Surveillance

 

 

https://adminsm.asisonline.org/Pages/Taking-Flight.aspxTaking FlightGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652018-05-01T04:00:00Zhttps://adminsm.asisonline.org/pages/lilly-chapa.aspx, Lilly Chapa<p>​In rural Grant County, Washington, public utility security personnel don't just protect remote substations—they help respond to the community's emergency calls. However, after one concerning encounter, it was clear something had to change—and security managers looked to the sky for solutions.</p><p>The Grant County Public Utilities Department (PUD) security leadership team gathered last March to review a disturbing incident from the previous night: a PUD security officer had responded to reports of a man seemingly under the influence firing a weapon indiscriminately in a nearby town. It's not unusual for PUD security personnel to respond to calls that do not pertain to the utilities because of the rural location and geography of the area, and that night the unarmed officer arrived at the scene of the disturbance before law enforcement. Fortunately, he was able to keep the man calm until police arrived, and the event ended without incident. Upon review, however, it was clear that the security officer could have been in harm's way.</p><p>"We have issues with people being on a substance, or domestic violence calls that we are first responders to, because law enforcement is a long way away," says Nick Weber, ​CPP, PSP, security manager for Grant County PUD. "We've had the patrol vehicle dented when residents kicked it, someone firing off weapons, and we just thought, 'how could we do this better?'" The team discussed solutions and initially joked about using a drone to mitigate problems. However, with more consideration, Weber said the idea began to gain traction. Using an off-the-shelf drone, the PUD could train its contract security officers to scope out a potentially perilous situation before endangering themselves, reducing response time. The drone could even be used for preemptive security assessments of the county's critical infrastructure.</p><p>"We had issues dealing with having unarmed security forces being placed into harm's way in order to solve issues related to the human environment, as well as looking for ways to better use our time and resources to conduct security assessments of substations, dams, and other critical buildings," says then physical security supervisor Brady Phelps, CPP, PSP. "We wanted to explore the challenges and opportunities that drones could present." Phelps—who now works as an auditor for the Western Electricity Coordinating Council—along with Weber and contract guard services account manager George Hainer began to flesh out the plan.​</p><h4>In the Industry</h4><p>The use of drones for security purposes is steadily picking up steam. As of summer 2016, more than 2,000 organizations had applied for commercial exemptions through the U.S. Federal Aviation Administration (FAA) to use drones for emergency management, security, or risk management, according to the Association for Unmanned Vehicle Systems International. And an IFSEC Global report notes that the international security market for drones will grow to $10 billion by 2020. </p><p>But applications for commercial exemptions don't lead to drone programs overnight, and Grant County PUD's security team was unaware of any other electric utility companies that used drones for emergency response augmentation. The Grant County Sheriff's Department had been using drones for investigations for about six months, and the PUD was able to turn to it for licensing advice later in the process, but first had to outline a program—and get buy-in.</p><p>"We were concerned about the optics that the security department is buying toys—other departments could complain because some of the things we do in security are cool and there's some jealousy," Hainer explains. "There were also concerns about wasting money. We talked with our boss and agreed we'd create strict usage policies, as well as safety and security standards, and went ahead with our budget to buy three hobby-level drones as a test."</p><p>While the potential for drones seems endless, Phelps stresses the importance of fully understanding their capabilities and limits to explain possibilities to those granting approval without making unrealistic promises. And while the drones were primarily going to be used for security operations, PUD wanted to share the wealth with other critical infrastructure departments in the county.</p><p>"Establishing that firm understanding of the drones' capability helped us go to other departments that have needs," Phelps explains. "We wanted to see how the line department could use it, how the dam could use it, so we went to their leadership and said that we have this tool and we want to share it. It eliminated those internal optics by showing that this is a tool for business and we'd like to help you solve problems. That went a long way to get buy-in from the whole organization."</p><p>As part of a demonstration, the PUD team worked with the county's dam department to conduct an assessment of an embankment via drone. What would normally take three or four hours and involve exposing workers to dangerous conditions took seven minutes and captured clear 4K video that allowed for easy assessment. ​</p><h4>Regulations and Beyond</h4><p>Before the PUD could begin deploying its drones regularly, it had to meet several criteria imposed by the U.S. government. Unlike individual hobbyists, organizations or public entities have to apply for commercial exemptions through the FAA. Additionally, PUD wanted the ability to fly the drones out of its line of sight and at night, which also required waivers. Another challenge was determining who was going to fly the drones—all operators must be certified by the FAA, which could be time consuming and would reduce the pool of people who could use the technology. "It's a big problem for some guards with no clue about airplanes and passing that test," Hainer notes.</p><p>After consulting with the Grant County Sheriff's Department, Hainer—who has previously held a private pilot's license—began the process to become FAA certified as the pilot in command for the team, allowing him to conduct flights and train others. PUD is still waiting on another FAA certificate that would allow the team to certify its own pilots. </p><p>During the extensive certifications process, another unforeseen challenge came up—the PUD contract security officers who typically respond to emergencies filed a grievance through their union that the drone program would take their work away. To address this issue, the PUD security team agreed that, in addition to Hainer, about 14 contract guards would be trained to operate the drones. "There's a great chance that they are going to need the drones more often than one of us internally," Hainer notes.</p><p>Weber detailed the team's efforts to assure executives that the program wouldn't be misused—one of the drones' greatest use cases might be one of its greatest challenges. One of PUD's key patrol zones is the land along either side of the Columbia River—a 50-mile stretch with only one public crossing.</p><p>"Murphy's Law tends to hold true in that patrol zone with reported incidents inordinately happening on the opposite side of the river from our patrol officer, making one or two miles away a 30-plus minute response time by vehicle," Weber notes. Responding to a call with a drone would allow security to gain situational awareness within 10 minutes and understand what kind of additional response might be needed. "Do we need to go and pick up trash or is it a violent felony?" he says.</p><p>However, one executive raised concerns about using the drones along the river during the high-volume summer months when they are most needed—what happens if a security officer decides to use a drone to follow around a boatful of teenage girls in bikinis?</p><p>"That's a valid concern," Hainer says. "There will be strict requirements for what kind of event would launch the drone, the creation of a flight plan, coordinating with Security Operations Center—especially near critical infrastructure. Every flight is going to have a lot of paperwork to make sure it's never misused." </p><p>PUD agreed to tightly restrict usage to situations where the drone would be significantly more efficient or keep personnel out of harm's way, Weber says. When a call comes in to the Security Operations Center, officials would need to document justification and a flight plan before dispatching a drone, as well as notify utilities if the flight path is within 400 meters of a power plant, transmission line, or substation. "These controls provide reasonable assurance to our senior leadership that the drones will only be operated by trained personnel and have a documented business purpose for each flight," Weber notes.</p><p>While the drone emergency response program is still in the early stages—PUD is waiting on the rest of the FAA certifications and waivers, and Hainer is training the guards on drone operation—the team has already begun to conduct safety assessments for itself and other departments, such as the dam assessment. </p><p>"Right now, we're using imagery via Google Earth for threat assessments and there's a lag on what's accurate—a couple areas don't have up-to-date imagery, and some others are low quality," Hainer notes. "We'd be launching the drone, using a program that compiles the aerial imagery for use in response plans and threat assessments, and it's much more accurate and higher quality."</p><p>Weber says that the team is most excited about the reduced response time and potential to keep security personnel safe, but the drone program will have more practical uses too. PUD plans on using drones to keep tabs on remote substations and transmission lines, instead of relying on costly cameras or roving vehicle surveillance. Phelps points out that drones can also be used to make sure that the sites remain compliant. </p><p>"We're one of the first groups in the electric industry to do this, and there's no roadmap," Weber says. "The sheriff's department has been a great help because they're six months ahead of us with their program, and our risk department that is in charge of insurance is comfortable with it because of all the benefits."</p><p>The team says it is pleased that the program will be launched in time for the busy summer months along the river, and staff members are looking forward to discovering what other applications drones have for both security and critical infrastructure.</p><p>"The limitations will be set not by the FAA, but by imagination," Hainer says. "Drones will provide a lot more opportunity than threat." </p>

Surveillance

 

 

https://adminsm.asisonline.org/Pages/Taking-Flight.aspx2018-05-01T04:00:00ZTaking Flight
https://adminsm.asisonline.org/Pages/Giving-Security-Credit.aspx2018-05-01T04:00:00ZGiving Security Credit
https://adminsm.asisonline.org/Pages/Book-Review---Surveillance-Zone.aspx2018-03-01T05:00:00ZBook Review: Surveillance Zone
https://adminsm.asisonline.org/Pages/Spot-the-Shots.aspx2018-02-01T05:00:00ZSpot the Shots
https://adminsm.asisonline.org/Pages/ENDURECE-BLANCOS-SUAVES-CON-PSIM.aspx2017-11-21T05:00:00ZENDURECE BLANCOS SUAVES CON PSIM
https://adminsm.asisonline.org/Pages/Subway-Surveillance.aspx2017-11-01T04:00:00ZSubway Surveillance
https://adminsm.asisonline.org/Pages/Harden-Soft-Targets-with-PSIM.aspx2017-10-23T04:00:00ZHarden Soft Targets with PSIM
https://adminsm.asisonline.org/Pages/Driving-a-Security-Transition.aspx2017-10-01T04:00:00ZDriving a Security Transition
https://adminsm.asisonline.org/Pages/House-Rules.aspx2017-09-01T04:00:00ZQ&A: House Rules
https://adminsm.asisonline.org/Pages/Interoperability-for-the-Safe-City-.aspx2017-08-21T04:00:00ZInteroperability for the Safe City
https://adminsm.asisonline.org/Pages/Surveillance-on-the-Fly.aspx2017-07-01T04:00:00ZSurveillance on the Fly
https://adminsm.asisonline.org/Pages/Healthy-and-Secure.aspx2017-07-01T04:00:00ZHealthy and Secure
https://adminsm.asisonline.org/Pages/On-Site-and-Cloud-Access-Control-Systems.aspx2017-05-22T04:00:00ZOn-Site and Cloud Access Control Systems
https://adminsm.asisonline.org/Pages/Surveillance-and-Stereotypes.aspx2017-04-01T04:00:00ZSurveillance and Stereotypes
https://adminsm.asisonline.org/Pages/The-Virtual-Lineup.aspx2017-02-01T05:00:00ZThe Virtual Lineup
https://adminsm.asisonline.org/Pages/Surveillance-is-Instrumental.aspx2017-02-01T05:00:00ZSurveillance is Instrumental
https://adminsm.asisonline.org/Pages/Wildlife-Trafficking.aspx2017-01-01T05:00:00ZWildlife Trafficking
https://adminsm.asisonline.org/Pages/Speedy-Surveillance.aspx2016-11-01T04:00:00ZSpeedy Surveillance
https://adminsm.asisonline.org/Pages/Reducción-de-la-Violencia-en-América-Latina.aspx2016-10-11T04:00:00ZReducción de la Violencia en América Latina
https://adminsm.asisonline.org/Pages/Guarding-A-Floating-Treasure.aspx2016-09-01T04:00:00ZGuarding A Floating Treasure

 You May Also Like...

 

 

https://adminsm.asisonline.org/Pages/case-study-a-wrinkle-time-0010139.aspxCase Study: Loss Prevention at Stew Leonard’s Farm Fresh Foods<p>In 1969, a Norwalk, Connecticut, dairy farmer named Stew Leonard had an epiph­­any: the milk delivery business was going to go the way of the horse and buggy. Leonard decided to found a small dairy shop with seven employees and carrying just eight items. The little market quickly grew into the world’s largest dairy store. Today, Stew Leonard’s Farm Fresh Foods are located in Norwalk, Danbury, and New­ington, Connecticut; and Yonk­ers, New York. It is a $300 million annual enterprise with approximately 2,000 employees.</p><p>The stores sell more than 6,000 items—everything from meats to wine to bakery goods to gifts—in a farmer’s market atmosphere where the primary rule is literally chiseled in stone on three-ton granite slabs parked at the entrance to each store: “The Customer is Always Right.” In addition to its commitments to customer service, Stew Leon­ard’s is regarded as the Disneyland of dairy stores because of its costumed characters, petting zoo, and animatronics. </p><p>The loss prevention (LP) department at Stew Leonard seeks creative solutions. It hasn’t gone so far as to use the company’s six-foot-tall dancing bananas as spy cams, but it has put into place an innovative video synopsis technology that enables security to save copious staff hours during investigations.</p><p>“We’re a relatively small security department with a significant enclave of cameras throughout our buildings,” says Bruce Kennedy, Stew Leonard’s director of LP and logistics. “We have close to 500 cameras in the network.” This becomes an issue when investigations of thefts, accidents, and other issues occur. “One investigation can take eight to 12 hours—especially if there is video involved,” he states.</p><p>About two years ago, the loss prevention team began looking for a solution to shorten the process of reviewing CCTV video. “We looked at the entire gamut of solutions…. We attended several trade shows, took a look at white papers on the Internet, and I spoke to a lot of my peers in the industry,” Kennedy recalls, adding that the solution they were seeking had to be “cost-feasible; it had to integrate seamlessly, and had to be easy to use—that was probably the most important thing.” </p><p> </p><p>LP evaluated all the technologies and narrowed it down to the two strongest con­tend­ers. “They were separated by extremes,” he says. “One involved sending the video to a third party to review and after a week or two, we’d get a response back. That was too long. We wanted to provide answers as quickly as we could.”</p><p>The other contender was BriefCam, by BriefCam Ltd. of Neve Ilan, Israel, an award-winning product suggested by an integrator who had worked with Stew Leonard’s on its CCTV system. (BriefCam was the winner of the 2011 ASIS International Accolades Award for Surveillance, as well as the 2010 Wall Street Journal Technology Innovation Award for Physical Security, and other honors.) </p><p>Kennedy contacted the company. “They were just starting to get a hold in the industry in the United States. They said, ‘Give us a try,’ and from the onset we saw the possibilities.”</p><p>BriefCam offers two solutions: BriefCam Video Synopsis (VS) Enterprise and VS Forensics, both of which use the same technology to allow video reviews to proceed at a greatly quickened pace. VS Enterprise can fully integrate with almost all IP cameras and digital video recorders (DVRs) or networked video recorders (NVRs). The software interface allows users to pull re­corded footage by specific dates and times; it then uses video-analytic software to compress the footage into a radically shortened synopsis. One hour of footage can be viewed in an average of one minute.</p><p>Kennedy explains that what he and his team see when they review the footage is a series of superimposed streams of activity—for example, if the camera feed is from a camera focused on the entrance to one of the Stew Leonard’s stores, the synopsis will show every customer or employee coming and going, each one with a time stamp following them along. “When we see something of interest, we click on the time stamp or the image,” he says. “BriefCam isolates that specific video stream.” </p><p> </p><p>Asked if the superimposed images are confusing, Kennedy responds that they are not, especially because in the majority of investigations the security staff already knows what to look for. “So, if we are looking for a customer in a red baseball cap, once we see him, we click on him, and everyone else goes away except that customer,” he states.</p><p>The BriefCam VS Forensics creates the same time-stamped synopses, but is a standalone, offline application that does not require integration with a DVR or NVR. Users import the video into VS For­ensics to create the time-compression synopses.</p><p>Kennedy decided to employ both the VS Enterprise and VS Forensics at Stew Leonard’s. The installation took place last autumn at all the stores and also at Stew Leonard’s Wine Stores, which is a legally separate entity that contracts the use of Stew Leonard’s name and human resources, public relations, loss prevention, and security services.</p><p>During integration, there were some technical kinks, “but the BriefCam staff were absolutely great,” he says. </p><p>“Early in the process,” he recalls, “as we spoke to vendors, we told them that we were looking for a partnership with Stew Leonard’s. This is not going to be a purchase and out-the-door kind of thing. We wanted to be able to call someone and get a response back to any critical issues we came across. They have come through on that.”</p><p>A BriefCam technical specialist worked with Stew Leonard’s IT department during the installation, placing the VS Enterprise software on the servers that operate the cameras covering critical areas, such as money rooms and cash registers. “Those are dialed directly into the software application so we can pull up synopses immediately,” Kennedy says. </p><p> </p><p>Synopses from noncritical cameras are created by VS Forensics on an as-needed basis, rather than being connected directly. “We can pull video from a specific camera, from any server we want, and we can export it—bring it into BriefCam VS Forensics…. It gives you the exact same synopsis as VS Enterprise will, there’s just an extra step in between.”</p><p>Ease of use was important to security, and Kennedy says the pair of solutions have not disappointed in that regard. “Within five to 10 minutes of sitting down with the product, [LP officers] were fully trained,” he states.</p><p>And after seven months of use, Ken­nedy couldn’t be more pleased. “It has worked very well. There have been a lot of successes with investigations we’ve done. We’ve also used it in nonconventional LP aspects of business. For example, it is deployed at some of our wine stores; and we use it there for marketing purposes, product flow, customer flow, and to monitor activity during tastings. We give our feedback to non-LP folks, the marketers, and the buyers,” he says.</p><p>Kennedy also states that VS Enterprise and VS Forensics “have already paid for themselves. Return on investment was in less than six months.”<br><em><br>(For more information: BriefCam, Ltd.; e-mail: info@briefcam.com; Web: <a title="www.briefcam.com" href="http://www.briefcam.com/"><span style="text-decoration:underline;"><font color="#0066cc">www.briefcam.com</font></span></a>)</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/cctv-panacea-or-problem-004444.aspxCCTV: Panacea or Problem<p>Closed-circuit television (CCTV) is the most vibrant color on the security engineer’s and integrator’s palette, but it can also be the most wasteful.  It all hinges on whether you understand its limitations.  I’ve designed, specified, or surveyed hundred’s of CCTV systems and, in my opinion, from 25% to 50% of video cameras represent wasted money, depending on the application. In some cases, there are serious hidden legal liabilities.</p><p>CCTV sales exploded after 9-11.  No one has definitive numbers and industry-generated estimates vary wildly, but annual revenues from CCTV sales are likely to range from $1.3 to $2.4 billion.</p><p>According to Security Sales & Integration Annual Installation Business Report (2006), CCTV installations experienced the second highest increase ever recorded.  (The highest was in 2003, a little more than a year after 9-11.)  Moreover, companies reported average gross profit margins of 39%. That’s pretty good.</p><p>Schools are not the largest market by any means, but they are the most troubling. There is a virtual pandemic of schools installing video cameras willy-nilly in the aftermath of Columbine and Virginia Tech. The lay public, unfortunately, doesn’t understand the technology and ignorantly believes that the simple act of installing cameras stops crime.  Cash-starved high schools, in particular, may be choosing video surveillance over higher teacher pay, text books, or afterschool programs for students.  CCTV is a superb investigative tool after something terrible occurs, but then again, the identification of the shooters in the recent incidents at schools didn’t require video to identify the perpetrators.  With very few exceptions, it is almost a useless tool to prevent serious crimes in most schools because they rarely—if ever—have the staff to effectively monitor the cameras. Too often, the monitors are tucked beneath the counter at the main reception desk.</p><p>I recall a marketing interview I had with a major New England university.  I told their chief of security and the consultant selection committee that they were planning to buy many more cameras than they needed. I didn’t get that job. It’s not what he wanted to hear.</p><p class="MsoNormal" style="line-height:200%;"> <strong>Crime Prevention Pitfalls</strong></p><p>Video is ineffectual because it only has crime prevention value under two circumstances: a human continuously monitors it and can call on an almost instantaneous response when a crime occurs.  Few organizations (save the CIA and similar high-security facilities) have the resources to effectively implement these two prerequisites. </p><p>In addition to the potentially exorbitant costs of buying and installing a full coverage video system, the consequent life-cycle costs (labor, repair, and maintenance costs) are massive over time if the video system is properly managed. The alertness of security console operators peaks in 20 minutes, according to many studies.  It is necessary to change monitoring duties every two hours for optimal surveillance—hence, the very high labor costs.  Moreover, a human can’t efficiently and reliably watch more than 9 to 12 monitors—let alone the dozens of monitors that can be found at some security monitoring centers. There is a paradox at play. CCTV is potentially the most valuable security resource as well as the most misused and wasteful.  It is the familiar story of having too much of a good thing. </p><p>Getting back to cost, as a rule of thumb, each indoor camera averages $1500 (as a complete, installed cost, including power, wire, and conduit) and each outdoor camera, $3500.  If all the bells and whistles are added, per camera costs for outdoor, day/night units can easily approach $9,800 per position and up to $60,000 for very exotic capabilities and for very difficult locations. For a very large school, university, hospital, shopping mall, parking garage, or office building, the final costs for complete video systems can range from hundreds of thousands to millions of dollars. Sometimes these expenditures are like flushing money down a toilet.</p><p>To put what I have been saying into a useful context, a very short tutorial is called for.  CCTV serves three primary functions: perform surveillance; support post-incident investigations, including identification; and automate a function, such as at remotely controlled doors or vehicle entrances. It has momentous value for crime investigation.  Most organizations, however, purchase video systems with the generally unrealistic expectations that it will prevent crime. Often, they have little understanding of security console operations or ergonomics.</p><p>There are some interesting and growing secondary applications that are mostly benign.  The increasing popularity of “nanny cams” is well known. The use of CCTV to catch red light runners at busy intersections, to read license plates at tollbooths and airport parking garages, and to catch speeders is also common now.  Similarly, video cameras can reduce bad behavior on school buses. Cameras also work well for law enforcement sting operations. Police park a “bait” automobile in an area known for high incidents of car theft and car-jackings.  When the miscreant enters the vehicle, the police can remotely lock the doors and record the event on video. But as valuable as these various uses are, these kinds of applications rarely involve thwarting serious crimes. Moreover, they document a crime; they don’t prevent it.</p><p>The use of CCTV in conjunction with very sophisticated facial recognition software is an interesting case study.  Every city that has installed these extremely expensive systems, such as Tampa and Virginia Beach, eventually shut them down.  Facial recognition isn’t ready for prime time yet. This new technology fits the same pattern: the consumer does not understand the limitations of unfamiliar technology.</p><p class="MsoNormal" style="line-height:200%;"><strong>CCTV in Public Places</strong></p><p>The installation of massive video nets in public spaces is another mounting trend, especially in light of the remarkable success the British had on several occasions in identifying and then tracking suspected terrorists after an attack.  Bear in mind that the United Kingdom has 4.2 million CCTV cameras in place.  There is a camera for every 14 people and an average Londoner is seen on camera 300 times each day.  The United States isn’t even close to that kind of surveillance saturation on a per capita basis, but we’re catching up fast. City after city is embarking on public video surveillance programs. By some accounts, downtown Manhattan already has 4,200 public and private sector video cameras. The NYPD would like to install 3,000 new cameras by the end of 2008. Police departments in Baltimore, Hollywood, Houston, Memphis, Newark, San Diego, Tampa, Virginia Beach, Washington, D.C., and in many other cities are installing video cameras and connecting to feeds from private sector CCTV systems. This is a great idea if the objective is to support post-incident investigations. Whether these systems contribute to crime reduction is still controversial—and in my view, dubious.</p><p>With the recent Federal trend toward design-build contracts, government bodies at all levels typically uses companies that sell and install video systems to determine how much CCTV they need, rather than impartial security engineers and consultants. It’s not exactly a surprise that these companies want to sell and install as many CCTV systems as they possibly can. Moreover, this is a partial explanation of the exponential growth of citywide video systems. Yet another reason for this growth is the ever-mounting pressure from the Department of Homeland Security for more and more video. Bear in mind that the British didn’t prevent any of their terrorist attacks as a result of video surveillance.  Could it happen in the future? Sure, even a blind hog can find an acorn now and then.</p><p>The effectiveness of CCTV in public spaces to reduce crime is counterintuitive and controversial. It is not at all clear that crime rates are reduced. Some criminologists think that crime is only displaced by video systems.  When studies do claim CCTV does reduce crime, the reduction is usually marginal.</p><p>In 1995, a study was conducted to determine the deterrent value of various crime prevention factors for convenience stores. These variables included how much cash was kept on site, retreat distance, police patrolling, an armed clerk, and so forth. The researcher interviewed robbers and asked them to rank the most important factors in deciding whether or not to commit the robbery. Of 11 factors, a camera system ranked tenth and video recording, eleventh. These findings were compared to a similar study that was conducted in 1985: the rankings had hardly changed. The finding was also similar to the results from a study completed in the 1970s.  The top two reasons a robber would decide against holding up a store were too little money kept on site and a long or complicated escape route.</p><p>Another phenomenon that could be at play in determining if CCTV deters crime is something called the Hawthorne Effect (or variously, the Westinghouse Effect), a term coined by a study conducted in 1939 at the Hawthorne Plant of Western Electric Company. Efficiency experts wanted to determine the optimal working conditions for maximum production.  Among various techniques, the researchers found that increasing lighting increased production. But there was a surprise. When they later reduced lighting levels to bracket peak efficiency—to the point that workers couldn’t see (some even brought in lamps from home)—production still increased. The explanation is a variant of the famous Heisenberg Uncertainty Principle, well known to Star Trek fans. The Principle states that “the act of observing alters that which is being observed.”  This can occur in various ways. There may be direct interference. There can be unconscious bias in reading or collecting the data. There can be factors interacting with the situation that are undiscovered.</p><p>Washington, D.C., conducted a number of lighting studies following the city-wide riots in April 1968 following the Martin Luther King Jr. assassination.  They wanted to learn what type of lighting was best to fight crime: low-pressure sodium, high-pressure sodium, mercury vapor, metal halides, etc. The study seemed to demonstrate that all lighting reduced crime.</p><p>It wasn’t until years later when the results were scrubbed by social psychologists and criminologists that the results became suspect.  Was it the lighting or was it because squad cars were parked on every street to observe the effects? Or, were police officers subconsciously (or consciously) motivated to underreport crime if their performance was being evaluated?  Which played the greatest role? That notwithstanding, few authorities would dispute the conclusion that lighting (and CCTV) can effectively displace crime. </p><p>Displacement is a very good thing if you happen to live or work in a high crime area.  It’s not such a good thing if you live in the area the crime is moving to. The chief question is, “Does CCTV actually reduce crime?” City politicians are more than willing to glom onto crime statistics to suggest that this or that program they championed reduced crime. When crime reductions do occur, a pantheon of factors likely causes the decline. The state of the local and national economy, for example, plays a major role.</p><p><strong>Civil Liberty and Liability Concerns</strong>.There is another very important question that some people feel very strongly, if not fanatically, about. Does saturation video surveillance in public areas violate the right to privacy? Or, is it a Fourth Amendment issue, which governs against unreasonable searches and seizures? The U.S. Supreme Court  in United States vs. Knotts  put part of this matter to bed by determining that surveillance was constitutional when conducted in areas where there should be no expectation of privacy.  However, the other shoe still hasn’t dropped.  Does CCTV surveillance represent unreasonable search? Ever? Sometimes?  Most authorities believe that the Supreme Court will continue to rule in favor of public video surveillance, but it isn’t a dead issue.</p><p>Legal liability is yet another volatile issue related to video surveillance. In our ever litigious society being a crime victim (or faking it) can sometimes be like winning the lottery. Negligent security torts are common and increasing in frequency.  The lawsuits spawned by the 1993 attack on the World Trade Center in Manhattan were only finally settled earlier this year—14 years later. The defendants paid millions. Lawsuits pertaining to the 9-11 attacks are going to the courts now.</p><p>Sometimes lawsuits are, and will be, deserving, because there is true gross negligence at work. I know of one smallish company that couldn’t afford a complete video surveillance system, so they only purchased the cameras.  There were no wires or monitors.  The idea was that the sight of the cameras along the roofline watching a dark and unfenced employee parking lot would deter theft, robbery, and rape. If someone is assaulted in spite of the cameras, someone at that company should not only pay the future victims handsomely; they should probably go to jail.</p><p>Despite their many limitations and problems, CCTV systems can also be an extremely powerful weapon in the security arsenal.  It is of critical importance in a post-incident criminal investigation: sometimes it provides the only clues available to law enforcement. The British success in identifying and then finding terrorists is phenomenal. </p><p>Video can support other important uses as well.  Security guards can do virtual tours of a large building or outdoor area without leaving the guard booth. Some cameras can see in the dark.  If you are using an access card to unlock a door on a cold, rainy night, and if for some reason it doesn’t unlock, the availability of an intercom and a camera showing you to a security guard is priceless. License-plate readers have been a boon to toll booth operators and small towns needing more revenue from speeders and red light runners. Now that technology has taken us to digital video and IP-networked surveillance, the varying applications for CCTV are spectacular. The key for security managers is to understand the system’s limitations so they choose the right system for their organization, without squandering too many resources and without making grandiose claims that only create a false sense of security.</p><hr width="100%" size="2" /><p>John J. Strauchs, CPP, is Senior Principal of Strauchs LLC.</p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465
https://adminsm.asisonline.org/Pages/The-Unique-Threat-of-Insiders.aspxThe Unique Threat of Insiders<p>​It’s perhaps the most infamous incident of an insider threat in modern times. During the spring and summer of 2013, then-National Security Agency (NSA) contractor and Sharepoint administrator Edward Snowden downloaded thousands of documents about the NSA’s telephone metadata mass surveillance program onto USB drives, booked a flight to Hong Kong, and leaked those documents to the media.</p><p>An international manhunt was launched, Snowden fled to Moscow, hearings were held in the U.S. Congress, and new policies were created to prevent another insider breach. The damage a trusted insider can do to an organization became painfully obvious.</p><p>“If you’d asked me in the spring of 2013…what’s the state of your defense of the business proposition as it validates the technology, people, and procedures? I would have said, ‘Good. Not perfect,’” said Chris Inglis, former deputy director and senior civilian leader of the NSA during the Snowden leaks, in a presentation at the 2017 RSA Conference in San Francisco.</p><p>“I would have said that ‘we believe, given our origins and foundations, and folks from information assurance, that that’s a necessary accommodation,” he explained. “We make it such that this architecture—people, procedure, and technology—is defensible.”</p><p>Inglis also would have said that the NSA vetted insiders to ensure trustworthiness, gave them authority to conduct their jobs, and followed up with them if they exceeded that authority—intentionally or unintentionally—to remediate it. </p><p>“We made a critical mistake. We assumed that outsider external threats were different in kind than insider threats,” Inglis said. “My view today is they are exactly the same. All of those are the exercise of privilege.”</p><p>Inglis’ perspective mirrors similar findings from the recent SANS survey Defending Against the Wrong Enemy: 2017 Sans Insider Threat Survey by Eric Cole, SANS faculty fellow and former CTO of McAfee and chief scientist at Lockheed Martin.</p><p>The SANS survey of organizations with 100 to 100,000 employees found that it can be easy to conclude that external attacks should be the main focus for organizations. </p><p>“This conclusion would be wrong. The critical element is not the source of a threat, but its potential for damage,” Cole wrote. “Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.”​</p><h4>Insider Threat Programs</h4><p>Incidents like the Snowden leaks and the more recent case of Harold Thomas Martin III, an NSA contractor accused of taking top secret information home with him, along with other incidents of economic espionage have raised awareness of the impact insider threats can have. However, many organizations have not adjusted their security posture to mitigate those threats.</p><p>In its survey, SANS found that organizations recognize insider threat as the “most potentially damaging component of their individual threat environments,” according to the survey. “Interestingly, there is little indication that most organizations have realigned budgets and staff to coincide with that recognition.”</p><p>Of the organizations surveyed, 49 percent said they are in the process of creating an insider threat program, but 31 percent still do not have a plan and are not addressing insider threats through such a plan. </p><p>“Unfortunately, organizations that lack effective insider threat programs are also unable to detect attacks in a timely manner, which makes the connection difficult to quantify,” SANS found. “From experience, however, there is a direct correlation between entities that ignore the problem and those that have major incidents.”</p><p>Additionally, because many are not monitoring for insider threats, most organizations claim that they have never experienced an insider threat. “More than 60 percent of the respondents claim they have never experienced an insider threat attack,” Cole wrote. “This result is very misleading. It is important to note that 38 percent of the respondents said they do not have effective ways to detect insider attacks, meaning the real problem may be that organizations are not properly detecting insider threats, not that they are not happening.”</p><p>The survey also found that the losses from insider threats are relatively unknown because they are not monitored or detected. Due to this, organizations cannot put losses from insider threats into financial terms and may not devote resources to addressing the issue, making it difficult or impossible to determine the cost of an insider attack.</p><p>For instance, an insider could steal intellectual property and product plans and sell them to a competitor without being detected.</p><p>“Subsequent failure of that product might be attributed to market conditions or other factors, rather than someone ‘stealing it,’” Cole wrote. “Many organizations, in my experience, are likely to blame external factors and only discover after detailed investigation that the true cause is linked back to an insider.”</p><p>And when organizations do discover that an insider attack has occurred, most have no formal internal incident response plan to address it.</p><p>“Despite recognition of insiders as a common and vulnerable point of attack, fewer than 20 percent of respondents reported having a formal incident response plan that deals with insider threat,” according to the SANS survey. </p><p>Instead, most incident response plans are focused on external threats, Cole wrote, which may explain why companies struggle to respond to insider threats.</p><p>Organizations are also struggling to deal with both malicious and accidental insider threats—a legitimate user whose credentials were stolen or who has been manipulated into giving an external attacker access to the organization. “Unintentional insider involvement can pose a greater risk, and considerably more damage, by allowing adversaries to sneak into a network undetected,” the survey found. “Lack of visibility and monitoring capability are possible explanations for the emphasis on malicious insiders.</p><p>To begin to address these vulnerabilities, SANS recommends that organizations identify their most critical data, determine who has access to that data, and restrict access to only those who need it. Then, organizations should focus on increasing visibility into users’ behavior to be proactive about insider threats. </p><p>“We were surprised to see 60 percent of respondents say they had not experienced an insider attack,” said Cole in a press release. “While the confidence is great, the rest of our survey data illustrates organizations are still not quite effective at proactively detecting insider threats, and that increased focus on individuals’ behaviors will result in better early detection and remediation.”​</p><h4>Trusted People</h4><p>When the NSA recruits and hires people, it vets them thoroughly to ensure their trustworthiness, according to Inglis.</p><p>“We ultimately want to bring some­body into the enterprise who we can trust, give them some authority to operate within an envelope that doesn’t monitor their tests item by item,” he explained. “Why? Because it’s within that envelope that they can exceed your expectations and the adversary’s expectations, your competitors’ expectations, and hope­fully the customers’ expectations. </p><p>You want them to be agile, creative, and innovative.”</p><p>To do this, the NSA would go to great lengths to find people with technical ability and possible trustworthiness. Then it or a third party would vet them, looking at their finances and their background, conducting interviews with people who knew them, and requiring polygraph examinations.</p><p>After the Snowden leaks, the U.S. federal government examined the work of its contract background screening firm—United States Investigations Services (USIS). USIS had cleared both Snowden and the Washington Navy Yard shooter Aaron Alexis. The government decided to reduce its contracted work with the company.</p><p>USIS later agreed to pay $30 million to settle U.S. federal fraud charges, forgoing payments that it was owed by the U.S. Office of Personnel Management for conducting background checks. The charges included carrying out a plot to “flush” or “dump” individual cases that it deemed to be low level to meet internal USIS goals, according to The Hill’s coverage of the case.</p><p>“Shortcuts taken by any company that we have entrusted to conduct background investigations of future and current federal employees are unacceptable,” said Benjamin Mizer, then head of the U.S. Department of Justice’s Civil Division, in a statement. “The Justice Department will ensure that those who do business with the government provide all of the services for which we bargained.”</p><p>This part of the process—vetting potential employees and conducting background checks—is where many private companies go wrong, according to Sandra Stibbards, owner and president of Camelot Investigations and chair of the ASIS International Investigations Council.</p><p>“What I’ve come across many times is companies are not doing thorough backgrounds, even if they think they are doing a background check—they are not doing it properly,” she says. </p><p>For instance, many companies will hire a background screening agency to do a check on a prospective employee. The agency, Stibbards says, will often say it’s doing a national criminal search when really it’s just running a name through a database that has access to U.S. state and county criminal and court records that are online.</p><p>“But the majority of counties and states don’t have their criminal records accessible online,” she adds. “To really be aware of the people that you’re getting and the problem with the human element, you need to have somebody who specializes and you need to…invest the money in doing proper background checks.”</p><p>To do this, a company should have prospective employees sign a waiver that informs them that it will be conducting a background check on them. This check, Stibbards says, should involve looking at criminal records in every county and state the individual has lived in, many of which will need to be visited in person.</p><p>She also recommends looking into any excessive federal court filings the prospective employee may have made.</p><p>“I’ll look for civil litigation, especially in the federal court because you get people that are listed as a plaintiff and they are filing suits against companies for civil rights discrimination, or something like that, so they can burn the company and get money out of it,” Stibbards adds.</p><p>Additionally, Stibbards suggests looking for judgments, tax liens, and bankruptcies, because that gives her perspective on whether a person is reliable and dependable.</p><p>“It’s not necessarily a case break­er, but you want to have the full perspect­ive of if this person is capable of managing themselves, because if they are not capable of managing themselves, they may not make the greatest employee,” she says.</p><p>Companies should ensure that their background screenings also investigate the publicly available social media presence of potential employees. Companies can include information about this part of the process in the waiver that applicants sign agreeing to a background check to avoid legal complications later on. </p><p>“I’m going to be going online to see if I see chatter about them, or if they chat a lot, make comments on posts that maybe are inappropriate, if they maintain Facebook, LinkedIn, and Twitter,” Stibbards says. </p><p>Posting frequently to social media might be a red flag. “If you find somebody on Facebook that’s posting seven, eight, nine, or 10 times a day, this is a trigger point because social media is more important to them than anything else they are doing,” Stibbards adds.</p><p>And just because a prospective employee is hired doesn’t mean that the company should discontinue monitoring his or her social media. While ongoing review is typically a routine measure, it can lead to disciplinary action for an employee who made it through the initial vetting process. For instance, Stibbards was hired by a firm to investigate an employee after the company had some misgivings about certain behaviors.</p><p>“Not only did we find criminal records that weren’t reported, but we then found social media that indicated that the employee was basically a gang member—pictures of guns and the whole bit,” Stibbards says.</p><p>It’s also critical, once a new employee has been brought on board, to introduce him or her to the culture of the organization—an aspect that was missing in Snowden’s onboarding process, Inglis said. This is because, as a contractor working for the NSA, regulations prohibited the U.S. government from training him. </p><p>“You show up as a commodity on whatever day you show up, and you’re supposed to sit down, do your work—sit down, shut up, and color within the lines,” Inglis explained.</p><p>So on Snowden’s first day at the NSA, he was not taken to the NSA Museum like other employees and taught about the agency’s history, the meaning of the oath new employees take, and the contributions the NSA makes to the United States.</p><p>“Hopefully there are no dry eyes at that moment in time, having had a history lesson laying out the sense of the vitality and importance of this organization going forward,” Inglis explained. “We don’t do that with contractors. We just assume that they already got that lesson.”</p><p>If companies fail to introduce contractors and other employees to the mission of the organization and its culture, those employees will not feel that they are part of the organization.​</p><h4>Trusted Technology</h4><p>Once trusted people are onboarded, companies need to evaluate their data—who has access to it, what controls are placed on it to prevent unwarranted access, and how that access is monitored across the network.</p><p>“The one thing I always recommend to any company is to have a monitoring system for all of their networks; that is one of the biggest ways to avoid having issues,” Stibbards says. “Whether it’s five people working for you or 100, if you let everybody know and they are aware when they are hired that all systems—whether they are laptops or whatever on the network—are all monitored by the company, then you have a much better chance of them not doing anything inappropriate or…taking information.”</p><p>These systems can be set up to flag when certain data is accessed or if an unusual file type is emailed out of the network to another address. </p><p>Simon Gibson, fellow security architect at Gigamon and former CISO at Bloomberg LP, had a system like this set up at Bloomberg, which alerted security staff to an email sent out with an Adobe PDF of an executive’s signature.</p><p>“He’s a guy who could write a check for a few billion dollars,” Gibson explains. “His signature was detected in an email being sent in an Adobe PDF, and it was just his signature…of course the only reason you would do that is to forge it, right?”</p><p>So, the security team alerted the business unit to the potential fraud. But after a quick discussion, the team found that the executive’s signature was being sent by a contractor to create welcome letters for new employees.</p><p>“From an insider perspective, we didn’t know if this was good or bad,” Gibson says. “We just knew that this guy’s signature probably ought not be flying in an email unless there’s a really good reason for it.”</p><p>Thankfully, Bloomberg had a system designed to detect when that kind of activity was taking place in its network and was able to quickly determine whether it was malicious. Not all companies are in the same position, says Brian Vecci, technical evangelist at Varonis, an enterprise data security provider.</p><p>In his role as a security advocate, Vecci goes out to companies and conducts risk assessments to look at what kinds of sensitive data they have. Forty-seven percent of companies he’s looked at have had more than 1,000 sensitive data files that were open to everyone on their network. “I think 22 percent had more than 10,000 or 12,000 files that were open to everybody,” Vecci explains. “The controls are just broken because there’s so much data and it’s so complex.”</p><p>To begin to address the problem, companies need to identify what their most sensitive data is and do a risk assessment to understand what level of risk the organization is exposed to. “You can’t put a plan into place for reducing risk unless you know what you’ve got, where it is, and start to put some metrics or get your arms around what is the risk associated to this data,” Vecci says. </p><p>Then, companies need to evaluate who should have access to what kinds of data, and create controls to enforce that level of access. </p><p>This is one area that allowed Snowden to gain access to the thousands of documents that he was then able to leak. Snowden was a Sharepoint administrator who populated a server so thousands of analysts could use that information to chase threats. His job was to understand how the NSA collects, processes, stores, queries, and produces information.</p><p>“That’s a pretty rich, dangerous set of information, which we now know,” Inglis said. “And the controls were relatively low on that—not missing—but low because we wanted that crowd to run at that speed, to exceed their expectations.”</p><p>Following the leaks, the NSA realized that it needed to place more controls on data access because, while a major leak like Snowden’s had a low probability of happening, when it did happen the consequences were extremely high. </p><p>“Is performance less sufficient than it was before these maneuvers? Absolutely,” Inglis explained. “But is it a necessary alignment of those two great goods—trust and capability? Absolutely.”</p><p>Additionally, companies should have a system in place to monitor employees’ physical access at work to detect anomalies in behavior. For instance, if a system administrator who normally comes to work at 8:00 a.m. and leaves at 5:00 p.m. every day, suddenly comes into the office at 2:00 a.m. or shows up at a workplace with a data storage unit that’s not in his normal rotation, his activity should be a red flag.</p><p>“That ought to be a clue, but if you’re not connecting the dots, you’re going to miss that,” Inglis said.  ​</p><h4>Trusted Processes</h4><p>To truly enable the technology in place to monitor network traffic, however, companies need to have processes to respond to anomalies. This is especially critical because often the security team is not completely aware of what business units in the company are doing, Gibson says.</p><p>While at Bloomberg, his team would occasionally get alerts that someone had sent software—such as a document marked confidential—to a private email address. “When the alert would fire, it would hit the security team’s office and my team would be the first people to open it and look at it and try analyze it,” Gibson explains. “The problem is, the security team has no way of knowing what’s proprietary and valuable, and what isn’t.”</p><p>To gather this information, the security team needs to have a healthy relationship with the rest of the organization, so it can reach out to others in the company—when necessary—to quickly determine if an alert is a true threat or legitimate business, like the signature email. </p><p>Companies also need to have a process in place to determine when an employee uses his or her credentials to inappropriately access data on the network, or whether those credentials were compromised and used by a malicious actor. </p><p>Gibson says this is one of the main threats he examines at Gigamon from an insider threat perspective because most attacks are carried out using people’s credentials. “For the most part, on the network, everything looks like an insider threat,” he adds. “Take our IT administrator—someone used his username and password to login to a domain controller and steal some data…I’m not looking at the action taken on the network, which may or may not be a bad thing, I’m actually looking to decide, are these credentials being used properly?”</p><p>The security team also needs to work with the human resources department to be aware of potential problem employees who might have exceptional access to corporate data, such as a system administrator like Snowden.</p><p>For instance, Inglis said that Snowden was involved in a workplace incident that might have changed the way he felt about his work at the NSA. As a systems administrator with incredible access to the NSA’s systems, Inglis said it would have made sense to put a closer watch on him after that incident in 2012, because the consequences if Snowden attacked the NSA’s network were high.</p><p>“You cannot treat HR, information technology, and physical systems as three discrete domains that are not somehow connected,” Inglis said.</p><p>Taking all of these actions to ensure that companies are hiring trusted people, using network monitoring technology, and using procedures to respond to alerts, can help prevent insider threats. But, as Inglis knows, there is no guarantee.</p><p>“Hindsight is 20/20. You have to look and say, ‘Would I theoretically catch the nuances from this?’”   ​</p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465