Thinking Smarter About Security

If you work in any facet of public safety and you aren’t thinking about how you secure public and event spaces, you haven’t been paying attention.  Our complacency is the greatest gift we can give to terrorists and criminals.  I certainly acknowledge that the most difficult aspect of dealing with criminal intent versus natural hazards is their determination to circumvent our own protective measures and systems, but we often make it easy for them because it’s too difficult for us to change. Is that really the excuse you want to give to the board, the media, or the families of those killed in a criminal act?

While I will never claim to be a security expert, I try to look at things with a critical eye and take the advice of those who are experts in the field.  Here are a few examples of things I’ve encountered.

Several years ago I was part of a team supporting preparedness at a major sporting venue.  The organization that had exclusive rights to the venue requested support in planning, training, and exercise activities.  I provided incident management training and was the lead on exercises.  As preparation for a tabletop exercise, I coordinated with the organization to observe security procedures during a major event.  The security screeners at the entrances to the venue did a reasonable job with most patrons, although they consistently faltered with one type of patron – persons in wheelchairs.  Anyone who came to the door in a wheelchair was waved through ALL security screening without so much as a bag check.  This became the gap that I exploited for the exercise, much to the objection of their head of security, who insisted that personnel were trained in how to screen patrons in wheelchairs.  While they may have been trained, it is something they consistently failed to do, and I never observed a supervisor correct the behavior.  Perhaps they weren’t trained at all, or the training wasn’t effective, or it was too uncomfortable or inconvenient for them to do.  Regardless, this is a significant gap that I’ve continued to see at other locations through the years.

Earlier this year I attended a large convention that drew tens of thousands of patrons in a large convention center over a long weekend.  I was an attendee and not working in any official capacity.  Security at the venue was laughable.  Security personnel had three main activities – bag checks, credential checks, and metal detector operation.  Metal detector operation was only performed the first day, utilizing walk-through detectors as well as wands.  The personnel clearly had no idea how to operate either (I was among dozens if not hundreds of people who were directed to go through a walk-through detector – which I noticed was unplugged).  On the occasion that a walk-through alerted (one that was plugged in…), I observed security personnel waving the wand around people too quickly and too far away from their bodies.  For bag checks, we were asked to open all bags for security inspection.  The ‘inspection’ I observed on each day usually consisted of someone saying thank you and waving you through as they looked around the room or chatted with a co-worker, certainly not actually looking into the bags.  As for checking credentials, every patron was provided with a lanyard and a pass to be attached to said lanyard.  Security personnel were supposed to be checking passes as people entered doors to the main exhibit hall and other areas.  I noted some security personnel did this better than others – some of whom didn’t check at all.  I actually managed to keep my pass in my pocket through the entire event, only being challenged by security once.  I was so alarmed by some of the practices that on separate occasions I introduced myself to a county sheriff’s deputy and a fire marshal to point out some of the more egregious issues.

My work has brought me to a number of secure facilities owned by various levels of government and private entities.  One federal facility I’ve frequently visited through the years usually screens vehicles.  As expected, this includes the opening of doors and the trunk of the car.  Not once, in the many years and visits to this facility, has anyone ever moved a seat or checked a bag or package.

My last anecdote comes from a few years ago, spending some down time in a small park in an area of DC where there are a number of embassies.  One embassy seemed to have regular traffic in and out for visitors as well as some light construction work being performed on their grounds.  As one guard would check identification and presumably verify the need of the visitor to be there, another guard would walk around the vehicle with an inspection mirror (the type at the end of a pole with which to inspect the underside of a vehicle).  It was evident that the guard was either not trained in its proper use or the importance of this protocol, as every time he walked around a vehicle he held the mirror but never actually put it in position to view under the vehicle, much less ever looked down at the mirror.  He simply took a casual stroll around the vehicle.

The things I’ve noted here are just a few that happened to come to mind as I crafted this article.  There are dozens more, and I’m sure each of you can come up with a list of poor practices as well.  Keep your eyes open when you go to a public space to see how security is handled.  Look at things through the lenses of potential adversaries.  How could someone gain entry?  Are there recognized security patterns they can circumvent?  What vulnerabilities exist?  If you are responsible for security for a facility, have a security audit performed.  While formal security audits are valuable, often the most meaningful ones are casual and unannounced, with someone the front-line security personnel don’t know trying to gain entrance to the facility.  Are they challenged appropriately? Are they screened effectively?

The mitigation, prevention, and protection against security threats is something that many take too lightly – clearly even those whose job it is to focus on those matters.  Highly effective training programs are available – but we need to ensure that people take these courses and implement what they’ve learned in accordance with documented organizational practices.  Supervisors must be present and constantly maintain quality control.  This is a good matter of practice, but even more important when most non-sworn security personnel have a high rate of turnover or may be part-time or temporary employees, or even volunteers.  For large events, proper just-in-time training must be performed for supplemental security staff who are not certified or otherwise professionally qualified security personnel.

Security is a challenging environment to work in.  We must constantly be recognizing threats and trying to out-think potential adversaries.  We must strive to keep passive and active security practices up to par, meeting or exceeding standards without becoming predictable to an observer.  How do you assess security in your facility?  What best practices have you identified?

© 2017 – Timothy Riecker, CEDP

Emergency Preparedness Solutions, LLC

Public Area Security National Framework

The Transportation Security Administration (TSA) recently released this report in cooperation with a variety of stakeholders which provides information and guidance on preparedness, prevention, and response activities to strengthen the public spaces of transportation venues.  While the focus of the document is on airports, the information in the document is great not only across all transportation venues, but other public spaces as well.  I think there are great takeaways for other areas of vulnerability, such as malls, convention centers, event spaces, and others.

To be honest, there is nothing particularly earth-shattering in this document.  The document is brief and identifies a number of best practices across emergency management and homeland security which will help agencies and organizations prevent, protect, prepare, and respond to threats, particularly attacks.  That said, the document does accomplish providing concise information in one document on key activities that absolutely should be considered by entities which control public-access spaces.  I would also suggest that this document is still 100% relevant to those which have some access controls or entry screenings.

Information in the document is segmented into three key tenets: Information Sharing, Attack Prevention, and Infrastructure and Public Protection.  Within these tenets are found recommendations such as relationship building, communication strategies, vulnerability assessments, operations centers, planning, training, and exercises.  Most of the recommendations provide examples or leading best practices (although no links or sources of additional information, which is a bit disappointing).

The framework is worth a look and can probably serve as an early foundation of activity for those who haven’t yet done much to prepare their spaces for an attack.

© 2017 – Timothy Riecker, CEDP


Adapting to the Cyber Threat – Who Holds Liability?

Over the past year or so, even the past few months, we have seen a huge increase in high visibility hacks and cyber attacks.  Among the highest profile attacks are:

  • Target department stores suffered the theft of credit card holder data
  • the US government had a huge theft of information of government employees as well as theft of taxpayer data from the IRS
  • and just recently the theft and subsequent public release of information of Ashley Madison account holders.

While cyber attacks and hacking didn’t just start occurring recently, our society, laws, and policies have yet to grow to truly keep up with prevention, mitigation, protection, response, and recovery from these incidents.  This is a familiar place we find ourselves in with other human-caused incidents such as mass shootings.  We have recently seen some insurance companies offering cybersecurity policies.  I’m not knowledgeable of the terms and conditions of these policies, but I’m hopeful policy holders are required to have cybersecurity policies and programs in place to help prevent and mitigate against the impacts of a cyber attack.  Presumably, the insurance policy covers financial losses to the company and perhaps even litigation.  Consumers have a variety of protections available for identity theft offered through banks and credit cards.

With the recently announced class action lawsuit against Ashley Madison, I began thinking about where the real liability for a cyber attack lies.  Certainly those individuals whose personal information was stolen (moral issues aside) may suffer some measure of financial loss.  The same can be held true for those whose data was stolen from the Target and US government hacks.  Those individuals trusted and were generally assured that their personal and financial information would be protected.  These assurances place a liability on the entity that holds their information.  However, we tend to treat liability differently for disasters and acts of terrorism where entities, so long as they made reasonable and prudent efforts to avoid impacts, are held harmless; or in the event of a criminal act, we see liability shifted to the perpetrators of the criminal act.

I’m convinced that any system can eventually be hacked and suffer either data loss or data theft.  Unlike a natural disaster, intentional human-caused incidents include the factor of persistence.  Persistence is a unique element which requires constant and concerted efforts on the part of other humans to prevent, protect, and mitigate against criminal acts.  Given the law of averages and the constant need for cybersecurity experts to keep up with all tactics used by criminals, the good guys are bound to lose a battle once in a while.  While I don’t disagree that those who have their personal information stolen through no fault of their own may be deserving of financial compensation for their losses, I’m left wondering about the real liability of those entities who make reasonable and prudent efforts to protect that data.

Certainly the perpetrators, when found guilty, are at fault and hold the ultimate responsibility, but we have difficulty in identifying and prosecuting these attackers.  Even if the perpetrators are found and convicted, is there still a shared liability among other parties?

Like climate change, we struggled for many years fighting the inevitable and thinking we could stop or reverse its effects.  We are finally shifting to a new philosophy of adaptation.  While we do what we can to slow the speed of climate change, many have accepted that climate change, and thus its impacts, are an inevitability.  This leads me to suggest that we need to take the same stance with all disasters, including those caused by humans.  Incidents will occur.  While we MUST do what we can to prevent, protect, and mitigate against them, we need to shift the thinking of society to response, recovery, and adaptation for when, inevitably, it does occur.

While I’m no attorney or expert in liability and litigation, it seems to be a fairly unexplored area in terms of cybersecurity.  I welcome your thoughts and ideas on this.

© 2015 – Timothy Riecker


WWW.EPSLLC.BIZ

Are You Really Considering All Hazards?

Natural hazards, such as flooding, tornados, wildfire, and earthquakes, bring about the greatest losses, calculated in nearly every metric possible, as compared to human-caused incidents.  Human-caused incidents, either accidental or intentional, still bring tremendous impact to communities world-wide on a daily basis.  While working to prepare for, mitigate, respond to, and recover from natural hazards will always continue to be important, it seems that many still often forget about human-caused incidents despite all the conversations out there.

Human-caused incidents include a variety of hazards such as infrastructure failure, transportation accidents, hazardous materials incidents, and intentional attacks.  These are all things which we can fit into our traditional model of Prepare, Mitigate, Respond, and Recover.  The National Planning Goal introduced the model of the five Mission Areas – Prevention, Protection, Mitigation, Response, and Recovery – to help address many of our major functions (Core Capabilities) for human-caused incidents (note that Preparedness is now a higher level concept that applies to all Mission Areas).  While this Mission Area model has helped bring these key activities into the greater fold of what we do, it has also kept them largely isolated through the thought that many human-caused incidents are only addressed through Prevention and Protection Mission Area activities.

Nowhere, it seems, do we see this more than in the area of hazard mitigation.  The vast majority of hazard mitigation plans which exist only address natural hazards (even at the state level).  Since many readers view this blog for my opinion, here it is – this is archaic and dangerous thinking!  We have all seen hazard mitigation plans which claim they are ‘all hazards’, yet only list natural hazards.  That’s fine, if by some unbelievable circumstance, your jurisdiction is only impacted by natural hazards.  This is a circumstance which I am highly doubtful of.  Some mitigation plans get a little more realistic and will address human-caused hazards such as dam failure and/or hazardous materials release, which were likely the greatest human-caused threats they may have been vulnerable to in the previous century.  In today’s world this still doesn’t quite get us to where we need to be.  There are a great many mitigation activities which we can leverage against human-caused incidents.

How do we fix this?  It’s easy – start with conducting a hazard analysis.  A hazard analysis, be it as a stand-alone activity or part of the THIRA process, should review all possible hazards which your jurisdiction, company, or organization is vulnerable to.  It should be comprehensive, not just limited to the set of natural hazards.  Along with infrastructure failure and hazardous materials incidents (both in-transit and fixed site), consider hazards such as active shooters, cyber attacks, improvised explosives, and civil unrest.  This may require bringing some additional subject matter experts into the room for your hazard analysis – like your IT director.  In a hazard analysis, each hazard is ranked (at a minimum) by its likelihood to occur and its severity of impact should it occur.

A well conducted hazard analysis provides the basis for everything we do in emergency management and homeland security.  It not only informs our activities such as planning, training, and exercises, it also helps assign priority to those hazards which require the greatest focus and allocation of resources.

© 2015 – Timothy Riecker


Well OF COURSE Drones Can Be Used As WEAPONS

It’s rather insane that it took this long for the US Department of Homeland Security to issue a warning to law enforcement about the potential use of drones/UAVs as weapons or to further the criminal enterprise.  If you’re not familiar with the DHS bulletin, see this CBS News story.

For those of you who have been steady readers of mine, you can probably tell that I’m pro-drone.  However, just like anything else, someone is bound to adapt the technology for their own malicious purposes.  While we are still getting our act together in figuring out how to apply UAV technology for myriad good and purposeful things, there have been those out there trying to figure out how to use the same technology for advancing criminal and terrorist agendas.

Amazon and others want to use UAVs to deliver packages.  Well guess what – drug cartels will certainly be using them to deliver packages of drugs.  The US military uses UAVs to strike at terrorists in unfriendly territory.  Terrorists, criminals, or even your run-of-the-mill stupid people, can do the same.  Have you seen this article about a teen who mounted a handgun to a UAV?  UAVs are great for providing a bird’s-eye view of any situation, but when operating in a disaster environment they can’t impede responders as they did in the recent wildfires in California.

I have no doubts that terrorists somewhere, foreign or domestic, are playing with UAV electronics and explosives to determine how best to deliver those deadly packages.  As inevitable as it is, do we ban the use of UAVs?  Well we haven’t banned cars or moving vans, and both have been used to transport explosives.  The good outweighs the bad, so we have to figure out how best to deal with it.

The fact of the matter is that all well intended technology can be used for not so good purposes.  Does this mean we do away with the technology?  No.  Does this mean we do away with innovation?  No.  It does mean that we have to stay a step ahead of those who have ill intent or practice in stupidity.  Prevention, protection, and mitigation against these things is a constant challenge.  We now need to be aware of a new threat and address it.  It’s something we’ve done through time.  People built walls around their towns to protect themselves and their property from people and animals who would do them harm.  Attackers innovated and approached walls with ladders, so defenders built taller walls and other defensive technologies.  Today we use physical barriers to prevent vehicles from getting too close to buildings, locked doors to prevent entry, and cameras to monitor.  Perhaps the threat of an attack from the air will require other measures.

Has your company or jurisdiction considered the threat UAVs may pose to your interests?  What are your thoughts on deterring attacks?

© 2015 – Timothy Riecker
