Keys to a More Successful Physical Security Program
•Télécharger en tant que PPTX, PDF•
4 j'aime•2,258 vues
An effective security program is a living thing. It is comprised of a myriad of equipment, actions, policies, and procedures all of which interconnect and rely on each other in order to provide a comprehensive and effective program. The collection of documents, together forming the security program, must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization’s actions both during and following specific events; and, educate the organization on the specific roles specific groups play. Joachim Gloschat's presentation will address all this and more as he explores what makes a successful physical program security.
Recommandé
Contenu connexe
En vedette
En vedette (16)
Plus de EnergySec
Plus de EnergySec (20)
Dernier
Dernier (20)
Keys to a More Successful Physical Security Program
- 2. Background US Army Russian Cryptography Interceptor ○ 1984 to 1987 Mandarin Chinese Intelligence Officer ○ 1989 to 2001
- 3. Sept 11, 2001 World Trade Centers
- 4. “Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man…There is nothing greater than saving lives.” Dr. Ona Ekhomu, CPP Security Management Magazine, March 2007 First Nigerian ASIS Certified Protection Professional
- 5. Background Antiterrorism/Force Protection 2001 – US Corps of Engineers 2002 – Operation Enduring Freedom 2003 – Operation Iraqi Freedom 2004 – Security Management Solutions ○ Federal Energy Regulatory Commission ○ Association of State Dam Safety Officials ○ InterAgency Forum for Infrastructure Protection
- 6. Post 9/11
- 8. Threat Dimensions 1. Non-linear/Asymmetrical 2. Off-the-shelf technology 3. WMD and mass casualties Low Tech vs. High Tech Urban vs. Rural fights 4. Urban fights 5. Avoid decisive battle W. Foos, SMS
- 9. Physical Attacks April 19, 1995 Murrah Federal Aug 7, 1998 Sept 11, 2001 Building US Embassy Nairobi World Trade Centers
- 10. Physical Attacks 11 March 2004 Sept 2004 Madrid Train Bombings: Chechnya Rebels Spain
- 11. Cyber Attacks 2003-2007 - TITAN RAIN 2006-present - SHADY RAT 2008- DOD Classified and Unclassified Systems-Contaminated thumb drive 2010 - STUXNET 2011 - 50 DAYS OF LULZ
- 12. Cyber Attacks 2012 13.37 million recorded compromised 189 total breaches NY Electric and Gas 1.8m Global Payments 1.5m CA Dept. of Child Support 800k Utah Dept. of Technical Services 780k
- 13. W. Foos, SMS
- 15. Why is a Security Program so vital?
- 16. How does a Security Program Work? A Security Program protects assets or facilities against: 1. Theft 2. Sabotage 3. Malevolent human attacks 4. Natural Events
- 17. What does a Security Program Encompass? 1. Physical Security 2. Cyber Security 3. Personnel Security 4. Information Security 5. Business Continuity 6. Crisis Management
- 18. Three Components of a Education Security Program 1. R&D Remediation 2. SOPs 1. Upgrading PPS 3. Emergency Response Plan 2. Upgrading Security Program 4. Physical Security Plans Education 3. Responding to Incidents 5. Define, Establish, & Update 4. Implementing Risk Reduction HLS security procedures Recommendations 6. Guard Contracts Prevention Prevention Remediation 1. Maintenance of Systems 2. Assessment – Evaluations 3. SOP Development 4. Integration of Security Security Documents: Operations 5. Training & Exercise of EAPs -Threat Assessments 6. Implementation of - Vulnerability Study Heightened Security Procedures W. Foos, SMS
- 19. Fundamentals of Security Integration Policies People Procedures Equipment An Effective Security Program ties it all together.
- 20. Security Program Measures 1. Preventative measures – Reduce the likelihood of an attack, delay the success of the attack, protect the assets or make it less vulnerable of being compromised. 2. Detective measures – Discover the attack and activate corrective or mitigative action. 3. Corrective measures – Reduce the effects of an attack and restore to normal operations. W. Foos, SMS
- 21. What are The Steps Necessary? 1. Evaluate 2. Establish 3. Sustain
- 22. Step One: Evaluation 1. Mission 2. Assets 3. Consequences 4. Threats 5. Security System Effectiveness
- 23. Step One: Evaluation (Mission) 1. What do I buy? 2. What do I sell? 3. How do I produce it? 4. What components do I need to make what I make? 5. What does it take to get those components and deliver the finished product?
- 24. How Missions lead to Assets Company Mission Company Vision License Requirements Shareholder Mandates Products of the facility Vendors Inventory System Shipping and Receiving Operational involvement & location of senior executives W. Foos, SMS
- 25. Step One: Evaluation (Assets) 1. Physical 2. People 3. Knowledge 4. Information Technology 5. Clientele 6. Any activity that has a positive value to its owner
- 26. Step One: Evaluation (Consequences) What would it take to disrupt operations? What would it take to stop operations? What would happen to the vendors, your company, your customers, if operations paused or ceased? Who and What would be impacted?
- 27. Step One: Evaluation (Threat) The Security Program Arch THREAT
- 28. Step One: Evaluation (Threat) Natural Intentional Unintentional
- 29. W. Foos, SMS
- 30. Threat Categories Terrorists (CONUS Saboteurs or OCONUS) Criminals Ecological Cyber Threat Militia / Paramilitary Gangs Rogue Other Racist Insider(s) Extremist Group Vandals TM RAM
- 32. Identifying the Design Basis Threat Motivation Capability History and Behavior Patterns Current Activity Geographic Access Organization & Numbers Mobility Technology/ Tactics TM RAM
- 33. Design Basis Threat (Example) Adversary Type Militia/Paramilitary Terrorist Group Motivation Ideological/Political/Publicity Group Terrorist Cell - 2 to 7 persons – well organized Tactics Large scale sabotage Equipment Hand tools, construction equipment, 2-way radios Weapons Small handguns, rifles, submachine guns Explosives Vegan Jell-O, TNT or Equivalent Explosives Transportation Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access Intelligence Surveillance, Internet research, public record review gathering means Technical skills and Sophisticated technical education knowledge Financial resources Assumed unlimited Potential for collusion Disgruntled or planted employee or contractor TM RAM
- 34. Intelligence Methods used by Adversaries Open Source Research FOIA Internet Public Domain Technical Reports People Informers Intelligence Agents Communications Photographs / Surveillance Trash W. Foos, SMS
- 35. Step One: Evaluation (Security System Effectiveness) Based on analysis of Asset and Threats, create Asset-Threat Pairing Not every Asset is considered attractive to the same Threat Every asset’s protection must be evaluated against its own Design Basis Threat
- 36. Basics of Security 1. Detect 2. Assess 3. Delay 4. Respond 5. Integration and Communication
- 37. Fundamentals of Security Protection in Depth & Balanced Protection Outer Perimeter Intermediate Perimeter Inner Perimeter Exclusion Zone O Asset
- 38. What are The Steps Necessary? 1. Evaluate 2. Establish 3. Sustain
- 39. Step Two: Establish 1. Fill in the gaps 2. Create what wasn’t there 3. Accept versus Reject Risk 4. Risk Reduction Measures
- 40. Three Components of a Education Security Program 1. R&D Remediation 2. SOPs 1. Upgrading PPS 3. Emergency Response Plan 2. Upgrading Security Program 4. Physical Security Plans Education 3. Responding to Incidents 5. Define, Establish, & Update 4. Implementing Risk Reduction HLS security procedures Recommendations 6. Guard Contracts Prevention Prevention Remediation 1. Maintenance of Systems 2. Assessment – Evaluations 3. SOP Development 4. Integration of Security Security Documents: Operations 5. Training & Exercise of EAPs -Threat Assessments 6. Implementation of - Vulnerability Study Heightened Security Procedures W. Foos, SMS
- 41. Security Policies and Procedures Establish strategic security objectives and priorities for organization Identify personnel responsible for security functions Identify the employee responsibilities Should be aligned with the objectives of the organization Should cover the following topics - People - Property - Information
- 42. What are The Steps Necessary? 1. Evaluate 2. Establish 3. Sustain
- 43. Step Three: Sustain 1. Education 2. Exercises 3. Relationships 4. Reevaluation
Notes de l'éditeur
- L to Right:Dvorshak Dam, Mica Dam, Bonneville Dam
- How we look at security has changed. How we look at security MUST change. Sometimes it is a conscious effort, sometimes it is a natural shift.
- TITAN RAINYears: 2003-2007Alleged source: ChinaFallout: In 2004, U.S. federal investigators discovered an ongoing series of attacks penetrating the networks of the departments of Defense, State, Energy, and Homeland Security, as well as those of defense contractors, and downloading terabytes of data. SHADY RATYears: 2006-presentTarget: DozensAlleged source: ChinaFallout: In 2011, McAfee reported the existence of a five-year-old hacking campaign it calls Shady RAT. It works by sending an email to an employee of a targeted organization, who then installs a “Trojan horse” on the computer after clicking an innocuous-looking attachment. The 49 victims include the International Olympic Committee, the United Nations, the Association of Southeast Asian Nations, companies in Japan, Switzerland, Britain, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India, and the governments of United States, Taiwan, South Korea, Vietnam, and Canada. It has been called the biggest cyberattack of all time.STUXNETYear: 2010Alleged source: IsraelFallout: Discovered in June 2010, the Stuxnet worm exploits a vulnerability in Windows to attack Siemens industrial systems, such as those used in nuclear power plants. While systems in several countries, including the United States, were affected, Iran was the worst hit, with over 16,000 computers infected. 50 DAYS OF LULZYear: 2011Alleged source: LulzSecFallout: In the spring and summer of 2011, a group of hackers calling itself LulzSec, associated with the online collective Anonymous, went on a tear, disabling and defacing a series of prominent websites. The group also took down CIA.gov at one point. In its biggest operation, Lulzsec hacked into Sony PlayStation’s website, compromising the personal information of more than a million users.
- Greeks built a Horse that the Trojans brought into Troy.A 10 year war..the Trojans were very confident…………………..We can become very comfortable with how we manage securityThe Horse was an emblem of Troy…………………………………….The adversary or threat will often mimic or look familiar to usThe Trojans brought the Horse into the city………………………..Our employees are often the carriers for the adversary
- There is a number of ways to look at the architecture of a Security Program. A security program is ideally a composite of many specific components. In this example, there are both proactive and reactive components.
- As a security professional, what do you look for when you assess the quality and quantity of a security program? It should be composed of the following measures.
- The key to a successful evaluation is a comprehensive, methodical and sequential process. Do not ever assume something. As I learned early in my military career.
- The very beginning of ANY Risk or Vulnerability Assessment should be to clearly understand the organization’s mission. Unless you understand what the organization makes, sells, brokers, etc. you will not have a starting point for identifying what or who is critical to those acts of making, selling, transporting, brokering, etc.
- This is an obviously homemade graphic that represents the significance of Threat to all other aspects of Security. In the same way that a keystone holds an arch together, our knowledge of the relevant threat holds our Security Program together. Without that knowledge, the Program, like an arch with the keystone removed, collapse.
- This can represent a physical security perimeter or it can represent a cyber security perimeter. The theory of layered protection and analysis is the same.
- We have just completely and with much exhaustion, analyzed our security program and system against the paired threat and have established where the gaps and deficiencies are, if any.Step Two begins with the building up of the existing system based on our findings during Step One: Evaluation.A critical part of establishing a viable security program is obtaining management’s decision on what level of risk they are willing to accept and which they are not.The risk they do NOT want to accept is what we take away and then return with measures designed to reduce that risk. To the chagrin of many security professionals, many decision makers base their accept versus reject decisions based on cost versus benefit versus impact.
- There are certain key points to keep in mind when an organization sets up and institutes security policies and procedures.Always have an objective or mission in mind when drafting SOPsAlways have a single Point of Contact. SomeBODY needs to be held responsible, not a department or branch or division.Ensure the SOPs cover the full spectrum of operations.
- Once the program has been evaluated, the gaps and deficiencies filled in and flushed out, the last step is Sustaining the program. The best SOP is only as good and valid and pertinent as it is in date. The best SOP is only as good as it is known and understood by the employeesThe best access control system or alarm system is only as good as the personnel responsible for its operation.Get out there and build relationships with the community, Law Enforcement and task ForcesAnd last, Step three is really NOT the last step. Part of effective sustainment is constant reevaluation. Establish a program to regularly and periodically reassess your organization from Mission to Threat to Sustainment. Keep the program dynamic. Keep the people interested, educated and engaged!