OPTEX iSeries Wireless Photobeam Detectors, Powered by Inovonics Wireless Technology, Awarded the 2017 SSI Security Solutions Award in Intrusion Detection

 

 

OPTEX, a global leader in indoor and outdoor security sensors, and Inovonics, an industry leader in high-performance wireless sensor networks for life safety applications, proudly announce that the OPTEX iSeries Wireless Photobeam Detectors, powered by Inovonics wireless technology, have recently been awarded the 2017 SSI Security Solutions Award, in the Intrusion Detection category. The announcement was formally made at the 63rd ASIS International Annual Seminar and Exhibits taking place Sept. 23-27 in Dallas, Texas.   The SSI Security Solutions Awards program distinguishes and spotlights manufacturers and vendors whose electronic security solutions have been proven in the field to meet security, safety, or other organizational needs for end users.   The winning iSeries Wireless Photobeam Detectors offer a battery-powered, wireless quad beam 350ft point-to-point perimeter solution that eliminates the need for trenching or cables, and meets the copper-theft proof and damage-resistant needs of a large electric power company. An Inovonics EN1941 wireless transmitter is also pre-installed, and includes a battery expansion option for up to ten years of battery life. As an award recipient, OPTEX will be profiled in the SSI’s annual December Technology Issue, and spotlighted online and through other electronic media.  Click here to see full press release.

Reposted from Business Matters

Establishing a safe working environment is not as easy as it seems. Creating a set of policies and getting them implemented is not always enough, mainly because of the complex challenges employers and employees now face.

At the same time, workplace safety is a serious and important issue to attend to and there are regulations put in place to make sure every workspace is as safe as it can be.

Aside from the general aspects of safety such as installing a sprinkler system to prevent fire hazards, there are small details that can also greatly influence safety at the office. We are going to take a look at the eight workplace safety details you must never neglect in this article.

An Orientation Program

The lack of a thorough safety orientation program is still noted as one of the most common causes of workplace accidents. An orientation program helps new employees get familiar with the company’s safety policies and objectives, which is why it is very important to have an orientation program in the first place.

Training sessions and refresher courses are also important. Proper training sessions can reduce work-related accidents by as much as 80% in many cases.

Documentation

Similar to improving other parts of the business, a company can improve its safety policies by learning from its mistakes. To be able to learn from your mistakes effectively, a logging or document system needs to be put in place.

Keep a register of all injuries and accidents in the workplace. Use the log to evaluate your safety policies and how they are implemented. You can even perform deeper analysis and compare data from one period to another. This way, keeping track of the company’s progress in providing employees with a safe working environment is easier to do.

Get Employees Involved

While company management makes the final decisions, employees are the ones actually facing challenges in the workplace. The best way to improve office safety is by letting employees get involved in the creation of the company’s safety policies.

It’s never too late to start hearing input from employees. The next time a safety audit or evaluation is due, get employees involved in the process. Don’t just listen to their input either. You need to act on the feedback you receive from employees, especially when the changes can help reduce workplace-related safety risks immediately.

Pay Attention to Electrical Safety

We rely on technology more and more these days. Computers are helping companies and their employees be more efficient in many ways. Intranet and the internet, along with good networking, are just as important, mainly because they allow faster and more effective communication.

The more electrical appliances a company uses, the more important electrical safety becomes. Malfunctioning electrical equipment doesn’t just pose risks to the company’s productivity level; it is also a risk to employee safety.

Networking cables, for example, must not be allowed to run across the floor unprotected. Exposed cables pose a serious trip hazard and can even cause fatalities. Good data cabling support is handy for keeping cables close to the ceiling. There are also desk cable management services to help keep every employee’s workspace safe and free of cluttered cables. If this is an issue that you know is present in your office, get in touch with support services such as ACCL who are a London based company that can install and maintain your system for you.

Information Security

Workplace safety in today’s modern world needs to cover more than just physical safety. The policies you put in place must also govern how to handle information security, especially since over 80% of today’s business operations are recorded and stored digitally.

Having a good backup procedure in place is a good start. You can save the company a world of trouble with the help of automated backups. Storing backups in remote locations – including in the cloud – also helps with restoring the company’s operations in the event of a catastrophic disaster.

Work Well-being

As mentioned earlier, safety policies are only as good as the way they are implemented. To get these policies implemented properly, you need the support of your employees. This can only be achieved when employees are focused and aware of their surroundings. This is where work well-being comes in.

In recent years, companies are starting to invest more in the comfort of their employees. An ergonomic chair, a suitable desk, and even facilities such as an on-site gym or a comfortable break room are there to help employees stay comfortable throughout the day. By keeping employees comfortable, you are helping them focus on the tasks at hand, including maintaining maximum office safety.

Use Signs and Instructions

Last, but certainly not least, don’t hesitate to use signs and safety instructions when necessary. Many companies, especially newer ones, don’t really install safety signs and instructions at the office because they tend to look formal and daunting.

You actually have a lot of freedom with the design and placement of safety instructions, so take advantage of simpler, more modern signs to remind employees about safety in the office. This too will help improve workspace safety by a substantial margin.

See Original Post

Reposted from Campus Safety Magazine

With the common denominator of IP networks as their backbone, building automation, security and, in particular, access control systems are increasingly coming together. The myriad data these systems put forth, often through a shared protocol such as BACnet or SNMP, make it possible to create not only a safe building, but a smarter and more energy-efficient one.

The intersection of energy savings with smart building objectives can often ride on the information supplied by access control data. By knowing the occupancy of a particular building or sector within a structure, captured through entry and/or exit readers, it becomes possible to implement heating and cooling, lighting and fresh air ventilation controls based on the number and location of individuals.

With heating and cooling systems, the best savings come in seldom-used areas, where the HVAC system can operate in standby mode, rather than being subjected to a particular on-off schedule.

While such an operation isn’t recommended for a large-scale system — you wouldn’t want to heat up the entire building for just one person coming in on a weekend — it can be advantageous in areas where occupancy minimums are more easily reached.

Access control systems can be programmed to control lighting circuits based on occupancy. Once a card is presented to the reader, the system can then begin turning on the appropriate lights based on where that person’s office is located.

And unlike motion sensors, which can also be used to control lights, there is no minimum “on” times with a programmed system, so once a person logs out, the lights go off.

Ventilation is another component of the energy-saving capabilities tied to access control. While the amount of fresh air in a building is governed by building codes, it is usually expressed in the amount of fresh air per minute per person.

So, if the number of people in an area can be measured via the access control system, then the amount of fresh air can be adjusted, saving the expense of conditioning that outside air.

Deploying access control data can also serve as a planning tool for future building projects, either within the existing structure or when considering expansion or reuse of a property.

Having the details on occupancy — who is onsite, what hours is the building most used, are there areas underused or too crowded? — can become a tool for bottom-line decisions about property expenses.

Likewise, such information can be used in day-to-day planning, such as knowing how many people are likely to be at work so security details, parking attendants and cafeteria workers can be scheduled accordingly.

And at locations where shared workspace is becoming more prevalent, access data can also help when assigning desks or conference rooms to individuals and groups.

Because of the interactive nature of today’s access control systems, employees can receive necessary information through the same system that is logging their comings and goings.

Touchscreens have the ability to provide messages, whether they are alerts about an urgent matter, notices about training programs, changes in company policy or just updates on events, such as a campus-wide or department-wide meeting.

Readers can also become tools for booking rooms or, through the use of a built-in intercom, communicating with security personnel in an emergency.

Mobile apps tied to access control add yet another layer to building automation by allowing users to remotely unlock doors, receive mobile alerts and provide two-factor authentication for access to higher security areas.

Apps now and into the future will likely get cardholders even more involved with the buildings, allowing them to provide instant feedback and notifications.

Additionally, the integration of video enhances both smart building capabilities and security by making alarms visually verifiable, which increases the safety of occupants by better assessing their location and situation.

Video can help reduce false alarms and utilizing video analytics can provide further data on building usage trends.

See Original Post

Reposted from ASIS

It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and Sharepoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.

An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.

“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.

“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”

Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. 

“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. All of those are the exercise of privilege.”

Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 Sans Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.

The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. 

“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”​

Insider Threat Programs

Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.

In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments,” according to the survey. “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”

Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. 

“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. “From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”

Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”

The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.

For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.

“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”

And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.

“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. 

Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.

Organizations are also struggling to deal with both malicious and accidental insider threats—a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.

To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. 

“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”​

Trusted People

When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.

“We ultimately want to bring some­body into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hope­fully the customers’ expectations. 

You want them to be agile, creative, and innovative.”

To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.

After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.

USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.

“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”

This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.

“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. 

For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.

“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”

To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.

She also recommends looking into any excessive federal court filings the prospective employee may have made.

“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.

Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.

“It’s not necessarily a case break­er, but you want to have the full perspect­ive of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.

Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. 

“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. 

Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.

And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.

“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.

It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. 

“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.

So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.

“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”

If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.​

Trusted Technology

Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.

“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”

These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. 

Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.

“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”

So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.

“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”

Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.

In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”

To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. “You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. 

Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. 

This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a Sharepoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.

“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”

Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. 

“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”

Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day, suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.

“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.  ​

Trusted Processes

To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.

While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”

To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. 

Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. 

Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. “Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”

The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.

For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. As a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.

“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.

Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.

“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”   

See Original Post

Reposted from The New York Times

A college freshman shot and killed a campus police officer at Texas Tech University in Lubbock on Monday night after the student was taken to the university police station for questioning in a drug-related case, the authorities said.

The on-campus shooting caused the authorities to put the university on lockdown as they searched for the student, who fled the station on foot and was identified by the university as Hollis A. Daniels, 19. The university’s Twitter account and online emergency-alert system urged those on campus to shelter in place starting at about 8:30 p.m. on Monday. Mr. Daniels was caught about an hour later, and the lockdown was lifted.

He was charged with evading arrest. Other charges were pending.

The episode began earlier Monday evening, when officers with the campus police department made a so-called student welfare check at Mr. Daniels’s room. The officers entered his room and found evidence of drugs and drug paraphernalia, according to a statement from a spokesman for the university, which is in West Texas. Officers took him to the police station for a “standard debriefing,” said the spokesman, Chris Cook. He then pulled out a gun and shot a campus officer in the head, killing the officer. The officer’s name was not immediately released.

Officials said a Texas Tech police officer later tackled Mr. Daniels as he fled near the Lubbock Municipal Coliseum and took him into custody, assisted by Lubbock officers. Mr. Daniels is from Seguin, a city nearly 40 miles east of San Antonio.

Classes were to resume as scheduled on Tuesday.

In a statement, Gov. Greg Abbott said he had spoken with Robert Duncan, the chancellor of the Texas Tech University System, and offered his condolences. “First and foremost, our hearts go out to the family of the police officer killed at Texas Tech University,” Mr. Abbott said in the statement.

See Original Post

Reposted from Total Security Daily Advisor

While mass shooting attacks in public places, offices, and on K–12 schools and college campuses are frequently in the news and more visible, a recent shooting at a city library offers a reminder of how these public facilities are vulnerable, because they can’t really pick their customers.

On August 28, 2017, a 16-year-old suspect walked into the Clovis-Carver, NM, public library and shot and killed two employees and wounded four others. He was arrested by police and gave them no motive for the attack. Like the June 2015 shootings at the Methodist Episcopalian Church in Charleston, SC, which were done by 21-year-old killer Dylan Roof, these incidents appear to be committed by depressed, disturbed young people with no connection to the organization or the people inside it at the time. These are “statement” murders, where the killer is attempting to show the world he is hurting, angry, or wanting to be recognized, even in a highly negative way.

Libraries, like other public places, can’t really pick who comes inside or controls their behavior, until it violates their code of conduct or breaks the law. Security officers are rare in most of the 99,000 libraries in the U.S., and the police presence is usually only there when they are called. Library staffers know that they deal with the homeless, mentally ill patrons, gang members, thieves, and drug takers and sellers. They often don’t know who these people are until they act out and by then, they can create fear, cause damage, or drive other members of the public away because they don’t feel the library is a safe place anymore. Like a church or other location that invites the public, library employees don’t know who may be armed with a gun or knife until that person displays a weapon.

Libraries with the best success for keeping patrons and staff safe follow these security guidelines:

• They have a posted code of conduct, which is visible in many parts of the facility and clearly spells out the rules of appropriate behavior for all patrons.
• They encourage their staffs to be firm, fair, consistent, and assertive when dealing with all patrons, but especially those who pose a security threat.
• They use proprietary or hire contract security companies to provide security officers, if not full-time, then to work during the busiest times of the day.
• They empower and encourage staff to call the police for those situations where a law enforcement presence is needed to enforce the law, preserve the peace, or make arrests for drug possession, theft of library or other patrons’ properties, fighting, panhandling, stalking behaviors, or making threats to staff or other patrons.
• They complete security incident reports to give to the library leadership, or the city or county attorneys for their agency, or to the police, to help document a pattern of a patron’s behavior over a span of time. This makes it easier to help the library get a civil restraining order against certain people who have assaulted or threatened staff or other patrons.
• The staff pays attention to the possible presence of weapons or firearms carried by patrons into the library and discusses when and if to call the police to investigate.
• They have trained their staff to follow the run-hide-fight national protocol for an active shooter or mass attacker. (In the Clovis shooting, the perpetrator allegedly told several people in the library, “Why aren’t you running? I’m shooting at you! Run!”)

See Original Post

Reposted from Security Magazine

The Battle of Thermopylae, also known as “The Hot Gates,” fought in 480 B.C. is often put in the context that 300 Spartans held off a huge Persian army. In reality, the 300 Spartans were not alone during the battle. Alongside of them fought Athenians, Thebes, Thespians, and a variety of other united Greek forces. All told, until the last day or so, the Greeks had a force of between 7,000 and 10,000 soldiers at Thermopylae. The key difference is that the Spartan warriors were bred as warriors – they were professional soldiers. The Athenians, Thebes and Thespians were soldiers, but most of them had other, full-time jobs, and fought in the army when they were called upon.

Your users are not Spartan warriors. They are developers, engineers, designers, craftsmen, lawyers, nurses and so on. They are not professional security geeks. They don’t think like hackers. Elevated security measures do not come naturally to most of these people. They all have real jobs to do which are NOT focused on information and cybersecurity.

Security awareness is important, and we cannot give it lip service. We cannot throw a bunch of generic security stuff in a set of slides and say, “Our users are trained.” The real world does not work that way. We cannot make everyone Spartan warriors.

So what do we do? We figure out an awareness program that works in our environment.

1. Create a security awareness program that is based in the organization’s environment. Use the words and language from your environment. If you call something “Confidential,” don’t call it “Proprietary” in your training. If you call your most valuable data your “sexy secrets,” don’t call it your “cool data” in the training. Better yet, if your cool data is actually your patient data, or your recordings of your creative conversations with Rock and Roll Buck Zumhoff, just say THAT. Talk about your own applications, data and systems with which your users are familiar.
2. Use examples. New ideas can be communicated very effectively by examples – kind of like a “show me.” But, use real-world examples. And by real-world examples, I mean examples from your own organization, in enough details that employees can recognize it is your organization. If you work at ACME Corp, don’t describe how something happened at Joe’s Hat, Boot and Shoe Factory, talk about something that happened at ACME Corp. Use real examples put in the context of your company. You want to make any examples as practical as you can. Avoid making things abstract to the extent possible.
3. Use real language. Your organization is not full of security geeks, so don’t say “failed authentication process.” Say “couldn’t log in” instead. Eliminate, or at least minimize, the technical and security jargon. Use the type of language your people use in their everyday lives.
4. Take it in small chunks. There have been plenty of studies done on how to effectively communicate new material. Many of them boil down to the same thing – human beings have limited attention spans, especially for new or unfamiliar material. What this really means is that five sessions of five minutes each is probably better than one 30 minute session and definitely better than one hour long session. Break your awareness/training program into manageable chunks – pieces that a user can easily go through in one sitting and think, “Well, that was painless.”
5. Understand that your awareness program is not a thing, it is a process. You need to reinforce messages through policy, email, internal videos, in staff meetings and any other media that works in your environment. Say the message. Repeat the message. Create a process which employees can, are welcome to, and are encouraged to revisit as much as they want. Set the expectation that the elements of the awareness program will be updated, and repeated on a regular basis.

One of the key elements to remember is that an awareness program really is not about “awareness.” An awareness program is about training and changing employee behavior enough that it increases your staff’s ability to consciously make more secure decisions. That is much more easily said than done.

Remember, you are not making security experts. That is why you have security geeks. You need employees to be good enough that they can help protect what is important to the organization. When you focus on their jobs, and what they do in their day to day activities, you are much better off – even more so if you can keep the security messages simple, and the security “geekiness” low.

See Original Post

Reposted from DL Online

When the Becker County Historical Society embarked on a $3.2 million fundraising campaign to build a new county museum last fall, they knew the need was urgent: The current facility, located at 714 Summit Ave., had developed significant structural issues, particularly with its leaking roof.

But this past week, it was once again illustrated just how critical this issue has become, as the museum's research library sustained "significant damage" from a leak that had expanded during a recent spate of rain, says the museum's executive director, Becky Mitchell.

"Public access to the research library will be very limited while we work to fix the damage," she added, noting that they are in the process of moving some stackable shelving into the research library area that will provide better protection for the books and other research materials that are stored there.

"We were gifted with this shelving by the county," said Mitchell, adding that the new shelves are stand-alone and do not need to be placed along the museum walls, which is where the water leaks have mainly occurred.

Because the shelving units are large and difficult to move from one location to another, they had hoped to save them for use in the new museum building — but this most recent water damage incident has changed their plans, Mitchell said.

"It's (moving the shelves) going to be quite a large undertaking, and the shelving units are going to take up a lot of space that we don't have," she added, "but keeping our research library materials and museum artifacts safe to the best of our ability is the priority."

While access to the research library will be restricted, those who need to access those resources will be able to do so.

"We encourage people who want to use our research library to call ahead and reserve a time," says Jennifer Johnson, the museum's research library director. "Also, if they can, please let us know ahead of time what they want to research, so I can pull the materials and have them ready to use when they arrive."

There has also been some water damage in the exhibit area on the museum's upper level, Mitchell said, so while all of the exhibits will remain open to the public, "some items will need to be assessed and possibly moved to off-site storage."

All of these actions are "temporary fixes," however — Mitchell says that the Historical Society has been working with the Detroit Lakes Community & Cultural Center, Chamber of Commerce, and representatives from both the City of Detroit Lakes and Becker County on developing a new construction plan for the museum building that will, hopefully, address some building and parking deficiencies for both the museum and the DLCCC.

"We hope to have a plan ready to be presented to our (Historical Society) members and (museum building project) donors in late October or early November," says Mitchell. "We want to see if it's a better alternative (than the original building plan) in terms of long-term sustainability."

The ultimate goal, Mitchell added, is "to come up with a plan that's going to carry us — not just the museum, but the community center and the (Historic Holmes) theater — through the end of our lifetimes. We want to build a facility that's not so large we can't afford it, but at the same time, is large enough to accommodate growth for the next 40-50 years.

"The historical society has been around since the late 1800s," she said. "We need to do everything we can to save what we have (i.e., research materials and artifacts) and make sure it's here for future generations."

See Original Post

Reposted from San Diego Union Tribune

All the other times the alarm tripped at the Fallbrook Gem & Mineral Museum, it was, well, a false alarm. Still, when the alarm notification came early that Sunday morning, treasurer Michael Palculich had to drag himself down to the building to reset it.

But this time would be different.

Palculich and his wife got to the museum on Alvarado Street, just west of Main Street, not long after 4 a.m. to find the wrought-iron security gate open and the glass doors behind it broken.

“We were shocked,” he said last week. “It was a crime scene at that point.”

Fallbrook Sheriff’s Detective Joel Couch said the thief or thieves who busted into the building on Sept. 10 smashed four glass display cases, grabbing a number of items.

Museum officials say they lost five notable pieces from the treasured tourmaline collection, including two remarkable 9-inch-long pink and green pieces from North County mines. One of them had been donated to the museum by a doctor years ago, in memory of his late wife.

“Why? Why would you take those things?” said Mary Fong/Walker, past vice president of the society that runs the museum.

The burglars, Fong/Walker said, “took the most iconic and valuable specimens” from the display of tourmaline mined in San Diego County. Also gone were 13 rough and cut sets. Some were tourmaline; the others included gems such as emerald, topaz and garnet.

“This is definitely not what anybody expected to happen, especially such a small museum in a sleepy town,” Fong/Walker said.

She said the Fallbrook Gem & Mineral Society has more than 100 members, and that she has been a part of the group for more than 25 years.

Fong/Walker, who works in the gem and mineral industry, declined to speculate on the monetary value of the five tourmaline pieces, which she said have been featured in special exhibits at mineral expositions around the world.

“You can’t put a price on something that is one of a kind,” she said.

Depending on the size and quality of the gemstones, they can fetch as little as a few dollars up to thousands of dollars.

News of the theft, she said, felt “kind of like having your heart ripped out of you.” There has never been a burglary — much less a smash-and-grab heist — at the museum. The place is run by volunteers, and Fong/Walker said everyone remains shocked by what happened.

“It’s such a big-hearted organization, and to violate that...” Fong/Walker said, trailing off.

Repairs have been made to the doors and display cases, but the free museum remains closed for now. It will reopen for the annual Fall Festival of Gems, a street fair right outside its doors, on Oct. 8.

Anyone with information about the burglary or missing pieces can call the Fallbrook substation at (760) 451-3100.

See Original Post

Reposted from Business Wire

Kaplan University and the International Foundation of Protection Officers (IFPO) announced a partnership that is designed to expand access to professional training and higher education for professional private security officers. The announcement was made at the ASIS International Seminar and Exhibits Conference in Dallas, Texas.

“While there are more than 2.2 million people employed in the security field, there are still not enough professionals to fill the increased demand for services,” said Sandi J. Davies, IFPO Executive Director. IFPO has trained more than 80,000 individuals who have graduated with IFPO certifications.

Through the partnership agreement, the Certified Protection Officer program (CPO) and Certified in Security Supervision and Management (CSSM) certifications offered through IFPO will translate into direct course credit that can be applied toward an associate’s or bachelor’s degree in criminal justice at Kaplan University. IFPO members will also be eligible for reduced tuition rates on courses at Kaplan University. Furthermore, Kaplan University students will be able to take the certification courses at a discounted rate.

“A partnership between IFPO and Kaplan University is an industry game-changer for the entire security industry. Education is now a critical element to the success of security officers at every level. IFPO certifications, combined with a higher education degree, work well together and provide an exponential return on investment for both the client and the community,” added Tom M. Conley, President and CEO of The Conley Group, Inc., a Des Moines, Iowa professional security services provider, and Immediate Past International Board Chair of IFPO.

Kaplan University courses are all available online providing the convenience and flexibility security officers, who typically work non-traditional hours, need in order to continue working while earning their degree.

Bryon Mills, Director of Public Sector Solutions at Kaplan who was present for the announcement, said, “A win-win partnership like this one with IFPO is what Kaplan University is best at. Providing a high-quality, affordable education for busy working professionals who need or want to earn their college credential and advance in their careers is core to our mission.”

See Original Post