Sessions add substance.
Sessions were earmarked by experience level and categorized in one of nine tracks. A new track, Focus on Homeland Security, was introduced this year. Another cross section of sessions was simultaneously translated into Spanish. The following reviews recap only a sampling of the many packed sessions.
Wake-up call. What does the face of cyber death look like? And what can be done to prevent this catastrophe from occurring? These and a series of "What if?" questions were answered by presenter Jim Litchko, president of Litchko & Associates. Litchko outlined the basics of information security: confidentiality, integrity, authentication, and availability. He then explained the many threats and vulnerabilities that leave information systems open to attack and possible destruction. Threats range from the merely offensive--for example, graffiti that defaces a corporate Web site--to the truly dangerous, such as a host of worms and viruses that can destroy data or use an innocent network as a "beachhead" to launch an attack on other computers.
Litchko explained complex computer topics such as firewalls and virtual private networks in easy-to-understand terms. But he spent most of his session describing threats to networks and underlining the need to both understand and act against these threats. He added that today's viruses and worms are capable of morphing, can spread fast, and cause great damage. The Code Red worm of 2001, for example, ultimately infected some 700,000 computers and cost businesses more than $25 billion.
Litchko prescribed solutions as well. He pointed to the increased use of artificial intelligence that can trace attacks, monitor networks, and review logs faster than humans ever could. He described easy-to-use authentication devices that can be plugged into a computer's USB port, bypassing the need for new hardware. He also examined the growth of biometrics for authentication. One future application, he said, will integrate iris scanners into cell phones, allowing only the legitimate user to operate the phone.
Getting together. Three presenters underscored the need for companies to establish and integrate chief security officer (CSO) and chief information security officer (CISO) positions. The trio explained the need for these two roles and gave suggestions on how to find qualified applicants.
The group spoke from experience. Lew Wagner, chief information security officer at the University of Texas's M.D. Anderson Cancer Center, and Reginald Williams of Boeing have earned both physical and information security credentials: CPP and CISSP (certified information systems security professional). Eduard Telders, CPP, security manager for PEMCO Financial Services, is responsible for both information and physical security.
"Historically, IT, environmental, and personnel security were handled in different departments under different managers," explained Wagner. "Each manager did not understand what the other groups did or how they were interrelated." This lack of understanding caused potentially dangerous gaps in security coverage. The CSO position is critical because "an integrated approach requires a single leader to drive the security risk management program for the organization," he said.
Having a CSO can provide a good return on investment (ROI), and Wagner provided a formula for testing ROI by measuring the costs of redundant staffing, delays in coordinating information, and gaps in security coverage. If the risks posed by these problems exceed the cost of integrating security and IT, then positive ROI is proven.
The position is not easy to fill, however. Candidates must be security visionaries and mentors; have executive, technical, and investigative knowledge; and be able to create and implement a comprehensive security risk management program.
Telders explained the typical backgrounds of CSOs and CISOs to show how their needs were similar, which makes integration a logical step in an organization's evolution. He pointed out that executives in security and IT positions employ discrete proprietary tools and need the services of specialists and vendors. But both positions want to rely less on specialists, contain costs, and simplify vendor management. Working together allows both to meet their objectives.
Hidden agenda. A preliminary behavioral interview can help investigators, security managers, and company officials decide how to proceed with a case. This point was made by Chris Norris, CFI (certified fraud investigator), and Brett Ward, CFI, of Wicklander-Zulawski and Associates, who detailed a case study and the role interviewing played in its resolution.
In the case, 15 laptop computers were stolen at a U.S. East Coast airport from a company's interstate shipment. Investigators decided to interview all persons who had access to the computers at any time.
Before showing a video of one of the interviews, the speakers discussed the behaviors seen in innocent as well as guilty individuals. During the video, the subject was asked several questions about the thefts, beginning with whether he had stolen any of the 15 computers and what punishment the thieves should receive. While the video played, attendees were asked to rate the interviewee's positive, negative, or neutral behavior.
Additionally, the pair shared data gleaned from other interviews. For instance, 55 percent of those who admitted to a crime felt that the truth was already known about their involvement (showing that the interviewer was effective), 42 percent wanted to put their own spin on the situation (perhaps to cut a deal), and 33 percent "had a conscience" and felt guilty about their involvement.
Daily double. Three panelists joined audience members in a spirited discussion of how to handle and defuse violence in the workplace. The discussion also considered ways to create in-house resources that can be called on immediately when trouble arrives at the workplace.
The session was presented in a Jeopardy-style format, in which attendees could choose a category (such as threat assessment or management) and then pose a question to the panel. Fielding questions were Richard Lisko, CPP, vice president, business development, with Allied Security; Stephen Morrow, CPP, vice president, crisis management group, with Bank One Corporation; and Jon Groussman, senior vice president of CAP Index Inc.
Many questions were posed during the "game" including, "What key principles must be understood when managing a potentially violent situation?" Morrow answered that he views violence as situational and looks for aspects of the situation that can be altered to mitigate possible violence. The best way to achieve that goal is to avoid making the offender look foolish. "Deal with the person in the best way to maintain this person's dignity," Morrow said. "That's a key way to avoid violence."
Hands frequently shot up among the standing-room-only audience as attendees were eager to relate scenarios they had encountered. One attendee asked if it was advisable to intervene in an incident in which a disgruntled employee was destroying company property. From a legal perspective, Groussman advised that the worker be left alone, unless it was necessary to defend oneself or others, to avoid injury to the offender. Lisko pointed out the need for a pre-established relationship with local law enforcement, and for the company's policy on reacting to workplace violence incidents to be well disseminated throughout the entire organization.
Another question concerned who should be involved in conducting an assessment. Morrow advocated using a range of expertise. "I've learned a lot from dealing with human resources, EAP [employee assistance program] members such as psychologists, and even lawyers," he said. "All of us working together can have an impact on the best possible solution." In Groussman's experience, the lack of such a team has resulted in chaos.
Lisko added another angle: How is it possible to include outside contractors when conducting assessments? This query brought another flurry of anecdotes from audience members with suggestions and warnings.
Anyone listening? "In essence, [the USA Patriot Act] gives the U.S. government free rein to tamper with any telephone and to intercept any communications of any type ... if there is any suspicion that it can be in harm of U.S. security," said countermeasures expert Doug Kelly. After a brief summary of the Patriot Act, other legislation relative to privacy, and government eavesdropping efforts such as Echelon and Carnivore, Kelly devoted much of his session to the fundamentals of technical surveillance countermeasures (TSCM).
The first phase of a TSCM sweep, Kelly said, "is a game of hide-and-seek," with the TSCM agent visually scouring every inch of an area under suspicion. To provide sufficient volume, a listening device has to be within 20 or 30 feet of the source, which provides a radius for the search. Sweepers shouldn't overlook ceiling tiles, walls, or carpets, Kelly said.
A telephone search is the second phase of a TSCM sweep. Kelly displayed and described various pieces of equipment, such as voltage meters, used to test whether telephones have been compromised.
An electronic search is the final component, and the right equipment is critical in this phase. A spectrum analyzer is sophisticated and useful, Kelly said, but its price tag is high. Other devices used for electronic sweeps include nonlinear junction detectors and instruments that capture, computerize, and analyze all signals.
In fact, Kelly said, detailed knowledge of specific equipment and manufacturers is one way to distinguish a TSCM expert from a charlatan. "Ask the company 'What gear do you have?'" he advised. "If they're vague, pass."
Planning put to the test. Ralph Blasi, corporate security director of Brookfield Financial Properties (BFP), which owns and operates the World Financial Center in New York City, spoke to a standing-room-only crowd on BFP's crisis management plans developed after the first World Trade Center bombing in 1993 and put to the test on September 11, 2001.
The two major components of a successful plan, said Blasi, are "number one: Share information.... You may know what you're doing, but do you know what the person on the other side of the street is doing?" The second component, he said, is an interface with local and federal agencies.
The financial center is composed of four office towers with a large atrium called the Winter Garden. The complex was connected to the World Trade Center, which sat on the other side of an eight-lane highway, by two pedestrian bridges. After the 1993 attack on the twin towers, BFP formed a crisis management committee, which included tenant representatives with equal say, no matter how large or small their leased spaces. The committee established evacuation routes that avoided bottlenecks, sending the center's approximately 40,000 employees toward the river to clear the streets for first responders.
On September 11, the center's employees were successfully removed from harm's way, opening several areas of 1 Liberty Plaza, which first responders used as a triage center and a morgue. In the days after the attack, special jackets supplied to the center's crisis management committee allowed police to identify committee members and members to identify each other. The relationships cultivated previously between the crisis management team and various officials allowed the center to receive faster attention. For example, a fire truck was smashed against one of the center's buildings, and its removal was a priority. "You pick up a phone and if they don't know you, you're 20th on the list. But with a personal rapport things happen faster," Blasi stated.
Prearranged business continuity sites at local public schools "offered shelter for more than 6,000 business recovery personnel from the World Financial Center," he said, reminding listeners of the "global implications if a blip in operations" negatively affected the center's tenants.
Terrorism fallout. The effects of Middle East unrest on business cyber systems were explored by J. Keith Flannigan, Ph.D., of United Security Group Management, Inc. "For most of us, the chance of a terrorist cyberattack on our facilities is like the chance of being struck by lightning," Flannigan assured listeners. "Don't panic; just be aware ... of the trickle-down effect of the war on terrorism."
Flannigan explained that law enforcement personnel would likely see a rise in street crime and in cyberattacks against police computer systems. The former can in part be traced to the fact that Osama Bin Laden's Al Qaeda network was subsidizing some drug traffickers to exploit their routes into the United States. The result has been a rise in drug prices, which leads to more muggings, robberies, and other crimes. Other likely results of global unrest include increased Internet scamming and identity theft. Also, employees of multinational corporations face an increased possibility of kidnapping.
According to Flannigan, IT and security professionals may be most affected by computer viruses. However, "most prudent companies have initiated countermeasures and containment programs so even hundreds of new viruses [would affect] wise businesses less." Of concern to Flannigan and others is the possibility of cyber attacks on the routers that control the World Wide Web or physical attacks on router facilities.
Insider trading. Geoffrey, a rising star in a company that makes software for the pharmaceutical industry, works late one night, sending e-mails. When he leaves, the company's asset control system matches his laptop computer to his personal ID, ensuring that the proper equipment is leaving with the right employee. Unfortunately, the system cannot see the contents of Geoffrey's briefcase, which includes personal CDs and papers--and a large file containing company trade secrets.
The next day, Geoffrey resigns, and within a few months he forms a business, competing with his old company. His former boss suspects theft and has Geoffrey's old laptop examined forensically; he even files a lawsuit accusing Geoffrey of stealing the company's intellectual property. But little evidence is available, and the cost to bring the case to court and shut down the new company is prohibitive.
This hypothetical example, drawn from real-life cases, was related by Dennis Farley, president of The Intelligence Group. Farley explained that a single case of intellectual property theft can cost a business an estimated $1 million. However, although 75 percent to 85 percent of these thefts are committed by insiders, most organizations are not equipped to deter or prevent this type of crime.
Farley defined intellectual assets as "what we need to stay in business and be successful," including information about proprietary technologies, research and development data, operations methodologies, customer lists, and financial records. Such assets are harder to secure than ever before, Farley said. "The big problem today is that these assets are in magnetic media such as servers, desktops, laptops, PDAs," he said. Data on such media can be copied without anyone realizing it, in contrast to the outright theft of physical assets.
Security can only prevent such assets from disappearing by minimizing the opportunity for theft (opportunity is one corner of what Farley called the "theft triangle," along with need and rationalization). While Farley said that there is no "silver bullet" to prevent the theft of intellectual assets, he proposed five steps that could mitigate the risk.
First, businesses need to assess their risk, looking at issues such as insider threat, the competitiveness of their industry, and the portability of their assets. The second step is the integration of IT and physical security, which Farley called "a must." Next, employees need to be trained and educated; employee awareness boosts compliance with policies and helps avoid problems from social engineering. The fourth step is to design systems to facilitate later investigations. For example, companies should maintain CCTV and card access logs and audit trails and implement computer forensics tools.
Finally, companies need to recognize that they have the right to monitor. For example, e-mail traffic can be scanned to ensure that proprietary information is not sent in messages or attachments.
A proper defense. To illustrate the dangers of negligent security claims, presenter Steven C. Millwee, CPP, used a case study of a dairy processor whose night security officer was murdered on the premises. Millwee explained that the murderers had inside knowledge of the premises--a supervisor who had been fired five days before the incident for testing positive for drugs had given the information to his cohorts. The widow of the murdered man sued the company for negligent security. She claimed that her husband worked alone and had no one to protect him from acts of workplace violence.
The key to winning the case, Millwee said, was not proving that the employee was protected or trained to recognize workplace violence. Rather, the appropriate defense was to prove that no incident like this had ever happened on the property before. This issue of foreseeability is critical to understanding negligent security lawsuits, he said. Though the two parties eventually reached a settlement out of court, the lessons learned from the case are still applicable to any such lawsuit.
The best-laid plans. In early September, David G. Patterson, CPP, CFE, conducted a risk and vulnerability assessment of a growing Northern California software company. When entering the security control center, he encountered an officer reading a book, with his legs kicked up on the desk. Asked why he wasn't monitoring the security systems, the officer showed Patterson the alarm monitor. "It was just going wild with alarms--door open, invalid card reads, intruders," Patterson recalled. He used the anecdote to drive home the frequent disconnect between security systems and procedures.
This disconnect can be eliminated by creating a security plan that addresses technology, procedures, and the human element, Patterson said. The plan should be scaled to address normal operations, a heightened-alert status, and the company's highest-alert condition. Patterson then walked through how one facility set up a security plan along these lines.
An early step defined factors that constituted what would be considered in normal-status, heightened-alert, or highest-alert mode. For example, "normal" might be ratcheted up to "heightened" if there had been a major terrorist attack in the general area or threats were received by a neighboring company.
The business also created a spreadsheet depicting all threats, their effects, and specific countermeasures. Additional spreadsheets set out the procedures to be followed when implementing security measures in normal-status, heightened-status, or highest-alert plans. In Patterson's example, the facility was most concerned about vehicle and package bombs. For perimeter protection, the normal-status plan called for an open perimeter, except for possible crash points. The heightened-alert plan called for a ban on perimeter parking after hours. And the highest-alert plan triggered a prohibition of vehicle parking around the perimeter with barriers around the clock.
Patterson similarly explained how to fashion procedures for a range of activities, such as alarm assessment. At the highlighted facility, he noted that an alarm from the computer room door would require the monitoring security officer to implement a range of actions such as calling up a CCTV image or dispatching a colleague to challenge the intruder and request some form of ID.
In or out? Consultant Patti McGowan spoke before a standing-room-only audience on employee background investigations and the issues organizations must consider. Specifically, she addressed the positive and negative aspects of conducting these investigations using internal staff or an outside resource.
When using in-house staff, she said, a primary consideration is whether the number of existing staff is sufficient to cover the additional duties or if additional investigators must be hired. Another consideration is whether the process should be handled by human resources or security or divided between the two departments.
On the plus side, McGowan mentioned quick turnaround time and control, including cost management. Negatives include accommodating fluctuations in workload volume, inconsistent interpretation of results by staff, liability, and the need to comply with federal and state legislation.
The benefits of outsourcing include staffing issues (for example, the organization does not have to pay benefits), technology, and controlled turnaround times, all of which can be prescribed in a contract. Staffing can also be a negative, said McGowan, because the client is not involved in hiring decisions. Also, reports might be standardized and not easily customized, and third parties can affect turnaround times.
In assessing potential vendors, an organization should consider the company's age, the experience of senior management, technological compatibilities, and time estimates for investigations, said McGowan. Other questions to ask include: Will the vendor perform facility visits? Is background screening the company's main function? Does the vendor have state or local licenses? Does the company reuse archived investigative data? And will the vendor outsource portions of the investigation?
McGowan also espoused a way to show the value of background investigations to the organization. "After one year, you can show the return on investment by looking at the number of individuals not hired due to the screening process."
To provide additional resources, McGowan distributed a CD-ROM that included sample waivers, requests for proposals, and a summary of rights.
Find a partner. Private security has more employees and twice the budget of law enforcement. Its practitioners also have specialized skills that are not always prevalent in the public sector. Thus, finding ways to combine the strengths of the public and private sectors is essential to community safety. One program that fosters communication between the two groups is "Operation Cooperation."
Robert L. Pence of the Pence Group, Michael D. Gambrill of Dunbar Armored, Inc., and Al Youngs, Investigative Division Chief of the Lakewood (Colorado) Police Department provided details on the program based on their experiences. A short video explained that Operation Cooperation is funded by the U.S. Bureau of Justice Assistance and guided by ASIS International, the International Association of Chiefs of Police, and the National Sheriffs' Association.
When should the public sector seek out the expertise of the private sector? The speakers described a scenario in which a large multinational corporation moves to a small town and experiences a number of serious computer intrusions. Although a criminal matter, the nature of the crimes is outside the expertise of local law enforcement. However, several private-sector groups have the skills to investigate the attacks and locate the perpetrator. Working together, the two groups could stop the crimes.
In the know. At a well-attended session, the training of non-law-enforcement personnel on weapons of mass destruction (WMDs) was discussed by John Ulianko, CPP, and Raymond Gauvin of the U.S. Department of Homeland Security (DHS). The newly formed department is responsible for securing approximately 470 federal buildings, and the speakers described the training the department provides for its personnel.
The portability, accessibility, and immense lethality of WMDs are critical components of the training, which includes the exploration of WMD incidents, such as the 1995 Murrah Federal Building bombing. Training segments also cover the limitations of WMDs, such as the ineffective delivery methods inherent in various biological agents such as smallpox, and radiological agents such as a "dirty bomb."
Plan for a crisis. Lawrence K. Berenson, CPP, of Sako & Associates posed this question to his audience: "Think of what can go wrong, and if it does, what is the impact on your company?" He followed up by asking: "As a last resort, what do we need to survive?"
Berenson underscored the importance of having a crisis management plan in place and told his audience to be sure that everyone agrees on who is in charge of the plan's implementation. He encouraged the audience to make sure that all employees understand why there is a plan and what their roles are in it. An often overlooked component of the plan is an exit strategy. "Who decides when the crisis is over?" is a paramount question for a company, he said. After the crisis, the plan must be evaluated in light of actual events and then refined.
Berenson strongly counseled attendees to ensure that their companies had prepared an emergency operation center, furnished and ready to use, in an out-of-the-way location. The importance of the latter was underscored during the September 11 attack on the World Trade Center complex was completely destroyed.
In general, "keep plans fluid and flexible," Berenson suggested, "and remember that planning never ends."
Just a bite. Always have your sound bite ready. Nothing you say is ever off the record. Always assume that the most embarrassing question will be asked.
William A. Alford of International LightHouse Group, Inc. gave these and other pieces of advice to a packed audience looking for guidance on dealing with the media in a crisis. His information-packed seminar presentation focused on the tools security professionals need to stay cool under pressure and get the company's message across to members of the press.
According to Alford, the first step in responding to the press should always be to prepare a sound bite. "The more information you give the press, the more they have to choose from," he said. By limiting the amount of data given in a sound bite, the press is forced to use that information. "This is frustrating for reporters," he said. "But it allows the company to stay in control of its message."
Sign Language: Authors Autograph Books
Top-notch authors were available all four days of the ASIS International 49th Annual Seminar and Exhibits to autograph their books and pen messages to those who stopped by the signing desk set up outside the ASIS Resource Center.
Sandra Lanier, CPP, president of Lanier Security Group, Inc., in Orlando, Florida, was available to sign her book, Workplace Violence: Before, During, and After. Lanier specializes in providing security consulting services to Fortune 500 companies and government entities.
Geoff Craighead, CPP, signed copies of the recently released High-Rise Security and Fire Life Safety, 2nd Edition. Craighead has been involved with the security and life safety operations of high-rise facilities for more than 20 years. He has spoken on the topic before leading security, real estate, healthcare, hotel and casino, and risk and insurance management audiences. He currently serves as vice president of high-rise and real estate services for Securitas Security Services, USA, Inc., of Los Angeles, California.
Lt. Gen. Harold G. Moore (Ret), Tuesday's general session speaker, signed copies of his seminal book on the beginnings of the United States military involvement in Vietnam, We Were Soldiers Once ... and Young. Researched and written during the 1980s and 1990s with coauthor Joe Galloway, Moore chronicles the first major engagement of the Vietnam War, the Ia Drang Battle.
Mary Lynn Garcia, CPP, senior member of the technical staff at Sandia National Laboratories, Albuquerque, New Mexico, was available to sign copies of The Design and Evaluation of Physical Protection Systems. Garcia has spent the last 18 years working on multiple security projects, including the design of equipment for use in surveillance of offshore nuclear facilities, the design and development of CCTV and lighting systems, and the management of large projects for both government and industry customers.
Eugene F. Ferraro, CPP, president of Business Controls, Inc., Golden, Colorado, was on hand to autograph Undercover Investigations. Ferraro has been a corporate investigator for more than 19 years, specializing in the investigation of employee dishonesty, substance abuse, and criminal activity in the workplace.
Richard Butler, Wednesday's general session speaker, autographed his two provocative books: The Greatest Threat: Iraq, Weapons of Mass Destruction and the Growing Crisis in Global Security and Fatal Choice: Nuclear Weapons and the Illusion of Missile Defense. Butler is recognized internationally as Australia's most influential diplomat.
Charles L. Yeschke was at the signing table to autograph copies of his book The Art of Investigative Interviewing, 2nd Edition. Yeschke brings more than 35 years of experience as an investigator and forensic psychophysiologist to his writings and has authored numerous articles and books on investigative topics.
Laurie Mylroie, Ph.D., was on hand to add her autograph to two intriguing books: Study of Revenge: Saddam Hussein's Unfinished War Against America and Bush vs. The Beltway: How the CIA and State Department Tried to Stop the War on Terror. Mylroie is vice president of the Washington, D.C.-based Information for Democracy and is recognized internationally as an expert on Iraq and the Middle East.
Date: Nov 1, 2003