Security by Industry

 

 

GridEx IV Tests The North American Power Grid
https://sm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx
2017-11-17, by Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx)

The North American power grid is completing its largest biennial exercise today, called GridEx, with its highest number of participants since it was launched in 2011 by the North American Electric Reliability Corporation (NERC).

More than 5,000 electric utilities; regional and federal government agencies in law enforcement, first response, and intelligence community functions; critical infrastructure cross-sector partners; and supply chain stakeholders participated in GridEx IV, a biennial exercise designed to simulate a cyber/physical attack on electric and other critical infrastructure across North America.

The exercise promotes a strong learning environment and collaboration between industry and the public sector to "enhance the security, reliability, and resiliency" of the bulk power system, said Charlie Baradesco, CEO of NERC.

Exact details of the exercise are not released due to security concerns. But it is similar to the other GridEx exercises in that it has participants work through their incident response plans, practice their local and regional response, engage interdependent sectors, improve communication skills, engage senior leadership, and compile lessons learned. The exercise, however, has no impact on the real electric grid.

GridEx IV is a "series of escalating scenarios in which the system is stressed continually further," says Tom Fanning, Electricity Subsector Coordinating Council cochair and chairman, president, and CEO of Southern Company. "Consider the joint effects of a cyber and kinetic attack that, as time goes by, creates greater consequences to our ability to undertake commerce…what we're looking for are the potential friction points or breaks in the system. That's how we learn."

Also new this year is an emphasis on communication with the public, incorporating social media response and fake news mitigation, says Marcus Sachs, CSO of NERC. On the first day of the exercise, participants uploaded photographs of simulated damage, explosions, and news stories to test how that information would play out.

"Allowing that to play out in an exercise space…shows how the simulation is a good replication of real world problems that we face," Sachs says.

The exercise also pulls in other industry stakeholders outside of the utilities sector, such as finance and telecom, because the utility sector is dependent on these to get the grid back up and running should an incident occur.

"We're taking the Russian nesting doll approach to preserving our system when it's under duress," Fanning adds. "We're dependent on telecom—we've got to be able to talk to our people in the field."

While a cyberattack has never turned off the power in North America, stakeholders must remain vigilant, Baradesco added in a call with reporters on Thursday. GridEx helps ensure "we remain as prepared as possible."

More than 400 executives—from government and the private sector—are also involved in this year's GridEx, participating in tabletop exercises to work through how they would handle an attack on the grid.

This participation is critical, Sachs says, because "security starts at the top."

And this commitment to getting those at the top involved in the exercise sets GridEx apart from other exercise scenarios, says Brian Harrell, CPP, vice president of security at AlertEnterprise.

"While federal partners have often incorporated losing critical grid components within their exercise scenarios, GridEx is the only event that has industry CEOs, trade associations, government partners, academia, and utility subject matter experts responding to a grid reliability scenario," Harrell says.

Harrell is the former operations director of the Electricity ISAC and director of critical infrastructure protection programs at NERC. He helped launch the first GridEx in 2011 because, as the largest machine on the planet, the North American power grid requires constant maintenance, monitoring, and continuous learning.

"Exercises are a key component of national preparedness—a well-designed exercise provides a low-risk environment to test capabilities, familiarize personnel with security policies, and foster interaction and communication across organizations," Harrell adds.

Participation in GridEx is voluntary, but Harrell says there is value for utilities to participate—even if in a limited capacity.

"Reviewing the security response to the grid's critical components, such as generators, large substations, and transmission lines during a disruptive, coordinated attack on the grid will help industry understand how to make the system more secure," he says.

Other industries—both those inside and outside the United States—run exercises to test specific response plans, policies, and procedures. But these exercises tend to focus on reliability issues resulting from supply shortages, natural disasters, and catastrophic failure, Harrell explains.

"Very few exercises incorporate a coordinated physical and cyberattack scenario designed to destroy critical infrastructure components," Harrell says.

This has become all the more important after the cyberattack on Ukraine's electric grid in December 2015, which resulted in the first known loss of power due to a cyberattack.

"The United States has never experienced a massive cyberattack-related power outage, but there have been direct cyber events in recent years against energy infrastructure, including intrusions into energy management systems, targeted malware, and advanced persistent threats (APTs) left behind on computers by phishing attacks," Harrell says. "The perception that cyber risks are low because only a few and limited attacks have occurred on industrial control systems is not just ignorant, but highly dangerous."

Once GridEx IV is completed, participants will begin to share lessons learned, which NERC will compile into an after-action report. That report, according to officials on Thursday's call, is expected to be released in March 2018.

 

 

Disaster Recovery (2014-09-01): https://sm.asisonline.org/Pages/Disaster-Recovery.aspx
21st Century Security and CPTED: Designing for Critical Infrastructure Protection and Crime Prevention, Second Edition (2014-05-01): https://sm.asisonline.org/Pages/21st-century-security-and-cpted-designing-critical-infrastructure-protection-and-crime-prev-0.aspx
Security by Design in Abu Dhabi (2014-04-01): https://sm.asisonline.org/Pages/security-design-abu-dhabi-0013246.aspx

Stress Test (2017-10-01): https://sm.asisonline.org/Pages/Stress-Test.aspx
Houston’s Game Day Solutions (2017-07-01): https://sm.asisonline.org/Pages/Houston’s-Game-Day-Solutions.aspx
Protecting Executives at Home (2017-06-19): https://sm.asisonline.org/Pages/Protecting-Executives-at-Home.aspx

Slipping Through the Cracks (2017-11-01): https://sm.asisonline.org/Pages/Slipping-Through-the-Cracks.aspx
October 2017 Industry News: Supporting the Troops (2017-10-01): https://sm.asisonline.org/Pages/October-2017-Industry-News---Supporting-the-Troops.aspx
Embassy Evacuations (2017-10-01): https://sm.asisonline.org/Pages/Embassy-Evacuations.aspx

Accolades Entries Spotlight Innovation (2016-09-11): https://sm.asisonline.org/Pages/Accolades-Entries-Spotlight-Innovation.aspx
SM Online February 2016 (2016-02-01): https://sm.asisonline.org/Pages/SM-Online-February-2016.aspx
SM Online October 2015 (2015-10-01): https://sm.asisonline.org/Pages/SM-Online-October-2015.aspx

Driving a Security Transition (2017-10-01): https://sm.asisonline.org/Pages/Driving-a-Security-Transition.aspx
Changing Course for Corporate Success (2017-07-10): https://sm.asisonline.org/Pages/Changing-Course-for-Success.aspx
Industry News May 2017 (2017-05-01): https://sm.asisonline.org/Pages/Industry-News-May-2017.aspx

Resilience Trends (2016-09-01): https://sm.asisonline.org/Pages/Resilience-Trends.aspx
Required: License to Operate (2015-02-01): https://sm.asisonline.org/Pages/Required-License-to-Operate.aspx
Chemical Facilities Tackle an Explosive Problem (2014-03-01): https://sm.asisonline.org/Pages/chemical-facilities-tackle-explosive-problem-0013191.aspx

The ASIS 2017 Exhibit Hall: An Interactive Learning Lab (2017-09-26): https://sm.asisonline.org/Pages/The-ASIS-2017-Exhibit-Hall.aspx
ASIS 2017 Product Showcase (2017-09-19): https://sm.asisonline.org/Pages/ASIS-2017-Product-Showcase.aspx
Less is More: A KISS Approach to ESRM (2017-09-12): https://sm.asisonline.org/Pages/Less-is-More.-A-KISS-Approach-to-ESRM.aspx

GridEx IV Tests The North American Power Grid (2017-11-17): https://sm.asisonline.org/Pages/GridEx-IV-Tests-The-North-American-Power-Grid.aspx
Global Water Risk (2017-09-01): https://sm.asisonline.org/Pages/Global-Water-Risk.aspx
Solar Technology Can Help Secure Military Grids, New Paper Finds (2017-05-08): https://sm.asisonline.org/Pages/Solar-Technology-Can-Help-Secure-Military-Grids,-New-Paper-Finds.aspx

School Lockdown Procedure Prevented Tragedy in Rancho Tehama (2017-11-16): https://sm.asisonline.org/Pages/School-Lockdown-Procedure-Prevented-Tragedy-in-Rancho-Tehama.aspx
Building a Professional Guard Force (2017-10-10): https://sm.asisonline.org/Pages/Building-a-Professional-Guard-Force.aspx
An Education Connection (2017-09-01): https://sm.asisonline.org/Pages/An-Education-Connection.aspx

Book Review - Business Theft and Fraud: Detection and Prevention (2017-07-17): https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx
Accesos bajo Control (Access Under Control) (2017-06-01): https://sm.asisonline.org/Pages/Accesos-Bajo-Control.aspx
Teller Trouble (2017-03-01): https://sm.asisonline.org/Pages/Teller-Trouble.aspx

Securing Service: How Security Is Helping Camden County’s Children (2017-11-09): https://sm.asisonline.org/Pages/Securing-Service--How-Security-Is-Helping-The-Children-Of-Camden-County.aspx
The Dirty Secret of Drug Diversion (2017-08-01): https://sm.asisonline.org/Pages/The-Dirty-Secret-of-Drug-Diversion.aspx
Senior Safety (2017-07-01): https://sm.asisonline.org/Pages/Senior-Safety.aspx

Bag Checks At Hotels Unlikely To Become New Normal, Expert Says (2017-10-04): https://sm.asisonline.org/Pages/Bag-Checks-At-Hotels-Unlikely-To-Become-New-Normal,-Expert-Says.aspx
Q&A: House Rules (2017-09-01): https://sm.asisonline.org/Pages/House-Rules.aspx
Houston’s Game Day Solutions (2017-07-01): https://sm.asisonline.org/Pages/Houston’s-Game-Day-Solutions.aspx

November 2017 Industry News (2017-11-01): https://sm.asisonline.org/Pages/November-2017-Industry-News.aspx
Safety in Shared Spaces (2017-09-01): https://sm.asisonline.org/Pages/Safety-in-Shared-Spaces.aspx
Protecting Fine Art and Other Industry News (2017-09-01): https://sm.asisonline.org/Pages/Protecting-Fine-Art-and-Other-Industry-News.aspx

The Fight Against Fake Pharmaceuticals (2015-02-01): https://sm.asisonline.org/Pages/The-Fight-Against-Fake-Pharmaceuticals.aspx
Uncovering Smart Solutions (2014-07-01): https://sm.asisonline.org/Pages/uncovering-smart-solutions-0013513.aspx
Rogue Online Pharmacies (2014-05-01): https://sm.asisonline.org/Pages/online-pharmacies-0013326.aspx

Highway to Hurt (2017-11-01): https://sm.asisonline.org/Pages/Highway-to-Hurt.aspx
Industry News June 2017 (2017-06-01): https://sm.asisonline.org/Pages/Industry-News-June-2017.aspx
The Evolution of Airport Attacks (2017-04-01): https://sm.asisonline.org/Pages/The-Evolution-of-Airport-Attacks.aspx

Subway Surveillance (2017-11-01): https://sm.asisonline.org/Pages/Subway-Surveillance.aspx
The Most Resilient Countries in the World (2017-05-11): https://sm.asisonline.org/Pages/The-Most-Resilient-Countries-in-the-World.aspx
Redefining Loss (2017-04-01): https://sm.asisonline.org/Pages/Redefining-Loss.aspx

You May Also Like...

https://sm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspxThe Unique Threat of Insiders<p>​It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and Sharepoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.</p><p>An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.</p><p>“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.</p><p>“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”</p><p>Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. </p><p>“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. 
All of those are the exercise of privilege.”</p><p>Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 Sans Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.</p><p>The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. </p><p>“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”​</p><h4>Insider Threat Programs</h4><p>Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.</p><p>In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments,” according to the survey. “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”</p><p>Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. </p><p>“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. 
“From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”</p><p>Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”</p><p>The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.</p><p>For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.</p><p>“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”</p><p>And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.</p><p>“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. 
</p><p>Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.</p><p>Organizations are also struggling to deal with both malicious and accidental insider threats—a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.</p><p>To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. </p><p>“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”​</p><h4>Trusted People</h4><p>When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.</p><p>“We ultimately want to bring some­body into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hope­fully the customers’ expectations. 
</p><p>You want them to be agile, creative, and innovative.”</p><p>To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.</p><p>After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.</p><p>USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.</p><p>“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”</p><p>This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.</p><p>“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. 
</p><p>For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.</p><p>“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”</p><p>To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.</p><p>She also recommends looking into any excessive federal court filings the prospective employee may have made.</p><p>“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.</p><p>Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.</p><p>“It’s not necessarily a case break­er, but you want to have the full perspect­ive of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.</p><p>Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. 
Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. </p><p>“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. </p><p>Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.</p><p>And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.</p><p>“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.</p><p>It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. 
</p><p>“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.</p><p>So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.</p><p>“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”</p><p>If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.​</p><h4>Trusted Technology</h4><p>Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.</p><p>“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”</p><p>These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. 
</p><p>Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.</p><p>“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”</p><p>So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.</p><p>“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”</p><p>Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.</p><p>In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”</p><p>To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. 
“You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. </p><p>Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. </p><p>This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a Sharepoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.</p><p>“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”</p><p>Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. </p><p>“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”</p><p>Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day, suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.</p><p>“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.  
​</p><h4>Trusted Processes</h4><p>To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.</p><p>While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”</p><p>To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. </p><p>Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. </p><p>Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. 
“Take our IT administrator—someone used his username and password to log in to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”</p><p>The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.</p><p>For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. Given that Snowden was a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.</p><p>“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.</p><p>Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts can help prevent insider threats. But, as Inglis knows, there is no guarantee.</p><p>“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”</p>
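The two checks this article calls for, baselining a person's normal badge-in hours and sites to catch the 2 a.m. arrival or the facility outside the normal rotation, and asking whether an administrator's credentials are being used on hosts that person normally uses, as an added Python example that is not from the article or from anyone quoted in it; the administrator, hosts, sites and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the article). Each record is
# (timestamp, kind, user, location): for a "badge" event the location is
# the facility swiped into, for a "logon" event it is the host the
# credentials were used on. "sysadmin1" is a hypothetical administrator.
BASELINE_EVENTS = [
    ("2017-10-02T08:01:00", "badge", "sysadmin1", "HQ-Bldg-A"),
    ("2017-10-02T09:10:00", "logon", "sysadmin1", "WS-ADMIN-07"),
    ("2017-10-03T07:58:00", "badge", "sysadmin1", "HQ-Bldg-A"),
    ("2017-10-03T08:40:00", "logon", "sysadmin1", "WS-ADMIN-07"),
    ("2017-10-04T08:05:00", "badge", "sysadmin1", "HQ-Bldg-A"),
    ("2017-10-04T16:55:00", "logon", "sysadmin1", "JUMP-01"),
]

# Constructed events to review against that baseline.
NEW_EVENTS = [
    ("2017-10-09T08:03:00", "badge", "sysadmin1", "HQ-Bldg-A"),      # routine
    ("2017-10-10T02:12:00", "badge", "sysadmin1", "HQ-Bldg-A"),      # 2 a.m. arrival
    ("2017-10-10T02:30:00", "logon", "sysadmin1", "DC-01"),          # admin creds on a host never used before
    ("2017-10-11T10:00:00", "badge", "sysadmin1", "DATA-CENTER-2"),  # site outside normal rotation
]


def build_baseline(events):
    """Per (user, kind): the hour-of-day range seen and the set of locations.

    Returns {(user, kind): {"earliest": int, "latest": int, "places": set}}.
    """
    hours = defaultdict(list)
    places = defaultdict(set)
    for ts, kind, user, where in events:
        hour = datetime.fromisoformat(ts).hour
        hours[(user, kind)].append(hour)
        places[(user, kind)].add(where)
    return {
        key: {"earliest": min(hs), "latest": max(hs), "places": places[key]}
        for key, hs in hours.items()
    }


def check_event(baseline, event, slack_hours=2):
    """Return the list of reasons an event deviates from the user's baseline.

    An empty list means the event looks routine. slack_hours widens the
    observed hour range so a slightly early or late arrival is not flagged.
    """
    ts, kind, user, where = event
    profile = baseline.get((user, kind))
    if profile is None:
        return [f"no baseline for {user}/{kind}"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    lo = profile["earliest"] - slack_hours
    hi = profile["latest"] + slack_hours
    if hour < lo or hour > hi:
        reasons.append(f"off-hours {kind} at {hour:02d}:xx "
                       f"(usual {profile['earliest']:02d}-{profile['latest']:02d})")
    if where not in profile["places"]:
        reasons.append(f"{kind} at unfamiliar location {where}")
    return reasons


def find_anomalies(baseline_events, new_events):
    """Return [(event, reasons)] for every new event that deviates."""
    baseline = build_baseline(baseline_events)
    flagged = []
    for event in new_events:
        reasons = check_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(event[0], event[2], "->", "; ".join(reasons))
```

A real deployment would build the baseline from weeks of history per person and treat a missing baseline as its own signal for review rather than a pass.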
https://sm.asisonline.org/Pages/Building-a-Professional-Guard-Force.aspx
Building a Professional Guard Force
<p>In today's environment of heightened security in all areas, security departments are struggling to attract and retain high-quality guards. Now more than ever, it's vital to examine how security guards are evaluated, trained, and compensated.</p><p>All entities, including corporations and government facilities, understand the importance of a top-notch security force. However, not all of them recognize the elements needed to create such a force.</p><p>Security managers may presume that a security guard who passed the preemployment screening and successfully completed training when hired will perform the required duties well. And that may be true. But human nature allows people to become complacent, cut corners, and get too comfortable. Continuing education, regularly scheduled evaluations, and enhanced training can improve the team's performance.</p><p>On March 1, 2016, at Escuela Campo Alegre, Caracas, Venezuela, we initiated a new method of recruitment and selection for incoming loss prevention and control analysts (LPCAs). At that time, we chose to enhance our program by hiring 10 people with bachelor's or associate degrees in engineering, economics, administration, education, and other related fields.</p><p>We developed a screening and training program for candidates hoping to join our security team as LPCAs. In addition, we created a regimen of close supervision and daily evaluation of the security force to reinforce the training. </p><p>Here are the elements that led to success in creating excellent employees for our school's protection, from the first job application to seasoned protection professional.</p><p><strong>SCREENING AND TRAINING</strong></p><p><strong>Detailed job description. </strong>Experience has taught me the importance of a detailed and clearly stated job description. 
Candidates for the position of LPCA receive a precise explanation of the duties and expectations. This is presented first so that potential candidates fully understand the duties and responsibilities of the position. If the job description isn't something the candidate wants to do, we have saved everyone a lot of time.</p><p><strong>Required qualifications. </strong>Every security force has necessary requirements when seeking team members such as age, place of residence, experience, physical abilities, criminal background, and computer skills. Education, of course, is taken into consideration, and at Escuela Campo Alegre we look for higher education, from associate degree to bachelor's degree and up, for LPCA candidates.</p><p><strong>Testing potential candidates. </strong>LPCAs must have certain abilities from the beginning.</p><p><em>Observation.</em> The candidate must be attentive and aware at all times of the general appearance of people, placement of objects, locations, colors, vehicles, and location of security equipment.</p><p><em>Oral communication.</em> The candidate must be able to respond in detail when relaying and explaining the facts of a situation. The candidate must also be able to delegate duties to a third party using clear directions.  </p><p><em>Written communication. </em>The candidate must be able to write a report using correct grammar and vocabulary. An excellent memory is needed to write a complete report. Also, the candidate must be computer literate to produce the report.</p><p>During the interview process, we determine if the candidate has the qualifications listed above. We evaluate the ability to give directions properly to a third party. Observation skills are also evaluated. Reporting skills are tested by having the candidate read and summarize a paragraph using a computer.</p><p><strong>Introduction to private surveillance. 
</strong>A candidate who passes the initial interview process is invited to attend an eight-hour training presentation the next day. This introduction exposes the candidate to the basic requirements of private security. Among the topics addressed are the expectations of a security officer, the organizational mission, legal aspects, visitor management, keys and locks, and guard tours.</p><p>After the presentation, the candidate undergoes a test, which requires 17 points to pass. If successful, the candidate is invited to come the following day to read the operations manual. </p><p><strong>Operations manual. </strong>This next step is important. We determined that it requires five business days to read, analyze, and understand the school's operations manual. We administer an evaluation at the end of each day to determine whether the candidate has understood the reading for the day. This helps to clarify questions or misunderstandings the candidate may have. If the candidate does not reach the minimum score during the first evaluation, the average of the first and second tests must be a passing score. Candidates who do not receive the required score are no longer considered, but those who pass the evaluation are invited to the induction program.</p><p><strong>Induction program. </strong>This phase of our program provides detailed descriptions of the jobs to be performed. Candidates learn that they will rotate throughout the facility and understand that there are multiple and varying tasks at each location. They receive on-the-job exposure to the work by staying at our institution during four day shifts and two night shifts.</p><p>The candidate is evaluated each day, and the minimum passing grade is 17 out of 20 points. Once again, candidates who do not receive a passing grade will no longer be considered for a position.</p><p><strong>Final evaluation. 
</strong>After passing the induction program, the candidate will meet with the security manager for the final assessment. This assessment includes topics such as employee identification, addresses of various locations, location of safety equipment, knowledge of the operations manual, recognition of patrol routes, and disciplinary code.</p><p><strong>Assignment to a guard group. </strong>Candidates who advance through the final evaluation receive the rank of Officer I and are assigned to a regular working group. Together with the supervisor, the officer will put into practice all theoretical and practical knowledge achieved through training. The officer will work as an auxiliary for 90 days and will perform day-shift and night-shift tasks in conjunction with the assigned group. </p><p>During this trial period, the officer will be guided and instructed by the supervisor regarding the responsibilities of the log book; closing and opening of facilities; operation of lighting; vehicle fleets; entry and exit of students; entrance of drivers, chauffeurs, and caregivers; Escuela Campo Alegre staff, contractors, tutors, substitutes, trainers, and frequent visitors; entry and exit materials; fire alarm system; evacuation drill; and many other activities. </p><p><strong>Completing the probationary period</strong>. Once Officer I completes the probationary period, we administer an evaluation to demonstrate readiness to assume multiple responsibilities. If the officer does not pass the evaluation, an additional 15 days as an auxiliary allows for more instruction, followed by another evaluation. When this evaluation is passed, the individual is promoted to Officer II.</p><p><strong>Certification as Loss Prevention and Control Analyst. </strong>An Officer II will work for nine continuous months at the new job, demonstrating knowledge of establishing priorities, situation analysis, decision making, safety, conflict management, investigations, and first aid. 
Depending on performance and the results of monthly assessments, it can be determined that the officer has a clear understanding of what constitutes the work of the supervisor. The officer is now eligible to be certified as an LPCA. A further evaluation involves a series of cases and situations and requires a passing score to become a certified LPCA.</p><p>Out of 120 people who apply for a position as an LPCA, only about 10 successfully reach this point.</p><p><strong>EMPLOYEE DEVELOPMENT</strong></p><p><strong>Training updates. </strong>In our organization, we believe that providing continuous training enhances the performance of each member of the group. Daily training is provided to each member of the guard force for 15 minutes prior to the day shift and the night shift. This training is different every day and covers more than 40 areas related to the fulfillment of security tasks. The training aims to strengthen the knowledge and ability to perform required tasks.</p><p><strong>Daily evaluations. </strong>From the first moment the candidate joins our ranks, we stress the importance of maintaining our organization with a spirit of healthy competition within the groups. This interest and enthusiasm in our organization fosters respect, pride, and knowledge about the organization.</p><p>The daily evaluation is a practical application that consists of the exchange of files and questions that the coordinator of vigilance presents to each member of the group. Officers must demonstrate their ability to recognize the faces of employees, know the geographical location of any room on campus, know the exact location of the security equipment, provide detailed information of the operations manual, run the courses correctly, and honor the disciplinary code. This daily evaluation keeps officers on their toes and objectively assesses their knowledge.</p><p><strong>Monthly evaluations. 
</strong>At the end of each month, the scores from the daily assessments are reviewed, allowing us to determine who has been an outstanding analyst and who may need more supervision and additional training. Officers who come up short three times during the school year are reassigned to jobs outside of Escuela Campo Alegre. </p><p><strong>LPCA lectures. </strong>Each LPCA of Campo Alegre School, as part of ongoing professional development, must present a lecture about security once a year. Each 20-minute lecture is followed by a 10-minute question-and-answer session. The topic of the lecture is assigned by management. </p><p><strong>Annual research presentation. </strong>For further professional development, each LPCA at Escuela Campo Alegre must research and propose new tools, criteria, or procedures to make the job function better and more efficiently. This improves the LPCA's skills while helping management meet its objectives.</p><p><strong>Interpersonal communications with management. </strong>Once a week, an off-duty analyst will attend an hour-long meeting with management. The parties discuss topics not related to work, such as sports, hobbies, and leisure pursuits. Management gains an appreciation of the social, cultural, and familial environment of the analyst, and both participants strengthen their communication. </p><p><strong>Disciplinary court. </strong>If any officer is involved in a disciplinary action, that officer seeks a member of his group to act as his "lawyer." The lawyer will represent the officer and help to clarify the situation. Likewise, management will choose an officer to act as "prosecutor" to argue the case of the disciplinary action. This interaction allows each party a fair chance to present facts. </p><p><strong>LPCA authors. </strong>Every member of the security team is required to write an article about campus security. 
The article is published in our digital magazine and is shared with the Campo Alegre community, including parents, students, teachers, employees, and contractors.</p><p><strong>LPCA of the month. </strong>Each month, an officer who has successfully met all objectives is awarded LPCA of the month. The objectives include staff identification, detailed knowledge of the campus, analytical prowess with regard to the operations manual, location of safety equipment, completion of duties, and adherence to the disciplinary code. The officer must demonstrate clear, concise communication and common sense.</p><p><strong>LPCA of the year. </strong>This honor is awarded to the LPCA who has received the greatest number of monthly awards.</p><p><strong>Compensation. </strong>In addition to careful training, we know that humans respond well to a good salary and benefits. They feel appreciated for a job well done. We are proud to say that our LPCAs are the best paid in the country. In addition, they receive a stipend for being a university graduate, a stipend for transportation, and bonuses for work performance. The Escuela Campo Alegre community also shows appreciation through thank you notes and personal gratitude. That goes a long way in making our team feel appreciated.</p><p><strong>RESULTS</strong></p><p>Since Escuela Campo Alegre began this program of recruitment, training, supervision, daily evaluations, and professional development of analysts, management has observed both positive and negative behaviors: distractibility, obscurity, lack of discipline, lack of confidence to perform duties, inequality when working in groups, selfishness, and lying, as well as professionalism, fairness, honesty, transparency, and overall pride in the work and the institution. </p><p>Our evaluation system contributes greatly toward a successful program. 
A Google Doc is available so that every person on the task force can monitor his behavior and improve in areas of operation, manual details, face recognition, geographic location on campus, security equipment location on campus, and security rounds. With this information available at any time, they can self-motivate and improve. The same Google Doc can show them where they stand as far as positioning, and they can see what salary increase they may expect on their next evaluation. The disciplinary system tracks all mistakes made by the analyst on duty. This provides the analyst the opportunity to correct mistakes and advance in the program.</p><p>Our turnover is very low because of our evaluation system. It not only helps those who wish to advance, but it also allows others to realize, on their own, that their job performance is too low to continue.</p><p>The analysts take pride in their work and, because they can see what other analysts are achieving, they can collaborate and ask questions of those higher achievers. There are fewer missed shifts. Because the analysts work so closely together and respect each other, they are more willing to cover for a team member.</p><p>It has been arduous work that involves a great deal of discipline, ethics and morals, teaching, and faith in what we are doing. We are proud of our successful program and will continue to refine and improve it in the future.</p><p><em>Guillermo Guevara Penso was security manager at Escuela Campo Alegre in Caracas, Venezuela, until July 2017 when he elected to seek other security-related opportunities in Chile. He has more than 30 years of experience in the security field.</em></p>
https://sm.asisonline.org/Pages/Building-a-New-Corporate-Security-Strategy.aspx
Building a New Corporate Security Strategy
<p>CATERPILLAR, a Peoria, Illinois-based Fortune 500 company that makes mining equipment, engines, and turbines, and generates annual revenues in the neighborhood of $50 billion, needs a security department able to handle the demands of protecting worldwide operations.</p><p>Timothy L. Williams, CPP, who served as the 2008 ASIS International president, became the director of global security at Caterpillar in 2006. He and other members of the company’s security strategy team spoke with Security Management about how they have addressed challenges.</p><p>A central concern for the team, say members, is keeping security staff focused on strategies and core competencies, making sure staff can handle the needs of multiple cultural environments, and ensuring that they remain nimble in the face of constant change. But first and foremost, Williams had to form the right team.</p><p>One of the most important challenges in putting together the strategy team was ensuring that the individuals who were hired represented diverse backgrounds. If the individuals are too similar, says Williams, you “run the risk of recycling the same perspective of issues and solutions.”</p><p>Steven Seitz, the security contract manager and a strategy team member, elaborates: “In most security organizations, you’ll find a bias towards a certain discipline. It may be a police discipline, a military discipline, or a fire and safety discipline…. I think that the balance as a team really is the true value.”</p><p>The Caterpillar strategy team includes members with medical, military, and law enforcement backgrounds.</p><p>Team members must also be individuals who are not afraid to challenge the boss, says Williams. 
It’s important to “have people tell you what they’re thinking about the direction versus what they think you want to know about your direction,” he explains.</p><p>Williams admits it’s difficult to hire for that trait, but says, “what I try to do is reward the people who have the courage of conviction to point out a different way of looking at an issue or a different solution. And that tends to reinforce people’s ability to want to take that opportunity to speak up.”</p><p>With the right balance of talents assembled, the strategy team proceeded. Among their objectives was to focus the entire security staff on strategy.</p><p>That included 20 people on the global security staff and about another hundred in 500 locations who spend at least 50 percent of their time on security.</p><p>“A lot of times, people became so close to the processes and the projects that they were working on, they couldn’t truly understand... the new security approach,” says Timothy N. Strunk, a strategy team member. “They saw, here’s my process, here’s what I’m trying to do. And they couldn’t get out of that box. So, it was very difficult for people to say, how does my project relate to strategy.”</p><p>To change that mind-set, Williams’ team developed a communications plan that kept everyone focused on the overarching security goals and aligning those goals globally with the business goals.</p><p>The team also sought to shift the company’s security operations from an Illinois-centric mind-set to a more global one. To do this, the company hired security professionals with specific regional, cultural, and language expertise, and acclimated them to the Caterpillar environment, rather than trying to acclimate Caterpillar people to various new cultural environments, explains Karen A. Frank, global security manager, and the third member of the strategy team.</p><p>The security strategy team also helped by working with the new hires out in the field, says Frank. 
The team worked on recruiting security professionals who had good reputations in the part of the world they would be working in, according to Williams. He adds, “When we develop [policies] here in Peoria, through the functional planning team, we pass it over to each regional director who customizes it for their culture and application in their particular part of the world.”</p><p>Another major undertaking for the team, according to Frank, was assessing which security components were core, which were unnecessary, and which were value-added elements. The team focused on four core areas: establishing a risk-based security program as opposed to a one-size-fits-all approach; outlining investigative protocols; aiding the company’s new crisis management program; and developing an employee-awareness component.</p><p>The new risk-based approach changed the way security is managed at the company. Williams says facility security coordinators in the field have been given back some physical security responsibilities, but they must use risk-based security guidelines developed by the global security team.</p><p>The team also engaged in “change management,” so that the team’s effectiveness would not diminish as individual members left over the years. Toward that end, Williams worked closely with HR personnel, who are experts on change management, as well as with the communications department.</p><p>Companies like Caterpillar must also ensure that they are in line with the industry, by benchmarking regularly to ensure that best-in-class security procedures are applied where needed. And of course, the team must always be ready to adapt policies and procedures to any changes in threats and risks for the company and its employees.</p>