An effective security program is a living thing. It is composed of many pieces of equipment, actions, policies and procedures, all of which interconnect and rely on each other to provide a comprehensive and effective program.
The collection of documents that together form the security program must be, by design and intent, focused on three primary missions: remedial measures, preventative measures and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization's actions both during and following specific events; and educate the organization on the roles specific groups play. Joachim Gloschat's presentation addresses all this and more as he explores what makes a successful physical security program.
4. “Working in security is doing God’s work as far as I am concerned. Security work is an opportunity to serve fellow man… There is nothing greater than saving lives.”
Dr. Ona Ekhomu, CPP
Security Management Magazine, March 2007
First Nigerian ASIS Certified Protection Professional
5. Background
Antiterrorism/Force Protection
2001 – US Corps of Engineers
2002 – Operation Enduring Freedom
2003 – Operation Iraqi Freedom
2004 – Security Management Solutions
○ Federal Energy Regulatory Commission
○ Association of State Dam Safety Officials
○ InterAgency Forum for Infrastructure Protection
8. Threat Dimensions
1. Non-linear/Asymmetrical
2. Off-the-shelf technology
3. WMD and mass casualties
4. Urban fights
5. Avoid decisive battle
Low Tech vs. High Tech; Urban vs. Rural fights
W. Foos, SMS
9. Physical Attacks
April 19, 1995 – Murrah Federal Building
Aug 7, 1998 – US Embassy Nairobi
Sept 11, 2001 – World Trade Centers
10. Physical Attacks
11 March 2004 – Madrid Train Bombings, Spain
Sept 2004 – Chechnya Rebels
11. Cyber Attacks
2003-2007 – TITAN RAIN
2006-present – SHADY RAT
2008 – DOD Classified and Unclassified Systems – Contaminated thumb drive
2010 – STUXNET
2011 – 50 DAYS OF LULZ
12. Cyber Attacks 2012
13.37 million records compromised
189 total breaches
NY Electric and Gas – 1.8m
Global Payments – 1.5m
CA Dept. of Child Support – 800k
Utah Dept. of Technical Services – 780k
16. How does a Security Program Work?
A Security Program protects assets or facilities against:
1. Theft
2. Sabotage
3. Malevolent human attacks
4. Natural Events
17. What does a Security Program Encompass?
1. Physical Security
2. Cyber Security
3. Personnel Security
4. Information Security
5. Business Continuity
6. Crisis Management
18. Three Components of a Security Program
Education:
1. R&D
2. SOPs
3. Emergency Response Plan
4. Physical Security Plans
5. Define, Establish, & Update HLS security procedures
6. Guard Contracts
Prevention:
1. Maintenance of Systems
2. Assessment – Evaluations
3. SOP Development
4. Integration of Security Operations
5. Training & Exercise of EAPs
6. Implementation of Heightened Security Procedures
Remediation:
1. Upgrading PPS
2. Upgrading Security Program
3. Responding to Incidents
4. Implementing Risk Reduction Recommendations
Security Documents: Threat Assessments, Vulnerability Study
W. Foos, SMS
19. Fundamentals of Security Integration
Policies, People, Procedures, Equipment: an effective Security Program ties it all together.
20. Security Program Measures
1. Preventative measures – Reduce the likelihood of an attack, delay the success of the attack, protect the assets or make them less vulnerable to compromise.
2. Detective measures – Discover the attack and activate corrective or mitigative action.
3. Corrective measures – Reduce the effects of an attack and restore normal operations.
W. Foos, SMS
21. What are the Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
23. Step One: Evaluation (Mission)
1. What do I buy?
2. What do I sell?
3. How do I produce it?
4. What components do I need to make what I make?
5. What does it take to get those components and deliver the finished product?
24. How Missions lead to Assets
Company Mission
Company Vision
License Requirements
Shareholder Mandates
Products of the facility
Vendors
Inventory System
Shipping and Receiving
Operational involvement & location of senior executives
W. Foos, SMS
25. Step One: Evaluation (Assets)
1. Physical
2. People
3. Knowledge
4. Information Technology
5. Clientele
6. Any activity that has a positive value to its owner
26. Step One: Evaluation (Consequences)
What would it take to disrupt operations?
What would it take to stop operations?
What would happen to the vendors, your company, your customers, if operations paused or ceased?
Who and what would be impacted?
32. Identifying the Design Basis Threat
Motivation
Capability
History and Behavior Patterns
Current Activity
Geographic Access
Organization & Numbers
Mobility
Technology/Tactics
RAM™
33. Design Basis Threat (Example)
Adversary Type: Militia/Paramilitary Terrorist Group
Motivation: Ideological/Political/Publicity
Group: Terrorist Cell – 2 to 7 persons – well organized
Tactics: Large scale sabotage
Equipment: Hand tools, construction equipment, 2-way radios
Weapons: Small handguns, rifles, submachine guns
Explosives: Vegan Jell-O, TNT or Equivalent Explosives
Transportation: Sport utility vehicles, all-terrain vehicles, vans, 4x4s, foot access
Intelligence gathering means: Surveillance, Internet research, public record review
Technical skills and knowledge: Sophisticated technical education
Financial resources: Assumed unlimited
Potential for collusion: Disgruntled or planted employee or contractor
RAM™
34. Intelligence Methods used by Adversaries
Open Source Research: FOIA, Internet, Public Domain Technical Reports
People: Informers, Intelligence Agents
Communications
Photographs / Surveillance
Trash
W. Foos, SMS
35. Step One: Evaluation (Security System Effectiveness)
Based on analysis of Assets and Threats, create Asset-Threat Pairings
Not every Asset is considered attractive to the same Threat
Every asset’s protection must be evaluated against its own Design Basis Threat
36. Basics of Security
1. Detect
2. Assess
3. Delay
4. Respond
5. Integration and Communication
37. Fundamentals of Security: Protection in Depth & Balanced Protection
Outer Perimeter
Intermediate Perimeter
Inner Perimeter
Exclusion Zone
Asset
(Diagram: concentric rings of protection around the Asset.)
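Slides 35 to 37 leave implicit how Detect, Assess, Delay and Respond combine across the rings, and why a pairing has to be scored against its own Design Basis Threat. The script below is an added worked example, not part of Gloschat's deck or the RAM methodology it cites. It assumes the usual adversary-timeline model for a physical protection system: a detection only counts if the delay still ahead of the adversary, from the layer where detection happens to the asset, is at least the response time (alarm assessment plus response force arrival). The innermost layer where that still holds is the critical detection point; everything inside it is too late. Detection probabilities, delays and the 400-second response time are constructed figures; the two adversary profiles differ only in the delay each ring imposes, because a cell with construction equipment (slide 33) gets through a fence far faster than one with hand tools.

```python
"""Adversary-timeline check for a layered physical protection system (PPS).

Model (assumed here, standard PPS evaluation logic, not from the slides):
the adversary penetrates each ring in turn, outer to inner. Each ring has a
probability of detecting the adversary and a delay it imposes. A detection is
timely only if the delay remaining from the start of that ring to the asset
is >= the response time (assessment + response force travel). The innermost
timely ring is the critical detection point (CDP).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Layer:
    name: str
    p_detect: float  # probability the adversary is detected while penetrating this ring
    delay_s: float   # seconds this ring holds up the design-basis adversary


def timely_layers(path: list[Layer], response_time_s: float) -> list[Layer]:
    """Rings where a detection still leaves the response force enough time.

    Walk inner-to-outer accumulating the delay between the start of each ring
    and the asset; a ring is timely when that remaining delay >= response time.
    """
    remaining = 0.0
    timely = []
    for layer in reversed(path):
        remaining += layer.delay_s
        if remaining >= response_time_s:
            timely.append(layer)
    timely.reverse()  # back to outer -> inner order
    return timely


def critical_detection_point(path: list[Layer], response_time_s: float) -> Optional[str]:
    """Name of the innermost ring at which detection is still timely, or None."""
    timely = timely_layers(path, response_time_s)
    return timely[-1].name if timely else None


def probability_of_interruption(path: list[Layer], response_time_s: float) -> float:
    """P(adversary detected at or before the CDP), treating rings as independent.

    Detection inside the CDP contributes nothing: the response arrives too late.
    """
    p_miss_all = 1.0
    for layer in timely_layers(path, response_time_s):
        p_miss_all *= 1.0 - layer.p_detect
    return 1.0 - p_miss_all


# Constructed sample data. The four rings follow slide 37; detection
# probabilities are identical in both profiles, only the delays differ.
HAND_TOOLS = [
    Layer("outer perimeter (fence + intrusion detection)", 0.5, 60),
    Layer("intermediate perimeter (lit clear zone, CCTV)", 0.9, 120),
    Layer("inner perimeter (building shell, alarmed doors)", 0.7, 90),
    Layer("exclusion zone (vault / server room)", 0.9, 300),
]
CONSTRUCTION_EQUIPMENT = [
    Layer("outer perimeter (fence + intrusion detection)", 0.5, 15),
    Layer("intermediate perimeter (lit clear zone, CCTV)", 0.9, 30),
    Layer("inner perimeter (building shell, alarmed doors)", 0.7, 60),
    Layer("exclusion zone (vault / server room)", 0.9, 300),
]
RESPONSE_TIME_S = 400  # assessment + response force arrival, constructed value


def evaluate(path: list[Layer], response_time_s: float) -> dict:
    """Score one asset-threat pairing: where detection must happen, and how likely it is."""
    return {
        "critical_detection_point": critical_detection_point(path, response_time_s),
        "p_interruption": round(probability_of_interruption(path, response_time_s), 3),
    }


if __name__ == "__main__":
    for label, path in (("hand tools", HAND_TOOLS),
                        ("construction equipment", CONSTRUCTION_EQUIPMENT)):
        print(label, evaluate(path, RESPONSE_TIME_S))
```

With hand tools the critical detection point is the intermediate perimeter and the system interrupts the attack with probability 0.95; the 0.9 sensors on the inner perimeter and exclusion zone add nothing, because by then fewer than 400 seconds of delay remain. Give the same cell construction equipment and the CDP moves out to the fence, where the only sensor that still counts detects half the time: the same asset, the same hardware, and a different answer, which is the point of pairing each asset with its own threat. Lengthening the response time past the total path delay drives the probability to zero, the failure mode the "Balanced Protection" heading warns about.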
38. What are the Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
39. Step Two: Establish
1. Fill in the gaps
2. Create what wasn’t there
3. Accept versus Reject Risk
4. Risk Reduction Measures
40. Three Components of a Security Program (repeat of slide 18: Education, Prevention, Remediation)
W. Foos, SMS
41. Security Policies and Procedures
Establish strategic security objectives and priorities for the organization
Identify personnel responsible for security functions
Identify the employee responsibilities
Should be aligned with the objectives of the organization
Should cover the following topics: People, Property, Information
42. What are the Steps Necessary?
1. Evaluate
2. Establish
3. Sustain
How we look at security has changed. How we look at security MUST change. Sometimes it is a conscious effort, sometimes it is a natural shift.
TITAN RAIN. Years: 2003-2007. Alleged source: China. Fallout: In 2004, U.S. federal investigators discovered an ongoing series of attacks penetrating the networks of the departments of Defense, State, Energy, and Homeland Security, as well as those of defense contractors, and downloading terabytes of data.
SHADY RAT. Years: 2006-present. Target: Dozens. Alleged source: China. Fallout: In 2011, McAfee reported the existence of a five-year-old hacking campaign it calls Shady RAT. It works by sending an email to an employee of a targeted organization, who then installs a “Trojan horse” on the computer after clicking an innocuous-looking attachment. The 49 victims include the International Olympic Committee, the United Nations, the Association of Southeast Asian Nations, companies in Japan, Switzerland, Britain, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India, and the governments of the United States, Taiwan, South Korea, Vietnam, and Canada. It has been called the biggest cyberattack of all time.
STUXNET. Year: 2010. Alleged source: Israel. Fallout: Discovered in June 2010, the Stuxnet worm exploits a vulnerability in Windows to attack Siemens industrial systems, such as those used in nuclear power plants. While systems in several countries, including the United States, were affected, Iran was the worst hit, with over 16,000 computers infected.
50 DAYS OF LULZ. Year: 2011. Alleged source: LulzSec. Fallout: In the spring and summer of 2011, a group of hackers calling itself LulzSec, associated with the online collective Anonymous, went on a tear, disabling and defacing a series of prominent websites. The group also took down CIA.gov at one point. In its biggest operation, LulzSec hacked into Sony PlayStation’s website, compromising the personal information of more than a million users.
The Greeks built a Horse that the Trojans brought into Troy. A 10 year war... the Trojans were very confident: we can become very comfortable with how we manage security.
The Horse was an emblem of Troy: the adversary or threat will often mimic or look familiar to us.
The Trojans brought the Horse into the city: our employees are often the carriers for the adversary.
There are a number of ways to look at the architecture of a Security Program. A security program is ideally a composite of many specific components. In this example, there are both proactive and reactive components.
As a security professional, what do you look for when you assess the quality and quantity of a security program? It should be composed of the following measures.
The key to a successful evaluation is a comprehensive, methodical and sequential process. Do not ever assume anything, as I learned early in my military career.
The very beginning of ANY Risk or Vulnerability Assessment should be to clearly understand the organization’s mission. Unless you understand what the organization makes, sells, brokers, etc. you will not have a starting point for identifying what or who is critical to those acts of making, selling, transporting, brokering, etc.
This is an obviously homemade graphic that represents the significance of Threat to all other aspects of Security. In the same way that a keystone holds an arch together, our knowledge of the relevant threat holds our Security Program together. Without that knowledge, the Program, like an arch with the keystone removed, collapses.
This can represent a physical security perimeter or it can represent a cyber security perimeter. The theory of layered protection and analysis is the same.
We have just completely and exhaustively analyzed our security program and system against the paired threat and have established where the gaps and deficiencies are, if any. Step Two begins with building up the existing system based on our findings during Step One: Evaluation. A critical part of establishing a viable security program is obtaining management’s decision on what level of risk they are willing to accept and which they are not. The risk they do NOT want to accept is what we take away and then return with measures designed to reduce that risk. To the chagrin of many security professionals, many decision makers make their accept-versus-reject decisions on the basis of cost versus benefit versus impact.
There are certain key points to keep in mind when an organization sets up and institutes security policies and procedures. Always have an objective or mission in mind when drafting SOPs. Always have a single Point of Contact: someBODY needs to be held responsible, not a department or branch or division. Ensure the SOPs cover the full spectrum of operations.
Once the program has been evaluated and the gaps and deficiencies filled in and fleshed out, the last step is sustaining the program. The best SOP is only as good, valid and pertinent as it is up to date. The best SOP is only as good as it is known and understood by the employees. The best access control system or alarm system is only as good as the personnel responsible for its operation. Get out there and build relationships with the community, Law Enforcement and task forces. And last, Step Three is really NOT the last step. Part of effective sustainment is constant reevaluation. Establish a program to regularly and periodically reassess your organization from Mission to Threat to Sustainment. Keep the program dynamic. Keep the people interested, educated and engaged!