Where’s Your Wallet?

Posted on 31, May | Posted by Kevin M. McQuade, CPP

Identity theft is talked about constantly, and when it happens to someone, their response is normally “I don’t know how this happened to me”. Sometimes it is just too easy.

On a recent business trip – to a security conference no less – as we walked into a restaurant for breakfast we passed an empty booth with no one close to it. In the booth was a woman’s purse, open and just waiting to be taken.

Shortly after that, we boarded the bus that transports us to the security conference. When I took my seat, I looked over to the seat beside me. There was a man’s wallet just lying on the seat next to his backpack. The owner of these items – who works for a large security integration company – was sitting in the seat in front of his belongings. It would have been very easy to take either the wallet or the bag without his knowledge.

Maybe because this was a bus full of security professionals going to a security conference, this individual thought he was safe. He was this time, but he may not be the next time.

Let’s not make it any easier for those who insist on stealing your identity. Keep your purse, wallet, credit cards, and other items secured at all times and not left for someone to take.

 


Campus Alert – Lessons from Lone Star College System

Posted on 24, May | Posted by Tasha D. Dyson

On January 22, 2013, gunshots were heard on the North Harris campus of Lone Star College System. It was later learned that an altercation between two individuals (one of whom may have been a student) had escalated to gun violence. The shooters were injured along with an innocent bystander.

Incidents such as this immediately bring to mind topics such as crime, gun control, workplace violence, weapons on campus, mental health issues, or law enforcement response – topics which are covered extensively in the media and will not be discussed here.

What we noticed was the alert system of Lone Star College System.

During the lockdown on January 22, visitors to the homepage of Lone Star College System saw this:

[Image: Lone Star College System Alert]

Important information about the current situation was included at the top of the page surrounded by a red outline. More general emergency information was included lower on the page with links to Lone Star’s Office of Emergency Management and the LSCS Emergency Preparedness Guide. Specific information topics included Personal Preparedness Checklist, Tips for People with Special Needs or Disabilities, Weather Emergencies, Terrorism, Building Explosion, Bomb Threats, Shelter in Place, Epidemic, Preventing Crime, Contact Information, and Automated External Defibrillators (AEDs). A link to the standard “non-lockdown” homepage of Lone Star College System was also included.

Based on the design of the page, it appears that Lone Star College System has created an alert template to be used in an emergency situation. With this arrangement, college representatives can simply add relevant information and activate the page, thereby increasing the speed with which they can provide information to students, faculty, staff, and visitors. Although we did not test it, the design of this page suggests that it would be easily viewed on a mobile device or a tablet.

We do not know what other communication methods were used by Lone Star College System, if any, and used alone, this website replacement may not be a comprehensive notification strategy.

However, when used in conjunction with other means of notification such as phone, text, and email, this alert webpage is a fast and efficient way to communicate information to students, faculty, staff, visitors, and the general public.

On April 9, 2013, the CyFair campus of Lone Star College System was placed on lockdown because of an individual who stabbed fourteen people. During the incident, the main webpage of Lone Star College System was again replaced with an “alert” page. Although the design of the page had changed slightly from January to April, the important information was present and highly visible.


Who’s Watching You?

Posted on 17, May | Posted by Emily Liner

Predators could be spying on you through your computer’s webcam. Criminals are now able to hack in and watch your every move – without you ever knowing it. Scary, right?


We’re all guilty of it: we use our computer, get distracted with something, and just walk away. We forget the computer is still on – and this is the key action criminals are counting on. Now they can access your webcam remotely, watching your most intimate moments from the kitchen to the privacy of your own bedroom. The worst part is, you may never even know.

Not only must we remain aware of our surroundings in public or walking through parking lots and decks, now we must stay vigilant in the privacy of our own home. Though there is little we as the public can do to fight hacking, we are not completely helpless against this threat. The basic solutions are all ones we’ve heard before. Have good anti-virus software on your computer. Do not click any links in your email – especially the ones from “Facebook”. Because Facebook has so many users worldwide, it’s the perfect cover to trick people into thinking the link is legitimate.

The best advice is to learn more about webcam hacking to better understand the risks. Luckily, just like many other appliances and technology, there is a light or another indication that the device is on or in use. Watch your webcam light to know if it has been activated. When it is not in use, cover the lens. This physically stops hackers from watching and recording your activities.


RMA Completes Assessment at Frost Bank

Posted on 26, Apr | Posted by RMA

Risk Management Associates, Inc., working in conjunction with Caprock Consulting Group, has completed a Limited Building Security Assessment for Frost Bank in San Antonio, Texas.

The project team interviewed executives about their security concerns to gain an understanding of the security culture at Frost Bank and interviewed key staff members in charge of security policies, administration, and day-to-day operations as part of the physical review. The team conducted a daytime walk-through of the facility to assess general physical security, procedures and operations of the main entry levels and executive floors, including a security assessment at critical points of entry and exit. Finally, the team developed a comprehensive security assessment report of the three executive levels and ground level entrances.

Founded in San Antonio in 1868, Frost is the banking, investments and insurance subsidiary of Cullen/Frost Bankers, Inc. (NYSE: CFR), a financial holding company with $22.5 billion in assets at March 31, 2013. One of 24 banks included in the KBW Bank Index and a top-50 U.S. bank by asset size, Frost provides a full range of business and consumer banking products, investment and brokerage services, insurance products and investment banking services to businesses and individuals in the Austin, Corpus Christi, Dallas, Fort Worth, Houston, Rio Grande Valley and San Antonio regions.


Jerry Blanchard Presents at School Task Force

Posted on 26, Mar | Posted by RMA

From WTVD:

From WRAL:


The Dark Parking Lot

Posted on 6, Feb | Posted by Teresa Ivey

I went to a local big box store and pulled into the parking lot at about 6:30pm – not too late in the evening but after dark in the winter. As I was parking I received a phone call, so I sat in my car to complete the call. While on the phone it occurred to me how dark the parking lot was. They had a few lights, but clearly not enough.

As I sat there, I started to get that feeling that something was just not right about this. There was nothing obviously wrong, but I felt uncomfortable. So I left and went to another store where the parking lot has plenty of lights and I had a much safer feeling.

There are two points to this story. First, crimes happen in the dark. I want to see, and I want to be seen. If there’s not enough light, I’m going somewhere else. Second, always listen to that inner voice. It’s there for a reason. You may not know why you have a “feeling”, but you should always listen.


Social Engineering

Posted on 30, Jan | Posted by Christine L. Peterson, CPP, ISP

In the last 30 days, a single individual in the Raleigh/Durham area has managed to bypass the security protocols at two area companies and two government facilities. (Read more about that here.) Recently, I attended an invitation-only business reception at a local restaurant when an uninvited guest joined the group and began networking when she clearly did not belong. In both cases the individuals were successful in penetrating the closed spaces by acting like they belonged until such time that it was realized that they did not.

We are not talking about facilities that don’t understand the principles of security, a comprehensive security program, or layers of security. They get it, and they have solid security programs and protocols. How could this happen, and how can we stop it from happening again?

Answering these questions and addressing the conflicting forces in the workplace that lead to security breaches of this type requires an understanding of human nature and the laws of complacency and diminishing returns. First we need to begin with Billy Green’s Security 101 lesson that does such a good job describing the concept of security. Security is protection from injury or loss caused by the deliberate actions of people. It all boils down to people and intent, and this is true whether we are talking about physical security or cyber security. In these recent events, there was a motivated person who wanted something (physical asset, intelligence, electronic assets, damage to reputation) and believed he had a good chance at being successful in attaining it without negative consequences.

What he wanted is irrelevant, and we should instead focus on how access was obtained in order to identify vulnerabilities and anticipate future events.

According to the Information Bulletin put out by the North Carolina Information Sharing and Analysis Center (NC ISAAC), the individual was confronted by security and escorted off the premises. In addition, it is believed that the individual either entered a door by following closely behind an employee of the company/agency who had the appropriate access (piggy-backing) or used social engineering techniques to gain entry into areas that were controlled spaces.

Social engineering is the art of manipulating people into performing actions or divulging confidential, sensitive, or controlled information. In the workplace it is a method of trickery or deception for the purpose of gathering information, committing fraud, or gaining access to computer systems or other assets. The effective social engineer is an astute student of human nature and adapts to the environment to develop a level of trust and capitalize on human vulnerabilities and nature. (Source: Wikipedia)

None of us is completely immune to social engineering because as human beings we tend to respond to stimuli in predictable ways depending on our age, experience, training, and other characteristics, and that is what the social engineer is counting on. In addition, the social engineer is most successful if they are adept at changing their manner and demeanor based on the situation. Studies show that a female voice is more effective in generating information from men, and a young inexperienced employee will be more responsive to someone who appears to have authority. How someone dresses, how they behave, what accessories or equipment they carry – all of these non-verbal features affect the response a social engineer is going to get.

The ability of an employee to easily separate those who belong within the work environment and those who don’t is a powerful tool to counter the attempts by an outsider. If only visitors wear identification badges, they can “become” an employee simply by removing their badge. If contractors are not required to wear badges, someone just needs to look like a contractor to easily blend in with the population.

The social engineer will use their persuasive skills to convince someone to give them what they want. The same traits that you may value in your employees are tools for the social engineer including:

  • Good customer service and helpful responses
  • Belief that most people are good and are looking for good
  • Fear of being made to look foolish or the desire to belong
  • Efficient, bypassing security protocols to get more done faster
  • Assumption that everyone thinks like I do (if I obey the rules then everyone else will too)

Effective social engineering countermeasures begin with first understanding human nature and how the law of diminishing returns will affect your employees’ responses to security events. Over time, human beings who have been oriented or trained in certain concepts or expectations will reach a certain level of performance followed by a decline in effectiveness or an increase in complacency.

In order for a company to have a chance of protecting critical assets, security awareness training and reinforcement needs to be a continual process.

George Bernard Shaw once said that “The single biggest problem in communication is the illusion that it has taken place.” It is not reasonable to expect that employees will understand their responsibilities as they pertain to company assets based on a single briefing on security at orientation. Security programs protect the reputation, people, and hard and soft assets of the company that provide the income generation for the business to exist.

Has your management communicated to its stakeholders that the security program exists to protect them and the company’s ability to compete?

Employees expect there to be a method to lock their office, suite, or building. Other security tools such as lighting, cameras, and access control devices are the norm in today’s workplace and are elements of a comprehensive security program.

Do your employees recognize that they play a key role in the company’s security program and their own protection? Or do they view security as a game that someone came up with to make their job more difficult?

The security breaches described in this article were recognized by quick-acting people who understood their responsibilities in the protection of the assets. Some of them were security professionals, but in most cases of social engineering, it will not be your security employees who are approached by someone trying to elicit information. The employee who will “give away the farm” in most cases will be someone who is trying to do a really good job for the company by providing information or a good customer experience, responding to a command, enhancing their value, or looking for a way to move up in the organization by helping someone out. The moral of this story is that security is everyone’s business. Good security begins with understanding what the company’s assets are and sharing the responsibilities for protecting them with all the stakeholders through awareness, training, responsibility, and accountability.


Situational Awareness Information Bulletin

Posted on 29, Jan | Posted by RMA

Between December 26, 2012 and January 10, 2013, the below identified subject was able to breach security at two identified private sector facilities and two Government facilities in the Raleigh/Durham/Chapel Hill area.

Joseph Dean Hill
Aliases: Mark, Mark Johnson, Joseph Turnag

The identified subject was observed operating a black Nissan Pathfinder with NC plate BEK-9106 in two of the incidents. The subject also has a 2004 Nissan Maxima registered in DMV with NC plate XNM-6071.

It is believed he piggy-backed off employees and/or used social engineering techniques to gain access to secure areas. In each incident, the subject gave Security false names and explanations for his presence at their facility. During each encounter, the subject was confronted by Security and escorted off the premises.

The subject has been subsequently confronted by local, state and federal law enforcement about these incidents at which time he could not provide a credible explanation for his actions.
 
If your agency has information that this subject has made attempts or succeeded in breaching security at other facilities in your jurisdiction, please contact the NC Information Sharing and Analysis Center (ISAAC) at 919-716-1111, or by email at NCISAAC@ncdoj.gov.


Hotel Locks

Posted on 17, Jan | Posted by Emily Liner

Most hotel room locks use a key rather than a card, and in recent months this is presenting a big problem. A low-cost piece of hardware called a microcontroller can make for a simple hack and easy burglary with no signs of a forced door or picked lock. See the story here.

The upside for hotels of using keycards instead of keys is that they are inexpensive if misplaced and management can use a device to read the memory of the keycard lock. However, hundreds of thousands of locks protecting hotel rooms can be hacked with a digital tool that only takes seconds to trigger its opening.

Although this is going to be a growing problem around the world, remember to travel smart, folks. Many hotel rooms these days have safes – use them! Don’t travel with any electronics if you don’t need them and when you can, take your laptop, tablet, and other devices with you.


RMA Completes Assessment of Mitchell Community College

Posted on 14, Jan | Posted by RMA

RMA has completed a Security Assessment at Mitchell Community College. The purpose of the analysis was to evaluate the security threats at each of the campuses, identify gaps in the current security program, and recommend measures that MCC should consider going forward to mitigate the probability and criticality of a future security event. Included in this assessment were surveys that were done at each of the five Mitchell Community College sites located in Statesville and Mooresville.

The ultimate objective is to provide Mitchell Community College with the information that they can use as a guideline to improve security across the system using an appropriate blend of people, processes, and technology to increase the safety and well-being of the staff, faculty, students, visitors, and vendors at each campus.

Mitchell Community College, founded in 1852, is a comprehensive, open-admissions community college dedicated to meeting the post-secondary education and training needs of the citizens of Iredell County and surrounding areas. The college provides an array of high quality programs at low cost in an historically rich environment. Mitchell is a student-centered institution where all persons are encouraged to develop their abilities in a community that respects diversity and is supportive of individual achievement. Concerned with the social, civic, cultural, and economic development of the community as a whole, instructional programs are focused on meeting the educational and training needs of all persons over eighteen years of age and persons sixteen years of age and older with special needs.
