Cybersecurity

 

 

https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspxOutdated Protocols and Practices Put the IoT Revolution at RiskGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-03-24T04:00:00ZFlorian Eichelberger<p>​Linking physical objects in the real world to the virtual world, enabling “anytime, anyplace, and anything” communication was once the stuff of science fiction. However, it is made real today with the Internet of Things (IoT), which is widely considered to be the next phase of the Internet revolution.​</p><p>Knowing this, it could be expected that the protocols and infrastructure supporting the IoT would be just as advanced—but this is not the case. Instead, the technology underpinning the IoT is straight out of the 1990s or early 2000s—more Sega Dreamcast than PlayStation 4.</p><p>It’s no surprise that the tech industry and the public are falling head-over-heels for the possibility to connect everything, from our toothbrushes to our city infrastructure, to the Internet. However, the more devices we connect, the more opportunities there are for cyber criminals. </p><p>By getting carried away by the opportunity technology brings, we are charging ahead without considering the risks and without securing the technology. Before organizations continue to connect devices to the network, there needs to be a secure foundation to build up from. </p><p>The fundamental standards, which IoT devices have to comply to, must be secure so no one device can be breached and used as an entry point for the whole system. In 2015, the U.S. Federal Trade Commission recommended that security be baked into devices from the beginning—not as an afterthought. </p><p>Yet research from HP in its Internet of Things Research Study showed that 70 percent of the commonly used IoT devices had severe security issues. And there are critical vulnerabilities at the very core of many IoT networks. </p><p><strong>Smart Homes and Buildings</strong><br>The trend of automated buildings and making homes smarter by leveraging the IoT to save energy, increase comfort, or add capabilities for remote monitoring and control is on the rise. However, there are issues with the development of smart buildings and homes.​</p><p>A smart home using home automation is likely to have IoT devices that cover the following areas:</p><p><strong>HVAC Control. </strong>Smart HVAC units control room temperature, as well as automated ventilation systems, which can be switched on to replenish clean air based on temperature, moisture, smoke, heat, dust, or carbon dioxide levels in the unit.</p><p><strong>Light Control.</strong> In conjunction with smart bulbs, these units can adjust lighting behavior according to the presence of people in a designated space. Smart lights can be automatically switched off when the unit is empty and dimmed when there is natural light.</p><p><strong>Smart Surveillance. </strong>Intelligent surveillance systems record activity in the smart home, allowing authorities to remotely monitor where individuals are inside.</p><p><strong>Smart Door Locks. </strong>Smart door locks can be opened or locked remotely by a user. They can also track people entering or leaving the premises, and can act upon this by notifying the inhabitants or authorities. Researchers have found fundamental flaws in this automation system that leave people at risk, such as hackers using simple attacks to open and unlock the doors.</p><p>These systems often utilize wireless IoT protocols, such as ZigBee and Zwave, which have become their greatest asset and their greatest weakness. Wireless networks are prone to jamming (attackers try to prevent sensors from contacting the central hub by blocking the signal), the communication can be eavesdropped on to gather secret keying material, and is vulnerable to replay attacks (attackers inject recorded packets, e.g. a “door open” command to a door lock, or a “no-motion” command to a motion sensor, into the communication destined for the connected device or sensor).</p><p><strong>The ZigBee Wireless Communication Standard</strong><br>ZigBee is a standard for personal area networks developed by the ZigBee Alliance, which includes companies like Samsung, Philips, Motorola, Texas Instruments, and many others. ​</p><p>ZigBee’s aim is to provide a low cost, low power consumption, two-way, reliable, wireless communication standard for short-range applications. ZigBee is used for: remote controls, input devices, home automation, healthcare, and smart energy.</p><p>Devices on a ZigBee network communicate using application profiles. Those profiles are agreements for messages, like a common alphabet and language, that enable developers to create an interoperable, distributed application employing application entities that reside on separate devices. If a manufacturer wants a device to be compatible with certified devices from other manufacturers, the device must implement the standard interfaces and practices of certain profiles, such as the Home Automation profile.</p><p>The Home Automation profile relies on secrecy of key material and secure initialization and transport of its encryption keys. Recent research by Cognosec shows that keys can be compromised by attackers by passively sniffing and using weaknesses in the standard. </p><p>Sniffing in this context is best described as passively eavesdropping on wireless communication. An attacker could compromise the key by either listening to the initial setup of the devices or by imitating a legitimate device trying to "rejoin" a network.</p><p>During this rejoin the attacker would pretend to have lost key material needed to communicate with the management hub and send an unencrypted rejoin request there. This causes the hub to send out new keys, a process that should be protected by another key. But, crucially, that key is publicly known. Ultimately using the approach an attacker could request the active encryption key on network level.</p><p>As the Home Automation profile covers devices from lights to HVAC systems and door locks, this compromise might lead to serious security issues. This security issue was shown by Cognosec during the DeepSec Conference in Vienna in 2015 by opening a Yale Door lock using ZigBee without having the proper key. Security vulnerabilities from this kind of compromise are made worse because the fallback mechanism is the standard has to be implemented by every vendor that wants to market certified devices.</p><p>To remain compatible with devices that have not been pre-configured or are unknown to a ZigBee network, a default fallback mechanism was implemented that is considered a critical risk.</p><p>This fallback is used if devices from different vendors are connected to each other initially, or new devices are joined to an existing ZigBee network and they have not been pre-configured in the same way.</p><p>A single smart home or building with vulnerabilities may not seem like a problem at first, but a network of smart buildings—or a smart city—being breached could prove to be disastrous.</p><p><strong>ZWave Wireless Communication Standard</strong><br>ZWave also stands on the forefront of the IoT revolution. It was designed in 2001 by Zen-Sys, which was later acquired by Sigma Systems. ​</p><p>The Zwave standard does not require encryption support, so one can safely assume that vendors will only implement the bare minimum needed to get their products to market. This makes ZWave networks vulnerable to replay and eavesdropping attacks.</p><p>Two security researchers—Joseph Hall and Ben Ramsey—showed that few IoT devices are using encryption, and for those that are used for critical applications—like door locks—security is an opt-in feature that has to be enabled by the user.</p><p>In a demonstration at the ShmooCon 2016 Security Conference, ZWave-controlled light bulbs were physically destroyed in less than 24 hours by an attacker who gained access to the ZWave network using openly available information and some technical know-how.</p><p>It should be noted, though, that starting on April 2, 2017, the ZWave Security Framework S2 will be mandated on all devices. However, this will not fix issues on the devices that are already on the market and in stock. Future security research on the S2 framework should be conducted.</p><p>Besides this threat, implementation errors have been found in the firmware controlling door locks that allow an attacker to control the lock and prevent it from reporting its state to a central controller unit.</p><p><strong>Connecting to the World</strong><br>The adoption of IoT technology and increased outside connectivity in critical infrastructure could pose more critical risks to the energy and water supply, as well as to industrial control systems. </p><p>Recent research from Germany conducted in 2016 by internetwache.org shows that the water supply infrastructure is vulnerable and could be controlled by hackers because it’s not properly secured against outside attacks. In this particular case, it was not the lack of a security feature or faulty implementations of a wireless protocol that made the system vulnerable. Instead, it was a software vendor used to manage Germany’s water supply plants that did not implement security, instead leaving security configurations up to the plants themselves.​​<br></p><p>This an example of a new threat to critical infrastructure as it evolves from closed to open systems. Historically, industrial control systems (ICS) were designed to operate on an isolated network to protect them from security threats. Well-established physical security measures and the need to be physically present to harm the system provided a decent level of security to the systems, even if their IT systems were not sufficiently secure.</p><p>Now, as more devices are connected to the Internet they are communicating to each other and forming huge networks with machine-to-machine communication. The result is a massive growth of the attack surface and an increase in the potential effect an attack could have. By making systems interoperable, as is the current trend with the IoT, hacking one device could open up a Pandora’s box of security breaches.</p><p>Another fact making this problem worse is that some software vendors used by critical infrastructure—like in Germany—delegate security to the customer; a customer that normally has neither the necessary awareness nor know-how to property implement the now open infrastructure as IT is not its core business.</p><p><strong>Conclusion</strong><br>Security issues affecting buildings, power, and water supply plants—or even door locks—have been around for years. Still, every few months new threats arise and the situation is worsened by adding network connectivity to devices that broaden the attack surface. ​</p><p>Security must be built-in to devices and configured to be the default, not the exception or the responsibility of the end-user. The U.S. National Institute of Standards and Technology released a publication on this issue in 2016, which called for assigning a level of trustworthiness to a device and applying security considerations to it from the very beginning. </p><p>By integrating security from the design phase to the product development and life-cycle management phase, instead of adding security features or monitoring hardware after the device has been purchased, devices will be more resilient against attacks than they are now. <br><br>Until we can resolve these issues, and create new, secure protocols, IoT hacks will increase exponentially in volume and severity.</p><p><em>Florian Eichelberger is an information systems auditor at Cognosec. </em><br></p>

 

 

https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---Moving-to-the-Cloud-Repositions-Security.aspx2016-08-16T04:00:00ZSeminar Sneak Peek: Moving to the Cloud Repositions Security
https://sm.asisonline.org/Pages/New-Data-Rules.aspx2016-08-01T04:00:00ZNew Data Rules
https://sm.asisonline.org/Pages/Operating-Blind.aspx2016-03-01T05:00:00ZOperating Blind

 

 

https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspx2017-03-24T04:00:00ZOutdated Protocols and Practices Put the IoT Revolution at Risk
https://sm.asisonline.org/Pages/Five-SSH-Facts.aspx2017-03-01T05:00:00ZFive SSH Facts
https://sm.asisonline.org/Pages/Stopping-the-Cyber-Buck.aspx2017-03-01T05:00:00ZStopping the Cyber Buck

 

 

https://sm.asisonline.org/Pages/Book-Review---Social-Media-Risk-and-Governance.aspx2016-11-01T04:00:00ZBook Review: Social Media Risk and Governance
https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx2016-10-21T04:00:00ZThe Top Five Hacks From Mr. Robot—And How You Can Prevent Them
https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx2016-10-01T04:00:00ZSpoofing the CEO

 

 

https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspx2017-03-24T04:00:00ZOutdated Protocols and Practices Put the IoT Revolution at Risk
https://sm.asisonline.org/Pages/Hacked-Again.aspx2017-02-01T05:00:00ZBook Review: Hacked Again
https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspx2017-02-01T05:00:00ZRise of the IoT Botnets

 

 

https://sm.asisonline.org/Pages/Book-Review---Secrets.aspx2017-01-01T05:00:00ZBook Review: Secrets
https://sm.asisonline.org/Pages/Security-Spotlight---Internet-of-Things.aspx2016-01-04T05:00:00ZSecurity Spotlight: Internet of Things
https://sm.asisonline.org/Pages/Driving-Toward-Disaster.aspx2015-06-15T04:00:00ZDriving Toward Disaster

 You May Also Like...

 

 

https://sm.asisonline.org/Pages/Kidnapping-and-the-Private-Sector.aspxKidnapping and the Private Sector<p>​The news media focuses primarily on kidnapping cases involving high-profile targets such as captured journalists and soldiers, high-net-worth individuals, and children. </p><p>However, sensational depictions in film and television have created a popular perception of kidnapping that is often at odds with the reality. Kidnaps-for-ransom happen every day around the world, with rates influenced by geography, conflict, and political, economic, and social issues. Many cases go unreported and unnoticed outside their local setting. </p><p>In some parts of the world, law enforcement and security services are too ineffective to properly guide kidnap victims to a safe resolution. Eager to project strength, and frequently lacking effective training in how to peacefully resolve the situation, security forces often prioritize tactical interventions that may jeopardize the lives of the victims. And, in rare cases, they have been found to be complicit in the kidnapping. </p><p>It is into this space that third-party actors and private sector organizations can step in to offer support and assist in securing the safe release of the victim. Otherwise, absent advisory and duty-of-care structures compound the trauma of the ordeal for victims and their families. Structure provided by experts can help guide financial negotiations, manage family and employer liaisons, and arrange post-incident support, such as counseling or medical care. There may also be jurisdictional conflicts that preclude victims from getting the full support of their home or host country, or governments could simply be unable or unwilling to provide consular or legal support abroad. </p><p>Debunking the common myths surrounding kidnap-for-ransom enables a clear understanding of where there is an opening for private sector engagement and where third-party support is most required. ​</p><h4>The Kidnappers</h4><p>Although there is a common perception that militant groups carry out a large proportion of kidnaps, data from global risk consultancy Control Risks shows that only 14 percent of the kidnapping incidents that took place worldwide last year involved these groups. </p><p>This is despite the concerted kidnapping activity accompanying insecurity in places such as Libya, Iraq, and Syria, attributed particularly to ISIS, as well as renewed kidnapping activity by al Qaeda in the Islamic Maghreb (AQIM) in the Sahel region and the Abu Sayyaf Group in the Philippines.  </p><p>Instead, some 85 percent of the kidnaps recorded this year by Control Risks were perpetrated by criminal elements such as organized networks, small gangs, or individuals. These are not exclusive, with current or former members of militant groups sometimes using their resources to carry out kidnaps-for-ransom purely for personal financial gain.​</p><h4>Targeted Victims</h4><p>Corporate security managers considering their organization’s exposure to kidnap risk at home and overseas often approach the issue with their employees’ specific profile in mind. </p><p>While managers may assume that a foreign or Western employee is more likely to be targeted in higher-risk regions abroad, this is not borne out by Control Risks’ kidnapping data, which shows that 97 percent of all kidnaps last year involved local victims. Furthermore, the professionals or businesspeople among those victims represented 54 different industries and were targeted in 77 different countries, illustrating the pervasiveness of the threat and lack of focus on a limited spectrum of sectors. </p><p>There are local nuances to the way in which kidnappers target victims in every state or province in a given country—the kidnapping group’s capability and the general security environment largely dictate target selection. Kidnappers often take into consideration the victim’s apparent wealth to draw a high ransom, the abduction’s chance of success, and other aspects of the victim’s profile.</p><p><strong>Wealth. </strong>Criminals who make their living from kidnapping want to maximize the income from each abduction. Individuals employed by multinational companies or in high-revenue sectors might attract the attention of kidnappers because they appear to be wealthy in the local context. Kidnappers will make assumptions about a potential victim’s social and economic standing based on simple things, such as material displays of wealth like new vehicles, whether they live in a wealthy suburb, or if their children go to a fee-paying school, for example. </p><p>Alternatively, they may have insider information. A fashion heiress kidnapped in Hong Kong in April 2015, for instance, was targeted after one of the suspects carried out renovations of the property and noticed the presence of luxury cars and goods. In another case in Nigeria in 2015, a large wedding celebration hosted by the victim was enough to prove his financial value to the kidnappers, who abducted him within the month. </p><p><strong>Risk.</strong> Having selected a target, the kidnappers could put the potential victim under surveillance to ascertain any weaknesses in his or her security. The simplest option is always to abduct the victims while they are in the open. Those who have a predictable daily routine are easy to target because the kidnappers know when and where they will be traveling. The daily commute, school run, or other regular travel can give kidnappers a variety of options. </p><p>Control Risks’ data shows that abductions most commonly occur during a routine journey to or from work, school, or home, with 35 percent of all kidnaps in 2016 taking place at this time. In southern Nigeria, for instance, kidnappers frequently strike on Sundays when families travel to and from church services at a regular time and are vulnerable in transit. </p><p>Nevertheless, kidnappers can often be deterred by even rudimentary security provisions. Anything that makes the abduction more difficult may convince them to move on to a new target.  </p><p><strong>Profiling.</strong> In some places, criminally motivated kidnappers are more likely to target local junior or middle management employees than CEOs or foreigners in the corporate context. The calculation is that, while the latter would probably yield a higher ransom, the increased risk of arrest that follows the abduction of a high-profile figure could outweigh the potential financial benefit. </p><p>However, foreign nationals are also often harder to abduct because those present in higher-risk areas generally employ more stringent security precautions and represent a much smaller slice of the population. </p><p>In other regions, usually those prone to militancy, the victim’s unique profile will not act as a deterrent, and foreigners are often the most highly sought captives. Some groups have significant capability to kidnap high-profile victims and, by taking advantage of difficult terrain and ungoverned spaces, can hold them for long periods without fear of arrest while they negotiate a ransom. </p><p>Indeed, for some of these kidnappers, increased attention, both from the government and the media, is part of their motivation to kidnap a high-profile victim for leverage and propaganda purposes.  ​</p><h4>Abduction Locations<img src="/ASIS%20SM%20Callout%20Images/0317%20Feature%204%20Infographic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:610px;" /></h4><p>When preplanning an abduction, kidnappers look for an easy means of escape from the immediate vicinity of the abduction and a viable safe space for the period of captivity. </p><p>The partition of Mali in 2012 and the accompanying establishment of operating space for jihadist groups in the remote northern half of the country, for instance, emboldened and enabled AQIM to significantly ramp up its kidnapping activity. The group and its affiliates operating in the western Sahel have since carried out several high-profile kidnaps of foreign nationals, including in northern Burkina Faso and Niger, within a day’s drive of safe zones in northern Mali. </p><p>The porous border and weak security presence in the area create a permissive climate in which to conduct operations, and afford AQIM and its satellite groups the time and space to plan kidnaps. In 2016 alone, at least three separate kidnaps targeting foreign nationals and launched from northern Mali were attributed to the network, including that of an Australian couple in northern Burkina Faso last January and an American aid worker in Niger in October.  </p><p>In an opportunistic abduction, the targeting process is accelerated. A typical method is to set up a roadblock and screen victims as they drive through. The kidnappers will make snap assumptions about the victims’ wealth based on the car they are driving and whether they have a driver. </p><p>They can then further question the victims and search the vehicle for confirmation of their wealth. Often people will carry some detail of their employment, such as an identity or access card, that might alert the kidnappers to their potential worth. Visibly branded vehicles, particularly in remote or poor areas, indicate that the occupants may have a higher comparative income or that there is a chance their employer would be willing to pay a ransom for their freedom, increasing the risk. </p><p>Opportunistic, ambush-style abductions are particularly common in the eastern provinces of Congo (DRC)—for example. In North Kivu province—home to a plethora of armed groups, including Rwandan rebels, local militias, and army defectors—almost all kidnaps take place at improvised roadblocks and fake checkpoints, and they frequently target convoys of vehicles. More than half of all kidnaps recorded in Congo take place in the province. Many target nongovernmental organizations and other organizations with projects in the hinterland, including construction and telecommunications firms. ​</p><h4>The Ransom</h4><p>While a ransom is not limited to a financial payment to release the victims, financial demands are most commonly made to the victims’ families or employers and can also extend to the victims’ national government or the victims themselves. </p><p>The type of ransom sought can vary greatly depending on the kidnapper’s profile—for example, militant groups often take hostages with the intention of trading them for group members in custody in a prisoner exchange. They have also been known to make other demands, such as a cessation of drone strikes or the withdrawal of enemy troops. </p><p>In a January 2016 hostage video featuring a Swiss missionary kid­napped from her residence in Timbuktu, for example, an al Qaeda–linked group specifically demanded the release of Ahmad al-Faqi al-Hadi, a militant on trial at the international criminal court in Brussels for ordering the destruction of ancient monuments and shrines in the city during its occupation by Islamist militants in 2012. Other armed groups routinely include in their demands materials useful for their future operations, such as satellite telephones, foodstuffs, vehicles, and weapons. </p><p>Sometimes less-straightforward concessions are demanded. Kidnapping is occasionally used as a last resort in cases of industrial action or as a result of a personal, business, or criminal dispute in which one party is kidnapped to compel them to pay a debt or agree to some stipulation for their release. </p><p>Control Risks has recorded several cases in Asia where kidnap is used to apply pressure on a company or vendor; these often revolve around contracting. In one 2013 case in India, for example, employees of a company kidnapped a junior staff member at another company to compel his employer to pay them money that was unforthcoming but contractually owed. </p><p>In China, the kidnap or detention of executives is a relatively common way for employees to extract concessions from their employers during labor unrest or disputes. In one such case in 2013, Chinese factory workers held their U.S. manager for five days amid a dispute over severance pay.​</p><h4>Express and Virtual Kidnappings</h4><p>Classic kidnap-for-ransom is not the only crime that companies or security managers need to consider when thinking about risks to their staff, nor is it the sole extortive crime covered by insurance policies. New forms of extortive crime have accompanied the advent of new technology. These include cyber extortion, virtual kid­napping, and express kidnapping. </p><p>Virtual kidnapping is the name given to a form of extortion that emerged in Latin America in 2004 and has since spread to many parts of the world. Notably, it has become increasingly common in Asia, particularly China.</p><p>In a virtual kidnap, a criminal typically contacts a family and claims to have abducted one of their loved ones. The criminal threatens to harm or kill the victim if a ransom is not paid. In fact, the supposed victim of a virtual kidnap is never actually held captive, but may have been forced to cooperate with the criminals or may be completely unaware of the incident. </p><p>In many cases in Mexico, the alleged kidnap victims are contacted by the extortionists and forced to isolate themselves by checking into a hotel or another location, and remaining there until told to leave. </p><p>In most countries, the crime affects local nationals, but in Latin America, particularly in Mexico, Spanish-speaking business travelers are in­creasingly falling victim to the crime. Knowledge of the prevalence of this crime, and adequate preparation and training for employees who travel to areas where it is common, are crucial to mitigating the financial risk to both the individual and the company. </p><p>Express kidnapping generally involves the abduction of a victim who is forced, under threat of injury or death, to withdraw funds from ATMs. It is generally opportunistic and carried out by individuals or small, dedicated, and well-organized gangs that are often armed. </p><p>In Mexico, for example, they frequently use taxis to carry out kidnaps, posing as taxi drivers to rob the passenger. The average gain made by an express kidnapper is relatively small and the duration of captivity is generally between two and four hours. Kidnappers are attracted to express kidnapping because it allows them to avoid protracted negotiations with the victims’ families, involves little risk, and is a quick way of making money. </p><p>Foreign nationals are a favored target for express kidnappers because of their presumed wealth and the assumption that they are less likely to remain in the area during a police investigation or be able to identify the offenders. In countries like Brazil, Ecuador, and Tanzania, express kidnapping has overtaken traditional kidnapping-for-ransom. ​</p><h4>Response and Insurance </h4><p>Most reputable insurance companies that offer kidnap-for-ransom insurance have an exclusive partnership with a specialist response firm, guaranteeing their clients immediate access to expert consultants and advice in a crisis incident. </p><p>Although insurance companies offering kidnap-for-ransom coverage and private response companies have been working hand-in-hand for decades, the confidentiality inherent in the business precludes transparency around the specifics of the insurers’ role and the services the responders provide. </p><p>Good responders are defined by their independence and are trusted by their insurance partner to work towards the best possible outcome in each kidnap: the safe and timely release of the victim. It is imperative that the insurer maintains a reputation as a reliable provider, further incentivizing the safe release of a victim or successful resolution of the case. The role of the insurer should simply be to reimburse costs and expenses the responder incurs during the process of supporting and advising the policyholder. Kidnap-for-ransom policies sold by leading insurers can also include coverage for extortion, threats, missing persons, and wrongful detention cases.  </p><p>Experienced responders can provide invaluable support to the victims, their families, and their employers, particularly in places where law enforcement and crisis management institutions are unequipped or under-resourced. Above all, the private responder has an obligation to respect the wishes of the victim, their family, or the employer, and a duty to provide them with the best possible advice and course of action. The client is free to take or ignore that advice and is always the final decision maker. Responsible responders will never act unilaterally outside the course of action agreed with the client, or outside the law. </p><p>Kidnap-for-ransom is not confined to the world’s most dangerous locations or perpetrated principally by jihadis or guerrillas, nor does it predominantly target those wealthy enough to pay a large ransom. </p><p>The crime is constantly evolving and adapting to the changing security environment, and security professionals must understand the nuances and risks involved for all forms of kidnap and extortive crime to practice successful mitigation.   ​</p><p>--<br></p><p><em>Sebastian Boe is a special risks analyst responsible for conducting research and analysis on kidnapping and extortion trends in Africa within Control Risks’ Response department. ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Q-and-A---Soft-Targets.aspxQ&A: Soft Targets<p>​<span style="line-height:1.5em;">Jennifer Hesterman, Colonel, U.S. Air Force (Retired), discusses her book <em>Soft Target Hardening</em>, which was named the 2015 ASIS Security Book of the Year. Available from ASIS; asisonline.org; Item #2239; 322 pages; $69 (members); $76 (nonmembers).</span><span style="line-height:1.5em;">​</span></p><p><strong><em>Q.</em></strong><em> Why are soft targets increasingly attractive to terrorists?  </em></p><p><strong>A. </strong>Soft target, civilian-centric places that are not typically fortified—such as schools, churches, hospitals, malls, hotels, restaurants, and recreational venues—have little money to spend on security. Frequently, they must balance security, aesthetics, and a positive experience for customers.  </p><p>Terrorists select soft targets because there are many, possibly hundreds, of them in small towns and cities; they are vulnerable, so the odds of success are high and the terror effect is amplified among civilians. The story also stays in the news longer—the soft target attack in San Bernardino received far more coverage for almost twice the length of time compared to the Ft. Hood shooting. Military and government workers are generally seen as more legitimate targets than civilians, so soft targets provide more of the outrage, shock, and fear that terrorists crave.</p><p><em><strong>Q.</strong> What inspired you to write a book on hardening soft targets? </em></p><p><strong>A.</strong> I was living in the Middle East and close to several soft target attacks. I also realized that in the United States after 9-11, we further reinforced hard targets like government buildings and military installations, while soft targets are increasingly in the crosshairs but unprotected. I traveled all over the Middle East and Southwest Asia, and saw how soft targets are protected against attack. I wanted to apply some of these lessons to the civilian sector.  </p><p><em><strong>Q.</strong> Which soft targets are being hardened in the United States?</em></p><p><strong>A.</strong> Schools are further along the spectrum due to the rise of school shootings and stabbings. Mall security is much improved after the Westgate Mall attack in Nairobi, but shopping venues are still extremely vulnerable. Churches have a unique problem due to their open, inviting culture even after the Charleston shooting. Of course synagogues, mosques, and Sikh temples are moving towards a more hardened posture as the result of a rise in domestic terrorist activity. Hospitals usually don’t realize they are targets for terrorist attack or exploitation. Every type of soft target is different and requires tailored hardening tactics. </p><p><em><strong>Q. </strong>What trends should security professionals look out for?</em></p><p><strong>A. </strong>The insider threat is a growing concern. Insider attacks have the greatest possibility of success in terms of destruction of a target and mass casualties. The perpetrator can preposition items, understands the layout of the facility, has unfiltered access, and knows vulnerabilities to exploit. </p><p>We spend a great deal of time in vetting people during the hiring process, but new employees are basically left alone after the onboarding process. Venues like stadiums or concert halls may perform inadequate background checks on seasonal workers. The book discusses added layers of protection such as using behavioral detection techniques, a buddy system where a seasoned worker is paired with a new worker, and rules ensuring that no one is ever alone.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://sm.asisonline.org/Pages/Soft-Target-Trends.aspxSoft Target Trends<p>When most people think of Orlando, Florida, Walt Disney World Resort comes to mind. The world-renowned theme park makes Orlando the second most popular travel destination in the United States. But there is much more to the city than Mickey and Minnie Mouse. </p><p>Beyond the complex infrastructure that supports Orlando’s 2.3 million citizens, the city is filled with parks and wildlife, the largest university in the country, and a vast hospitality industry that includes more than 118,000 hotel rooms. And International Drive, an 11-mile thoroughfare through the city, is home to attractions such as Universal Orlando Resort, SeaWorld Orlando, and the Orange County Convention Center, the site of ASIS International’s 62nd Annual Seminar and Exhibits this month. </p><p>Hospitality goes hand-in-hand with security in Orlando, where local businesses and attractions see a constant flow of tourists from all over the world. And at the Dr. Phillips Center for the Performing Arts, which hosts events ranging from Broadway shows to concerts to community education and events, a new security director is changing the culture of theater to keep performers, staff, and visitors safe.​</p><h4>The Living Room of the City</h4><p>Open since November 2014, the Dr. Phillips Center spans two blocks and is home to a 2,700-seat main stage, a 300-seat theater, and the Dr. Phillips Center Florida Hospital School of the Arts. The building’s striking architecture, which includes a canopy roof, vast overhang, and a façade made almost entirely of glass, stretches across two blocks and is complemented by a front lawn and plaza.</p><p>After the June 11 shooting at Pulse nightclub less than two miles south of the theater, that lawn became the city’s memorial. Days after the shooting, the Dr. Phillips Center plaza, normally used for small concerts or events, hosted Orlando’s first public vigil. A makeshift memorial was established on the lawn, and dozens of mourners visited for weeks after the attack.</p><p>Chris Savard, a retired member of the Orlando Police Department, started as the center’s director of security in December, shortly after terrorists killed dozens and injured hundreds in attacks on soft targets in Paris. Prior to Savard, the center had no security director. Coming from a law enforcement background to the theater industry was a challenging transition, he says. </p><p>“Before I came here, I was with an FBI terrorism task force,” Savard says. “Bringing those ideologies here to the performing arts world, it’s just a different culture. Saying ‘you will do security, this is the way it is’ doesn’t work. You have to ease into it.”</p><p>The Dr. Phillips Center was up and running for a year before Savard started, so he had to focus on strategic changes to improve security: “The building is already built, so we need to figure out what else we can do,” he says. One point of concern was an overhang above the valet line right at the main entrance. Situated above the overhang is a glass-walled private donor lounge, and Savard notes that anyone could have driven up to the main entrance under the overhang and set off a bomb, causing maximum damage. “It was a serious chokepoint,” he explains, “and the building was designed before ISIS took off, so there wasn’t much we could do about the overhang.”</p><p>Instead, he shifted the valet drop-off point, manned by off-duty police officers, further away from the building. “We’ve got some people saying, ‘Hey, I’m a donor and I don’t want to walk half a block to come to the building, I want to park my vehicle here, get out, and be in the air conditioning.’ It’s a tough process, but it’s a work in progress. Most people have not had an issue whatsoever in regards to what we’ve implemented.”</p><p>Savard also switched up the use of off-duty police officers in front of the Dr. Phillips Center. He notes that it can be costly to hire off-duty police officers, who were used for traffic control before he became the security director, so he reduced the number of officers used and stationed them closer to the building. He also uses a K-9 officer, who can quickly assess a stopped or abandoned vehicle on the spot. </p><p>“When you pull into the facility, you see an Orlando Police Department K-9 officer SUV,” Savard explains. “We brought two other valet officers closer to the building, so in any given area you have at least four police cars or motorcycles that are readily available. We wanted to get them closer so it was more of a presence, a deterrent.” The exact drop-off location is constantly changing to keep people on their toes, he adds.</p><p>The Dr. Phillips Center was already using Andy Frain Services, which provides uniformed officers to patrol the center around the clock. Annette DuBose manages the contracted officers. </p><p>When he started in December, Savard says he was surprised that no bag checks were conducted. When he brought up the possibility of doing bag checks, there was some initial pushback—it’s uncommon for theater centers to perform any type of bag check. “In the performing arts world, this was a big deal,” Savard says. “You have some high-dollar clientele coming in, and not a lot of people want to be inconvenienced like that.”</p><p>When Savard worked with DuBose and her officers to implement bag checks, he said everyone was astonished at what the officers were finding. “I was actually shocked at what people want to bring in,” Savard says. “Guns, knives, bullets. I’ve got 25-plus years of being in law enforcement, and seeing what people bring in…it’s a Carole King musical! Why are you bringing your pepper spray?”</p><p>Savard acknowledges that the fact that Florida allows concealed carry makes bag checks mandatory—and tricky. As a private entity, the Dr. Phillips Center can prohibit guns, but that doesn’t stop people from trying to bring them in, he notes. The Andy Frain officers have done a great job at kindly but firmly asking patrons to take their guns back to their cars, Savard says—and hav­ing a police officer nearby helps when it comes to argumentative visitors.​</p><h4>Culture, Community, and Customer Service</h4><p>There have been more than 300 performances since the Dr. Phillips Center opened, and with two stages, the plaza, classrooms, and event spaces, there can be five or six events going on at once. </p><p>“This is definitely a soft target here in Orlando,” Savard notes. “With our planned expansion, we can have 5,000 people in here at one time. What a target—doing something in downtown Orlando to a performing arts center.”</p><p>The contract officers and off-duty police carry out the core of the security- related responsibilities, but Savard has also brought in volunteers to augment the security presence. As a nonprofit theater, the Dr. Phillips Center has a large number of “very passionate” volunteers—there are around 50 at each show, he says. </p><p>The volunteers primarily provide customer service, but Savard says he wants them to have a security mindset, as well—“the more eyes, the better.” He teaches them basic behavioral assessment techniques and trends they should look for. </p><p>“You know the guy touching his lower back, does he have a back brace on or is he trying to keep the gun in his waistband from showing?” Savard says. “Why is that person out there videotaping where people are being dropped off and parking their cars? Is it a bad guy who wants to do something?”</p><p>All 85 staffers at the Dr. Phillips Center have taken active shooter training classes, and self-defense classes are offered as well. Savard tries to stress situational awareness to all staff, whether they work in security or not. </p><p>“One of the things I really want to do is get that active shooter mindset into this environment, because this is the type of environment where it’s going to happen,” Savard explains. “It’s all over the news.”</p><p>Once a month, Savard and six other theater security directors talk on the phone about the trends and threats they are seeing, as well as the challenges with integrating security into the performing arts world. </p><p>“Nobody wanted the cops inside the building at all, because it looked too militant,” Savard says. “And then we had Paris, and things changed. With my background coming in, I said ‘Listen, people want to see the cops.’” </p><p>Beyond the challenge of changing the culture at the Dr. Phillips Center, Savard says he hopes security can become a higher priority at performing arts centers across the country. The Dr. Phillips Center is one of more than two dozen theaters that host Broadway Across America shows, and Savard invited the organization’s leaders to attend an active shooter training at the facility last month. </p><p>“There’s a culture in the performing arts that everything’s fine, and unfortu­nately we know there are bad people out there that want to do bad things to soft targets right now,” Savard says. “The whole idea is to be a little more vigilant in regards to protecting these soft targets.”</p><p>Savard says he hopes to make wanding another new norm at performing arts centers. There have already been a number of instances where a guest gets past security officers with a gun hidden under a baggy Cuban-style shirt. “I’ll hear that report of a gun in the building, and the hair stands up on the back of my neck,” Savard says. “It’s a never- ending goal to continue to get better and better every time. We’re not going to get it right every time, but hopefully the majority of the time.”</p><p>The Dr. Phillips Center is also moving forward with the construction of a new 1,700-seat acoustic theater, which will be completed within the next few years. The expansion allows the center to host three shows at one time—not including events in private rooms or on the plaza. Savard is already making plans for better video surveillance and increasing security staff once the new theater is built.</p><p>“We really try to make sure that every­body who comes into the building, whether or not they’re employed here, is a guest at the building, and we want to make sure that it’s a great experience, not only from the performance but their safety,” according to Savard. “It’s about keeping the bad guys out, but it’s also that you feel really safe once you’re in here.” </p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465