Attendees at the hundreds of educational sessions offered this week learned more about the latest in security issues and trends. Security professionals could immerse themselves in a variety of topics, from terrorism to counterfeiting. Following is a sampling of some of the sessions held on Tuesday and Wednesday.
Transportation systems are increasingly vulnerable as more and more trains, ships, and automobiles are becoming connected to Internet networks, said Alan McDougall, CPP, director of Evolutionary Security Management, Inc., in the “Emerging Threats to Transportation” session Tuesday afternoon.
The session was sponsored by the ASIS Supply Chain and Transportation Security Council, which McDougall chairs, and the ASIS Critical Infrastructure Working Group. McDougall and his fellow panelist, Bob Radvanovsky, principal of Infracritical, discussed how without taking appropriate IT security measures and assessing vulnerabilities, the wrong people could be gaining access to private data and transportation systems and causing harm.
For instance, in most vehicles there is a light on the dashboard that turns on to let the driver know that the oil needs to be changed. However, if someone was able to gain access to the monitoring system of your car he could adjust the setting so the oil light never went off when it needed to be changed, resulting in serious damage to the vehicle over time, McDougall said.
The same can be applied to ships where a person could gain access to the system that is responsible for maintaining a ship’s ballast system, which keeps it balanced while in the water, and cause the ship to tilt, possibly damaging cargo resulting in an economic loss for the company, he explained.
Perpetrators can gain access to these networks through hacking into the system by using weak passwords, taking advantage of default settings, and by using additional methods, such as antennas, to connect to WiFi signals.
Ships are increasingly vulnerable because blueprints and plans of their ballast systems are available on Google Patent Search and can be accessed by the general public by searching “ship ballast system.” This gives those who’d like to use that information to harm the ship, or the company that owns it, additional aid because they can easily find information if it’s made available online for access.
The security industry needs to find a way to work around this and ensure that it’s protecting its assets because the information has already been exposed. “The information is public...you can’t put the genie back in the bottle,” McDougall said.
Attendees to Tuesday’s session “Product and Technology Counterfeiting: It’s Not What You Think” learned that counterfeiting isn’t only used to sell fake products, but can also be used for security attacks. Roger G. Johnson, CPP, of the Vulnerability Assessment Team at Argonne National Laboratory, explained that full counterfeiting of security products is not as difficult as one might expect but is rarely even needed; often partial counterfeiting is sufficient. Johnson said counterfeiters usually only need to mimic the superficial appearance and some of the capabilities of the original product to pass it off as the real thing.
Johnson also discussed counterfeits in the art world and said that the uncanny valley phenomenon, often discussed in relation to robotics, applies here as well. Uncanny valley is a hypothesis that states that when a robot, say, has features that are extremely but not exactly human-like, it turns people off. He related that to art counterfeiters, stating that the “forgers have to avoid getting too close to the thing they are copying or it sets off a feeling of unease.”
With regard to counterfeit products, Johnson discussed various types of anti-counterfeiting tags, such as RFID, holograms, and color-change film, but he said these don’t tend to work well to deter counterfeiters. Additionally, one blunder manufacturers make is to put information on how to spot authentic products in with their packaging; Johnson says counterfeiters can do this, too. Further, encryption does not necessarily have a role in counterfeit detection and product authentication, said Johnson.
Some ways to raise public training and awareness about spotting counterfeits are to encourage intuition (such as uncanny valley) and observation of suspicious seals and packaging, provide contact information for when counterfeits are suspected, and reward people and companies for spotting fakes. Johnson said that some options for deterring counterfeiters include improved forensics, increased penalties, improved seals, and increased regulatory action.
Johnson added that manufacturers have to know that pretending these counterfeits don’t exist can backfire.
Seminar attendees gathered Tuesday afternoon to discuss antiterrorism measures and how to implement them in the workplace. Ross Johnson, CPP, senior manager of security and contingency planning at Capital Power of Alberta, in Alberta, Canada, presented the “Preventing Terrorist Attacks” session. In his session, Johnson focused on the management of security technology in the fight against terrorist attacks.
Since 9-11, there has been a vast amount of technology produced to increase security in critical infrastructures, but the fundamental management of all that technology is missing, Johnson said. He discussed trends in terrorism over the last decade, pointing out that terrorists tend to attack people and places by using bombs and explosives.
Johnson also defined the difference between antiterrorism and counterterrorism measures. Antiterrorism is the name for the passive measures used to protect organizations from terrorists, while counterterrorism is the active measures taken by law enforcement and governments to destroy terrorists. Contingency planning professionals need to focus on antiterrorism measures, not counterterrorism measures, he emphasized.
The key to a successful antiterrorism plan is to destroy an adversary’s confidence in attacking the facility, Johnson said. Companies should complete a threat vulnerability assessment to understand the strengths and weaknesses of their security. This includes outlining what threats the companies face, defining who the terrorists are, determining what tactics they would use, defining the threat environment, and understanding the threat level, Johnson said. Security professionals should also list what assets need to be protected and evaluate the types of threats their facilities face.
After completing a threat assessment and understanding the risks their facilities face, companies must implement specific security measures tailored to these specific needs. This includes considering the necessity of different security measures and staying flexible to preserve resources. Another important security measure is training guards to pay attention to specific unusual behaviors and noting them, Johnson said. Guards should be trained to recognize potential terrorists scoping out the facility. Repeated observations of such activity in an area that would provide them important information—such as when and where staff come and go—should be noted and reported, Johnson emphasized.
Another way to deter terrorists is to implement random antiterrorism measures, Johnson said. These measures help create layers of changing, unpredictable, and flexible security measures that introduce doubt into the terrorist planning cycle. These measures should be implemented when there is a terrorist threat that is medium or higher, and should be practiced once a month, Johnson suggested.
There is a fine line between panic and awareness, Johnson noted, and contingency planners should make sure employees understand the importance of observation and vigilance without making them fearful, and this can be done through open communication between all levels of security management, Johnson said.
A morning session on “Strategies for a Safer Campus” drew a standing-room-only crowd. Sponsored by the ASIS International School Safety and Security Council, it explored what some colleges and universities are doing to increase the effectiveness of their campus security forces. The presenters were: Chauncey Bowers, executive director of security and emergency management, Central Piedmont Community College; Michael Salatino, chief of police of Benedictine University; and John Pack, director of higher education for G4S Secure Solutions (USA), an integrated security solutions provider that has worked with both schools.
Pack polled the audience to see how many attendees came from universities, which was a significant amount, then how many came from schools that were considering a sworn police force, which was a smaller number. Pack said that such a force is one option for educational institutions that are “trying to solve problems with increasingly dwindling resources,” as is augmenting traditional campus police departments with additional support.
Pack began by explaining that to be successful in changing a campus police force to increase its effectiveness required an honest assessment that made a clear delineation between needs and wants. He stressed that no true needs assessment could take place without polling key stakeholders. Sometimes on college campuses, he said, there are so many that “it can become difficult to know who they are.” He suggested that campus police departments have their own advisory panels made up of individuals who will provide honest input.
Pack stressed that this was part of much more good advice to be found in the book Good to Great by Jim Collins, who wrote that the most important aspect of evolving into a new or augmented force does not start with ‘what’ but with ‘whom.’ “You must have people who are passionate about what they do and who are willing to work on a team,” he added.
Pack counseled school security practitioners in the audience to drill down to the functions on campus that only the police department can perform as the basis for the needs evaluation. He also noted that most schools “don’t look at data beyond the annual crime report.” He urged them to collect data daily and to visualize that data to reveal patterns and trends. Pack also noted that earlier discussions among the three panelists led to the agreement that the divvying up of educational institution resources was “rapidly becoming a data-driven enterprise.”
Piedmont Community College is located in north central North Carolina and has two campuses: the Person County Campus in Roxboro, North Carolina, and the Caswell County Campus in Yanceyville, North Carolina. Bowers told the audience that for many years, the community college had relied on off-duty law enforcement officers to provide security at the school facilities. The continued growth of the college eventually made it more practicable to bring in contract security officers, dispatch, and account managers, but to have a proprietary management level. Brown said this allowed that layer of management to focus on specific issues to attack. For example, he noted, on-campus thefts have dropped by 30 percent. This proprietary management level could also deal with issues such as VIP and executive protection, and developing a security baseline for all facilities.
At Benedictine University in Lisle, Illinois, Salatino told attendees, it was decided from the top levels of administration that the school would have a police department with armed officers. His task was to find the right people to fill the positions. He said the candidates had to be state-certified peace officers with police skill sets, but they had to have come from a campus environment and not have been street cops. “We needed the warm and fuzzy,” he told attendees, explaining that he had assembled his force by recruiting from other universities with sworn police forces.
Before this, Benedictine University had contract officers. Many of these individuals, he said, still work on campus, but they are now in the roles of dispatchers and other positions of responsibility, such as running license plates and searching for warrants. He also needed mass communication specialists to be in charge of launching mass texts and e-mails, running the PA system in emergencies, and other duties.
Sharon Smith, president of Forensic Psycholinguistics, LLC, told attendees at Wednesday’s session “Early Warning System: Assessing Threatening Communications” that behavioral research she did in her years as a special agent with the FBI helped lead to the development of an algorithm that can analyze threatening language to determine whether the person doing the threatening is likely to act on the threats. These threats can turn into action in a variety of ways, from harassment and stalking to violence.
Using the Threat Triage system to determine the likelihood that the threatening individual would act can help maximize limited resources and protect people and property, said Smith.
The cases that went into the research all came from the FBI’s National Center for the Analysis of Violent Crime. There were 227 variables analyzed for their relationship with action. In 73 percent of the cases, no action was taken by the threatener. But in 12.5 percent of those “no action” cases, law enforcement intervened before action could be taken.
The research found that some indicators of increased risk in the communication analyzed were polite tone, romance, and contacting the target more than once. Some indicators of reduced risk are specifying weapons, paranoia, religious prejudice, and providing real return addresses.
The equation derived from the analysis of these threats and their outcomes helped Smith develop a risk assessment probability score that ranked threats as low, medium, and high. In the low risk category, which was accurate 93 percent of the time, nine out of 10 individuals will not take action on their threats. In the high-risk category, accurate 92 percent of the time, two out of three individuals will take action.