Printer Friendly

Security circles.

I WAS ONCE ASKED TO HIDE AN INVISIBLE AIRPLANE. "HOW HARD COULD THAT BE?" said. "If it's invisible, you can put it anywhere and no one will see it." Of course, my job as director of security for the Stealth bomber technology programs was not that simple, but the technique behind our success can be applied easily by any company that wants to hide new products or classified projects from prying eyes. (*) To use the approach I developed, called security circles, first look at your business from afar in the context of its surroundings, then move progressively closer to the target--the company itself. In essence, you are pretending to be an industrial spy or a thief planning to fraudulently victimize your company. Thinking like the enemy reveals company vulnerabilities that are often not discovered through a conventional security survey. You will never be able to walk through, drive around, or fly over your company in the same way.

The big picture. Start the survey from space if you have access to satellite pictures of your facilities. If that's not feasible, begin with an aerial view. Aerial photographs of the properties may already be available. In fact, such pictures are often displayed on the lobby walls of corporate headquarters.

Draw a large circle around the area where your company is located. Look for businesses that might attract the attention of groups or individuals who could then pose a threat to your own operations. You may also notice competitors in the region who would profit from knowledge of your activities.

In conducting this large-area threat assessment, another often-overlooked resource is the FBI. While the FBI will not comment on ongoing cases or specifics, it may provide a general threat assessment for the area. That would, for instance, let you know whether the type of product you are developing has been targeted by a hostile intelligence agency.

Still using the aerial shot, look specifically at your facility. You can observe duct work, power sources, unusual designs, and even the type of air-conditioning system. To the trained eye of a plant engineer, architect, or other expert, such clues can be used to determine the building's purpose with surprising precision. Expensive air-conditioning systems suggest that climate control is for large computer equipment, rather than for personal comfort. Duct work configuration and the number of BTUs emitted, which can be easily measured, can reveal production activity.

Once you are aware of these inadvertent clues, you can take steps to confound the sleuths, such as the installation of false duct work.

Now notice where the fencing is in each aerial view. When these areas change or when new buildings are added, anyone watching will guess something is going on.

Changes are typically based on business opportunities, factored into the budget, and planned along a time line. Most time lines go something like this: Make a business plan, do independent research and development, make a bid proposal or unsolicited offer, get a contract, build up for production, produce, and wind down or close down activity as the contract expires.

The value of this knowledge for the industrial spy is that once he or she finds an indicator of physical change in the facility or gets other useful information. he or she can establish where the company is on the time line.

If you determined that a competitor was doing computer modeling and product testing, you could guess that the company was working with a small-scale prototype and project how many years it would be before full-scale development. You could then work backward to verify information obtained from other sources. You could also use your knowledge to wait for probable future events orinsert your devious self in the right place to take advantage of what you have learned.

Now, back to the descending aerial views. You noted that such things as changing fence positions can indicate increased protection for different areas. The attention paid to physical security can also show how sensitive the area is or whether security measures are intended to protect information or conform government requirements.

Is there a guard post? Is it there to protect the well-being of employees or to check for identification? Are specialized vehicles visible? Tankers, emergency equipment, or transport vehicles could disclose information.

Pay particular attention to open areas where materials going into or coming out of the building are stored. This will reveal not only what was in the building but also roughly how much floor space is being cleared to make room for new inventory. Noting new materials going in is also useful for your, time line.

What if the goods are boxed or covered? Coverings are rarely meant to hide material and they rarely can. The company that manufactures and ships the items often uses distinctive markings. With binoculars or telescopic lenses, you can read the nomenclature.

Down to earth. Moving closer to your subject, drive around the facility or pick a surveillance point nearby. You will probably see clearly marked executive parking places. Company officials like to park close to their projects. As someone's parking place moves, you can make an educated guess about the type of project he or she is working on and where it's located. Since you can also guess that the executive worked on the proposal but likely did not move until the contract was assured, you have another time line notation.

Note where logos or project names are printed on doors, such as Project ASIS--authorized Entry Only. These markings give a name to the project. You can then begin adding together items with similar logos or warnings. This may help you determine which materials are in open storage and who is working on this sensitive project.

I used this method when I was having trouble getting a corporate executive to support necessary security measures. I told him how I would target and penetrate his company to learn what classified or sensitive projects it was working on. I proceeded to tell him about four of the programs.

By his expression I knew that I was right. After I had assured him that I had no previous knowledge of his company's activities, he asked how long my organization had been surveying his facility. I told him that I had driven around the plant on public streets twice the previous night.

One of the projects the company was working on was the sale of amored vehicles to a foreign country. As I explained to him, that was obvious because from outside the fence I could see some of the vehicles draped in a fenced storage area and the markings on the undercarriage in the other country's language were visible.

Continuing with the survey of your own company, find the best vantage points to observe the facility from outside your property. It's possible that the business was originally built in a remote location and that it hasn't made security adjustments to respond to growth in surrounding areas. Could you rent a home on a hill overlooking the facility and have a fixed surveillance point?

It's also possible to employ other means, like using lasers or parabolic antenna to hear what is being said at a distance-even inside a building. Most security experts know that this occurs every day, although industrial espionage is not openly discussed.

In the door. Now let's go through the front door. Remember, don't think of this as your company. You're a spy. Should you go to the personnel office to get hired and learn about secret projects from within? No. Normally such a time-consuming investment is not necessary.

Go to the lobby to pick up some brochures and look at any aerial shots on display. Marketing people and public relations people naturally want to show the best your company has to offer. Sometimes they are precluded by the classified or proprietary nature of the activity, but as soon as they can, they will include a picture and description of new buildings, equipment, and capabilities in the official literature Time line input? You're learning fast.

I went to one test facility and reviewed readily available publications from the last two years. Since the facility had to operate at a profit, they had to advertise new capabilities as soon as possible to attract new customers. By comparing the brochures I determined what was new in the current year and what was probably new the previous year. Taking into account budgets, appropriations, acquisitions, and the time to write and print the brochures, I developed a time line. I was able to guess when the capability was originally needed and its probable purpose. That was enough to accurately penetrate some very sensitive activities.

Reversing the process. Keep in mind that you are looking for ways an outsider could gain intelligence about your company. A spy may want to find where the high-value items or projects are, who can go from project to project, or how to steal from within.

Let's draw some more circles, moving now from the inside out. Circle every known target of opportunity in your facility where fraud, theft, or other harmful activities could occur, starting with where such activities could occur in moderate to large amounts. Who has access to the opportunity within that circle? Don't think only of normal work hours, Monday through Friday, just think about who has access. How would they get the fraudulent funds or the criminally obtained goods out of your little circle?

Draw another larger circle at the next point at which individuals are checked, stopped, or confronted. If you cannot draw a second circle for this opportunity or for some of the people who have access, you may lack adequate controls.

In one case I worked on, the individual working in the high-value cage was audited and overseen by another employee, his wife. Items missing were explained as theft by unknown persons, but there were no reports of breaking and entering. In another instance, trucks were checked going into a plant but not leaving the plant. It was dumb, but that was the procedure, and the security officers were not encouraged to question dumb rules.

Change procedures to add the second circle and see who complains. That person may be the center of your next inquiry. Continue drawing larger circles coming out of each of your original circled targets. Stop drawing larger circles when you stop finding vulnerabilities.

Robert J. Bird, CPP, CFE (certified fraud examiner), is president of Robert J. Bird & Associates Inc. in Broomfield, CO.
COPYRIGHT 1992 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:Information Security
Author:Bird, Robert J.
Publication:Security Management
Date:Aug 1, 1992
Previous Article:Making the cinema safe at showtime.
Next Article:Manufacturing a secure partnership.

Related Articles
Detecting weak links in executive armor.
Latest security products.
Latest security products.
Security Products Showcase.
Security hotlist.
Systems integration hotlist.
Security/authentication hotlist.

Terms of use | Copyright © 2017 Farlex, Inc. | Feedback | For webmasters