasing risks of modern slavery in their workforce,” the firm says in one of its risk reports for 2017.</p><p>Verisk Maplecroft outlines the risk involved as follows. The construction of a U.S.–Mexico border wall, or stricter enforcement of deportation rules, will not reduce the appeal of migration for thousands of Latin Americans. But it could increase trafficking costs and deepen migrant worker debt, making migrants more vulnerable to exploitation. Suppliers in agriculture, construction, manufacturing, hospitality, and transport would be most exposed to supply chain risk. </p><p>Emigration-related schemes are not the only form of human smuggling that ICE and its allies are fighting. Human trafficking for the purposes of coerced sex trade operations also continues—a practice that groups like Truckers Against Trafficking (TAT) are trying to help eradicate. </p><p>The group, a 501c(3) nonprofit, takes an all-hands-on-deck approach and partners with members of the trucking and truck stop industries, law enforcement officers, and trafficking survivors to fight human trafficking. 
The group’s educational efforts include a 36-minute video that offers an overview of the trafficking issue, as well as four-hour training sessions for law enforcement officers such as the state highway patrol, according to Kylla Lanier, deputy director and cofounder of TAT.</p><p>Included in this training are case studies from officers who stopped a truck for a violation, and then upon closer inspection detected a trafficking incident. In the case studies, officers give a breakdown of the indications that tipped them off, and offer advice and best practice guidance for other officers. </p><p>For example, the passengers in the truck may exhibit some telling signs and behaviors, Lanier explains. “If the passengers are young, are they afraid to look at you? Are they acting like normal kids, or are they looking really scared?” she says. Sometimes, the passengers may have branding tattoos or bruises from physical abuse, and may be carrying many hotel key cards. Officers who speak with the driver and passenger separately sometimes find out that their respective stories do not match, or even make much sense. </p><p>Traffickers exploit locations as well as victims, she adds. They will look for rest stops and other areas that are not well lit, without visible security, and which have a captive audience of drivers rolling through. “That’s where they will bring their victims to,” she explains. TAT works with truck stop industry partners to help make their facilities safer and more secure. </p><p>TAT also works closely with sex trafficking survivors; the group has two on staff. Survivors are key in the antitrafficking movement, because they can change perceptions about the sex trade. </p><p>Prostitution is “a vicious evil system” that has been whitewashed as a victimless crime, Lanier says, in part through unrealistic portrayals like the movie Pretty Woman.
In reality, the vast majority of those in the trade are being prostituted against their will, in hotels, motels, and rest areas, and are “cruelly raped and beaten within an inch of their lives,” she explains.</p><p>“It’s not the oldest profession,” Lanier says, “it’s the oldest oppression.” One study found that the rate of post-traumatic stress disorder among prostitutes is equal to that of war veterans, she adds. </p><p>Given this, having the survivor’s voice in the issue is vitally important, because they can discuss the victim’s experience and point of view and “what’s going on behind the scenes,” Lanier explains. So, when people assume the survivor turned to prostitution to support a drug habit, the survivor can tell them it was just the opposite—being forced into the sex trade made the victim turn to drugs and alcohol. </p><p>Such compelling stories from survivors have helped the antitrafficking cause spread awareness, and the cause has made inroads. And on the legislative front, other advocacy groups such as Polaris pressured the U.S. House of Representatives into reauthorizing, in July 2017, the Trafficking Victims Protection Act, which was created in 2000. </p><p>But in the end, demand for prostitution needs to be reduced so that further inroads can be made, and that will take “a societal paradigm shift,” Lanier says.</p>
https://sm.asisonline.org/Pages/Slipping-Through-the-Cracks.aspx Slipping Through the Cracks (National Security)
<p>Federal, state, and local law enforcement agencies will soon have their pick of surplus U.S. military gear, including grenade launchers and high-caliber weapons, after U.S. President Donald Trump rolled back an Obama-era action curtailing the transfer of military equipment to police.</p><p>The U.S. Department of Defense (DoD) Law Enforcement Support Office (LESO) program was reined in by then-President Obama in 2015 after a spate of killings by police sparked public outrage. </p><p>Law enforcement agencies could still acquire medical supplies, training devices, protective gear, and some lethal weapons through the reduced LESO program, but the full range of excess military equipment was unavailable.</p><p>The program has been fully reinstated. Concerns about the program’s ability to properly disseminate the military equipment were raised even before Trump expanded the policy. While investigating the LESO program, a congressional watchdog agency stumbled upon an “ineligible entity” that had categorized itself as a federal agency and successfully gained access to military equipment. The U.S. Government Accountability Office (GAO) notified DoD and learned that the case was already being investigated. </p><p>But at one point the entity had been approved to use the LESO program. So in late 2016, GAO decided to figure out how this happened by creating its own fraudulent federal agency and applying to the LESO program. 
The investigation ended up going much further than researchers initially expected.</p><p>“We noticed that one of the participants in the program had a somewhat unusual name, and we weren’t aware of a federal agency having that particular name,” explains Zina Merritt, director of GAO’s Defense Capabilities and Management Team. “We kept looking at the processes through which DoD provided this equipment to federal agencies, and we decided that it would be appropriate to task the internal controls through using our investigative capabilities to see how vulnerable the program potentially was.”</p><p>The Defense Logistics Agency (DLA) manages the LESO program, which has provided more than $6 billion in excess DoD property to more than 8,600 agencies since 1991. While GAO was investigating the program, before Trump expanded access to equipment, about 4 to 7 percent of the property was sensitive and could not be released to the public. GAO has studied the LESO program before, and upon the most recent review found that most policy enhancements had occurred at the state and local level; few had been made in regard to federal agencies.</p><p>GAO researchers submitted a fake application that included a fictitious agency name, number of employees, point of contact, and physical location. They were surprised when, in early 2017, the nonexistent agency was approved to participate in the LESO program. </p><p>“We thought they would have noticed that our Web address was not a .gov address,” Merritt says. “We thought they would probably call us and verify some of the information, and they did not—correspondence was mostly by email. They asked us for the statute that created our particular organization, and we sent them a bogus statute, but they didn’t catch that. 
We left them a lot of bread crumbs but we didn’t get caught, and we thought we would get caught along the way—we were hoping that we would get caught.”</p><p>The investigators were given access to the program’s online portal to request property and selected more than 100 items, including night vision goggles, simulated rifles, and pipe bomb trainers—items that could be made lethal if modified with commercially available items. </p><p>When researchers went to pick up the items from disposition sites, they were able to pass security checks and enter the warehouse—two of the three sites did not check the investigators’ identification. They also were given more items than they were approved to receive.</p><p>When Merritt and her team disclosed their investigation, she says DLA officials were surprised by the results. </p><p>“Not only could we gain access to the program, but, we identified other weaknesses at the disposition sites, such as people not checking IDs or people not counting the items we were provided,” she says. “You have to keep in mind that we could have gotten other items such as actual rifles, Humvees, and things like that—we just opted not to get those things. But once approved, you can get lethal items as well.”</p><p>Merritt notes that in the midst of the GAO investigation, however, DLA officials had already begun to strengthen the LESO application process. </p><p>“They were creating memorandums of understanding with the federal agencies applying; that’s something they didn’t have prior,” Merritt tells Security Management. “However, they just had not gone a step further to actually have federal coordinators for the federal participating agencies. That’s a step they did after we completed the review.”</p><p>Following the GAO report’s release in July, Merritt testified before a U.S. 
House of Representatives subcommittee about the findings and further recommendations, including revising procedures for approving applications, conducting a fraud risk assessment to mitigate risk, and ensuring that officials verify the identification of people picking up items as well as the number of items retrieved. Merritt has seen other improvements to the program already, including in-person visits to LESO-involved agencies and making sure applicants are eligible to take part in the program.</p><p>“I think now, at least with the process of applications, they are ensuring they’re legitimate agencies—that’s where the principal breakdown was,” Merritt explains. “The first step was at least having better oversight and processes to prevent entities that were not eligible to participate to gain access in the first place.”</p><p>The flow of military equipment isn’t just a problem in the United States. DoD runs another program that provides military equipment to Iraqi security forces, including the Kurdistan Regional Government forces, to fight ISIS. </p><p>Since 2015, about $2 billion in equipment, such as weapons and vehicles, was funded through the Iraq Train and Equip Fund (ITEF), sent overseas, and transferred to the governments. However, another GAO report found that the transfer of equipment has not been properly documented due to data reporting and interoperability issues.</p><p>The report, DoD Needs to Improve Visibility and Accountability Over Equipment Provided to Iraq’s Security Forces, looks at how DoD tracks the status of the equipment from acquisition through transfer to foreign governments. 
</p><p>Jessica Farb, director of internal affairs and trade at GAO, tells Security Management that personnel were not properly using the Security Cooperation Information Portal (SCIP), a Web-based tool that tracks the equipment flow.</p><p>“What we found was that by not using the SCIP, which is not just for Iraq but all cooperation matériel that we provide to partnered nations, DoD broadly could not have complete visibility and be able to account for everything that was going on because the system had missing information,” Farb says. </p><p>Of the 566 requisitions marked complete that GAO studied, fewer than half had the arrival date of the equipment at the point of departure in the United States recorded, and none had information on when the equipment was shipped from the United States, when it arrived in Kuwait or Iraq, or when it was transferred to the foreign governments. </p><p>Additionally, the report found missing documentation from equipment transfers to Iraq and Kurdistan governments—more than half of the forms were missing the date of transfer and case identifier information. Officials said they issued verbal orders requiring case identifier information to be included on the forms, but GAO noted that the program’s standard operating procedures do not include that requirement.</p><p>“By not capturing the transfer dates of ITEF-funded equipment..., DoD components’ visibility over the amount of ITEF-funded equipment transferred to the government of Iraq is limited,” the report explains. The missing transit information means that DoD cannot ensure that the equipment has reached its intended destination.</p><p>GAO didn’t issue any recommendations because it could not pin down why SCIP was not being used to document the transfer of equipment. The system itself may not be importing data correctly from other DoD data systems, but there is also a lack of clear procedures for reporting the data, the report notes. 
</p><p>“Essentially, that’s why we made a recommendation about DoD looking at the root causes, because it wasn’t easy for them or for us to identify what the single cause was,” Farb explains. “Was it people not entering information, or was it interoperability issues? We didn’t really come to the conclusion that one is the biggest or the single most important issue.”</p><p>Greg Schneider, CPP, president of security consulting company Battle Tested Solutions, LLC, says both reports demonstrate the lack of control measures in such military equipment supply chains. Transferring American-made weapons to foreign governments has been a quagmire for many decades, he says, because of how easily they can fall into the wrong hands.</p><p>“Sometimes weapons that are funded for one cause can get retasked and repurposed, or sometimes go missing, because sometimes no one wants to leave any traces if they want to get arms into the hands of other people,” Schneider notes. “In Iraq and Kurdistan, there are so many different parties at play, and you have other parties on the outside that are watching with great interest the whole process of the United States delivering weapons to the Kurds because maybe they don’t like the Kurds.” </p><p>Meanwhile, Farb says GAO will continue to help DoD figure out why transfer dates for ITEF-funded equipment aren’t being recorded. Current ITEF funding ends next fall, and Farb notes that the new administration has set up a program that would both equip and train Iraq and Syria to oppose adversaries. </p><p>As for the LESO program, Merritt says GAO does not take a position on the recent change in policy, but reaffirms that as long as the program continues, the agency will be paying close attention to DoD’s efforts to rectify the lapses in security. </p><p>“The way we view it is one item of this type getting into the wrong hands is one item too many,” she says. 
“We just can’t emphasize that enough.” </p><p>ASIS International's <a href="https://www.asisonline.org/Standards-Guidelines/Documents/SCRM_Executive%20Summary.pdf" target="_blank">Supply Chain Risk Management Standard</a>, developed by a global, cross-disciplinary technical team in partnership with the Supply Chain Security Council, helps organizations address operational risks in their supply chains, including risks to tangible and intangible assets.</p>
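<p>The three control gaps the two GAO reviews above describe (an ineligible applicant approved without its non-.gov web address or bogus statute being noticed, disposition-site pickups that handed over more than was approved with no ID check, and SCIP requisitions marked complete with no shipment or transfer dates) are each a record-level check that an issuing or tracking system could run before a request is approved or a case is closed. The Python below is an added example written for this page; it is not GAO, DLA, or DoD code. The record layouts, the .gov/.mil domain rule, the statute registry, and every sample record are constructed assumptions.</p>

```python
"""Eligibility, pickup, and custody-milestone checks for equipment transfers.

Added example, not GAO, DLA or DoD code. Record layouts and sample data are
constructed to mirror the kinds of gaps described in the GAO reviews.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Assumption: a federal applicant is expected to present a .gov or .mil web presence.
FEDERAL_SUFFIXES = (".gov", ".mil")

# Constructed stand-in for a registry of enabling statutes a reviewer can verify against.
KNOWN_STATUTES = {"CONSTRUCTED-STATUTE-001"}

# Custody milestones a completed transfer record should carry, in order.
MILESTONES = ("arrived_us_port", "shipped_from_us", "arrived_in_theater", "transferred_to_partner")


@dataclass
class Application:
    agency: str
    web_address: str
    statute: str
    poc_verified_by_callback: bool


@dataclass
class Pickup:
    agency: str
    item: str
    approved_qty: int
    issued_qty: int
    id_checked: bool


@dataclass
class Requisition:
    case_id: Optional[str]
    status: str
    dates: dict = field(default_factory=dict)  # milestone name -> ISO date string


def screen_application(app: Application) -> list[str]:
    """Return the reasons an application should be held for manual review (empty list = clean)."""
    reasons = []
    host = urlparse(app.web_address).hostname or ""
    if not host.endswith(FEDERAL_SUFFIXES):
        reasons.append(f"web address {host!r} is not a federal domain")
    if app.statute not in KNOWN_STATUTES:
        reasons.append(f"statute {app.statute!r} not found in registry")
    if not app.poc_verified_by_callback:
        reasons.append("point of contact not verified out of band")
    return reasons


def audit_pickups(pickups: list[Pickup]) -> list[tuple[str, str, str]]:
    """Flag pickups where identity was not checked or the issued quantity exceeds the approval."""
    findings = []
    for p in pickups:
        if not p.id_checked:
            findings.append((p.agency, p.item, "identity not verified at pickup"))
        if p.issued_qty > p.approved_qty:
            findings.append((p.agency, p.item, f"issued {p.issued_qty} exceeds approved {p.approved_qty}"))
    return findings


def audit_requisitions(reqs: list[Requisition]) -> dict:
    """Summarize milestone coverage for requisitions marked complete and list those with gaps."""
    completed = [r for r in reqs if r.status == "complete"]
    coverage = {m: sum(1 for r in completed if r.dates.get(m)) for m in MILESTONES}
    incomplete = [r.case_id for r in completed if any(not r.dates.get(m) for m in MILESTONES)]
    missing_case_id = sum(1 for r in completed if not r.case_id)
    return {"completed": len(completed), "coverage": coverage,
            "incomplete": incomplete, "missing_case_id": missing_case_id}


# Constructed sample records (not from any real program).
SAMPLE_APPLICATIONS = [
    Application("Bureau of Example Oversight", "https://bureau-example.org", "Pub. L. 999-999", False),
    Application("U.S. Example Service", "https://example-service.gov", "CONSTRUCTED-STATUTE-001", True),
]
SAMPLE_PICKUPS = [
    Pickup("Bureau of Example Oversight", "night vision goggles", 10, 12, False),
    Pickup("County Sheriff", "protective gear", 5, 5, True),
    Pickup("State Patrol", "simulated rifles", 4, 4, False),
]
SAMPLE_REQUISITIONS = [
    Requisition("IQ-0001", "complete", {"arrived_us_port": "2016-03-01"}),
    Requisition(None, "complete", {"arrived_us_port": "2016-04-10"}),
    Requisition("IQ-0003", "complete"),
    Requisition("IQ-0004", "open"),
]

if __name__ == "__main__":
    for app in SAMPLE_APPLICATIONS:
        print(app.agency, "->", screen_application(app) or "clean")
    for finding in audit_pickups(SAMPLE_PICKUPS):
        print("pickup finding:", finding)
    print(audit_requisitions(SAMPLE_REQUISITIONS))
```

<p>The point of the three functions is that each gap the GAO found is cheap to detect when the record is examined against an explicit rule rather than a reviewer's impression: an approval workflow that refuses to advance while <code>screen_application</code> returns reasons, a disposition site that reconciles <code>issued_qty</code> against <code>approved_qty</code> at hand-off, and a case-closure step that rejects "complete" while any milestone date is empty.</p>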
https://sm.asisonline.org/Pages/Subway-Surveillance.aspx Subway Surveillance (Physical Security)
<p>For small business profitability, it’s the little things that make a difference, and keeping tabs on employees can help prevent shrinkage. According to Subway franchise owner Kim Jordan, protecting her assets means that every bag of chips and loaf of bread must be accounted for. “The only way we can make money as a franchise is by keeping our labor expenses down…and by keeping our food costs down,” says Jordan, who owns six of the sandwich franchise stores in Alabama. </p><p>Because employees often work solo shifts in the store, Jordan has experienced food theft, which drives up business costs. </p><p>“The greatest loss to my business is employee theft, whether it may be someone walking out the door with a case full of steak, stealing products, or giving away products,” she explains. </p><p>While Jordan knew that video surveillance would help, the infrastructure for individual security systems at each store would have been burdensome from a financial and management perspective, she says. That’s when she turned to Hokes Bluff, Alabama-based security integrator Lee Investment Consultants, LLC, to determine the best solution for preventing the theft and robbery plaguing the restaurant. </p><p>After evaluating a number of manufacturers, the decision was made to choose two camera models and a video management system from Hanwha Techwin America. With this system, the end user can view live video remotely or from individual store locations, and easily review recorded footage. 
</p><p>The install at the first store location was completed in May 2015, and over the next year and a half the other stores were outfitted. The last installation, at the store located inside a Walmart, was completed in November 2016. </p><p>To keep infrastructure costs down, the integrator provides long-term video storage at its hosting facility. It keeps footage for 30 days for the Subway stores before overwriting it. </p><p>Given that Subway restaurants have limited bandwidth, used mainly for their point of sale (POS) systems, local SD recording has been a major benefit of the system. For redundancy purposes, recording is performed right on the device using an SD card, and the video is uploaded overnight to the storage servers. </p><p>Most store locations have two cameras: one pointed at the sandwich line and register, and another pointed at the back portion of the store where the coolers are. One of the larger stores has three cameras, and the Walmart location has only one camera, at the entrance. </p><p>“We’ve had problems where employees are voiding out transactions at the register,” Jordan says. “Once employees get clever with the computer system, they might void out an order they just transacted…and stuff that money in their pocket.” </p><p>Now the problem with employee theft at the register has gone down, Jordan says, because managers can view the cameras that are pointed at the POS terminals. “We can go back and view the video at the time that void was made, so we can see if the transaction is legitimate or not.”</p><p>Many of her individual store managers have access to the camera feeds, and Jordan entrusts them with reporting any cases of theft or unwanted employee behavior.</p><p>For example, one of her managers performed an inventory check and realized several bags of sandwich sauce were missing. Suspecting one employee in particular as the culprit, that manager decided to watch a live video feed the next time that employee was working. 
</p><p>“She just sat there...and actually watched the employee sneaking out the front door with the sauces,” Jordan says. The employee was immediately fired. “If someone’s going to steal a bag of sweet onion teriyaki sauce, they’re not trustworthy.” </p><p>The cameras have also led to the arrest of employees in more serious incidents. “A few months ago a customer had come in and had left her wallet behind, so my manager put it in a filing cabinet and told an employee that was coming in it was there,” she explains. “And when the lady came to pick up her wallet, she had a credit card and cash that was missing.” </p><p>Video revealed that the employee who knew where the wallet was had stolen a credit card, and used it to buy a bag of chips in the store. The security integrator helped Jordan upload the footage onto a thumb drive to take to the police. “We got a warrant, and they arrested her for using that credit card,” Jordan tells Security Management. “We could not have proved it if it weren’t for the cameras.” </p><p>Even more recently, Jordan noticed about $5,000 was missing from the franchises’ bank deposits that a manager was supposed to be putting in the bank. “Our cameras provided the evidence that she did get the deposits out of the safe and walked out of the store with them,” Jordan says. The manager was arrested and charged with felony embezzlement.</p><p>“I never give someone a second chance to steal,” Jordan says. “To me if they steal a bag of chips or give a sandwich to a friend, then they’ll take home five sandwiches for themselves when they get the chance.” </p><p>The return on investment from a business perspective has also been huge, Jordan notes. “At one location, our food cost for months had been above 40 percent,” she notes. “After we got those cameras, within a week our food cost came down within the margin we needed.” </p><p>The cameras have also led to a greater sense of security among her workers. 
“I have had employees say they feel safer because of the cameras,” she notes. “Especially with some younger employees, 16 or 17 years old, it’s been a comfort to their parents having the cameras when their child is closing alone.”</p><p><em>For more information: Tom Cook, tom.cook@hanwha.com, www.hanwhasecurity.com, 201.325.2623</em></p>
https://sm.asisonline.org/Pages/November-2017-ASIS-News.aspx November 2017 ASIS News (Strategic Security)
<h4>Those We Cheer This Year</h4><p>ASIS presented many awards at the ASIS International 63rd Annual Seminar and Exhibits to celebrate members and partners with noteworthy accomplishments in 2017. These honored members and supporting organizations exemplify the determination and capability of all involved with the Society.</p><p>ASIS is pleased to recognize these outstanding accomplishments. The Don Walker Award for Enterprise Security Executive Leadership celebrates an individual who demonstrates a commitment to promoting security management education, certification, and standards. This year, it was presented to Raymond T. O’Hara, CPP. A former ASIS president, O’Hara currently serves as executive vice president at AS Solution. Throughout his career, he has supported lifelong learning, board certification, and the development of the next generation of security leaders.</p><p>The Presidential Award of Merit is presented to individuals who contribute to ASIS as exemplary volunteer leaders. The 2017 recipients of the award are Joseph N. Masciocco and Les Cole, CPP. Masciocco, president of Security Integrations, is a 33-year member of ASIS who is a senior regional vice president. He has been involved in ASIS volunteer leadership since 1995.</p><p>Cole, who passed away on September 15, 2017, was an ASIS member for 41 years, and served as a council vice president from 2011 to 2016. Don Knox, CPP, a fellow council vice president, accepted the award on behalf of Cole and his family.</p><p>The Certification Organization Award of Merit goes to entities that have made strides advancing the professionalism of the security field through board certification. 
The award was presented to Guidepost Solutions and Tech Systems.</p><p>In addition, the Certification Regional Award recognizes individuals who help advance ASIS board certification. Winners this year are Randolph C.D. Brooks, CPP, Region 6C; Mushtaq Khan, CPP, PCI, PSP, Region 13A; J.D. Killeen, CPP, Region 6B; Allan L. McDougall, CPP, PSP, Region 6B; Garfield A. Owen, PSP, Region 7B; Percy J. Ryberg, CPP, Region 8C; Jasvir Singh Saini, CPP, Region 13A; Gwee Khiang Tan, CPP, Region 13B; Larry D. Woods, CPP, PSP, Region 4A; and Richard J. Wright, PSP, Region 3C.</p><p>The I.B. Hale Chapter of the Year Award recognizes chapters of ASIS that excel in membership growth, educational programming, publications, and the advancement of the security profession. The chapters recognized in 2017 were the Mexico City Chapter and the National Capital Chapter. </p><p>The Roy N. Bordes Council Member Award of Excellence, presented to Doug Powell, CPP, PSP, distinguishes an ASIS council member who helps engage the next generation of security professionals through sharing their knowledge and expertise with ASIS educational programs and publications.</p><p>The E.J. Criscuoli, Jr., CPP Volunteer Leadership Award was presented to Dr. Rolf Sigg. This award acknowledges the contributions made by one member to ASIS’s chapter and regional levels over an extended period of time.</p><p>The Matthew Simeone P3 Excellence Award is administered by the ASIS Law Enforcement Liaison Council and recognizes programs that promote cooperation between public and private sectors. The 2017 award was presented to the Columbus Police Department’s Capital Crossroads and Discovery SID Program.</p><p>The Transitions Ad Hoc Council, with the support of the ASIS Foundation, confers three Council Certification Scholarships to individuals serving in law enforcement who are seeking ASIS board certification. In 2017, the scholarships were awarded to Lieutenant Chapin T. 
Jones of the Louisville (Kentucky) Metro Police Department, Officer Henry K.S. Chong of U.S. Customs and Border Protection, and Lieutenant Brian T. Woods of the Los Angeles Police Department.</p><p>The ASIS Foundation also supports the Military Liaison Council Certification Scholarships. The 2017 recipients of these scholarships are Lieutenant Colonel Robert Kwegyir Sagoe, who serves at Headquarters Northern Command in Ghana; Master Sergeant Liviu Ivan and Lieutenant Colonel Eric Minor, who both serve in the U.S. Army at the Mission Command Center in Ft. Leavenworth, Kansas; and Lieutenant Colonel Richard Cobba-Eshun, who serves in the Department of International Peace Support Operations for the Ghana Armed Forces.</p><p>This year is the 40th anniversary of the ASIS International Board Certification Program, initiated in 1977 with the Certified Protection Professional® (CPP) designation. Four individuals have been active CPPs since the program’s inception. They were recognized at the Opening Luncheon on Monday, September 25. They are Dr. James D. Calder, CPP, professor at University of Texas; Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc.; Dr. Kenneth G. Fauth, CPP, senior consultant at K. Fauth, Inc.; and James P. Carino, Jr., CPP, senior consultant at Executive Security Consultants.</p><p>ASIS salutes all these award winners for their valuable contributions to the security profession.</p><h4>A Digital Transformation</h4><p>Remaining relevant in today’s on-demand, content-driven world means that associations must be data-driven, customer-obsessed, hyper-connected, and agile. The need for innovation has never been greater.</p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS strives to remain at the vanguard of the evolving security profession. 
It is currently engaged in a broad range of innovative projects, including a major redesign of the primary website and the underlying technologies that support both rapid content creation and the online and mobile member experiences that users expect in the consumer world.</p><p>In early 2018, ASIS will launch phase one of a multi-year transformation project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification.</p><p>Building on a world-class enterprise system for commerce and content management, the new website will use a taxonomy structure to drive better content organization. Users will enjoy an intuitive and dynamic navigation structure to browse the site, and they will be presented with streamlined, personalized content.</p><p>One of the key strategies is to create a powerful search function that will unify content from a variety of ASIS sources (Web, learning, Security Management, and events, for example). By creating a search-centric site that allows users to filter results, ASIS will be able to meet its goal of helping members in their “moment of need” by providing resources of all types in a single interface.</p><p>There will be a major facelift for the website, incorporating a more graphical and modern interface with relevant imagery, infographics, and videos to present content in a variety of ways on both desktop and mobile devices. </p><p>The “mobile first” initiative also ensures that all online experiences—from search to joining the organization—are simple and engaging on any device, regardless of size. In addition to the website overhaul, ASIS will be upgrading its membership database, including new functionality for engagement, certification, profile management, and data analytics.</p><p>The system will be tightly integrated with the website to ensure a positive user experience across platforms. 
ASIS will be asking members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation, which takes effect in 2018.</p><p>Finally, ASIS will launch an online community platform aimed at providing its customers, members, and prospects with one secure location to interact and build value within the security profession. By providing an online home where members can network, share ideas, answer questions, and stay connected, ASIS will empower them to engage in real time with their peers, chapters, ASIS staff, and industry experts. The online community tools will also allow the Society to provide more engagement for committees, councils, and chapters, and serve as a dynamic online membership directory.</p><h4>Life Member</h4><p>Michael A. Khairallah, a member of the New Orleans Chapter since 1981, has been granted Life Member status. He has served ASIS as a regional vice president, assistant regional vice president, and chapter chair.</p><h4>Member Book Review</h4><p><em>Implementing Physical Protection Systems: A Project Management Guide</em>. By David G. Patterson, CPP, PSP. CreateSpace Publishing; available from ASIS; item #2335; 330 pages; $58 (members); $63 (nonmembers).</p><p>Author David G. Patterson, CPP, PSP, drew on decades of experience in physical security project management to write <em>Implementing Physical Protection Systems: A Project Management Guide</em>. The book is a comprehensive guide to the processes involved in setting up various elements of physical security plans.</p><p>As a follow-up to the author’s prior text, <em>Implementing Physical Protection Systems</em>, this book is geared towards the project management aspects of any physical security endeavor. It provides a clear review of the many topics under the umbrella of physical security. 
While covering many of the basic elements of physical security (lighting, fencing, alarming, and cameras), it also goes into the more technical aspects of cabling and necessary support networks.</p><p>If you are not a physical security specialist, but aspects of the technology side of security still fit within your area of responsibility, this book may be appealing. The text is simple to understand and the more complex parts of these projects are explained in terms that most security generalists will be familiar with.</p><p>A longtime member of the ASIS Physical Security Council, Patterson compiled information and concepts from experts in the technology aspects of security, delineating steps of the project in easy-to-read references. From risk assessments to deliverables and all action steps in between, his book serves as a valuable guide. Borrowing from the simple explanations he provides may help security practitioners explain the processes to nonsecurity leaders. For example, there is a section on documenting effectiveness, which can easily translate to return on investment, a term that every business leader should understand.</p><p>Clearly not intended to be the definitive text on all technical aspects of implementing security projects, the book will serve well as a resource to pull off the shelf at the onset of a new physical security project.</p><p>[Note: Author David Patterson passed away September 2, 2017.]</p><p><em><strong>Reviewer: Michael D’Angelo, CPP,</strong> is the principal and lead consultant for Secure Direction Consulting, LLC, a Florida-based independent security consulting firm. He served on the South Miami, Florida, Police Department for more than 20 years, retiring as a major. He is an ASIS member and currently serves on both the Healthcare Security Council and the ASIS Transitions Ad Hoc Council.</em></p>
https://sm.asisonline.org/Pages/The-Zero-Day-Problem.aspx The Zero Day Problem (Cybersecurity)
<p>In August 2017, FireEye released new threat research confirming with “moderate confidence” that the Russian hacking group APT28, also known as FancyBear, was using an exploit to install malware on hotel networks that then spread laterally to target travelers. </p><p>“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” FireEye said in a blog post. “No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”</p><p>After APT28 accessed corporate and guest machines connected to the hotel Wi-Fi networks, it deployed malware that then sent the victims’ usernames and hashed passwords to APT28-controlled machines.</p><p>“APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye explained. </p><p>This new method is worrisome for security experts because the exploit APT28 was using to infiltrate hotel networks in the first place was EternalBlue, the same vulnerability used to spread ransomware such as WannaCry and NotPetya. It was also allegedly stolen from the U.S. National Security Agency (NSA).</p><p>A group of hackers, dubbed the Shadow Brokers, posted the EternalBlue exploit online in April 2017 after claiming to have stolen it from the NSA. The leak was just one of many the group has made over the past year detailing NSA vulnerabilities that exploited Cisco Systems, Microsoft products, and others. 
</p><p>The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose cyber vulnerabilities to the private sector more frequently to prevent future cyberattacks.</p><p>Some of the harshest criticism came from Microsoft itself. In a blog post, President and Chief Legal Officer Brad Smith wrote that the WannaCry attack provided an example of why “stockpiling of vulnerabilities by governments” is a problem.</p><p>“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith explained. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world—nation-state action and organized criminal action.”</p><p>The VEP began to take form under the George W. Bush administration when then President Bush issued a directive instructing the director of national intelligence, the attorney general, and the secretaries of state, defense, and homeland security to create a “joint plan for the coordination and application of offensive capabilities to defend U.S. information systems.”</p><p>Based on this directive, the respective agencies recommended that the government create a VEP to coordinate the government’s “offensive and defensive mission interests,” according to a memo by the Congressional Research Service (CRS) in February 2017. </p><p>The Obama administration then created the current VEP, which became publicly known in 2014 in response to the Heartbleed vulnerability—a bug in the OpenSSL cryptographic software that allowed protected information to be compromised. </p><p>The VEP, as it is known to exist today, provides the process for how the U.S. 
government chooses whether to disclose vulnerabilities to the vendor community or retain those vulnerabilities for its own use.</p><p>“Vulnerabilities for this purpose may include software vulnerabilities (such as a flaw in the software which allows unauthorized code to run on a machine) or hardware vulnerabilities (such as a flaw in the design of a circuit board which allows an unauthorized party to determine the process running on the machine),” according to the CRS memo sent to U.S. Representative Ted Lieu (D-CA).</p><p>To be eligible for the VEP, however, a vulnerability must be new or not known to others. Vulnerabilities are referenced against the Common Vulnerabilities and Exposures Database to determine if they are new or unknown.</p><p>When choosing to disclose a vulnerability, there are no clear rules but the U.S. government considers several factors, according to a blog post by former White House Cybersecurity Coordinator Michael Daniel that was written in response to allegations that the NSA knew about the Heartbleed vulnerability prior to its disclosure online.</p><p>For instance, the government considers the extent of the vulnerable system’s use in the Internet’s infrastructure, the risks and harm that could be done if the vulnerability is not patched, whether the administration would know if another organization is exploiting the vulnerability, and whether the vulnerability is needed for the collection of intelligence.</p><p>The government also considers how likely it is that the vulnerability will be discovered by others, if the government can use the vulnerability before disclosing it, and if the vulnerability is, in fact, patchable, according to Daniel.</p><p>In the post, Daniel wrote that the government should not “completely forgo” its practice of collecting zero-day vulnerabilities because it provides a way to “better protect our country in the long run.”</p><p>And while the process allows the government to retain vulnerabilities for its own 
use, it has tended to disclose them instead. NSA Director Admiral Michael Rogers, for instance, testified to the U.S. Senate Armed Services Committee in September 2016 that the NSA has a VEP disclosure rate of 93 percent, according to the memo which found a discrepancy in the rate.</p><p>“The NSA offers that 91 percent of the vulnerabilities it discovers are reported to vendors for vulnerabilities in products made or used in the United States,” the memo said. “The remaining 9 percent are not disclosed because either the vendor patches it before the review process can be completed or the government chose to retain the vulnerability to exploit for national security purposes.”</p><p>Jonathan Couch, senior vice president of strategy at ThreatQuotient, says that the U.S. government should not be expected to disclose all of the vulnerabilities it leverages in its offensive cyber espionage operations.</p><p>“Our government, just like other governments out there, is reaching out and touching people when needed; they leverage tools and capabilities to do that,” says Couch, who prior to working in the private sector served in the U.S. Air Force at the NSA. “You don’t want to invest a ton of money into developing capabilities, just to end up publishing a patch and patching against it.”</p><p>However, Couch adds that more could be done by agencies—such as the U.S. Department of Homeland Security (DHS)—that work with the private sector to push out critical patches on vulnerabilities when needed.</p><p>“Right now, I think they are too noisy; DHS will pass along anything that it finds—it doesn’t help you prioritize at all,” Couch says. 
“If DHS could get a pattern of ‘Here’s what we need to patch against, based on what we know and are allowed to share,’ then push that out and allow organizations to act on that.”</p><p>Other critics have also recommended that the government be more transparent about the VEP by creating clear guidelines for disclosing vulnerabilities and to “default toward disclosure with retention being the rare exception,” the CRS explained.</p><p>One of those recommendations was published by the Harvard Kennedy School’s Belfer Center for Science and International Affairs in Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. </p><p>The paper, written by Ari Schwartz, managing director of cybersecurity services for Venable LLP and former member of the White House National Security Council, and Rob Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations and former director for cybersecurity policy at the National Security Council, recommended the VEP be strengthened through formalization. </p><p>“By affirming existing policy in higher- level, unclassified governing principles, the government would add clarity to the process and help set a model for the world,” the authors explained. “If all the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike, as well as U.S. corporate interests.”</p><p>However, the authors cautioned that affirming this process does not mean that the government should publicize its disclosure decisions or deliberations.</p><p>“In many cases, it likely would not serve the interests of national security to make such information public,” according to Schwartz and Knake. “However, the principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public.”</p><p>U.S. 
lawmakers also agree that the VEP should be overhauled to boost transparency. In May, U.S. Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and U.S. Representatives Ted Lieu (D-CA) and Blake Fernthold (R-TX) introduced legislation that would require a Vulnerabilities Equities Review Board comprising permanent members. These members would include the secretary of homeland security, the FBI director, the director of national intelligence, the CIA director, the NSA director, and the secretary of commerce. </p><p>Schatz said that the bill, called the Protecting Our Ability to Counter Hacking (PATCH) Act, strikes the correct balance between national security and cybersecurity.</p><p>“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” he explained in a statement.</p><p>Additionally, the secretaries of state, treasury, and energy would be considered ad hoc members of the board. Any member of the National Security Council could also be requested by the board to participate, if they are approved by the president, according to the legislation.</p><p>The bill has not moved forward in Congress since its introduction, which suggests that many do not see a need for an overhaul of the current disclosure system. </p><p>“It’s just not realistic for NSA, CIA, or the military or other international governments to start disclosing these tools they’ve developed for cyber espionage,” Couch says. ​ ​</p>
<h3><a href="https://sm.asisonline.org/Pages/Fake-News-Real-Threats.aspx">Fake News. Real Threats</a></h3>
<p>In December 2016, a man armed with an assault rifle drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children he believed were being held captive and abused there by Hillary Clinton. Once inside, the man fired his weapon, but no one was hurt.</p>
<p>The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, "a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times," according to The New York Times.</p>
<p>The term fake news entered the popular vocabulary during the 2016 U.S. presidential election. Intentionally spreading false news reports for financial, political, or psychological ends is not new, but the practice expanded significantly in the past year. During the particularly divisive election, numerous hyper-partisan blogs and websites posted rumors, conspiracy theories, and fabrications that have collectively been labeled fake news. The term has since drifted from its original meaning—articles that are blatantly untrue—and been embraced on all sides of the political divide to denigrate reporting that is merely seen as biased or incomplete.</p>
<p>While primarily political in nature, fake news has been used against a range of organizations and poses a real and growing threat to private sector organizations of all sizes. Security professionals should understand the relationship between fake news and corporate security and how to begin addressing the threats posed by the release of false news and information.</p>
<h4>Transmission</h4>
<p>There has been an explosion in the creation and distribution of fake news through online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research by Hunt Allcott and Matthew Gentzkow, published in the spring 2017 issue of The Journal of Economic Perspectives, estimated that a database of 38 million shares of fake news stories on social media translated into about 760 million instances of users clicking through to read them.</p>
<p>The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. What is new is the speed and reach with which the stories are shared, a product of the ubiquity of social media. According to Allcott and Gentzkow, the fake news websites on a list compiled by Stanford University received 159 million visits in the month of the election, and 41.8 percent of individuals reported being exposed to fake news via social media.</p>
<p>Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising given the sometimes bizarre nature of the claims. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who remembered a fake news headline believed it to be accurate. In the KRC Research study, 74 percent of those surveyed said it is difficult to tell which news is real and which is not.</p>
<p>The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. Falling trust in media has been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has elevated "people like me" to a trusted source of news and information, according to Edelman's 2017 global report. As a result, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility while trust in traditional news media and government sources has declined. That fake news stories are rebroadcast many times through cross-links and reposts on social media further adds to the illusion of credibility.</p>
<p>If fake news were limited to stories about Area 51 or the JFK assassination, it would be an interesting sociological case with limited relevance to corporate security. But both the subject matter and the intensity of emotion it elicits make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This threat environment will require corporate security professionals to adapt and to add new defensive and offensive capabilities to existing security plans.</p>
<p>The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear soon. The efficiency of the technique has been clearly demonstrated, and the tools facilitating it are becoming more powerful, accessible, and easy to use. It is also difficult to imagine a significant rebound in trust in traditional authority figures in the near future.</p>
<p>For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage and the related loss of business (through boycotts, for example), and direct threats to staff and property.</p>
<h4>Stock Manipulation</h4>
<p>At the macro level, fake news has been used to move entire stock exchanges. In April 2013, a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Industrial Average lost 145 points in two minutes, and the S&P 500 shed about $136.5 billion in market value. The report was quickly disproved and the market recovered within minutes, but the potential for large-scale disruption was demonstrated. The Syrian Electronic Army claimed the attack, according to The Washington Post.</p>
<p>In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor about the health of the Thai king. The market recovered about half of the loss the next trading day, and Thai police made several arrests in the case later that month, as reported by Reuters.</p>
<p>Fake news has also been used to manipulate the shares of individual companies. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant jump in the share price, according to The New York Times. In November 2016, a fake offer to acquire Fitbit caused a spike in activity and a temporary halt in trading of Fitbit stock, as reported by The Financial Times. In 2013, a fake press release claimed that the Swedish company Fingerprint Cards AB would be acquired by Samsung; the company's shares surged until trading was halted.</p>
<p>In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance against this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in "alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks," according to an SEC statement.</p>
<h4>Reputation</h4>
<p>False stories, rumors, and statements taken out of context have led to reputational harm as well as to threats against corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances carries increased risk because stakeholders are hypersensitive.</p>
<p>A case in point is New Balance. Matthew LeBretton, its vice president for public affairs, told The Wall Street Journal, "The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction." The statement referred specifically to President-elect Trump's plan to withdraw from the Trans-Pacific Partnership (TPP), but it was widely misinterpreted, creating a twofold problem for New Balance. First, anti-Trump individuals read the statement as an endorsement of the candidate and everything he was purported to believe. This led to calls for a boycott and to many social media posts depicting the destruction of New Balance products, as reported by CNBC. A few days later, the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the "Official Shoes of White People." New Balance was blindsided by the intensity of the reactions to a single statement about a proposed trade agreement and was forced into a reactive posture throughout the crisis.</p>
<p>Another executive statement taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo, in an interview with Andrew Ross Sorkin of The New York Times on November 9, 2016. She congratulated President-elect Trump on his victory while noting that some of her employees had expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement, claiming that she and her employees were "terrified" of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.</p>
<h4>Direct Threats</h4>
<p>As noted above, one of the most serious cases of a threat to an organization based on fake news was the report of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. Although the story was repeatedly debunked, it continued to circulate and was promoted by Michael Flynn, Jr., son of Michael Flynn, then the incoming national security adviser, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pleaded guilty to the federal charge of interstate transportation of ammunition and a firearm, in addition to a D.C. charge of assault with a dangerous weapon, according to The Hill.</p>
<p>This case shows that even the most ridiculous story, repeated often enough, will find an audience that believes it, and possibly someone willing to act on its claims. A less extreme story about a corporate executive or brand could lead to similar direct action.</p>
<h4>Countermeasures</h4>
<p>Countering fake news is difficult when the target audience finds it easy to discount facts and distrusts the usual sources of information. Nevertheless, there are a number of actions that corporate security teams can take to mitigate the risks posed by this threat.</p>
<p><strong>Risk assessment. </strong>As with any threat to corporate security, the place to start is a detailed risk assessment. The corporate security team needs to examine both internal and external factors to determine the level of risk and the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. External factors include the competitive environment, current perceptions of the organization and its management, its level of openness and transparency, and the nature of current conversations about it. With this information, corporate security will be in a much stronger position to establish policies and procedures that mitigate the risk of fake news attacks.</p>
<p>A white paper by Accenture on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution is vulnerable and incorporating the findings into its risk mitigation plans. A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents had no social media risk assessment in place, and only 36 percent had been offered any training on social media risk mitigation.</p>
<p><strong>Monitoring. </strong>To have any hope of countering fake news effectively, the corporate security team needs visibility of its appearance as close to real time as possible. That requires a comprehensive monitoring program that builds on whatever media or social media monitoring capability the organization already has.</p>
<p>The monitoring program should specifically cover channels outside the organization's norm: channels that may be antithetical to its values, aimed at a demographic not usually associated with the company, or linked to apparently phony information sources. It should also look specifically for negative references to the organization.</p>
<p>After a number of negative stories driven by news and social media, Dell adopted an "everyone is listening" approach to social media monitoring. A Framework for Social Analytics, by Susan Etlinger of the Altimeter Group, describes Dell's hybrid model, which gives a large share of its workforce of more than 100,000 some responsibility for monitoring social media channels related to their lines of business. The company also operates a Social Media Listening Command Center that uses social media monitoring software to complement its traditional media monitoring.</p>
<p>The monitoring system should also include an analysis component that vets the material, classifies it, and rates its importance from a risk management perspective, then routes anything important to key decision makers for immediate action.</p>
<p>Finance, investment, and hedge fund companies have taken the lead in monitoring for and identifying fake news stories. The growth of organizations that can deploy multiple content generators against specific companies poses a significant risk to stock market investors. According to Forbes, companies are also developing algorithms that sort through large quantities of content to identify malicious fake news campaigns; one company widely cited in this regard is Houston-based Indexer LLC.</p>
<h4>Response Plans</h4>
<p>Based on the results of the risk assessment, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated when an actual fake news incident occurs. At a minimum, these plans should include contact information for all crisis team members, checklists of key actions, prepared statement templates for internal and external stakeholders, and escalation criteria for use if the situation is not immediately contained.</p>
<p>The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute's planning document Implementing and Operating a Joint Information System. The plan covers the preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific guidance on ensuring that information on social media about nuclear facilities and incidents is accurate and that rumors and falsehoods are flagged and corrected.</p>
<h4>Training</h4>
<p>The weaponization of news is an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. As fake news incidents multiply, corporate security professionals should build this threat into security training offered jointly with the corporate communications and human resources functions. Members of the senior leadership team should also take part in any fake news response training.</p>
<p>Countering fake news requires fast decision making and decisive action. To execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.</p>
<p>The communications function at DePaul University in Chicago recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while ensuring that key facts are not overlooked.</p>
<h4>Cross-Functional Teams</h4>
<p>By its nature, the threat posed by fake news must be met with a comprehensive organizational response, which implies a cross-functional approach. While corporate security may take point, the expertise and resources of the corporate communications, human resources, and legal teams will prove critical.</p>
<p>An executive from an international bank told Accenture that it was important for all key functions to participate in risk management planning, especially where social media is concerned. "However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound," the Accenture white paper notes.</p>
<p>Because fake news is still a type of news, the communication and media relations skills of the corporate communications function will be needed to analyze the content and to develop and distribute counter messages to fake news reports. This function may also be the appropriate host for the monitoring program, since it is a logical extension of standard corporate media monitoring.</p>
<p>Employees are both a critical audience for fake news and an important distribution channel for counter messaging, so the human resources department needs to be involved in creating and executing the corporate security strategy for fake news.</p>
<p>To ensure that the organization's rights are fully protected, and that it does not itself cross the line into libel, the corporate legal team should be involved in the fake news strategy and have a role in vetting counter messages.</p>
<h4>Communications</h4>
<p>Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are given clear and accurate facts and counter messages as quickly as possible.</p>
<p>Beyond reacting to incidents, the organization should seek to inoculate its staff against the effects of fake news through a comprehensive internal communications and employee engagement program. This can be folded into efforts to encourage employees to act as brand ambassadors.</p>
<p>The organizations most vulnerable to fake news are those about which little is known. Without a base of preexisting knowledge, stakeholders exposed to fake news cannot immediately discount it, and that is where the seeds of doubt take root. The organization should therefore be as transparent as possible, including through regular, proactive external communications. Corporate actions and policies should be communicated, explained, and put in context so that the reality of the situation is established before a fake news story can present a false narrative.</p>
<p>It is especially important to get in front of any bad news and to ensure that the organization is seen as working to resolve the issue rather than hiding it. The first-mover advantage in releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can thwart attempts by fake news outlets to manufacture a scandal.</p>
<h4>Trust</h4>
<p>While a full discussion of trust-based relationships is beyond the scope of this article, establishing trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth: it involves organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building touches every aspect of organizational behavior, it must be treated as a strategic initiative driven by senior management. Its value as a defense against fake news is likely to be a collateral benefit rather than the primary driver of such an initiative.</p>
<p>The use of intentionally false or misleading information, distributed through online and social media channels to disrupt or harm organizations, is likely to increase dramatically in the years ahead. These attacks are increasingly easy and cheap to execute, and they exploit current weaknesses in organizational capabilities and the historically low level of societal trust in traditional authority figures. Responsible corporate security professionals should therefore develop the internal capabilities and protocols to deal with this threat environment before they face a fake news attack. The good news is that most of the necessary resources already exist within the organization to some degree and only need to be oriented toward the fake news threat. This includes proactive measures such as assessments, monitoring, training, and proactive communications, as well as the ability to move quickly when damaging fake news emerges, to contain it and neutralize its ability to harm the organization.</p>
<p>In today's hyperconnected global information environment, no organization is safe from a fake news attack. We have had ample warning that the threat is real and likely to get worse. There is no time to waste in hardening the organization against this new type of assault.</p>
<p><em>Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years.</em></p>
<h3><a href="https://sm.asisonline.org/Pages/November-2017-Industry-News.aspx">November 2017 Industry News</a></h3>
<h4>VIKINGS STADIUM OPENS DOORS</h4><p>The new U.S. Bank Stadium, home of the Minnesota Vikings, hosted more than 66,000 fans at the first Monday night game of the 2017 season. Completed last year, the 1.5 million-square-foot stadium campus is flexible enough to serve as a true multipurpose venue for football, soccer, baseball, basketball, motorsports, major concerts, and other events.</p><p>ASSA ABLOY was tapped to provide more than 1,500 doors and openings for the stadium. A compressed construction schedule drove the decision to use preassembled openings, which simplified onsite management of multiple components and saved time through a streamlined installation process.</p><p>The openings included products from ASSA ABLOY Architectural Door Accessories, including McKinney hinges, Pemko accessories, and Rockwood door trim, as well as Curries hollow metal doors and frames; Sargent locks, exit devices, and door closers; Medeco high-security cylinders and keys; and Securitron access control components.</p><h4>PARTNERSHIPS AND DEALS</h4><p>Dahua Technology is partnering with Anixter International to market Dahua products throughout the United States and Canada.</p><p>Anomali and NSS Labs, Inc., announced a strategic partnership that gives enterprise customers a unified view of unmitigated threats and empirical data on the effectiveness of their security controls.</p><p>Bold Technologies completed the integration of ManitouNEO with innoVi from Agent Video Intelligence to provide monitoring centers with a video intrusion system. 
</p><p>Boon Edam product data and customized specifications for the Americas are available through the ARCOM software platform to architects, engineers, and design professionals.</p><p>Brady announced that its Brand Protection business partnered with Kezzler and Honeywell to bring product authentication labeling and tracking to Genetron 134, a refrigerant. </p><p>ByteGrid Holdings LLC announced an agreement with Empowerment through Technology and Education to provide greater compliance and control of hosted business-critical data.</p><p>Baltimore Cyber Range LLC and Cyberbit Ltd. announced the opening of the new Baltimore Cyber Range cybersecurity training and simulation center in Baltimore, Maryland.</p><p>Camden Door Controls retained manufacturer’s representative JClemente & Associates to service its southern California territory.</p><p>Cellebrite is joining the National Center for Missing & Exploited Children and Project VIC in the global fight against child exploitation. </p><p>Claroty and Schneider Electric are partnering to address safety and cybersecurity challenges for the industrial infrastructure sector.</p><p>Conformance Technologies announced that Pivotal Payments selected its solutions to enhance business effectiveness and protection of its North American merchant portfolio. </p><p>The addition of deverus, Inc., background checking software to the iCIMS partner ecosystem will provide cost savings and improved speed to customers.</p><p>EventTracker announced that its SIEM platform was implemented at OneBlood, Inc.</p><p>Exabeam and ThreatConnect, Inc., announced a product integration designed to improve overall cybersecurity and incident response.</p><p>EyeLock LLC entered into a partnership with CSD (Central Security Distribution) to deliver EyeLock’s product suite in Australia. EyeLock is also developing iris authentication solutions to work with Qualcomm Mobile Security. 
</p><p>Farpointe Data helped Secure Our City, Inc., improve security access for a parking garage.</p><p>Galaxy Control Systems completed an integration with IP-enabled solutions from ASSA ABLOY. </p><p>Genetec and Alutel Mobility partnered to offer extended access control capabilities to open areas without having to rely on physical readers or installations.</p><p>Hikvision Canada Inc., provided cameras for the JPPS Children’s Centre in Montreal that were installed by integrator Alarme Sentinelle. Petite Echelle Centre in Montreal worked with integrator Intelgest to upgrade its security system with Hikvision.</p><p>Honeywell and eDist Security expanded their relationship around the Genesis Series Cable product line. </p><p>Huttig Building Products selected TierPoint to provide colocation and data center migration services.</p><p>Imagination Technologies and Sierraware are collaborating to make Sierraware’s SierraTEE available for devices based on Imagination’s MIPS CPUs.</p><p>ISONAS Inc. 
announced that Transportation Impact selected the ISONAS Pure IP access control solution to secure its corporate headquarters.</p><p>Johnson Controls announced that its American Dynamics victor Video Management Software integrates with the Guardian Indoor Active Shooter Detection System from Shooter Detection Systems.</p><p>Karamba Security joined the Automotive Grade Linux (AGL) Project and The Linux Foundation to help develop its cybersecurity best practices.</p><p>The Legrand On-Q Digital Audio System has been integrated with Alarm.com.</p><p>Netwrix Corporation announced that its Netwrix Auditor empowers Guadalupe Valley Electric Cooperative to minimize insider threats and improve database security.</p><p>OnSSI and Seagate teamed up to provide a robust recording solution designed for more efficient system expansion and scalability.</p><p>Ever and Pinn formed a technology partnership to integrate Ever’s facial recognition into Pinn’s secure attribution platform.</p><p>Enterprise Performance Consulting joined the PSA Business Solutions Program to offer business consulting and operations team training programs to PSA integrators. 
</p><p>Point Blank Enterprises and Special Ops Bunker made an exclusive global marketing agreement to offer Special Ops Bunker products through the Point Blank global network.</p><p>Golden Lion Marbella, a casino in Panama, selected Qognify VisionHub to upgrade its security, safety, and operations.</p><p>RapidSOS is partnering with WiseWear, Fusar, Kairos, Lumenus, and ROAR for Good to provide a rich data link to 911 from wearable products, so users can connect to 911 by pushing a panic button or by detection from a wearable device during a crash or medical emergency.</p><p>Sky and Cisco have a multi-year digital security agreement to support the expansion of Sky video services across any screen.</p><p>Suprema announced that its BioSign mobile fingerprint authentication algorithm was selected by Samsung for two smartphone models.</p><p>Traka UK joined forces with Edesix, to ensure that equipment used across the U.K. Prison Service is safely stored and managed.</p><p>TruTag Technologies’ signature authentication solution will be used by Hongyang Biotechnology Co. to protect the livestock supply chain from counterfeiting and diversion.</p><p>Visual Management Systems Ltd. was invited to join the Airports Centre of Excellence, which aims to improve the passenger experience.</p><p>Vodafone Group joined the prpl Foundation to focus on enabling the security and interoperability of embedded devices.</p><p>VTT Technical Research Centre of Finland Ltd. and ITS Russia signed a partnership agreement concerning the development of intelligent transport systems for border crossings. 
</p><p>Watermark Risk Management International, LLC, and TEAM Software, Inc., created a strategic partnership where Watermark will be a preferred provider of consulting services on TEAM software solutions.</p><p>WestJet Airlines realized improved efficiency and streamlined communication by partnering with Send Word Now.</p><h4>GOVERNMENT CONTRACTS</h4><p>AirMap and the Kansas Department of Transportation will deploy Unmanned Traffic Management technology across Kansas to support the growth of the state’s drone economy and ensure safer skies.</p><p>ATS Armor LLC received an order from Miami-Dade Police Department for 1,500 active shooter kits, enough for every patrol car.</p><p>Canon U.S.A., Inc., received two BLI PaceSetter Awards in the Document Imaging Security and Mobile Print categories from Keypoint Intelligence.</p><p>Cardiac Science announced that Boston Public Schools will purchase Powerheart G5 automated external defibrillators.</p><p>The State of Louisiana is working with CA Technologies to enable citizens to securely access information across government services through the Louisiana Enterprise Architecture Project.</p><p>An Elbit Systems of America Integrated Fixed Tower border security system passed U.S. Customs and Border Protection systems acceptance testing.</p><p>The city of Troy, Alabama, selected Extreme Networks software-driven networking technology to provide reliable, fast, and secure connectivity across 70 locations.</p><p>FirstNet and AT&T will deliver a specialized wireless broadband network to Arizona’s public safety community.</p><p>Sherburne County Sheriff’s Office in Minnesota will use GUARDIAN RFID technology to mitigate risk and improve operational efficiency in the Sherburne County Jail. </p><p>IPVideo Corporation was selected by the San Jose Police Department to help improve and upgrade its interview recording platform. 
</p><p>Janus Global Operations will clear areas of Mosul, Iraq, of ISIS-placed booby traps and other explosives under an agreement with the U.S. Department of State’s Office of Weapons Removal and Abatement.</p><p>Milestone Systems completed a security surveillance solution for Goyang City in South Korea.</p><p>NEC Corporation provided a facial recognition system for South Wales Police in the United Kingdom through NEC Europe Ltd.</p><p>Scott Safety was selected to provide technology and equipment to the California Department of Forestry and Fire Protection.</p><p>Southern Linc entered into a partnership with the City of Huntsville and Madison County Alabama’s 911 dispatch center to add LTE wireless data transmission equipment to connect first responders to the new network. </p><p>Agencies, including the U.S. General Services Administration, the U.S. Joint Chiefs of Staff, and the U.S. Army, have used eSignLive from VASCO Data Security for secure and compliant electronic signing of documents using Personal Identity Verification cards or Common Access Cards.</p><h4>AWARDS AND CERTIFICATIONS</h4><p>Atomic Data attained SOC 3 certification for the seventh year in a row from the American Institute of Certified Public Accountants.</p><p>Conduent Incorporated was awarded a U.S. patent for technology that automatically recognizes facial expressions using images from low-resolution cameras.</p><p>Consolidated Communications Holdings, Inc., achieved MEF CE 2.0 certification for carrier grade, interoperable Ethernet services. </p><p>Day & Zimmermann earned a ranking of 188 on the Forbes America’s Largest Private Companies list. It is also on the Defense News Top 100 List.</p><p>Everest Technologies received ISO 27001:2013 accreditation for its information security management system.</p><p>Fornetix, LLC, gained a U.S. 
patent that covers breakthrough solutions for the management of encryption keys and other security objects.</p><p>Hesco was placed in the Commander’s Choice category and recognized as a Superior Supplier to the U.S. Defense Logistics Agency.</p><p>Frost & Sullivan recognized IriTech, Inc., with the 2017 North American Frost & Sullivan Award for New Product Innovation.</p><p>StoneLock is the winner of the annual Government Security News Airport, Seaport, Border Security Awards Program for Best Facial Recognition Technology.</p><p>TEAM Software, Inc., is the winner of the Web.com 2017 Small Business of the Tournament Award for Nebraska.</p><p>Vinson Guard Service, Inc., gained national certification as a Women’s Business Enterprise by WBEC South, a regional certifying partner of the Women’s Business Enterprise National Council. </p><p>Zentera Systems, Inc., was awarded Best of Show for Best Security or Privacy Solution at IoT Evolution Expo.</p><h4>ANNOUNCEMENTS</h4><p>AngelTrax relocated all operations into a renovated facility that serves as its new headquarters and manufacturing, inventory, and distribution centers.</p><p>ASSA ABLOY acquired SMI (Shree Mahavir Metalcraft), a leading OEM manufacturer of architectural hardware in India.</p><p>The Association of Public-Safety Communications Officials (APCO) International and IBM announced that APCO International’s new guide card software will use IBM Watson Speech-to-Text and Watson Analytics.</p><p>CEDIA and The Electronic Security Association announced a strategic reciprocal training relationship that will expand the educational opportunities for members of both associations.</p><p>Columbus State University received a grant from the U.S. National Security Agency to develop a new tool for rapid cybersecurity training and curriculum development. </p><p>EventTracker introduced the EventTracker Partner Program. 
</p><p>EY opened its advanced cybersecurity center in Dallas, Texas, to help clients stay ahead of emerging threats.</p><p>Lantronix, Inc., joined the Kepware IoT Alliance Program.</p><p>Marks USA, a division of NAPCO, launched a new website at marksusa.com.</p><p>NXP Semiconductors N.V. is expanding its operations in the United States, enabling its U.S. facilities to manufacture security chips for government applications.</p><p>ONVIF announced the final release of Profile A for broader access control configuration and the Release Candidate for Profile T, a draft specification with advanced streaming capabilities that adds in support for H.265 video compression.</p><p>Proficio expanded into Hong Kong to broaden its presence in the Asia-Pacific region.</p><p>PSA is working with Matterhorn Consulting to enable PSA members to hire military veterans.</p><p>Stanley Black & Decker opened a new Breakthrough Innovation center in Boston dedicated to advancing technological innovation in its security business.</p><p>The Protection Bureau awarded scholarships to 10 children of company employees.</p><p>ThetaRay opened its first U.K. office in London.</p><p>Top Notch Distributors updated its website at topnotchinc.com.</p><p>Toshiba Surveillance & IP Video Products Group launched its Safe Scholar program to help schools reduce the total cost of video surveillance system ownership. </p><p>WatchGuard Technologies acquired Datablink, a provider of advanced authentication solutions. </p><p>Webroot acquired the assets of Securecast, a security awareness training platform, and launched Webroot Security Awareness Training as a beta program.</p>
https://sm.asisonline.org/Pages/The-Unseen-Threat.aspx
The Unseen Threat
<p>Traditionally, factory security assessments have been directed toward the inside of the factory or plant and not toward the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and the physical grounds because these tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) publishes Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. 
However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP are electronic security perimeters (ESPs) and physical security perimeters (PSPs). The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP. </p><p>Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems to look for telephone and wireless infrastructure, and interviewing plant operations technology staff. If the assessment is thorough, assessors also look at wireless traffic, such as cellular, LAN, or Wi-Fi connectivity, flowing across the ESP.</p><p>A PSP is more readily determined and tangible. Here, security staff literally walk along the perimeter of the room or building that encloses the ESP. They are normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. 
A PSP determination is more natural and can be readily performed by a skilled physical security professional.</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but less common way to approach a facility assessment is to start with the ESP and PSP concepts in mind and apply them to the footprint of the facility being examined. </p><p>Begin with an overhead view of the facility and, if possible, the corresponding fence line. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.</p><p>Using this overhead view, draw a border around the facility perimeter, with an optional border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.</p><p>Infrastructure to consider includes electric power feeds from a substation or emergency generators; natural gas or propane; water; sewer; enterprise and public fiber connections; telephone and cable television lines; and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, while performing an assessment of a client’s facility that included a wireless security inspection, Wi-Fi service was detected that was not owned or provided by the enterprise. 
The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.</p><p>A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi set up, which was available inside the power plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.</p><p>Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the plant supplying potable water, service water, and fire protection/sprinkler water. 
The line ran under the fence, across a large field between the fence and the factory itself, and then into the building, with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.</p><p>Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and use the unlocked padlock to either lock the valves or close and lock the building door, delaying emergency responders from reopening the valves. Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.</p><p>The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response, but it also provides an easy target for criminals. </p><p>Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether in electronic or physical form. 
It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and it provides enhanced planning for both physical and wireless attacks, from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen. </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS.</em></p>
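The boundary-mapping procedure described in the article above, as an added example that is not part of the original article or the author's own tooling: a small Python inventory of services crossing the analysis boundary, with the checks the article's field findings motivate (single feed, unmarked underground run, unsecured exterior structure, unknown owner, and Wi-Fi seen inside the fence that the enterprise does not own). The class and field names, the RSSI threshold, and all sample data are assumptions constructed for the example.

```python
"""Perimeter-crossing inventory for an ESP/PSP-style facility assessment.

Illustrative code added to the article, not the author's or BBA's tooling.
It models the mapping step the article describes (every service or signal
that crosses the analysis boundary, listed with where and how it enters)
and then runs checks drawn from the article's field findings.  All sample
data is constructed for the example.
"""
from dataclasses import dataclass
from typing import List

VECTORS = {"underground", "surface", "airborne"}  # the article's three vectors


@dataclass
class Crossing:
    """One service that crosses the analysis boundary (hypothetical schema)."""
    service: str                   # e.g. "potable/fire water"
    vector: str                    # underground | surface | airborne
    critical: bool                 # loss of this service stops operations
    entry_points: List[str]        # distinct perimeter locations where it enters
    marked: bool = True            # underground run is marked and on drawings
    exterior_secured: bool = True  # vaults/valve houses outside the fence are locked
    owner_known: bool = True       # facility knows who owns/operates the feed

    def __post_init__(self) -> None:
        if self.vector not in VECTORS:
            raise ValueError(f"unknown vector: {self.vector!r}")


@dataclass
class Finding:
    service: str
    issue: str
    severity: str  # "high" or "medium"


def assess_crossings(crossings: List[Crossing]) -> List[Finding]:
    """Apply the perimeter checks to every crossing and collect findings."""
    findings: List[Finding] = []
    for c in crossings:
        # A data center normally has redundant feeds at different perimeter
        # locations; one line is a single point of failure for a critical service.
        if c.critical and len(set(c.entry_points)) < 2:
            findings.append(Finding(c.service, "single feed, no redundant entry point", "high"))
        if c.vector == "underground" and not c.marked:
            findings.append(Finding(c.service, "underground run not marked; dig damage risk", "medium"))
        if not c.exterior_secured:
            findings.append(Finding(c.service, "exterior vault or valve house not secured", "high"))
        if not c.owner_known:
            findings.append(Finding(c.service, "owner unknown; possibly abandoned or third party", "medium"))
    return findings


@dataclass
class WifiObservation:
    ssid: str
    bssid: str
    rssi_dbm: int
    seen_at: str  # where inside the boundary the signal was observed


def find_unknown_wireless(observed: List[WifiObservation],
                          enterprise_bssids: List[str],
                          min_rssi_dbm: int = -75) -> List[WifiObservation]:
    """Networks seen inside the boundary that the enterprise does not own and
    that are strong enough for a device to join (RSSI at or above the assumed
    threshold).  Matching is on BSSID because an SSID is trivially copied."""
    known = {b.lower() for b in enterprise_bssids}
    return [o for o in observed
            if o.bssid.lower() not in known and o.rssi_dbm >= min_rssi_dbm]


# Constructed sample inventory, loosely modelled on the article's examples.
SAMPLE_CROSSINGS = [
    Crossing("potable/fire water", "underground", True,
             ["north fence, city tap house"], marked=False, exterior_secured=False),
    Crossing("utility power", "surface", True, ["east substation", "west generator yard"]),
    Crossing("enterprise fiber", "underground", True, ["north vault", "south vault"]),
    Crossing("legacy telephone", "underground", False, ["north vault"], owner_known=False),
]
ENTERPRISE_BSSIDS = ["00:11:22:33:44:55", "00:11:22:33:44:56"]  # constructed
SAMPLE_SCAN = [  # constructed scan results
    WifiObservation("PLANT-CORP", "00:11:22:33:44:55", -48, "control room"),
    WifiObservation("HOME-NET", "aa:bb:cc:dd:ee:01", -62, "loading dock"),     # neighbouring house
    WifiObservation("trailer-wifi", "AA:BB:CC:DD:EE:02", -70, "fence line"),  # contractor trailer
    WifiObservation("distant", "aa:bb:cc:dd:ee:03", -88, "fence line"),       # too weak to join
]


def main() -> None:
    for f in assess_crossings(SAMPLE_CROSSINGS):
        print(f"[{f.severity}] {f.service}: {f.issue}")
    for o in find_unknown_wireless(SAMPLE_SCAN, ENTERPRISE_BSSIDS):
        print(f"[wireless] unknown network {o.ssid} ({o.bssid}) at {o.seen_at}, {o.rssi_dbm} dBm")


if __name__ == "__main__":
    main()
```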
https://sm.asisonline.org/Pages/The-Future-is-Flexible.aspx
The Future is Flexible
<p>Mention teleworking, and some managers immediately feel at sea. How can I supervise employees I can’t see? Will staffers be sending check-in emails while watching Netflix? Can professionalism be maintained in pajamas?</p><p>Yet behind these fears lie opportunities. Teleworking, if planned and managed successfully, can be thought of as an opportunity for an organization to build trust and productivity among employees. It can also be employed as a strategic talent management initiative that improves employee attraction, engagement, and retention while reducing costs for both the firm and the workers. </p><p>In the security field, there are some jobs that are not conducive to telework, such as physical security positions that require an on-site presence. But others are more location-flexible, and some positions have elements of both: they require on-site availability on some days, but they also include duties that can be conducted at home, such as report writing, security officer scheduling, or customer service interactions that take place over email and phone. Security managers who dismiss telecommuting because not every position in their department is telework-friendly may be losing out on the broader organizational benefits of telework. </p><p>The aim of this article is twofold. It will offer some best practice guidance, mined from expert opinion and recent research, for managing teleworkers. It will also explore how a telework program can be used by a manager so that it plays a key role in the organization’s talent management strategies. </p><h4>Growing Trend</h4><p>About 43 percent of U.S. 
workers work remotely in some capacity, even if that means telecommuting only once a week or less, according to the 2017 version of Gallup’s annual report, The State of the American Workplace. That percentage is up from 39 percent in 2012, which indicates a moderate but steady increase in teleworking.</p><p>As telecommuting becomes more popular, the average amount of time each teleworker spends at home or in another remote location increases. The percentage of U.S. teleworking employees who spend 80 percent or more of their time (equivalent to four days per week or more) working remotely has increased from 24 percent in 2012 to 31 percent in 2016. The number of employees who work remotely 40 to 80 percent of the time has also slightly increased, while the number of employees working remotely less than 20 percent of the time has decreased.</p><p>In addition, in more than half of the largest U.S. metro areas, telecommuting beats public transportation as the preferred commuting option, according to another report, 2017 State of Telecommuting in the U.S. Employee Workforce. Telecommuting has grown far faster than any other commuting mode, according to the study, which was issued by FlexJobs and Global Workplace. </p><p>One of the drivers of the growth of telework has been the U.S. federal government. In 2010, the U.S. Telework Enhancement Act became law, and it required the head of each executive agency to establish and implement a policy under which employees could be authorized to telework. The U.S. General Services Administration (GSA) serves as the lead agency for the government’s initiative; in its latest annual report to Congress, GSA said that federal teleworking continues to increase, with participation growing from 39 percent to 46 percent of eligible employees from 2013 to 2015. </p><p>Another telework driver is the increasing pressure from younger workers for more work options. 
“The millennial generation, which values flexible work, has risen to prominence in the workforce. They are influencing and encouraging remote work policies,” says Robert Arnold, a principal with management consultancy Frost & Sullivan’s Digital Transformation-Connected Work Industry practice. With developments like advanced cloud services, technology continues to evolve and offer more reliable support for remote work, Arnold adds. </p><p>Nonetheless, barriers remain. “Federal agencies have made considerable progress (in teleworking), but they also continue to report challenges such as management resistance, outdated cultural norms, and technology limitations,” the GSA said in its latest annual report to Congress. </p><p>Often, this management resistance simply boils down to lack of trust, says Kate Lister, president of Global Workplace Analytics. “Some managers have this attitude: if they’re not looking at [workers] in the office, they’re at home on the sofa eating bonbons,” she says. Ironically, she adds, being in sight does not always mean being productive; workplace studies show that the majority of both cat videos and pornography are viewed in the office during working hours.</p><h4>Concentrative v. Collaborative</h4><p>One of the first tasks for those who plan to manage teleworkers is deciding who on staff may be eligible for telework. Overall, Gallup has found that a little over half of U.S. jobs, or about 55 percent, could allow for telecommuting, at least on a part-time basis. </p><p>Security jobs that require a daily on-site presence are generally not eligible for telework. And some employees, regardless of position requirements, simply do not want to telecommute. 
“Many people already know this about themselves—given the choice, they will opt to go into an office every day for the companionship, sense of purpose, or because they don’t trust themselves to be productive at home,” say consultants from Frost & Sullivan in their report, Best Practices for Managing Teleworkers: Changing Attitudes, Changing Ways.</p><p>However, those holding jobs with part-time on-site requirements may be eligible. Lister cites the example of a group of park rangers she worked with. Although they spent much time patrolling the park, they also had administrative responsibilities such as report writing, allowing many to successfully telecommute part time.</p><p>For guidance, some organizations use the model of concentrative versus collaborative work, Lister explains. Concentrative work, which is best conducted alone and without interruptions, can be done well remotely; collaborative work, such as meetings and group projects, is often best tackled in the firm’s office, with other team members present.</p><h4>Best Practices</h4><p>Once it is decided who might be working remotely, teleworking managers should keep in mind the following best practices, which come from various experts, including those quoted above, and from program guidance offered by GSA. </p><p><strong>Co-create.</strong> A teleworking policy should be developed by the entire team. To set the tone and foster confidence before a new teleworking program begins, managers should engage in dialogue with their teams and address any questions about teleworking. 
Asking team members to discuss and achieve consensus on solutions to these questions can help the team become more invested in making a teleworking initiative a success.</p><p>While the specific answers will differ for each organization, managers should be prepared for questions such as: </p><p>• How will we connect with each other?</p><p>• How will teleworking affect my performance evaluations and the way my work is assessed?</p><p>• What are the procedures for coordinating team projects?</p><p>• Will teleworking affect my career path?</p><p>• How can we manage customer expectations while teleworking?</p><p>• How can we use technology to help us telework better?</p><p>• Can we create a sense of workplace and community when we are working away from the office?</p><p><strong>Teamwork.</strong> If more than one employee is telecommuting, treat telework as a team activity rather than an individual one, whenever possible. Develop a team schedule, rather than an independent schedule, and a teleworking system that is consistent with the needs of the department and organization. This may mean that if an important team meeting needs to be held in person, employees normally scheduled to telework that day may have to come to the office instead.</p><p><strong>Virtual presence. </strong>Instant messaging systems can be used by team members to check in each morning and to change status when they will be away from the computer for more than a few minutes. Using a rotating system, one team member can also lead a virtual water cooler chat with a question or comment for team members to respond to once or twice a day. Transparent communication tools like shared calendars can also be useful.</p><p>In addition, advanced collaboration tools like video conferencing may also be considered. “They help to bridge the gap by building trust and intimacy that is conveyed by eye contact, body language, and other nonverbal communication cues,” Arnold says. 
</p><p><strong>Customer service.</strong> If your team members interact with customers, make sure service-level support requirements in communicating with customers are clearly defined. All team members need to agree to meet the same service levels to ensure transparency to the customer. Agree among yourselves on an acceptable response period for email inquiries or phone calls.</p><p><strong>IT support. </strong>A common reason for teleworking dissatisfaction is IT failure. Teleworkers are dependent on fast, reliable, consistent connections. Work with your IT group to ensure the technology is effective, efficient, operates consistently, and provides excellent customer service. IT department involvement and support are critical to your success.</p><p><strong>Trust. </strong>In talking with teleworkers on the phone, managers should avoid comments like, “Hey, I hear a washing machine. Are you doing your laundry, or working?” Instead, managers should use telework as an opportunity to foster trust between employees and management. Established daily check-ins can be useful, but rigid micro-monitoring of daily activities hinders productivity and creates an environment of distrust.</p><p><strong>Get together.</strong> The value of in-person community office time increases when working in a mobile environment. Collectively decide what types of events and activities will build a sense of cohesion and community. A regular social event might be included. </p><p><strong>Office space options. </strong>In some organizations, teleworkers are encouraged to share their space while teleworking, and relinquish their in-office space when working in the office. This will require coordination with other employees, and sometimes the development of shared space protocols. Hoteling software, which can help administrators keep track of space booking and scheduling, can also assist in this process. </p><p><strong>Manage by results. 
</strong>For managers used to passing offices where employees are working away, telework can be disconcerting. But apparent worker activity should not be confused with the results those activities produce. Establish a clear definition of objectives and performance indicators, and keep track of those indicators. </p><p><strong>Monitor performance measures. </strong>One measure might be team sick days and absenteeism—have they decreased as your teleworking program progresses? Customer satisfaction might be another measure—has the needle moved in any direction since some team members started teleworking? </p><p><strong>Keep evolving. </strong>Managers should think of a telework program as a continual work in progress. Teams are unlikely to get all arrangements right the first time. Evolving work groups and projects may also force changes in the original arrangements, regardless of how successful they may have been. Remain flexible, evaluate frequently, and adjust the arrangements as needed.</p><h4>Telework as Strategic Initiative </h4><p>The potential value of a well-managed teleworking program becomes even clearer when it is contextualized in the broader state of the current workplace. And as Gallup’s The State of the American Workplace finds, “the modern workforce knows what’s important to them and isn’t going to settle.” More than half of U.S. employees (51 percent) are searching for new jobs or watching for openings, and 47 percent say now is a good time to find a quality job.</p><p>But in this environment, teleworking options can boost an organization’s employee retention efforts. “Gallup consistently has found that flexible scheduling and work-from-home opportunities play a major role in an employee’s decision to take or leave a job,” the report says. </p><p>GSA has found that teleworking can have a positive impact, in various ways, on the worker. 
In research comparing teleworkers with nonteleworkers, GSA found that teleworkers report more job satisfaction and higher engagement levels. They are also less likely to want to leave their current organization than nonteleworkers. </p><p>Private sector experts have found similar effects. “We do find that job satisfaction and loyalty continue to be positively impacted by remote work. Work-life balance is a big emphasis by employers in many sectors that wish to recruit and retain top talent and employees with increasingly scarce skill sets,” Arnold says.</p><p>Indeed, when it comes to employee engagement, the Gallup report showed that the most engaged workers were those who spent 60 to 80 percent of their week—or roughly three to four days—working from home. While four days out of the office may be a bit extreme for some organizations, Lister says that many employers are finding two to three days a week as the telecommuting “sweet spot,” with workers benefitting from both in-office camaraderie and out-of-office concentrative sessions. And Gallup has found that workers who say they have privacy when they need it are 1.7 times more likely to be engaged than workers who do not have that luxury.</p><p>Organizations are also finding other benefits to telework. Some organizations have combined an increase in telework with a transition to a smaller office space, thus reducing overhead costs. </p><p>And the 2017 State of Telecommuting in the U.S. Employee Workforce report found that employers, on average, save roughly $11,000 per half-time telecommuter per year. In addition, firms are often getting more out of their telecommuters. A half-time teleworker gains back an average of 11 days a year in commuting time, and will devote about 60 percent of that gained time toward work, Lister says. </p><p>Finally, as the benefits of teleworking become apparent to more employees and more organizations, they are also forcing change, Gallup finds. 
Organizations are being forced to reconsider how to best manage and optimize performance. Even the basic idea of when and where people work is evolving. </p><p>“The workplace is changing,” Gallup says, “at unprecedented speed.”</p>
https://sm.asisonline.org/Pages/Officials-Say-New-York-Attacker-Acted-in-the-Name-of-ISIS.aspxOfficials Say New York Attacker Acted in the Name of ISISGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>​Sayfullo Saipov, the man accused of killing eight people by mowing down pedestrians and cyclists on a Manhattan bike path, plotted for weeks and then carried out the attack in the name of the Islamic State (ISIS), officials said Wednesday. </p><p>Saipov is a legal permanent resident of the United States who arrived from Uzbekistan in 2010 through a diversity visa program. Officials said Saipov was influenced by ISIS after coming to the United States. He left notes pledging his allegiance to the group, authorities said, though more direct connections between Saipov and ISIS have not been identified.</p><p>The notes were handwritten in Arabic, and essentially said that the Islamic State would endure forever, according to John Miller, deputy New York police commissioner for intelligence and counterterrorism, who spoke to reporters at a briefing on Wednesday. ISIS has urged its followers to use vehicles to carry out attacks.</p><p>"He did this in the name of ISIS," Miller said. "He appears to have followed almost exactly to a T the instructions that ISIS has put out in its social media channels before with instructions to their followers on how to carry out such an attack."</p><p>The new details came as authorities continued to explore the violent rampage that tore through a stretch of Lower Manhattan and became New York's deadliest terrorist attack since Sept. 11, 2001.</p><p>Police say Saipov climbed into a rental truck on Tuesday afternoon and careened down a bike path along the Hudson River, slamming into numerous people before he was wounded by police and taken into custody. 
He drove southbound on the path "at a high rate of speed" and appeared to specifically target cyclists and pedestrians, Miller said.</p>
https://sm.asisonline.org/Pages/Houston-Secures-the-World-Series.aspxHouston Takes Measures to Secure World SeriesGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>The city of Houston, Texas, is gearing up for an <a href="https://www.click2houston.com/news/houston-police-prepare-for-world-series" target="_blank">influx of tens of thousands of fans at the 2017 Major League Baseball World Series</a>, set to take place this week between the Los Angeles Dodgers and Houston Astros. The city is no stranger to protecting such large gatherings, as it recently played host to Super Bowl LI and the American League Championship Series. "We'll have plenty of resources on hand, and we will have resources both seen and unseen to protect the public," Executive Assistant Police Chief Matt Slinkard said in a news conference Monday at the police department's downtown headquarters. "You can always learn something from each and every major event that you host." </p><p>Police are working with the Harris County Sheriff's Office and federal law enforcement to <a href="http://www.houstonchronicle.com/news/houston-texas/houston/article/Law-enforcement-beefs-up-security-for-World-Series-12300524.php%20%E2%80%8B" target="_blank">gather threat intelligence leading up to the game</a>, and will utilize those partnerships to secure the more than 40,000 fans inside Minute Maid Stadium. Slinkard remarked that the various locations where the game can be viewed, including bars and block parties, add to the complexity of providing security. 
"Fortunately, we went through this drill for the Super Bowl, so we're applying lessons learned and tweaking them–but we're used to working together, [and we are] already doing that now," Slinkard noted.</p><p>The faceoff between the Houston Astros and Los Angeles Dodgers will begin in Los Angeles, and games three and four in the series will be at Minute Maid Stadium (and five, if needed). For a possible game six and seven, the series returns to Los Angeles.</p><p>Officials will deploy measures both on the ground and above to secure the best-of-seven series. Aviation measures are in place, as federal officials enact a limited no-fly zone during the games. In addition, two SkyWatch platforms, mobile surveillance systems that allow deputies to view the game from high above, will be deployed at the stadium. </p><p>Slinkard added that fans can expect additional traffic safety measures around the city, including DWI enforcement. The city is also encouraging baseball fans to be the eyes and ears of security while attending the series, and FBI Spokeswoman Christina Garza urged citizens to take it upon themselves to look out for suspicious behavior. "We constantly remind the public to be aware of their surroundings and report anyone or anything that might seem suspicious to law enforcement," she told the <em>Houston Chronicle</em>.</p>
https://sm.asisonline.org/Pages/Harden-Soft-Targets-with-PSIM.aspxHarden Soft Targets with PSIMGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>Soft targets—those that are readily accessible to the public, like shopping malls, hotels, and hospitals—are especially vulnerable to attack by terrorists, criminals, and other bad actors. Recent attacks around the globe have raised awareness of the need to protect these spaces. Security practitioners must keep in mind that the duty of care for enterprises extends beyond just a company's employees to anyone who sets foot on the property. </p><p>In these locations, typical physical security solutions include clear separation between public and staff-only areas, controlled access to sensitive areas to prevent unauthorized entry, and limited access to the facility during nonbusiness hours. These measures rely heavily on implementing and managing varying levels of access permissions for each area using a mix of security technologies. And even the best deployments of these systems do not eliminate risk; rather they help security to contain the threat. </p><p>With many diverse systems, this becomes a complex task that could quickly overwhelm security staff who are also tasked with monitoring, identifying, and responding to events. For multi-use facilities, physical security information management (PSIM) solutions simplify these complicated procedures with automated, intelligent alerts and response actions, along with greatly improved situational awareness. </p><p><strong>Alerting</strong></p><p>Any time an unauthorized individual enters a private or sensitive area, organizations should treat that incident as suspicious unless and until they learn there is a valid reason for the entry. And with every security breach—whether intentional or unintentional, malicious or harmless—time is of the essence. 
This underscores the vital need for operators and other security staff to know about the situation as soon as possible. With automation and the ability to seamlessly integrate multiple systems into a single interface, PSIM solutions can speed the alerting process to improve awareness and response.</p><p>For example, integrated access control and surveillance systems with video analytics could be deployed to alert staff when individuals enter a restricted area, such as a data center, after hours. When an alert comes in from the access control system, the PSIM solution can automatically call up surveillance video associated with the event, providing operators with direct visibility into the situation. </p><p>Another alert could be triggered by an initial report or description submitted by a mobile user. In this case, the PSIM could correlate with nearby video and other systems. Regardless of the source of the alert, the solution ensures that operators have instant access to valuable information and insight, allowing them to quickly assess the situation and initiate the appropriate response based on a full understanding of an incident. </p><p><strong>Response</strong></p><p>Once an alert has been generated, established actions must be in place to help staff determine the appropriate course of action to resolve an issue as quickly as possible. In many cases, no response is necessary. For instance, if an individual holds a door open for a few seconds, the access control system may generate a door-prop alert. Using video associated with the action, an operator can determine in seconds whether this was to allow unauthorized entry or if the person entering simply paused to read an email or text on a cell phone. 
Without the video capability, a guard would need to be dispatched to assess the situation—not the most efficient use of time and resources.</p><p>Given the large number of nonactionable alerts operators receive throughout their shifts, they may not be prepared for an event that does require action, regardless of how well they have been trained. This can cause confusion and stress, which can complicate the situation and lead to chaos. Having well-defined standard operating procedures (SOPs) in place to guide operators and others through each process reduces the potential for stress, panic, or confusion, all of which contribute to a high potential for human error. However, complicated or difficult-to-locate SOPs will do nothing to reduce this likelihood. </p><p>PSIM can automate many of the more mundane and basic steps to simplify processes and allow operators to focus only on the most critical tasks that require human intervention, such as determining whether a person seen on video represents a potential threat. This enables security staff to quickly assess the situation and determine the most appropriate response. </p><p><strong>Real-Time Situational Awareness</strong></p><p>When responding to an incident, it is important for guards, first responders and others to have the most complete information to ensure the most effective and efficient response. </p><p>Integrated systems improve this awareness by providing large amounts of data from various systems that can be combined to evaluate an incident. While searching myriad systems to gather and sort through this information manually is not feasible, automated PSIM solutions put all the relevant information at operators' fingertips. This allows security staff to make quick, accurate decisions based on a complete picture of an event and easily share information in real time with appropriate responders and coordinate response among all parties involved. 
This collaboration provides critical situational awareness to those responders, who can then make faster, more informed decisions that enable swift response to help prevent an incident from unfolding.</p><p>A wide variety of challenges arise when securing facilities and campuses with multiple levels of access privileges. By deploying a PSIM to aggregate crucial information, organizations can overcome the many challenges they face while also increasing safety and security for these potentially complex applications.</p><p><em>Simon Morgan is chief technology officer for SureView Systems.</em></p>
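<p>The alerting and response flow the article describes (an after-hours entry to a restricted area pulled up with its cameras, a door-prop alert reviewed on video before anyone is dispatched, a mobile report correlated with nearby video, and an operator queue that hides nonactionable events) can be made concrete with a small event-correlation step. The Python below is an added illustration and is not SureView Systems' code or any product's API; the zone-to-camera map, business-hours window, event kinds, SOP wording and sample event feed are all constructed for the example.</p>

```python
"""Minimal PSIM-style correlation: enrich raw subsystem events with the
cameras covering the zone and the SOP step an operator should follow.
Hypothetical site model and event schema; not a real product's interface."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed site model: cameras covering each zone, which zones are
# restricted, and the business-hours window used by the after-hours rule.
ZONE_CAMERAS = {
    "lobby": ["cam-01", "cam-02"],
    "data-center": ["cam-10", "cam-11"],
    "loading-dock": ["cam-20"],
}
RESTRICTED_ZONES = {"data-center"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

PRIORITY_RANK = {"dispatch": 0, "review": 1, "info": 2}


@dataclass
class Event:
    """One raw event from an integrated subsystem."""
    source: str      # "access-control" or "mobile-report"
    kind: str        # "access-granted", "door-prop", "door-forced", "report"
    zone: str
    ts: datetime
    detail: str = ""


@dataclass
class Alert:
    """Event enriched with associated video and the SOP step to follow."""
    event: Event
    priority: str    # "dispatch" > "review" > "info"
    cameras: list
    sop: str


def after_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def correlate(event: Event) -> Alert:
    """Attach the zone's cameras and pick the SOP step for one event.

    Rules follow the article: an after-hours entry to a restricted area is
    suspicious until verified on video; a door-prop is reviewed on video
    before a guard is sent; a forced door is dispatched immediately.
    """
    cameras = ZONE_CAMERAS.get(event.zone, [])
    if event.kind == "door-forced":
        return Alert(event, "dispatch", cameras,
                     "Dispatch guard, notify supervisor, bookmark video")
    if (event.kind == "access-granted" and event.zone in RESTRICTED_ZONES
            and after_hours(event.ts)):
        return Alert(event, "review", cameras,
                     "Verify identity on video; dispatch if not recognised")
    if event.kind == "door-prop":
        return Alert(event, "review", cameras,
                     "Check video: tailgating vs. person paused; close if benign")
    if event.source == "mobile-report":
        return Alert(event, "review", cameras,
                     "Correlate report with nearby cameras, then escalate or close")
    return Alert(event, "info", cameras, "Log only; no operator action")


def triage(events: list) -> list:
    """Operator queue: actionable alerts only, most urgent first."""
    alerts = [correlate(e) for e in events]
    actionable = [a for a in alerts if a.priority != "info"]
    return sorted(actionable, key=lambda a: (PRIORITY_RANK[a.priority], a.event.ts))


# Constructed sample feed; badge numbers, timestamps and zones are invented.
SAMPLE_EVENTS = [
    Event("access-control", "access-granted", "data-center", datetime(2017, 11, 1, 2, 15), "badge 4471"),
    Event("access-control", "access-granted", "data-center", datetime(2017, 11, 1, 10, 0), "badge 4471"),
    Event("access-control", "door-prop", "lobby", datetime(2017, 11, 1, 10, 5), "door open 12s"),
    Event("mobile-report", "report", "lobby", datetime(2017, 11, 1, 10, 6), "unattended bag"),
    Event("access-control", "door-forced", "loading-dock", datetime(2017, 11, 1, 10, 9)),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert.priority, alert.event.kind, alert.event.zone, alert.cameras, "->", alert.sop)
```

<p>Running it shows the point of the "Response" section: the daytime data-center entry by a valid badge never reaches the operator, the door-prop and the mobile report arrive already paired with the lobby cameras for a quick video check, and the forced door sorts to the top of the queue with its dispatch step attached.</p>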
https://sm.asisonline.org/Pages/Why-Companies-Should-Hire-People-Not-Resumes.aspxWhy Companies Should Hire People, Not ResumesGP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p><em>Security Management</em> has partnered with the Society for Human Resource Management (SHRM) to bring you relevant articles on key management topics and strategies. This article by Erin Binney discusses the value of hiring the underdog.</p><p>--</p><p>BOSTON—Two resumes lie side by side on a recruiter's desk. Candidate A has an Ivy League education, a 4.0 GPA and a slew of impressive internships. Candidate B graduated from a state school with a 3.4 GPA and once worked as a singing waitress. Which candidate is more likely to add value to the organization?</p><p>Regina Hartley, a vice president of HR at UPS, argues that it just might be Candidate B, and she explained why during her closing keynote presentation at the Human Capital Institute's 2017 Strategic Talent Acquisition Conference.</p><p>If the recruiter were to do a little digging, Hartley said, he or she might discover that Candidate B is a "scrapper"—someone who has faced adversity and succeeded in overcoming obstacles.</p><p>Attendance at a less prestigious educational institution may have been the result of financial limitations, not a lack of intelligence, for example, and an uneven work history might mean that the person had to take time off to care for a loved one.</p><p>But through these experiences, Candidate B may have become incredibly resilient or developed superior problem-solving skills. 
She can bring those and other desirable qualities to your organization—but only if you're willing to take a chance on her.</p><p>"There are people out there who can transform your organization," Hartley said, "but they're getting filtered out through the recruitment and selection process."</p><h4>Who Are Scrappers?</h4><p>Hartley referred to a concept called "post-traumatic growth" and cited a study of 698 children who grew up in less-than-ideal circumstances. One-third of them went on to lead healthy, productive, successful lives.</p><p>Steve Jobs is an example of a scrapper, she said. He struggled with his feelings about being placed for adoption, was diagnosed with dyslexia and dropped out of college before founding Apple.</p><p>Kat Cole might consider herself a scrapper, as well. Cole experienced what she describes as a "Jerry Springer" childhood. She was raised by a single mother, worked as a Hooters waitress when she was a teenager and dropped out of college. Now, she's group president of FOCUS Brands, the franchisor and operator of Cinnabon, Carvel, Moe's Southwest Grill and other restaurants.</p><p>Cole recently told HR Magazine that her work ethic "came from watching my mom, who worked three jobs while she was single and taking care of us. In many ways, I grew up as a normal kid. But I also had to look after my sisters, so I had to develop a great work ethic early in life."</p><p>In many cases, Hartley said, scrappers succeed not in spite of their circumstances but because of them. In fact, many of these people "attribute their success to adversity," she said.</p><p>Hartley urged attendees to read between the lines on a resume. 
"Struggle is a great indicator of resilience, creativity and critical thinking," she said.</p><p>Scrappers also tend to:</p><ul><li>Be self-reliant.</li><li>Have a sense of purpose.</li><li>Be problem-solvers.</li><li>Refuse to give up.</li><li>Take personal responsibility for difficulties.</li></ul><h4>'Be the Gateway'</h4><p>For talent acquisition professionals who are ready to introduce scrappers into their organizations, Hartley had this advice: Don't rely exclusively on technology. It's easy to let tech solutions whittle down your applicant pool, but doing so may not yield the best candidates. Screening systems may reject applicants whose resumes don't contain the right keywords or don't check certain predetermined—and often irrelevant—boxes.</p><p>"The resume tells me what a person did, but it doesn't tell me who you are," Hartley said. Remember, she told the audience, "you're hiring people, not resumes."</p><p>Use innovative recruiting methods. Companies can hold events that give scrappers a chance to show what they can do in a real-world setting. If your organization is hiring for entry-level IT positions, she suggested, sponsor a hackathon where prospective employees can showcase their coding skills. You may discover that the best performers aren't the university recruits with the best pedigrees.</p><p>Educate hiring managers. Hiring managers may be skeptical of scrappers' value. The best way to educate them, Hartley said, is to identify a scrapper who has already proven himself or herself at the organization. Find that person who started in the mailroom, worked her way up the company ranks and is now known as someone who helps drive the business.</p><p>Talent acquisition professionals have a lot of influence over which candidates get passed along to hiring managers and which ones are chosen for interviews, Hartley said. "Don't be the gatekeeper. Be the gateway."</p><p><em>© 2017, SHRM. 
This article is reprinted from https://shrm.org with permission from SHRM. All rights reserved.</em></p>
https://sm.asisonline.org/Pages/Building-a-Professional-Guard-Force.aspxBuilding a Professional Guard ForceGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465<p>In today's environment of heightened security in all areas, security departments are struggling to attract and retain high-quality guards. Now more than ever, it's vital to examine how security guards are evaluated, trained, and compensated.</p><p>All entities, including corporations and government facilities, understand the importance of a top-notch security force. However, not all of them recognize the elements needed to create such a force.</p><p>Security managers may presume that a security guard who passed the preemployment screening and successfully completed training when hired will perform the required duties well. And that may be true. But human nature allows people to become complacent, cut corners, and get too comfortable. Continuing education, regularly scheduled evaluations, and enhanced training can improve the team's performance.</p><p>On March 1, 2016, at Escuela Campo Alegre, Caracas, Venezuela, we initiated a new method of recruitment and selection for incoming loss prevention and control analysts (LPCAs). At that time, we chose to enhance our program by hiring 10 people with bachelor's or associate degrees in engineering, economics, administration, education, and other related fields.</p><p>We developed a screening and training program for candidates hoping to join our security team as LPCAs. In addition, we created a regimen of close supervision and daily evaluation of the security force to reinforce the training. </p><p>Here are the elements that led to success in creating excellent employees for our school's protection, from the first job application to seasoned protection professional.</p><p><strong>SCREENING AND TRAINING</strong></p><p><strong>Detailed job description. 
</strong>Experience has taught me the importance of a detailed and clearly stated job description. Candidates for the position of LPCA receive a precise explanation of the duties and expectations. This is presented first so that potential candidates fully understand the duties and responsibilities of the position. If the job description isn't something the candidate wants to do, we have saved everyone a lot of time.</p><p><strong>Required qualifications. </strong>Every security force has necessary requirements when seeking team members such as age, place of residence, experience, physical abilities, criminal background, and computer skills. Education, of course, is taken into consideration, and at Escuela Campo Alegre we look for higher education, from associate degree to bachelor's degree and up, for LPCA candidates.</p><p><strong>Testing potential candidates. </strong>LPCAs must have certain abilities from the beginning.</p><p><em>Observation.</em> The candidate must be attentive and aware at all times of the general appearance of people, placement of objects, locations, colors, vehicles, and location of security equipment.</p><p><em>Oral communication.</em> The candidate must be able to respond in detail when relaying and explaining the facts of a situation. The candidate must also be able to delegate duties to a third party using clear directions. </p><p><em>Written communication.</em> The candidate must be able to write a report using correct grammar and vocabulary. An excellent memory is needed to write a complete report. Also, the candidate must be computer literate to produce the report.</p><p>During the interview process, we determine if the candidate has the qualifications listed above. We evaluate the ability to give directions properly to a third party. Observation skills are also evaluated. Reporting skills are tested by having the candidate read and summarize a paragraph using a computer.</p><p><strong>Introduction to private surveillance. 
</strong>A candidate who passes the initial interview process is invited to attend an eight-hour training presentation the next day. This introduction exposes the candidate to the basic requirements of private security. Among the topics addressed are the expectations of a security officer, the organizational mission, legal aspects, visitor management, keys and locks, and guard tours.</p><p>After the presentation, the candidate undergoes a test, which requires 17 points to pass. If successful, the candidate is invited to come the following day to read the operations manual. </p><p><strong>Operations manual. </strong>This next step is important. We determined that it requires five business days to read, analyze, and understand the school's operations manual. We administer an evaluation at the end of each day to determine whether the candidate has understood the reading for the day. This helps to clarify questions or misunderstandings the candidate may have. If the candidate does not reach the minimum score during the first evaluation, the average of the first and second tests must be a passing score. Candidates who do not receive the required score are no longer considered, but those who pass the evaluation are invited to the induction program.</p><p><strong>Induction program. </strong>This phase of our program provides detailed descriptions of the jobs to be performed. Candidates learn that they will rotate throughout the facility and understand that there are multiple and varying tasks at each location. They receive on-the-job exposure to the work by staying at our institution during four day shifts and two night shifts.</p><p>The candidate is evaluated each day, and the minimum passing grade is 17 out of 20 points. Once again, candidates who do not receive a passing grade will no longer be considered for a position.</p><p><strong>Final evaluation. 
</strong>After passing the induction program, the candidate will meet with the security manager for the final assessment. This assessment includes topics such as employee identification, addresses of various locations, location of safety equipment, knowledge of the operations manual, recognition of patrol routes, and disciplinary code.</p><p><strong>Assignment to a guard group. </strong>Candidates who advance through the final evaluation receive the rank of Officer I and are assigned to a regular working group. Together with the supervisor, the officer will put into practice all theoretical and practical knowledge achieved through training. The officer will work as an auxiliary for 90 days and will perform day-shift and night-shift tasks in conjunction with the assigned group. </p><p>During this trial period, the officer will be guided and instructed by the supervisor regarding the responsibilities of the log book; closing and opening of facilities; operation of lighting; vehicle fleets; entry and exit of students; entrance of drivers, chauffeurs, and caregivers; Escuela Campo Alegre staff, contractors, tutors, substitutes, trainers, and frequent visitors; entry and exit materials; fire alarm system; evacuation drill; and many other activities. </p><p><strong>Completing the probationary period</strong>. Once Officer I completes the probationary period, we administer an evaluation to demonstrate readiness to assume multiple responsibilities. If the officer does not pass the evaluation, an additional 15 days as an auxiliary allows for more instruction, followed by another evaluation. When this evaluation is passed, the individual is promoted to Officer II.</p><p><strong>Certification as Loss Prevention and Control Analyst. </strong>An Officer II will work for nine continuous months at the new job, demonstrating knowledge of establishing priorities, situation analysis, decision making, safety, conflict management, investigations, and first aid. 
Depending on performance and the results of monthly assessments, it can be determined that the officer has a clear understanding of what constitutes the work of the supervisor. The officer is now eligible to be certified as an LPCA. A further evaluation involves a series of cases and situations and requires a passing score to become a certified LPCA.</p><p>Out of 120 people who apply for a position as an LPCA, only about 10 successfully reach this point.</p><p><strong>EMPLOYEE DEVELOPMENT</strong></p><p><strong>Training updates. </strong>In our organization, we believe that providing continuous training enhances the performance of each member of the group. Daily training is provided to each member of the guard force for 15 minutes prior to the day shift and the night shift. This training is different every day and covers more than 40 areas related to the fulfillment of security tasks. The training aims to strengthen the knowledge and ability to perform required tasks.</p><p><strong>Daily evaluations. </strong>From the first moment the candidate joins our ranks, we stress the importance of maintaining our organization with a spirit of healthy competition within the groups. This interest and enthusiasm in our organization fosters respect, pride, and knowledge about the organization.</p><p>The daily evaluation is a practical application that consists of the exchange of files and questions that the coordinator of vigilance presents to each member of the group. Officers must demonstrate their ability to recognize the faces of employees, know the geographical location of any room on campus, know the exact location of the security equipment, provide detailed information of the operations manual, run the courses correctly, and honor the disciplinary code. This daily evaluation keeps officers on their toes and objectively assesses their knowledge.</p><p><strong>Monthly evaluations. 
</strong>At the end of each month, the scores from the daily assessments are reviewed, allowing us to determine who has been an outstanding analyst and who may need more supervision and additional training. Officers who come up short three times during the school year are reassigned to jobs outside of Escuela Campo Alegre. </p><p><strong>LPCA lectures. </strong>Each LPCA of Campo Alegre School, as part of ongoing professional development, must present a lecture about security once a year. Each 20-minute lecture is followed by a 10-minute question-and-answer session. The topic of the lecture is assigned by management. </p><p><strong>Annual research presentation. </strong>For further professional development, each LPCA at Escuela Campo Alegre must research and propose new tools, criteria, or procedures to make the job function better and more efficiently. This improves the LPCA's skills while helping management meet its objectives.</p><p><strong>Interpersonal communications with management. </strong>Once a week, an off-duty analyst will attend an hour-long meeting with management. The parties discuss topics not related to work, such as sports, hobbies, and leisure pursuits. Management gains an appreciation of the social, cultural, and familial environment of the analyst, and both participants strengthen their communication. </p><p><strong>Disciplinary court. </strong>If any officer is involved in a disciplinary action, that officer seeks a member of his group to act as his "lawyer." The lawyer will represent the officer and help to clarify the situation. Likewise, management will choose an officer to act as "prosecutor" to argue the case of the disciplinary action. This interaction allows each party a fair chance to present facts. </p><p><strong>LPCA authors. </strong>Every member of the security team is required to write an article about campus security. 
The article is published in our digital magazine and is shared with the Campo Alegre community, including parents, students, teachers, employees, and contractors.</p><p><strong>LPCA of the month. </strong>Each month, an officer who has successfully met all objectives is awarded LPCA of the month. The objectives include staff identification, detailed knowledge of the campus, analytical prowess with regard to the operations manual, location of safety equipment, completion of duties, and adherence to the disciplinary code. The officer must demonstrate clear concise communication and common sense.</p><p><strong>LPCA of the year. </strong>This honor is awarded to the LPCA who has received the greatest number of monthly awards.</p><p><strong>Compensation. </strong>In addition to careful training, we know that humans respond well to a good salary and benefits. They feel appreciated for a job well done. We are proud to say that our LPCAs are the best paid in the country. In addition, they receive a stipend for being a university graduate, a stipend for transportation, and bonuses for work performance. The Escuela Campo Alegre community also shows appreciation through thank you notes and personal gratitude. That goes a long way in making our team feel appreciated.</p><p><strong>RESULTS</strong></p><p>Since Escuela Campo Alegre began this program of recruitment, training, supervision, daily evaluations, and professional development of analysts, management has observed both positive and negative behaviors: distractibility, obscurity, lack of discipline, lack of confidence to perform duties, inequality when working in groups, selfishness, and lying, as well as professionalism, fairness, honesty, transparency, and overall pride in the work and the institution. </p><p>Our evaluation system contributes greatly toward a successful program. 
A Google Doc is available so that every person on the task force can monitor his behavior and improve in areas of operation, manual details, face recognition, geographic location on campus, security equipment location on campus, and security rounds. With this information available at any time, they can self-motivate and improve. The same Google Doc can show them where they stand as far as positioning, and they can see what salary increase they may expect on their next evaluation. The disciplinary system tracks all mistakes made by the analyst on duty. This provides the analyst the opportunity to correct mistakes and advance in the program.</p><p>Our turnover is very low because of our evaluation system. It not only helps those who wish to advance, but it also allows others to realize, on their own, that their job performance is too low to continue.</p><p>The analysts take pride in their work and, because they can see what other analysts are achieving, they can collaborate and ask questions of those higher achievers. There are fewer missed shifts. Because the analysts work so closely together and respect each other, they are more willing to cover for a team member.</p><p>It has been arduous work that involves a great deal of discipline, ethics and morals, teaching, and faith in what we are doing. We are proud of our successful program and will continue to refine and improve it in the future.</p><p><em>Guillermo Guevara Penso was security manager at Escuela Campo Alegre in Caracas, Venezuela, until July 2017, when he elected to seek other security-related opportunities in Chile. He has more than 30 years of experience in the security field.</em></p>
https://sm.asisonline.org/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx Bag Checks At Hotels Unlikely To Become New Normal, Expert Says (Physical Security)<p>In the aftermath of the Las Vegas shooting that killed 59 people and wounded more than 500 others, many are wondering if hotels will change their security policies and procedures. </p><p>One area of concern is if hotels will begin implementing bag checks because gunman Stephen Paddock was able to smuggle 23 firearms, along with other equipment, into his suite at Mandalay Bay to carry out Sunday’s massacre.<br></p><p>The Wynn resort in Las Vegas—located on the opposite end of the Vegas Strip from the Mandalay Bay resort—introduced security guards on Monday afternoon to screen visitors with metal-detector wands. It also implemented a bag check, which created a 10-minute wait to get inside the facility. <br></p><p>This is unlikely to become the new normal for hotel security in the near future, however, says Russell Kolins, CEO of the Kolins Security Group and chair of the ASIS International Hospitality, Entertainment, and Tourism Security council.<br></p><p>“Hotels are in the business of selling privacy—they’re offering hospitality and selling privacy,” Kolins explains, adding that hotels would likely start to lose business if they began checking bags—especially in locations like Las Vegas. <br></p><p>“In Vegas especially, what happens in Vegas stays in Vegas,” Kolins says. “People bring items they don’t want other people to see.”<br></p><p>At airports, travelers are subject to bag searches—as well as body scans—because they are a different kind of target than a hotel. 
Travelers also have no expectation of privacy while on a plane, except for in the bathroom, unlike in a hotel where travelers expect privacy within their room, Kolins says.<br></p><p>One policy that might need to be revisited following the shooting, however, is how hotels handle checking rooms that have a “Do Not Disturb” sign on the door. <br></p><p>Paddock checked into the Mandalay Bay on Thursday and kept a “Do Not Disturb” sign on his hotel door throughout his stay. This meant hotel cleaning staff did not enter his room, <a href="https://www.nytimes.com/2017/10/03/us/las-vegas-gunman.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=a-lede-package-region&region=top-news&WT.nav=top-news&_r=0" target="_blank">according to a hotel worker who spoke to The New York Times,</a> because housekeeping is only allowed to enter a room with such a sign on it if a security guard is present.<br></p><p>Requiring a security guard be present to enter rooms with privacy signs is the right move, Kolins says, but hotels should consider changing their policies to require room checks every other day.<br></p><p>“That’s an arbitrary period of time, but I think a policy should be instilled to at least check on the rooms,” Kolins says, adding that hotels would have to make patrons aware of the policy. But such a policy could, potentially, prevent an individual from using a hotel room for an extended period of time to plot a criminal act.<br></p><p>Kolins leads a team of court-certified security experts at his firm. He says he thinks it’s unlikely that Mandalay Bay will be sued for negligence for the shooting because to sue for negligence, plaintiffs must be able to show foreseeability. <br></p><p>“This is unprecedented—nothing like this has ever happened,” Kolins explains. 
“If something happens the first time, it’s not foreseeable.”<br></p><p>Now that such an attack has happened, though, if a similar attack happens plaintiffs could potentially bring a lawsuit saying it was foreseeable. In response, Kolins says he expects the hotel security industry to begin having seminars and tabletop meetings to determine how they would handle a similar case.<br></p><p>“I think what this has done is show that the slogan ‘expect the unexpected’ is again proven to be true,” Kolins says. “It wasn’t foreseeable because it was unprecedented.”​<br></p>
https://sm.asisonline.org/Pages/LIVE-UPDATES-LAS-VEGAS-SHOOTING.aspx LIVE UPDATES: Las Vegas Shooting (National Security)<p><strong>WHAT WE KNOW</strong></p><ul><li>58 people were killed and 500 injured in a shooting on the Las Vegas Strip at 10:08 p.m. Sunday (1:08 a.m. ET Monday).</li><li>The gunman, 64-year-old Stephen Paddock, fired shots from a window in the Mandalay Bay Resort and Casino onto the strip below.</li><li>Shooting happened during Jason Aldean concert, part of Route 91 Harvest Country Music Festival.</li><li>The massacre has surpassed the Pulse Nightclub tragedy in Orlando as the worst mass shooting in modern U.S. history.</li><li>Las Vegas Sheriff Joe Lombardo says Paddock was killed in a standoff with police in his hotel room; he had at least 10 rifles on him.</li><li>U.S. official says there are currently no known links to terrorism or motives for the shooting, according to CNN.</li><li>Marilou Danley was previously reported as having a possible link to the shooting, but police now say they have made contact with her and she is no longer a person of interest.</li><li>Two Las Vegas police officers are hospitalized; one is in critical condition, while the other sustained minor injuries.</li></ul><h4>Investigators Questioning Gunman's Girlfriend, and exploring shooter's attack plans</h4><p><strong>Update, 5:03 p.m. 
E.T., 4 October 2017</strong></p><p>Marilou Danley, the girlfriend of the Las Vegas gunman, was at the FBI's building in Los Angeles for questioning on Wednesday, according to a law enforcement official. Authorities are seeking her insight into what prompted a man with no evident criminal history to become a mass murderer, the <em>New York Times </em>reported. </p><p>The FBI is trying to reconstruct the actions of the gunman, including finding and interviewing "everyone and anyone who crossed his path in recent weeks," Andrew G. McCabe, the deputy director of the FBI, said at a cybersecurity conference in Boston.</p><p>The killer, Stephen Paddock, "is an individual who was not on our radar or anyone's radar prior to the event," Mr. McCabe said in an interview with CNBC outside the conference. "So we really have a challenging bit of detective work to do here, to kind of put the pieces back together after the fact."</p><p>Meanwhile, investigators are exploring whether Las Vegas suspected shooter Stephen Paddock sought a hotel room overlooking another outdoor concert in Las Vegas in late September that featured Chance the Rapper and Lorde, sources told <em>ABC News.</em></p><p>Paddock allegedly rented multiple condos at The Ogden complex in downtown Las Vegas, which overlooked the location of the Life is Beautiful Festival. A spokeswoman for The Ogden referred questions to Las Vegas police.</p><p>At a press conference on Tuesday, authorities were asked if there was any indication Paddock was planning an earlier attack. "No. I'm not prepared to speak about that, but that is part of our investigation," they replied.</p><h4>bag checks at hotels unlikely to become the new normal, expert says</h4><p><strong>Update, 3:20 p.m. 
E.T., 4 October 2017</strong><br></p><p>In the aftermath of the Las Vegas shooting that killed 59 people and wounded more than 500 others, many are wondering if hotels will change their security policies and procedures.<br></p><p><em>Security Management </em>reached out to Russell Kolins, CEO of the Kolins Security Group and chair of the ASIS International Hospitality, Entertainment, and Tourism Security Council for his thoughts on the future of hotel security. <a href="/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx" target="_blank">Read our analysis here.</a><br></p><h4>Live Entertainment Promoters Rethinking Security</h4><p><strong>Update, 3:00 p.m. E.T., 3 October 2017</strong><br></p><p>Concert and music festival planners are taking a closer look at security protocols following the Las Vegas shooting—which is just the latest attack on a public entertainment venue. Last year’s terrorist attack on the Bataclan theater in Paris, where the Eagles of Death Metal were playing, and the attack earlier this year on the Ariana Grande concert in Manchester show that concerts are tantalizing targets due to their publicity and the large number of people that flock to them. </p><p>Damon Zumwalt, CEO of the company that provided about 200 security personnel for the Route 91 Harvest music festival, <a href="https://www.cnbc.com/2017/10/02/there-are-bodies-lying-everywhere-security-ceo-from-doomed-vegas-concert-talks-about-getting-the-call.html" target="_blank">described to CNBC</a> the moment he received the call from one of his managers about the shooting. Zumwalt’s company, Contemporary Services, works with law enforcement and runs active shooter drills, but at a certain point there is nothing that can be done.</p><p>"We plan for practically everything, but you don't plan for something you can't control, like a guy off-property," Zumwalt said. 
"That's pretty devastating, and there's just no real reason for that kind of insanity."</p><p>Following the trend of soft target attacks, many music venues have increased their security. However, experts note that securing an indoor venue is far easier than an outdoor festival—officials can more easily control who enters an indoor space and what they bring with them. Experts agree that there is very little that Route 91 Harvest could have done to prevent Sunday night’s tragedy. </p><p>Going forward, festival organizers will have to be more mindful of event locations and the areas surrounding the festival’s footprint, according to Waco Hoover, CEO of XLIVE, which provides best practices for the industry. Event organizers will have to balance the need for an increased security presence—perhaps changes similar to what airports experienced following 9/11—while allowing the freedom to enjoy recreational activities that festivals foster. </p><p>"If you look at the scenario, this (security) is not a festival issue," <a href="http://www.desertsun.com/story/life/entertainment/music/coachella/2017/10/02/las-vegas-shooting-could-change-festival-security-coachella-and-around-world/724617001/" target="_blank">Hoover told the <em>Desert Sun.</em></a> "This is not a Live Nation or Goldenvoice disclosing their security plans. They’re already working very, very closely with the city and the appropriate authorities to do those types of things. This is something which the producing entity has no control over.”</p><h4>Twenty-three firearms found in gunman's suite as investigation progresses</h4><p><strong>Update, 12:45 p.m. 
E.T., 3 October 2017</strong><br></p><p>Officials are still investigating the events that led up to the horrific shooting in Las Vegas earlier this week, but did release information confirming they found 23 guns in the gunman's suite.<br></p><p>Las Vegas Metropolitan Police Department Sheriff Joseph Lombardo also told <em><a href="https://www.nytimes.com/2017/10/02/us/las-vegas-shooting-live-updates.html?_r=0" target="_blank">The New York Times</a></em> that when Stephen Paddock's home was searched, they found 19 firearms, "some explosives, and several thousand rounds of ammo."</p><p>Some of the rifles found in Paddock's hotel room at Mandalay Bay may have been modified to make them fully automatic. </p><p>"Automatic rifles, which fire multiple rounds with a squeeze of a trigger, are highly regulated, and on videos posted online by witnesses, the rapid-fire sound indicated that at least one weapon was fully automatic," according to the Times.</p><p><a href="https://lasvegassun.com/news/2017/oct/03/las-vegas-gunman-had-device-turning-weapon-into-au/">In a report by <em>The Las Vegas Sun,</em></a> officials said Paddock had two "bump-stocks" that could have converted the firearms into fully automatic weapons. </p><p>Officials are currently investigating whether those stocks were used to modify weapons Paddock ultimately used to carry out the massacre.</p><p>The shooting has also raised questions about hotel security and if there are measures that could have detected the firearms as they were brought into Mandalay Bay.</p><p><a href="https://www.nytimes.com/2017/10/02/business/hotel-security-las-vegas.html" target="_blank">In an interview with the Times,</a> Mac Segal, consultant at AS Solution, said hotel guests in the United States and Europe place a premium on their privacy, so X-ray machines and explosive scanners are unlikely to appear at hotels anytime soon. 
</p><h4>ASIS condemns Vegas shooting, releases resources on soft target security</h4><p><strong>Update, 10:45 a.m. E.T., 3 October 2017</strong><br></p><p>ASIS International<a href="https://www.asisonline.org/News/Press-Room/Press-Releases/2016/Pages/ASIS-Statement-on-Las-Vegas-Tragedy.aspx" target="_blank"> released a statement</a> condemning the "horrific massacre of Las Vegas concertgoers" and pledging its support to the security community.<br></p><p>"This senseless violence follows an all-too common pattern of lone wolf attacks targeting citizens where they live, work, and play," ASIS said. "Our members, 35,000 strong, stand united against this evil."</p><p>ASIS has also made resources on soft targets and active shooters available, free of charge, to assist the Las Vegas community and security professionals.</p><p>"We will continue to bring our resources to bear to help deter, prevent, and minimize future attacks," ASIS said. "In the days ahead, we will work with our Las Vegas chapter to help the area and its citizens recover and gather best practices to help make our communities more resilient."</p><h4>ASIS International LinkedIn discussion of shooting</h4><p><strong>Update, 10:44 a.m. E.T., 3 October 2017</strong></p><p>Any ASIS member who wants to comment or discuss the Las Vegas shooting and response may do so on the ASIS International LinkedIn group page. The discussion space can be found at the link below: </p><p><a href="https://www.linkedin.com/groups/38907/38907-6321006327405572098">https://www.linkedin.com/groups/38907/38907-6321006327405572098</a></p><h4>ASIS MEMBER OFFERS EXPERT Q&A TO SECURITY MANAGEMENT</h4><p><strong>Update, 1:35 p.m. E.T., 2 October 2017</strong></p><p><img src="/ASIS%20SM%20Article%20Images/slotnick.JPG" alt="" style="margin:5px;width:300px;height:329px;" /></p><p>Jeffrey A. Slotnick, CPP, PSP, is president of Setracon Enterprise Security Risk Management Services. 
He is an ASIS Senior Regional Vice President and past chair of the Physical Security Council. <em>Security Management </em>spoke to Slotnick about the deadly shootings in Las Vegas and the event's significance for active shooter preparedness and physical security. <a href="/Pages/Vegas-Shooting-What-We-Know-Q-and-A-with-Jeffrey-Slotnick.aspx" target="_blank">Read the transcript of the conversation here. </a><br></p><h4>PADDOCK'S FATHER WAS ON FBI MOST-WANTED LIST</h4><p><strong>Update, 4:40 p.m. E.T., 2 October 2017</strong></p><p>Shooter Stephen Paddock's father, Benjamin Hoskins Paddock, was <a href="http://www.cnn.com/2017/10/02/us/las-vegas-attack-stephen-paddock-trnd/index.html" target="_blank">on the FBI's most-wanted list</a> for bank robbery from June 10, 1969 until May 5, 1977, CNN reports. The father escaped from prison in 1969 and was arrested in Oregon in 1978. He died a few years ago.</p><h4>BROTHER OF SHOOTER SPEAKS TO FBI</h4><p><strong>Update, 12:48 p.m. E.T., 2 October 2017</strong></p><p>The <a href="https://www.washingtonpost.com/news/post-nation/wp/2017/10/02/las-vegas-gunman-liked-to-gamble-listened-to-country-music-lived-quiet-retired-life-before-massacre/?hpid=hp_rhp-top-table-main_paddock-1050am-winner:homepage/story&utm_term=.965714d4ef9f%20%E2%80%8B" target="_blank">brother of Las Vegas shooter Stephen Paddock spoke out</a> about his relative who took the lives of at least 58 people, saying there is "no reason he did this," the <em>Washington Post</em> reports. Eric Paddock gave a brief interview to the FBI outside his Orlando home. "He's just a guy who played video poker and took cruises and ate burritos at Taco Bell. There's no political affiliation that we know of. There's no religious affiliation that we know of," he said.</p><p>Neighbors from a retirement community in Reno, Nevada, called Paddock "extremely standoffish" and "reclusive." 
They added that he was a professional gambler, and would often take long absences from the neighborhood with his girlfriend, Marilou Danley. </p><h4>NUMBER OF KILLED, INJURED RISES</h4><p><strong>Update, 12:21 p.m. E.T., 2 October 2017</strong></p><p>Las Vegas Sheriff Joe Lombardo reports the number of killed in the Las Vegas shooting massacre has risen to 58; the number of injured exceeds 500. <br></p><h4>PRESIDENT TRUMP CALLS VEGAS SHOOTINGS "ACT OF PURE EVIL"</h4><p><strong>Update, 11:11 a.m. E.T., 2 October 2017</strong></p><p>In his first televised statement on the massacre, President Donald Trump called the Las Vegas shootings "an act of pure evil," and called upon Americans' "common humanity" to bring the nation together.</p><p>Trump said the FBI and the U.S. Department of Homeland Security are working closely with local authorities on the investigation and that the agencies will provide ongoing updates. He did not mention the shooter by name or the possibility of terrorism.</p><p>Trump praised police efforts in response to the shooting, and said their swift action helped prevent further loss of life. "I want to thank the Las Vegas Metropolitan Police Department and all of the first responders for their courageous efforts and for helping to save the lives of so many," he said, calling the speed with which they acted "miraculous." He added their response is "what true professionalism is all about."</p><p>The president shared words of solace for the victims and their families, and spoke of a nation united by its shared values and common humanity. 
"Scripture teaches us the Lord is close to the broken-hearted, and saves those who are crushed," he said. "Our unity cannot be shattered by evil, our bonds cannot be broken by violence; and though we feel great anger at the senseless murder of our fellow citizens, it is our love that defines us today and always will forever."</p><p>Trump said he will be visiting Las Vegas on Wednesday to meet with law enforcement, first responders, and families of the victims, and said he has directed the American flag to be flown at half-staff. </p><h4>PRESIDENT TRUMP TO SPEAK ON VEGAS SHOOTINGS</h4><p><strong>Update, 10:36 a.m. E.T., 2 October 2017</strong></p><p>U.S. President Donald Trump is scheduled to address the deadly Las Vegas Shootings from the White House.</p><p>Earlier today, Trump took to Twitter to offer his condolences to the victims and all those affected. </p><div><h4>CITY OF LAS VEGAS SHARES PHONE NUMBER FOR PEOPLE SEARCHING FOR LOVED ONES</h4><p><strong>Update, 9:55 a.m. 
ET, 2 October 2017</strong><br></p><div><p><strong>UPDATE 10:10 a.m. ET, 2 October 2017</strong></p><p>More than 50 people are dead and 400 injured in a Las Vegas massacre that began late Sunday night during an open-air country music festival. CNN reports 64-year-old gunman Stephen Paddock opened fire on the crowded strip from the 32nd floor of the Mandalay Bay Resort and Casino as victims below scrambled for cover. Las Vegas Sheriff Joe Lombardo says law enforcement used explosives to break down his hotel room door; Paddock shot himself as the SWAT team entered. In his room they found at least 10 rifles, including one automatic. The event is the deadliest mass shooting in modern U.S. history. </p><p><em>Security Management </em>will provide ongoing coverage of the aftermath and investigation of the event. 
For more information and resources, ASIS International has provided <a href="https://www.asisonline.org/About-ASIS/Who-We-Are/Whats-New/Pages/Soft-Target-and-Active-Shooter-Resources.aspx">resources on soft targets and active shooter events</a>. </p></div></div>
https://sm.asisonline.org/Pages/Vegas-Shooting-What-We-Know-Q-and-A-with-Jeffrey-Slotnick.aspx Las Vegas Shootings: What it Means for Security (National Security)<p>Jeffrey A. Slotnick, CPP, PSP, is president of Setracon Enterprise Security Risk Management Services. He is an ASIS Senior Regional Vice President and past chair of the Physical Security Council. </p><p><em>Security Management </em>spoke to Slotnick about the deadly shootings in Las Vegas and the event's significance for active shooter preparedness and physical security. Their conversation has been lightly edited for clarity.</p><p><strong>Stowell: Besides what we're seeing in the news, what other details can you share with us about the shootings in Las Vegas?</strong> </p><p>Slotnick: The shooter was located from the smoke alarm going off in his room…not by tracking shots. I listened to the YouTube video [of the shooting]; he had more than eight guns in the room, two shooting tables with loaded magazines. My gut feeling, from the sound of the gunfire, is that it was probably an AR-15 style rifle but the military version of it. It was a full auto rifle. I think from the sound of it, it was suppressed. He had a silencer on it which would create additional smoke in the room and, of course, trigger the alarm. He had to be very wealthy, the gentleman was a man of means–he's not your typical [guy]. </p><p>He owned aircraft, he was a licensed pilot, he owned homes in several different locations. And just a single rifle like that, you're talking about a suppressor that costs twelve-hundred dollars, and a rifle that has a price of twelve to fifteen-thousand dollars, plus all the tax stamp and licensing to obtain it, which is significant. 
</p><p>I think this story is going to be rapidly changing through the day because you now have a full team of investigators on the ground including FBI, ATF, and local law enforcement, and they're tracing this guy's patterns. </p><p><strong>Stowell: The shooter fired from the 32nd floor of a high-rise building. Are there any similar active shooter events we can compare this to?</strong> </p><p>The Aurora, Colorado movie theatre shooting is the closest. This guy [Paddock]–he was not aiming his shots. The shot pattern was ranging 20 to 100 yards. But for a trained sniper to shoot from 450 feet away, 125 yards at a down-angle, 32 floors up–it's a difficult shot for a sniper. If you listen to the rapidity of the fire, he was basically just shooting into the crowd. The only time he paused was to change magazines. So those were not aimed shots. He was depressing the trigger and emptying a magazine. </p><p><strong>Stowell: Would you classify this shooting as a soft-target attack?</strong></p><p>Slotnick: Absolutely it's a soft target [attack]. This gentleman displayed a high level of intelligence in planning. He had to choose the room he was in, he had been on the ground since Thursday; he'd had the room since Thursday. I'm sure they're going to find if they retrace his steps he was actually at the venue. He chose his room very carefully. He of course brought in a number of weapons over a period of time; those things were all there.</p><p>Technologies exist that would not have prevented this, but could have significantly minimized the effectiveness and impact of this person. He could have been located a whole lot quicker. There was a technology on the show floor at ASIS in Dallas. It's a shot-spotting technology that integrates with other physical security systems, identifies with high rates of accuracy the location of the shooter, and then with integration into other physical security systems rapidly turns cameras toward the source of gunfire. 
</p><p><strong>Stowell: What are the barriers that have prevented organizations from investing in this type of technology and integrating it into their physical security systems? </strong> </p><p>Slotnick: That's the big question–showing value for security. People are reticent to invest in technologies that they don't know about, or they find out about, and want to make sure it's not the latest flavor of the day. And our ability as security professionals to make the business case. Look at the expense Mandalay Bay [Resort and Casino] is going through now. I don't know what the cost of these shot-spotting units are, but they're Wi-Fi enabled, they're integrated. I imagine it would have been significantly less than what the hotel is having to spend presently. </p><p><strong>Stowell: There have been so many mass shootings in the United States. How will the conversation in the aftermath of this massacre be different than others?</strong> </p><p>Slotnick: I think the conversation is going to wrap around, what can we do to prevent things like this? Obviously, [Paddock] walked into a hotel at some point in time with eight to 10 firearms. So what processes do we have to have people go through screening? We had the same thing when you think about the Aurora, Colorado, shooting, and movie theatres look at things totally different now. They've integrated physical security systems, or metal screening at the doors depending upon the neighborhood and community, and plans, policies and procedures specifically for active shooter-type events. I would imagine post-event, we're going to see some increases in security programs at hotels and different procedures for checking in. 
</p><p><strong>Stowell: We focus a lot on helping businesses prepare for active shooter events, but what are the lessons here about personal safety and awareness of surroundings?</strong> </p><p>Slotnick: It's just good knowledge to have, whether you're on foreign travel or whether you're in Las Vegas, knowing how to respond to a disaster, knowing what you're going to do during a disaster, having a personal preparedness plan, and the ability to communicate with people outside of the venue. We tend to think of cell phones as a singular device. There's Twitter, there's LinkedIn, there's Facebook Messenger, there's live feeds, there's FaceTime. There are all kinds of ways to communicate. But having a plan, especially if you're with your family at a location and having a place to congregate; being aware of your surroundings when you go into a venue, and knowing where you're going to go should something happen. Whether it's a natural disaster like an earthquake or whether it's an active shooter event, you must be aware that these things do occur and just have a plan in your mind of where you can go and what you can do. </p>